Gronde, Christopher (Contractor) wrote:
> I restarted dirsrv and attempted to start krb5kdc and this is what the error 
> log shows
> 
> # tail /var/log/dirsrv/slapd-ITMODEV-GOV/errors
> [09/Nov/2015:11:01:02 -0500] - WARNING: userRoot: entry cache size 10485760B 
> is less than db size 28016640B; We recommend to increase the entry cache size 
> nsslapd-cachememsize.
> [09/Nov/2015:11:01:02 -0500] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests
> [09/Nov/2015:11:06:04 -0500] - slapd shutting down - signaling operation 
> threads
> [09/Nov/2015:11:06:04 -0500] - slapd shutting down - closing down internal 
> subsystems and plugins
> [09/Nov/2015:11:06:04 -0500] - Waiting for 4 database threads to stop
> [09/Nov/2015:11:06:04 -0500] - All database threads now stopped
> [09/Nov/2015:11:06:04 -0500] - slapd stopped.
> [09/Nov/2015:11:14:20 -0500] - 389-Directory/1.2.11.15 B2015.247.1737 
> starting up
> [09/Nov/2015:11:14:20 -0500] - WARNING: userRoot: entry cache size 10485760B 
> is less than db size 28016640B; We recommend to increase the entry cache size 
> nsslapd-cachememsize.
> [09/Nov/2015:11:14:20 -0500] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests

Ok, that's good.

I'd do something like this to see what is in the db (substitute
example.com with your domain):

$ ldapsearch -x -D 'cn=Directory Manager' -W -s one -b cn=kerberos,dc=example,dc=com

(don't post the output as it would include the kerberos master key).

If that returns nothing that's bad.

If it succeeds I'd broaden the search base a bit to see what data you do
have:

$ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=groups,cn=accounts,dc=example,dc=com

I picked groups because usually groups << users in numbers. This is just
to see if you have data in the tree.

Let us know if either or both turns up nothing.

rob
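The two checks above, wrapped so that only entry counts are printed (this is an added example, not Rob's own script or anything from the FreeIPA project). Counting `dn:` lines is enough to tell an empty container from a populated one, and it keeps the cn=kerberos entries, master key included, off the terminal and out of any mail you paste. The `IPA_SUFFIX` variable, the function names and the `run` argument are assumptions of this example; substitute your own suffix for dc=example,dc=com.

```sh
#!/bin/sh
# Added example (not from the thread): run the two ldapsearch checks from
# the mail and report only how many entries each base DN holds. The
# cn=kerberos container contains the realm master key, so its attribute
# values are never echoed; only a count is shown.
#
# Assumption: the directory suffix comes from IPA_SUFFIX (default
# dc=example,dc=com). ldapsearch -W prompts for the Directory Manager
# password once per check.

IPA_SUFFIX="${IPA_SUFFIX:-dc=example,dc=com}"

# count_entries: read LDIF on stdin and print the number of entries.
# ldapsearch prints exactly one "dn:" line per returned entry, so counting
# those gives the entry count without touching any attribute values.
# grep -c exits 1 when the count is 0; "|| :" keeps the function status 0.
count_entries() {
  grep -c '^dn:' || :
}

# classify_count: turn an entry count into the verdict the mail describes
# ("If that returns nothing that's bad").
classify_count() {
  case "$1" in
    0) echo "EMPTY" ;;
    *) echo "OK ($1 entries)" ;;
  esac
}

# check_container: search one base DN with the given scope (one or sub)
# and print only the verdict for it. Needs a live directory server, so the
# offline test below exercises count_entries and classify_count only.
check_container() {
  base="$1"
  scope="$2"
  n=$(ldapsearch -x -D 'cn=Directory Manager' -W -s "$scope" -b "$base" | count_entries)
  echo "$base: $(classify_count "$n")"
}

# run_checks: the two searches in the order suggested in the mail. A
# one-level search of cn=kerberos covers the realm container the KDC driver
# reads; a subtree search of the groups container is a cheap test that the
# accounts tree has data at all (groups are usually far fewer than users).
run_checks() {
  check_container "cn=kerberos,${IPA_SUFFIX}" one
  check_container "cn=groups,cn=accounts,${IPA_SUFFIX}" sub
}

# Usage: IPA_SUFFIX=dc=yourdomain,dc=tld sh ipa-ldap-check.sh run
if [ "${1:-}" = "run" ]; then
  run_checks
fi
```

If both lines come back EMPTY, the KDC's "while fetching master key" error is explained by the directory rather than by Kerberos itself; if only cn=kerberos is empty, the accounts tree survived and the realm container is what needs attention.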

> 
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
> Sent: Monday, November 09, 2015 10:51 AM
> To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication 
> error)
> 
> On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote:
>> Hello all!
>>
>> On my replica IPA server, after fixing a cert issue that had been going on 
>> for some time, I have all my certs figured out but the krb5kdc service will 
>> not start.
>>
>> # service krb5kdc start
>> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm ITMODEV.GOV - see 
>> log file for details                  [FAILED]
>>
>> # cat /var/log/krb5kdc.log
>> krb5kdc: Server error - while fetching master key K/M for realm 
>> ITMODEV.GOV
>> krb5kdc: Server error - while fetching master key K/M for realm 
>> ITMODEV.GOV
>> krb5kdc: Server error - while fetching master key K/M for realm 
>> ITMODEV.GOV
>>
>> I found this article online:  
>> http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml
>>
>> Which stated it might be because the slave KDC does not have a stash 
>> file (.k5.EXAMPLE.COM) and you need to create one.  Tried the command
>> listed:
>>
>> # kdb5_util stash
>> kdb5_util: Server error while retrieving master entry
>>
>> No further information found on the preceding error above for the kdb5_util 
>> command.
>>
>> Any thoughts?
> First: don't use instructions which are not related to IPA, please.
> 
> FreeIPA has its own LDAP driver for KDC and instructions for anything else do 
> not apply here at all.
> 
> If you see 'Server error - while fetching master key ..' it means the KDC LDAP 
> driver was unable to contact the LDAP server. Does the LDAP server work on the 
> replica? What is in its error log (/var/log/dirsrv/slapd-ITMODEV-GOV/errors)?
> 
> --
> / Alexander Bokovoy
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project