Good Morning,

I have an issue with my LDAP/Kerberos setup on one of my production servers. Log snippets are below.

On boot LDAP starts and begins its initialization process. The init script returns success 13 seconds later, but as seen in the logs below slapd does not actually start accepting connections until 4 seconds after the init script returns. In these 4 seconds, krb5kdc tries to start, cannot connect to the LDAP server and dies. kadmind does the same.

08:15:42 - LDAP starting
08:15:55 - LDAP init script returns success
08:15:56 - krb5kdc starting (returns success but then fails)
08:15:57 - kadmind starting (fails)
08:15:59 - SLAPD started (accepting requests)

Is there a way to set a number of retries before krb5kdc will exit? Or if not, does the Kerberos community have a workaround that does not involve setting fixed sleep times in the init scripts?

Thanks
Tom Parker

Jan 20 08:15:53 aruauth1 slapd[2049]: @(#) $OpenLDAP: slapd 2.4.20 (Jun 16 2010 10:21:06) $ abuild@anonymi:/usr/src/packages/BUILD/openldap-2.4.20/servers/slapd
Jan 20 08:15:55 aruauth1 sshd[2263]: Server listening on 0.0.0.0 port 22.
Jan 20 08:15:58 aruauth1 slapd[2049]: daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
Jan 20 08:15:58 aruauth1 slapd[2049]: daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
Jan 20 08:15:58 aruauth1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan 20 08:15:58 aruauth1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan 20 08:15:58 aruauth1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan 20 08:15:58 aruauth1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan 20 08:15:58 aruauth1 slapd[2532]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Jan 20 08:15:59 aruauth1 slapd[2532]: slapd starting

<notice -- Jan 20 08:15:42.400699000> ldap start
Starting ldap-server
<notice -- Jan 20 08:15:42.792879000> startproc: execve (/usr/lib/openldap/slapd) [ /usr/lib/openldap/slapd -h ldap:// ldaps:// ldapi:// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off ], [ CONSOLE=/dev/console SELINUX_INIT=YES ROOTFS_FSTYPE=ext3 SHELL=/bin/sh TERM=linux ROOTFS_FSCK=0 LC_ALL=POSIX INIT_VERSION=sysvinit-2.86 REDIRECT=/dev/tty1 COLUMNS=100 PATH=/bin:/sbin:/usr/bin:/usr/sbin DO_CONFIRM= RUNLEVEL=3 resume=/dev/xvdb1 PWD=/ SPLASHCFG= PREVLEVEL=N LINES=37 HOME=/ SHLVL=2 splash=silent SPLASH=no ROOTFS_BLKDEV=/dev/xvda1 _=/sbin/startproc DAEMON=/usr/lib/openldap/slapd ]
done
<notice -- Jan 20 08:15:55.124334000> 'ldap start' exits with status 0
<notice -- Jan 20 08:15:56.738280000> krb5kdc start
Starting Kerberos 5 KDC
<notice -- Jan 20 08:15:56.853368000> startproc: execve (/usr/lib/mit/sbin/krb5kdc) [ /usr/lib/mit/sbin/krb5kdc ], [ CONSOLE=/dev/console SELINUX_INIT=YES ROOTFS_FSTYPE=ext3 SHELL=/bin/sh TERM=linux ROOTFS_FSCK=0 LC_ALL=POSIX INIT_VERSION=sysvinit-2.86 REDIRECT=/dev/tty1 COLUMNS=100 PATH=/bin:/sbin:/usr/bin:/usr/sbin DO_CONFIRM= RUNLEVEL=3 resume=/dev/xvdb1 PWD=/ SPLASHCFG= PREVLEVEL=N LINES=37 HOME=/ SHLVL=2 splash=silent SPLASH=no ROOTFS_BLKDEV=/dev/xvda1 _=/sbin/startproc DAEMON=/usr/lib/mit/sbin/krb5kdc ]
done
<notice -- Jan 20 08:15:56.980293000> 'krb5kdc start' exits with status 0
<notice -- Jan 20 08:15:57.265535000> kadmind start
Starting Kerberos 5 Admin Server
<notice -- Jan 20 08:15:57.384954000> startproc: execve (/usr/lib/mit/sbin/kadmind) [ /usr/lib/mit/sbin/kadmind ], [ CONSOLE=/dev/console SELINUX_INIT=YES ROOTFS_FSTYPE=ext3 SHELL=/bin/sh TERM=linux ROOTFS_FSCK=0 LC_ALL=POSIX INIT_VERSION=sysvinit-2.86 REDIRECT=/dev/tty1 COLUMNS=100 PATH=/bin:/sbin:/usr/bin:/usr/sbin DO_CONFIRM= RUNLEVEL=3 resume=/dev/xvdb1 PWD=/ SPLASHCFG= PREVLEVEL=N LINES=37 HOME=/ SHLVL=2 splash=silent SPLASH=no ROOTFS_BLKDEV=/dev/xvda1 _=/sbin/startproc DAEMON=/usr/lib/mit/sbin/kadmind ]
kadmind: Can't contact LDAP server while initializing, aborting
failed
krb5kdc: cannot initialize realm XX.XX.XXX - see log file for details

The log says

krb5kdc: Can't contact LDAP server - while initializing database for realm AW.LS.CBN
krb5kdc: Can't contact LDAP server - while initializing database for realm AW.LS.CBN
krb5kdc: Can't contact LDAP server - while initializing database for realm AW.LS.CBN

________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
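A readiness gate that avoids the fixed sleep the question asks about: poll slapd until it actually answers a query, and only then start krb5kdc. This is an added example, not code from the post or from the MIT Kerberos or OpenLDAP projects; the ldapi:/// probe assumes the ldapi:// listener shown on the slapd command line in the boot log, and the placement inside the init script is assumed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: gate the KDC start on
# slapd actually answering, instead of a fixed "sleep N" in the init script.

# wait_for_ldap PROBE MAX_ATTEMPTS INTERVAL
#   PROBE         shell command that exits 0 once slapd is serving requests
#   MAX_ATTEMPTS  how many times to run PROBE before giving up
#   INTERVAL      seconds to wait between attempts
# Returns 0 as soon as PROBE succeeds, 1 if every attempt failed.
wait_for_ldap() {
    probe=$1
    max_attempts=${2:-30}
    interval=${3:-1}
    attempt=1
    while [ "$attempt" -le "$max_attempts" ]; do
        if eval "$probe" >/dev/null 2>&1; then
            return 0
        fi
        if [ "$attempt" -lt "$max_attempts" ]; then
            sleep "$interval"
        fi
        attempt=$((attempt + 1))
    done
    return 1
}

# Probe for the real server: an anonymous RootDSE read over the ldapi://
# socket that the slapd command line in the post listens on. ldapsearch
# exits non-zero while the socket is absent or slapd is still initializing
# (the "Can't contact LDAP server" window), and 0 once the directory answers.
LDAP_PROBE='ldapsearch -x -LLL -H ldapi:/// -s base -b "" namingContexts'

# Assumed placement in the krb5kdc (and kadmind) init script, just before
# the startproc call shown in the boot log:
#
#   if wait_for_ldap "$LDAP_PROBE" 30 1; then
#       startproc /usr/lib/mit/sbin/krb5kdc
#   else
#       echo "slapd not answering after 30 attempts; krb5kdc not started" >&2
#       exit 1
#   fi
```

If the directory refuses anonymous reads, give the probe a bind identity (-D/-y with a credentials file) or treat any ldapsearch exit code other than 255 (LDAP_SERVER_DOWN) as "up", since a protocol-level refusal still proves slapd is accepting connections.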
