[Freeipa-users] Unable to start the krb5kdc

Simo Sorce ssorce at redhat.com
Tue Jan 25 19:44:54 UTC 2011


On Tue, 25 Jan 2011 14:33:14 -0500
James Roman <james.roman at ssaihq.com> wrote:

> On 01/25/2011 12:42 PM, Simo Sorce wrote:
> > On Tue, 25 Jan 2011 12:04:25 -0500
> > James Roman <james.roman at ssaihq.com> wrote:
> >
> >> I noticed today that one of our FreeIPA 1.2.2 servers has stopped
> >> issuing tickets. When I attempt to restart all the IPA services the
> >> krb5kdc service failed to restart with the following error:
> >>
> >> krb5kdc: Unable to access Kerberos database - while initializing
> >> database for realm DOMAIN.COM
> >>
> >> I don't see any issues with the local LDAP database, or the kdc
> >> account in the LDAP database. I suspect the problem is with the
> >> ticket granting ticket on the problem server, but am unsure how to
> >> go about validating this assertion. I have not tried to restart
> >> the ipa services on the working server for fear that it might stop
> >> working.
> > Do you see errors in /var/log/krb5kdc.log?
> >
> > Simo.
> >
> The error above is the only one that repeats in the krb5kdc.log when
> I attempt to restart the krb5kdc service. The actual error that is
> shown in standard out is:
> 
> Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm DOMAIN.COM
> - see log file for details

OK, can you check the dirsrv logs and see if the KDC is actually trying
(and perhaps getting auth refused) at all?

/var/log/dirsrv/slapd-DOMAIN-COM/access should show your KDC attempts
to access the LDAP server and bind as the uid=kdc..... user.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
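
Added example, not part of the original message or of FreeIPA: one way to run the check described above, pairing each BIND for a `uid=kdc,` DN in the dirsrv access log with its RESULT code. It assumes the usual 389 Directory Server access-log line layout; the log lines and the DN suffix after `uid=kdc,` are constructed placeholders.

```python
import re

# Constructed sample in 389 Directory Server access-log layout. The DN
# suffix after "uid=kdc," is a placeholder, not the real FreeIPA entry.
SAMPLE_LOG = '''\
[25/Jan/2011:14:20:01 -0500] conn=12 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[25/Jan/2011:14:20:01 -0500] conn=12 op=0 BIND dn="uid=kdc,cn=placeholder,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:14:20:01 -0500] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[25/Jan/2011:14:20:05 -0500] conn=13 op=0 BIND dn="uid=admin,cn=placeholder,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:14:20:05 -0500] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[25/Jan/2011:14:21:10 -0500] conn=14 op=0 BIND dn="uid=kdc,cn=placeholder,dc=domain,dc=com" method=128 version=3
[25/Jan/2011:14:21:10 -0500] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+)')

def kdc_binds(lines, dn_prefix="uid=kdc,"):
    """Return (timestamp, dn, err) per KDC bind; err is None if no RESULT was logged."""
    pending, found = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # lines without conn=/op= (e.g. connection open) are skipped
        key = (m["conn"], m["op"])  # a RESULT shares conn and op with its request
        bind = BIND.match(m["rest"])
        if bind:
            if bind["dn"].lower().startswith(dn_prefix):
                pending[key] = (m["ts"], bind["dn"])
            continue
        result = RESULT.match(m["rest"])
        if result and key in pending:
            ts, dn = pending.pop(key)
            found.append((ts, dn, int(result["err"])))
    # Binds that never received a RESULT line are reported with err=None.
    found.extend((ts, dn, None) for ts, dn in pending.values())
    return found

if __name__ == "__main__":
    names = {0: "success", 49: "invalid credentials (auth refused)", None: "no RESULT logged"}
    for ts, dn, err in kdc_binds(SAMPLE_LOG.splitlines()):
        print(f"{ts}  {dn}  {names.get(err, f'err={err}')}")
```

An empty result means the KDC never attempted a bind in the logged period; LDAP result code 49 is the "auth refused" case.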



