Re: [Freeipa-users] What happened to my {cacert,kdc}.pem files?

Tue, 09 Jul 2013 08:33:51 -0700 

Brian Vetter wrote:

We had to shut down our FREEIPA server and move it. When I brought it back up 
again today (all same IPs, network, etc), it failed to come up. I see lots of  
various forms of the following messages when trying to start the ipa, named, 
and other services:



What do you mean by move it? Physically move a machine or did you try to 
move the configuration?


rob



"Failed to init credentials (Cannot contact any KDC for realm ..."
"startup - The default password storage scheme SSHA could not be read or was not 
found in the file /etc/dirsrv/slapd-TESTREALM.COM/dse.ldif. It is mandatory."
"startup - The default password storage scheme SSHA could not be read or was not 
found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory."
"krb5kdc: Server error - while fetching master key K/M for realm TESTREALM.COM"
"kinit: Cannot contact any KDC for realm 'TESTREALM.COM' while getting initial 
credentials"


From what I can surmise after seeing these, something in kerberos is messed up. 
I don't know for sure if it is related, but I see that the files referenced in 
/var/kerberos/krb5kdc/kdc.conf are not there. In particular,


pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem

If this is likely the case (or perhaps just the first thing I've run into that is wrong), how do I 
go about recovering them? I've tried (with fingers crossed) "yum reinstall 
freeipa-server" and "yum update freeipa-server" hoping that they'd see the need to 
fix this. They didn't. Still get the same errors.

Is there some backdoor way to recreate these files from elsewhere in the 
install? Perhaps buried in the 389 directory server's database and accessible 
using db4.4_dump or some other tools? If there is no way to recreate them, is 
there a way to reassert new keys without having to start all over? And if I 
have to start all over, is there anyway to extract some of the records from the 
dir DB so I can reload them with a new server?

Thanks for any suggestions/guidance,

Brian


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






















					Reply via email to