[32977] in Kerberos
LDAP handle unavailable: Can't contact LDAP server
daemon@ATHENA.MIT.EDU (Kevin Longfellow)
Wed Dec 22 10:37:41 2010
Message-ID: <386163.46057.qm@web161309.mail.bf1.yahoo.com>
Date: Wed, 22 Dec 2010 07:37:35 -0800 (PST)
From: Kevin Longfellow <klongfel@yahoo.com>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,
Three KDCs are running MIT Kerberos 1.7.1 on RHEL 5u4 x86_64.
We use LDAP as the back end for all Kerberos principals. This morning all the
KDCs (three of them) appear to have lost connection to the LDAP server,
resulting in a complete loss of service. At first I thought it was an SSL
certificate issue (expired), but that appears not to be the case. It appears right
now that, whatever happened, once the krb5kdc process got into this state it
doesn't get out of it until a service restart. I left one of the KDCs in the
failed state, where it cannot service a kinit request. Is there any information
I can gather for someone to give me a better idea of what happened, so we can
prevent a future failure?
All three KDCs have messages like this around the same time:
Dec 22 11:31:49 adczaa98 krb5kdc[3564](info): AS_REQ (1 etypes {1})
10.87.129.29: LOOKING_UP_CLIENT: \n@DEV.COM for krbtgt/DEV.COM@DEV.COM, LDAP
handle unavailable: Can't contact LDAP server
I'm wondering if the principal coming through as \n may have caused this?
Once the KDC hit this failure, all subsequent kinit commands fail with the same
message (except with the correct principal name).
Thanks, Kevin
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
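
The following is an added example, not part of the original message or of MIT Kerberos: a log check that reports KDC hosts which started logging "LDAP handle unavailable" and never issued a ticket afterwards, and records whether the first failing request carried an unusual client name such as the `\n` seen above. The sample lines, host names, addresses and principals are constructed; the check only correlates log lines and does not establish what caused the failure.

```python
import re

# Constructed sample (hosts, IPs and principals are made up), modelled on the
# krb5kdc line quoted in the message. kdc2 recovers; kdc1 never issues again.
SAMPLE_LOG = r"""
Dec 22 11:31:40 kdc1 krb5kdc[3564](info): AS_REQ (1 etypes {1}) 10.0.0.5: ISSUE: authtime 1293017500, etypes {rep=1 tkt=1 ses=1}, alice@DEV.COM for krbtgt/DEV.COM@DEV.COM
Dec 22 11:31:49 kdc1 krb5kdc[3564](info): AS_REQ (1 etypes {1}) 10.0.0.9: LOOKING_UP_CLIENT: \n@DEV.COM for krbtgt/DEV.COM@DEV.COM, LDAP handle unavailable: Can't contact LDAP server
Dec 22 11:31:50 kdc2 krb5kdc[2211](info): AS_REQ (1 etypes {1}) 10.0.0.7: LOOKING_UP_CLIENT: carol@DEV.COM for krbtgt/DEV.COM@DEV.COM, LDAP handle unavailable: Can't contact LDAP server
Dec 22 11:32:10 kdc1 krb5kdc[3564](info): AS_REQ (1 etypes {1}) 10.0.0.5: LOOKING_UP_CLIENT: bob@DEV.COM for krbtgt/DEV.COM@DEV.COM, LDAP handle unavailable: Can't contact LDAP server
Dec 22 11:33:00 kdc2 krb5kdc[2211](info): AS_REQ (1 etypes {1}) 10.0.0.7: ISSUE: authtime 1293017580, etypes {rep=1 tkt=1 ses=1}, carol@DEV.COM for krbtgt/DEV.COM@DEV.COM
""".strip().splitlines()

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?:AS_REQ|TGS_REQ) \(.*?\) (?P<src>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# A client name with a backslash escape or any non-printable/non-ASCII byte.
ODD = re.compile(r"\\|[^\x21-\x7e]")


def scan(lines):
    """Return {host: info} for hosts still failing LDAP lookups at end of log."""
    stuck = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        host = m["host"]
        if m["status"] == "ISSUE":
            stuck.pop(host, None)  # a ticket was issued, so the back end answered
        elif "LDAP handle unavailable" in m["rest"]:
            c = re.search(r"(\S+) for ", m["rest"])
            client = c.group(1) if c else "?"
            info = stuck.setdefault(host, {"since": m["ts"], "src": m["src"],
                                           "first_client": client, "failures": 0})
            info["failures"] += 1
    for info in stuck.values():
        info["odd_first_client"] = bool(ODD.search(info["first_client"]))
    return stuck


if __name__ == "__main__":
    for host, info in scan(SAMPLE_LOG).items():
        print(host, info)
```

Run against the real krb5kdc log of each KDC, a host that remains in the result long after the LDAP server is reachable again matches the "stuck until restart" behaviour described in the message.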