LDAP handle unavailable: Can't contact LDAP server

Kevin Longfellow klongfel at yahoo.com
Wed Dec 22 10:37:35 EST 2010


Hi,

Three KDCs are running MIT Kerberos 1.7.1 on RHEL 5u4 x86_64

We use LDAP as the back end for all Kerberos principals. This morning all the
KDCs (three of them) appear to have lost connection to the LDAP server,
resulting in a complete loss of service. At first I thought it was an SSL
certificate issue (expired), but that appears not to be the case. It appears right
now that, whatever happened, once the krb5kdc process got into this state it
doesn't get out of it until a service restart. I left one of the KDCs in the
failed state where it cannot service a kinit request. Is there any information
I can gather for someone to give me a better idea what happened, so we can
prevent a future failure?

All three KDCs have messages like this around the same time:

Dec 22 11:31:49 adczaa98 krb5kdc[3564](info): AS_REQ (1 etypes {1}) 
10.87.129.29: LOOKING_UP_CLIENT: \n at DEV.COM for krbtgt/DEV.COM at DEV.COM, LDAP 
handle unavailable:  Can't contact LDAP server

I'm wondering if the principal coming through as \n may have caused this?

Once the KDC hit this failure, all subsequent kinit commands fail with the same
message (except for the correct principal name).

Thanks, Kevin
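The post asks what can be gathered to spot this condition before it becomes a full outage. The following is an added monitoring example, not code from the post or from MIT Kerberos: it parses krb5kdc syslog lines in the format quoted above and flags any KDC host whose requests since its last successful ticket issue have all failed with "LDAP handle unavailable", which is the stuck-until-restart state described. The log lines are constructed samples modelled on the one in the post (the second KDC hostname `kdc-b` and the principal names are invented), and the `@` in principal names is written as it appears in a real log rather than the archive's " at " obfuscation.

```python
"""Detect a krb5kdc that is stuck with 'LDAP handle unavailable' errors.

Added example (not from the original post or the krb5 project). Parses
krb5kdc syslog lines and counts, per KDC host, consecutive LDAP-handle
failures since the last successful ISSUE line. Sample log lines below are
constructed, modelled on the format quoted in the post.
"""
import re
from typing import Dict, List, Optional

# "<Mon DD HH:MM:SS> <host> krb5kdc[<pid>](<level>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# "LOOKING_UP_CLIENT: <client> for <server>, <error text>"
CLIENT_RE = re.compile(
    r"LOOKING_UP_CLIENT: (?P<client>.+?) for (?P<server>\S+?), (?P<error>.*)$"
)
LDAP_HANDLE_ERROR = "LDAP handle unavailable"

# Constructed sample lines. The "\\n" in the second line reproduces the
# literal backslash-n client name shown in the post.
SAMPLE_LOG: List[str] = [
    "Dec 22 11:30:12 adczaa98 krb5kdc[3564](info): AS_REQ (1 etypes {1}) 10.87.129.29: "
    "ISSUE: authtime 1293035412, etypes {rep=1 tkt=1 ses=1}, alice@DEV.COM for krbtgt/DEV.COM@DEV.COM",
    "Dec 22 11:31:49 adczaa98 krb5kdc[3564](info): AS_REQ (1 etypes {1}) 10.87.129.29: "
    "LOOKING_UP_CLIENT: \\n@DEV.COM for krbtgt/DEV.COM@DEV.COM, LDAP handle unavailable:  Can't contact LDAP server",
    "Dec 22 11:32:05 adczaa98 krb5kdc[3564](info): AS_REQ (1 etypes {1}) 10.87.129.30: "
    "LOOKING_UP_CLIENT: bob@DEV.COM for krbtgt/DEV.COM@DEV.COM, LDAP handle unavailable:  Can't contact LDAP server",
    "Dec 22 11:32:40 adczaa98 krb5kdc[3564](info): AS_REQ (1 etypes {1}) 10.87.129.31: "
    "LOOKING_UP_CLIENT: carol@DEV.COM for krbtgt/DEV.COM@DEV.COM, LDAP handle unavailable:  Can't contact LDAP server",
    "Dec 22 11:32:41 kdc-b krb5kdc[2210](info): AS_REQ (1 etypes {1}) 10.87.129.32: "
    "LOOKING_UP_CLIENT: dave@DEV.COM for krbtgt/DEV.COM@DEV.COM, LDAP handle unavailable:  Can't contact LDAP server",
    "Dec 22 11:33:02 kdc-b krb5kdc[2210](info): AS_REQ (1 etypes {1}) 10.87.129.32: "
    "ISSUE: authtime 1293035582, etypes {rep=1 tkt=1 ses=1}, dave@DEV.COM for krbtgt/DEV.COM@DEV.COM",
]


def parse_kdc_line(line: str) -> Optional[dict]:
    """Split one krb5kdc syslog line into fields; None if it is not a KDC line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ldap_handle_error"] = LDAP_HANDLE_ERROR in rec["msg"]
    cm = CLIENT_RE.search(rec["msg"])
    rec["client"] = cm.group("client") if cm else None
    rec["error"] = cm.group("error") if cm else None
    return rec


def odd_client_name(rec: dict) -> bool:
    """True if the logged client name contains a backslash escape (e.g. '\\n'),
    which is worth correlating with the first failure, as the post wonders."""
    return bool(rec.get("client")) and "\\" in rec["client"]


def consecutive_ldap_failures(lines: List[str]) -> Dict[str, int]:
    """Per KDC host: number of LDAP-handle failures since its last successful ISSUE.
    A count that keeps growing while the LDAP server answers other clients
    points at a dead handle inside krb5kdc rather than a live LDAP outage."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        host = rec["host"]
        if rec["ldap_handle_error"]:
            counts[host] = counts.get(host, 0) + 1
        elif "ISSUE:" in rec["msg"]:
            counts[host] = 0  # a successful issue proves the handle works again
    return counts


def stuck_kdcs(lines: List[str], threshold: int = 3) -> List[str]:
    """Hosts whose last `threshold` or more requests all failed on the LDAP handle."""
    return sorted(h for h, n in consecutive_ldap_failures(lines).items() if n >= threshold)


if __name__ == "__main__":
    for host, n in consecutive_ldap_failures(SAMPLE_LOG).items():
        print(f"{host}: {n} consecutive LDAP handle failures")
    print("stuck KDCs:", stuck_kdcs(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        rec = parse_kdc_line(line)
        if rec and odd_client_name(rec):
            print("unusual client name at", rec["ts"], "on", rec["host"], repr(rec["client"]))
```

Feeding the real `/var/log/krb5kdc.log` (or the syslog facility the KDC writes to) into `stuck_kdcs` from a cron job or monitoring check gives an alert the moment a KDC stops recovering, instead of waiting for users to report failed kinits; pairing it with an independent `ldapsearch` probe against the same LDAP server distinguishes a genuine LDAP outage from a KDC that is holding a dead handle.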
