LDAP and Kerberos Startup
Tom Parker
tparker at cbnco.com
Thu Jan 20 11:50:14 EST 2011
Good Morning
I have an issue with my LDAP/Kerberos setup on one of my production
servers. Log snippets are below.
On boot LDAP starts and begins its initialization process. The init
script returns success 13 seconds later, but as seen in the logs below
slapd does not actually start accepting connections until 4 seconds
after the init script returns.
In these 4 seconds, krb5kdc tries to start, cannot connect to the ldap
server and dies. kadmind does the same.
08:15:42 - LDAP starting
08:15:55 - LDAP init script returns success
08:15:56 - krb5kdc starting (returns success but then fails)
08:15:57 - kadmind starting (fails)
08:15:59 - SLAPD started (accepting requests)
Is there a way to set a number of retries before krb5kdc will exit? Or
if not, does the Kerberos community have a workaround that does not
involve setting fixed sleep times in the init scripts?
Thanks
Tom Parker
Jan 20 08:15:53 aruauth1 slapd[2049]: @(#) $OpenLDAP: slapd 2.4.20 (Jun 16 2010 10:21:06) $
abuild at anonymi:/usr/src/packages/BUILD/openldap-2.4.20/servers/slapd
Jan 20 08:15:55 aruauth1 sshd[2263]: Server listening on 0.0.0.0 port 22.
Jan 20 08:15:58 aruauth1 slapd[2049]: daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
Jan 20 08:15:58 aruauth1 slapd[2049]: daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
Jan 20 08:15:58 aruauth1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan 20 08:15:58 aruauth1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan 20 08:15:58 aruauth1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan 20 08:15:58 aruauth1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan 20 08:15:58 aruauth1 slapd[2532]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Jan 20 08:15:59 aruauth1 slapd[2532]: slapd starting
<notice -- Jan 20 08:15:42.400699000> ldap start
Starting ldap-server
<notice -- Jan 20 08:15:42.792879000> startproc: execve (/usr/lib/openldap/slapd) [ /usr/lib/openldap/slapd -h ldap:// ldaps:// ldapi:// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off ], [ CONSOLE=/dev/console SELINUX_INIT=YES ROOTFS_FSTYPE=ext3 SHELL=/bin/sh TERM=linux ROOTFS_FSCK=0 LC_ALL=POSIX INIT_VERSION=sysvinit-2.86 REDIRECT=/dev/tty1 COLUMNS=100 PATH=/bin:/sbin:/usr/bin:/usr/sbin DO_CONFIRM= RUNLEVEL=3 resume=/dev/xvdb1 PWD=/ SPLASHCFG= PREVLEVEL=N LINES=37 HOME=/ SHLVL=2 splash=silent SPLASH=no ROOTFS_BLKDEV=/dev/xvda1 _=/sbin/startproc DAEMON=/usr/lib/openldap/slapd ]
done
<notice -- Jan 20 08:15:55.124334000> 'ldap start' exits with status 0
<notice -- Jan 20 08:15:56.738280000> krb5kdc start
Starting Kerberos 5 KDC
<notice -- Jan 20 08:15:56.853368000> startproc: execve (/usr/lib/mit/sbin/krb5kdc) [ /usr/lib/mit/sbin/krb5kdc ], [ CONSOLE=/dev/console SELINUX_INIT=YES ROOTFS_FSTYPE=ext3 SHELL=/bin/sh TERM=linux ROOTFS_FSCK=0 LC_ALL=POSIX INIT_VERSION=sysvinit-2.86 REDIRECT=/dev/tty1 COLUMNS=100 PATH=/bin:/sbin:/usr/bin:/usr/sbin DO_CONFIRM= RUNLEVEL=3 resume=/dev/xvdb1 PWD=/ SPLASHCFG= PREVLEVEL=N LINES=37 HOME=/ SHLVL=2 splash=silent SPLASH=no ROOTFS_BLKDEV=/dev/xvda1 _=/sbin/startproc DAEMON=/usr/lib/mit/sbin/krb5kdc ]
done
<notice -- Jan 20 08:15:56.980293000> 'krb5kdc start' exits with status 0
<notice -- Jan 20 08:15:57.265535000> kadmind start
Starting Kerberos 5 Admin Server
<notice -- Jan 20 08:15:57.384954000> startproc: execve (/usr/lib/mit/sbin/kadmind) [ /usr/lib/mit/sbin/kadmind ], [ CONSOLE=/dev/console SELINUX_INIT=YES ROOTFS_FSTYPE=ext3 SHELL=/bin/sh TERM=linux ROOTFS_FSCK=0 LC_ALL=POSIX INIT_VERSION=sysvinit-2.86 REDIRECT=/dev/tty1 COLUMNS=100 PATH=/bin:/sbin:/usr/bin:/usr/sbin DO_CONFIRM= RUNLEVEL=3 resume=/dev/xvdb1 PWD=/ SPLASHCFG= PREVLEVEL=N LINES=37 HOME=/ SHLVL=2 splash=silent SPLASH=no ROOTFS_BLKDEV=/dev/xvda1 _=/sbin/startproc DAEMON=/usr/lib/mit/sbin/kadmind ]
kadmind: Can't contact LDAP server while initializing, aborting
failed
krb5kdc: cannot initialize realm XX.XX.XXX - see log file for details
The log says
krb5kdc: Can't contact LDAP server - while initializing database for realm AW.LS.CBN
krb5kdc: Can't contact LDAP server - while initializing database for realm AW.LS.CBN
krb5kdc: Can't contact LDAP server - while initializing database for realm AW.LS.CBN
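As an added example, not from the original post or from the MIT Kerberos or OpenLDAP projects, here is the retry-based workaround the question asks about: the init script polls slapd until it actually answers a query, instead of trusting the ldap init script's exit status (which the logs above show returning four seconds before "slapd starting") or sleeping a fixed time. The function name `wait_for_ready`, the variable `LDAP_PROBE`, the retry counts and the use of `ldapsearch` over the `ldapi:///` socket are my assumptions; the probe only reads the rootDSE, which slapd normally allows anonymously, so it needs no credentials.

```shell
#!/bin/sh
# Added example (not part of the original post): gate krb5kdc/kadmind startup
# on slapd really accepting connections, with bounded retries instead of sleep N.
# Assumptions: ldapsearch (openldap clients) is installed and slapd was started
# with -h ldapi:// so the default local socket answers ldapi:///.

# wait_for_ready PROBE MAX_TRIES INTERVAL
# Runs PROBE (a shell command string) up to MAX_TRIES times, sleeping INTERVAL
# seconds between failed attempts. Returns 0 as soon as PROBE succeeds and 1
# once the retries are exhausted, so the caller can refuse to start.
wait_for_ready() {
    probe=$1
    max_tries=${2:-30}
    interval=${3:-1}
    n=0
    while [ "$n" -lt "$max_tries" ]; do
        if sh -c "$probe" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    return 1
}

# Probe: anonymous base-scope read of the rootDSE over the local ldapi socket.
# -x simple bind, -s base -b "" rootDSE only, 1.1 requests no attributes,
# nettimeout bounds each attempt so a half-initialised slapd cannot hang us.
# While slapd is still initialising this fails with "Can't contact LDAP server",
# the same error krb5kdc and kadmind report in the logs above.
LDAP_PROBE='ldapsearch -x -H ldapi:/// -o nettimeout=2 -s base -b "" 1.1'

# Usage inside the krb5kdc init script, just before startproc is invoked
# (up to 30 attempts, 1 s apart):
#   wait_for_ready "$LDAP_PROBE" 30 1 || {
#       echo "slapd not accepting connections, not starting krb5kdc" >&2
#       exit 1
#   }
```

Because the probe is an arbitrary command string, the same function works for kadmind, or for any other service whose dependency reports ready before it is usable; the bounded retry count keeps a genuinely broken slapd from stalling the boot indefinitely.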