PID file ... not readable (yet?)
Jaap Winius
jwinius at umrk.nl
Sun Nov 5 05:36:43 EST 2017
Hi folks,
My network uses KDCs with OpenLDAP backends that run on Debian wheezy.
That's all been working fine for a long time now, but earlier this
year I tried and failed to add a KDC with an OpenLDAP backend based on
Debian stretch (it runs, but can't authenticate properly to the KDC
master -- see thread "KDC 1.15 startup error: Invalid credentials -
while initializing database" starting 13 April 2017). I then set up
another KDC with an OpenLDAP backend based on Debian jessie and that
worked. However, one thing I believe I failed to mention in those
earlier posts was this startup error:
systemd[1]: krb5-kdc.service: PID file /run/krb5-kdc.pid \
not readable (yet?) after start: No such file or directory
Perhaps I didn't mention it because the PID file never fails to appear
and always contains the correct PID, but apparently it does not appear
quickly enough. Does anyone know how to prevent this error? It's not
generated on the jessie system.
The krb5-kdc.service file for my stretch system is as follows:
[Unit]
Description=Kerberos 5 Key Distribution Center
[Service]
Type=forking
PIDFile=/run/krb5-kdc.pid
ExecReload=/bin/kill -HUP $MAINPID
EnvironmentFile=-/etc/default/krb5-kdc
ExecStart=/usr/sbin/krb5kdc -P /run/krb5-kdc.pid $DAEMON_ARGS
InaccessibleDirectories=-/etc/ssh -/etc/ssl/private /root
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log/krb5
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
Just today I moved krb5-kdc.service from /lib/systemd/system/ to
/etc/systemd/system/ after modifying it to add the log directory and
ran a "systemctl daemon-reload". I even ensured that the PIDFILE
setting in /etc/init.d/krb5-kdc points to the same name --
/run/krb5-kdc.pid -- but the result remains the same (although I
suspect that in this case /etc/init.d/krb5-kdc is ignored).
So, any idea how to prevent this PID file error?
Thanks,
Jaap