View Issue Details

ID: 0007784
Project: CentOS-7
Category: krb5
View Status: public
Last Update: 2014-10-27 14:20
Reporter: ktdreyer
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: x64
OS: Linux
OS Version: C7
Product Version: 7.0-1406

Summary: 0007784: krb5kdc fails to start on boot when using local LDAP backend

Description: When running krb5kdc with an OpenLDAP backend (slapd is on the same server), the krb5kdc service will start before slapd is up, which causes krb5kdc to fail during the boot process. It is necessary to restart the krb5kdc service after each reboot.

Steps To Reproduce:
1. Install/configure OpenLDAP's slapd.
2. Install/configure KDC to use the LDAP backend.
3. Confirm that the KDC is working and able to start properly (systemctl start krb5kdc && systemctl status krb5kdc). kinit works, etc.
4. Confirm that both services are enabled in systemd (systemctl enable krb5kdc && systemctl enable slapd).
5. Reboot the system.

After the reboot, slapd will have started, but krb5kdc will have tried to start and failed. The error in /var/log/krb5kdc.log is:

  krb5kdc: Can't contact LDAP server - while initializing database for realm EXAMPLE.COM

To fix this, simply restart the krb5kdc service:

  systemctl restart krb5kdc

And the KDC will be able to talk to slapd without issue.

Additional Information: I'm using the following versions:

krb5-server-1.11.3-49.el7.x86_64
openldap-servers-2.4.39-3.el7.x86_64

Changing the "After=" line in /usr/lib/systemd/system/krb5kdc.service from

  After=syslog.target network.target

to

  After=syslog.target network.target slapd.service

allows the KDC to start successfully on boot.

Tags: No tags attached.

Activities

ktdreyer

2014-10-24 15:34

reporter   ~0021382

Cross-filed at https://bugzilla.redhat.com/1156512 for Fedora Rawhide, since the krb5kdc.service file has the same issue.

ktdreyer

2014-10-27 14:20

reporter   ~0021405

For posterity, in my own setup, I've added the following file:

  cat /etc/systemd/system/krb5kdc.service.d/ldap.conf
  [Unit]
  After=syslog.target network.target slapd.service

This causes the setting to persist after krb5-server upgrades.
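
Added example, not part of the report or of the krb5-server package: a static check that a unit is ordered after slapd.service, reading the packaged unit file together with its drop-in directory. The function names and the sample tree are constructed for illustration; only the two After= lines come from the report.

```shell
#!/bin/sh
# Added example (not from the report): static check that krb5kdc is ordered
# after slapd, reading the packaged unit file plus any drop-ins.

# Print every unit named by After= in the [Unit] section of the given files.
after_units() {
    awk '
        /^[ \t]*\[/ { in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/); next }
        in_unit && /^[ \t]*After[ \t]*=/ {
            sub(/^[^=]*=/, "")          # keep only the value
            n = split($0, names)        # default FS: split on whitespace
            for (i = 1; i <= n; i++) print names[i]
        }
    ' "$@"
}

# Exit status 0 if UNIT_FILE or any *.conf in DROPIN_DIR lists TARGET in After=.
# systemd adds After= entries from drop-ins to those of the unit file, so
# checking the union of all files is enough. After= only orders start-up;
# it does not by itself cause TARGET to be started.
ordered_after() {
    unit_file=$1; dropin_dir=$2; target=$3
    set -- "$unit_file"
    for f in "$dropin_dir"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    after_units "$@" | grep -qxF "$target"
}

# Constructed sample tree: the packaged After= line and the drop-in quoted above.
make_sample() {
    mkdir -p "$1/krb5kdc.service.d"
    printf '[Unit]\nAfter=syslog.target network.target\n' > "$1/krb5kdc.service"
    printf '[Unit]\nAfter=syslog.target network.target slapd.service\n' \
        > "$1/krb5kdc.service.d/ldap.conf"
}

sample=$(mktemp -d)
make_sample "$sample"
for dir in "$sample/no-dropins" "$sample/krb5kdc.service.d"; do
    if ordered_after "$sample/krb5kdc.service" "$dir" slapd.service; then
        echo "$dir: krb5kdc is ordered after slapd.service"
    else
        echo "$dir: no ordering, krb5kdc may start before slapd"
    fi
done
rm -rf "$sample"
```

On a real host the same check would be pointed at /usr/lib/systemd/system/krb5kdc.service and /etc/systemd/system/krb5kdc.service.d, the two paths named in the report.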

Issue History

Date Modified Username Field Change
2014-10-24 15:24 ktdreyer New Issue
2014-10-24 15:34 ktdreyer Note Added: 0021382
2014-10-27 14:20 ktdreyer Note Added: 0021405