freeipa问题:freeipa无法重启

freeipa问题:freeipa无法重启

  • 重启freeipa的原因
    ldap 服务器挂了
    我执行了 ipactl restart
    但是 krb5kdc 和 kadmin 这两个服务没办法重启
    一直报 kerberos 数据库不存在

  • 解决方式
    我们的配置管理系统把这台 freeipa-server 上的 /etc/krb5.conf 覆盖成了 ipa 客户端的配置文件

 cat /etc/krb5.conf
# Client-style /etc/krb5.conf as found on the IPA server after configuration
# management rewrote it. It only carries library defaults and realm/KDC lookup
# data; there is no [dbmodules] or [plugins] section, so krb5kdc/kadmin started
# against this file have no ipadb (LDAP) backend to open.
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WORMPEX.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 # per-uid credential cache in the kernel keyring
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 WORMPEX.COM = {
  kdc = ipa5.sys.ops.bj2.wormpex.com:88
  master_kdc = ipa5.sys.ops.bj2.wormpex.com:88
  admin_server = ipa5.sys.ops.bj2.wormpex.com:749
  default_domain = wormpex.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

freeipa-server 的 /etc/krb5.conf 应该是

# Server-side /etc/krb5.conf expected on a freeipa-server. Everything through
# [realms] is the same as the client file; the [domain_realm], [dbmodules] and
# [plugins] sections below are what krb5kdc/kadmin need to start.
# NOTE(review): on IPA servers this file must be excluded from (or templated
# separately in) the client krb5.conf managed by configuration management,
# otherwise the server-only sections get dropped again.
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WORMPEX.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 # per-uid credential cache in the kernel keyring
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 WORMPEX.COM = {
  kdc = ipa5.sys.ops.bj2.wormpex.com:88
  master_kdc = ipa5.sys.ops.bj2.wormpex.com:88
  admin_server = ipa5.sys.ops.bj2.wormpex.com:749
  default_domain = wormpex.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

# host/domain -> realm mapping, including the IPA server's own hostname
[domain_realm]
 .wormpex.com = WORMPEX.COM
 wormpex.com = WORMPEX.COM
 ipa5.sys.ops.bj2.wormpex.com = WORMPEX.COM

# Points krb5kdc/kadmin at the IPA LDAP backend (ipadb.so). Without this
# section the daemons look for a native Kerberos database, which does not
# exist on an IPA server, and fail with "database does not exist".
[dbmodules]
  WORMPEX.COM = {
    db_library = ipadb.so
  }

# certauth is served by the same ipadb module (presumably for PKINIT
# certificate-to-principal authorization — confirm against the IPA docs).
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
  • 问题原因
    freeipa 是 ldap 和 kerberos 的组合：数据存储在 ldap 中，认证由 kerberos 负责。原生 kerberos 有自己的数据库，而 freeipa 里的 kerberos 通过 [dbmodules] 中的 ipadb.so 读取 ldap 中的数据；配置文件被改成客户端版本后这一段没有了，kerberos 读不到 ldap 里的数据，就会报 kerberos 数据库不存在而无法启动。