Vu Nguyen via FreeIPA-devel wrote:
> After 7 days, I tried to log in to the freeipa webUI and got this "Login
> failed due to an unknown reason" message. So I rebooted my machine. After that I
> cannot connect to the freeipa webUI. Then I checked ipa.service and got some errors related to
> krb5 like "Failed to start krb5kdc Service", so I tried to start krb5kdc.service
> but got errors too, namely "krb5kdc: cannot initialize realm". I checked the
> log file and got something that might be helpful:
> "Cannot find master key record in database - while fetching master keys list for
> realm"
> "Didn't connect to LDAP on startup: 110"
> "Server error - while fetching master key K/M for realm"
> I also tried to run the "kinit admin" command and got this message: "kinit:
> Cannot contact any KDC for realm"
> I guess it is because my certificate expired, which led to this issue. Does anyone know
> what I should do to fix this issue and prevent it in the future?

What are the 7 days? Is this seven days after the initial installation?
Certificates are good for two years.
The root cause appears to be that the LDAP server (389-ds) did not start. The
logs are in /var/log/dirsrv/slapd-REALM. I'd suggest taking a look at
errors.
And/or try ipactl restart. It'll fail pretty quickly if 389-ds won't
start and again, the logs should tell you what happened.
rob