krb5kdc.log server not found, how to do a kinit or krb5.conf that freeipa likes better

Jelle de Jong via FreeIPA-users Sat, 06 Mar 2021 12:05:58 -0800

Hello everybody,

Can someone help how to do a kinit or change my krb5.conf so freeipadoes not create "Server not found in Kerberos database" warningsflooding the logs?

After freeipa crashed because root / was 100% filled due to/var/log/krb5kdc.* total size being more then 30GB I found that the logis full with:


[root@freeipa01 ~]# tail -n 2 /var/log/krb5kdc.log

Mar 06 20:54:42 freeipa01.powercraft.lan krb5kdc[122009](info): TGS_REQ(6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17),aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)})192.168.25.22: UNKNOWN_SERVER: authtime 0, etypes {rep=UNSUPPORTED:(0)}nextcl...@powercraft.lan for krbtgt/(null)@POWERCRAFT.LAN, Server notfound in Kerberos database

[root@nextcloud01 ~]# sudo -u apache kinit -r 14d -l 7dnextcl...@powercraft.lan

I create a kerberos ticket with the above command to create a ticket forapache with nextcloud to use to access samba (libsmbclient) withkerberos as user nextcloud (samba01 and nextcloud01 are both ipa clients)


[root@nextcloud01 ~]# sudo -u apache klist
Ticket cache: KEYRING:persistent:48:48
Default principal: nextcl...@powercraft.lan

Valid starting     Expires            Service principal

03/06/21 19:04:04 03/07/21 19:03:14cifs/samba01.powercraft....@powercraft.lan

        renew until 03/13/21 19:03:14
03/06/21 19:03:14  03/07/21 19:03:14  krbtgt/powercraft....@powercraft.lan
        renew until 03/13/21 19:03:14

[root@nextcloud01 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = POWERCRAFT.LAN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
# ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
# krb5_ccname_template = FILE:%d/krb5cc_%U

[realms]
  POWERCRAFT.LAN = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }

[domain_realm]
  .powercraft.lan = POWERCRAFT.LAN
  powercraft.lan = POWERCRAFT.LAN
  nextcloud01.powercraft.lan = POWERCRAFT.LAN
[

Thank you in advance,

Kind regards,

Jelle de Jong
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-users] /var/log/krb5kdc.log server not found, how to do a kinit or krb5.conf that freeipa likes better

Reply via email to