There are a bunch of interesting order-of-events issues I'm discovering with what I'm doing, and because of that it is creating errors that are obscured in the packaging process. I don't know if there's a fix, or just some alerts, etc. The package failure appears to be because I did NOT set up a realm; intending to use LDAP as the backend, I figured I would NOT have krb5-kdc config create an initial realm. This means when it tries to start the service, I get this in the logs:
Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory - while initializing database for realm SUBDOMAIN.DOMAIN.COM
The realm is defined by the install of krb5-config, so it knows the realm it wants to use. So, fine, maybe that's expected; then I go in and run krb5_ldap_util to create the realm, and THAT led to another error... the tool doesn't support TLS. I get "Confidentiality required while initializing database", which indicates a TLS error. Disabled forcing of TLS on the LDAP server and I could initialize the realm, stash everything needed in keyfiles, and I was off to the races.
I don't know if there is a packaging fix (other than the advice from the maintainers above about handling the systemd calls knowing they will fail) but it's been interesting to troubleshoot.