Cannot configure krb5-kdc on Ubuntu Jammy 22.04.01, "Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 142."

systemctl is a non-optional component of an Ubuntu 22.04 system. What does `which systemctl` return for you? What does `systemctl` return when you run it?

/usr/bin/systemctl

It's definitely installed; I've just stopped and started slapd with it.

Running it with no arguments gives me a giant list of services, targets, etc. All the normal systemd stuff you would expect. I can even see krb5-kdc red and failed in the list.

then this must be a bug in the init-system-helpers package providing the deb-systemd-invoke command; reassigning.

Just a follow up, I'm getting the same issue on Ubuntu 22.10 as well. I reimaged the server from scratch and tried to install the following, which had the same issue:

apt -y install db-util db5.3-util krb5-admin-server krb5-config krb5-kdc krb5-kdc-ldap krb5-user ldap-utils libgssrpc4 libkadm5clnt-mit12 libkadm5srv-mit12 libkdb5-10 libltdl7 libodbc2 libsasl2-modules-gssapi-mit libverto-libevent1 libverto1 sasl2-bin schema2ldif slapd

None of those should cause a conflict. I did a "dpkg-reconfigure" on all of them, and the only one with an issue is krb5-kdc, and on 22.10 the error is a slightly different line, "Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145." That's line 145 instead of 142, seems like it's that systemd-invoke line, is there a way for me to get additional debug from that command?

I did a little debugging, and the problem happens because krb5-kdc.service fails to start with:

Feb 02 15:22:34 krb5-test systemd[1]: Starting Kerberos 5 Key Distribution Center...
Feb 02 15:22:34 krb5-test krb5kdc[3957]: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory - while initializing database for realm LXD
Feb 02 15:22:34 krb5-test krb5kdc[3957]: krb5kdc: cannot initialize realm LXD - see log file for details
Feb 02 15:22:34 krb5-test systemd[1]: krb5-kdc.service: Control process exited, code=exited, status=1/FAILURE
Feb 02 15:22:34 krb5-test systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Feb 02 15:22:34 krb5-test systemd[1]: Failed to start Kerberos 5 Key Distribution Center.

systemd-invoke will try to run systemctl like this:

systemctl --quiet --system restart krb5-kdc.service

which fails because of the problem mentioned above.

I don't think this is a problem with init-system-helpers, but rather an issue with krb5-kdc indeed. Also, I believe it's worth reporting this bug to Debian, since they suffer from it too.

FWIW, because Focal's deb-systemd-invoke doesn't use --quiet we end up getting a clearer error there:

# dpkg-reconfigure krb5-kdc
Job for krb5-kdc.service failed because the control process exited with error code.
See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
invoke-rc.d: initscript krb5-kdc, action "start" failed.
● krb5-kdc.service - Kerberos 5 Key Distribution Center
     Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-02-02 18:32:34 UTC; 7ms ago
    Process: 2000 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=1/FAILURE)
        CPU: 10ms

Feb 02 18:32:34 bla systemd[1]: Starting Kerberos 5 Key Distribution Center...
Feb 02 18:32:34 bla krb5kdc[2000]: Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory - while initializing database for realm LXD
Feb 02 18:32:34 bla krb5kdc[2000]: krb5kdc: cannot initialize realm LXD - see log file for details
Feb 02 18:32:34 bla systemd[1]: krb5-kdc.service: Control process exited, code=exited, status=1/FAILURE
Feb 02 18:32:34 bla systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
Feb 02 18:32:34 bla systemd[1]: Failed to start Kerberos 5 Key Distribution Center.

>>>>> "Sergio" == Sergio Durigan Junior <email address hidden> writes:
    Sergio> systemd-invoke will try to run systemctl like this:

    Sergio> systemctl --quiet --system restart krb5-kdc.service

    Sergio> which fails because of the problem mentioned above.

So, there was a bug that made its way to the Debian TC asking what the
behavior ought to be when a maintainer script tried to restart a unit
and the unit failed.
The conclusion of that bug was that there is no general
policy--sometimes you want the maintainer script to fail, sometimes you
do not.
At least that was my recollection.

krb5-kdc is a service where you probably don't want the unit
restarting/starting to be a failure to cause the maintainer script to
fail.
How to I explain that to debhelper?

--Sam

There is a bunch of interesting order-of-events issues I'm discovering with what I'm doing, and because of that it is creating errors that are obscured in the packaging process. I don't know if there's a fix, or just some alerts, etc. The package failure appears to be because I did NOT set up a realm; intending to use ldap as the backend, I figured I would NOT have krb5-kdc config create an initial realm. This means when it tries to start the service, I get this in the logs:

Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory - while initializing database for realm SUBDOMAIN.DOMAIN.COM

The realm is defined by the install of krb5-config, so it knows the realm it wants to use. So, fine, maybe that's expected; then I go in and run krb5_ldap_util to create the realm, and THAT led to another error...the tool doesn't support TLS. I get "Confidentiality required while initializing database" which indicates a TLS error. Disabled forcing of tls on the ldap server and I could initialize the realm, stash everything needed in keyfiles, and I was off to the races.

I don't know if there is a packaging fix (other than the advice from the maintainers above about handling the systemd calls knowing they will fail) but it's been interesting to troubleshoot.

Status changed to 'Confirmed' because the bug affects multiple users.