[Freeipa-users] FreeIPA v2.2.0 on F17 not starting

Rich Megginson rmeggins at redhat.com
Thu May 17 21:53:00 UTC 2012


On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote:
> Hello,
>
> I'm running latest (as of today) F17 with FreeIPA v.2.2.0. After 
> running ipa-server-install everything runs alright and IPA is running 
> fine. 389, kerberos and the rest of the components start up fine. 
> However after reboot of the machine IPA doesn't want to start, 
> systemctl status ipa.service reports:
>
> ipa.service - Identity, Policy, Audit
>   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>   Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42 
> +0300; 6min ago
> Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited, 
> status=1/FAILURE)
>   CGroup: name=systemd:/system/ipa.service
>
> May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to 
> read data from Directory Service: Unknown error when retrieving list 
> of services from LDAP: [Errno 111] Connection refused
> May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting down
> May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]: Starting 
> Directory Service
>
> and ipactl start just repeats the error:
>
> ipactl start
> Starting Directory Service
> Failed to read data from Directory Service: Unknown error when 
> retrieving list of services from LDAP: [Errno 111] Connection refused
> Shutting down
>
> If I start ns-slapd by hand with ns-slapd -D /etc/dirsrv/slapd-PKI-IPA 
> && ns-slapd -D /etc/dirsrv/slapd-MYREALM, slapd starts, however the 
> MYREALM instance throws
>
> etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors: 
> nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors 
> must range from 1 to 4096 (the current process limit).  Server will 
> use a setting of 4096.
> [17/May/2012:23:25:29 +0300] - Config Warning: - 
> nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors 
> must range from 1 to 4096 (the current process limit).  Server will 
> use a setting of 4096.
>
> which however is not a big problem, but it seems ns-slapd doesn't care 
> about the limits that are set up in limits.conf.

It cares, but the systemd conf file must also specify NOFILES=8192

>
> after starting the directory server I again try with systemctl start 
> ipa.service and the result this time is:
>
> ipa.service - Identity, Policy, Audit
>   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>   Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02 
> +0300; 25s ago
> Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited, 
> status=1/FAILURE)
>   CGroup: name=systemd:/system/ipa.service
>
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed. 
> See system journal and 'systemctl status' for details.
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to 
> start KDC Service
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting down
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Aborting ipactl
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting 
> Directory Service
> May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC 
> Service
>
> the /var/log/krb5kdc.log reports:
>
> krb5kdc: Server error - while fetching master key K/M for realm MYREALM
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug): Got signal 
> to request exit
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing 
> down fd 9
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing 
> down fd 10
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing 
> down fd 8
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing 
> down fd 7
> May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting down
> krb5kdc: Server error - while fetching master key K/M for realm MYREALM
>
> From what I get from the kdc.conf file in /var/kerberos/krb5kdc it 
> seems like the files
> pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
> pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
> are missing in that path, however I don't really know what should 
> generate those pem certs. From my very basic understanding of how IPA 
> works I assume that is dogtag's job, and again I assume ipactl 
> start/systemctl start ipa.service probably should take care of that, 
> however this doesn't happen.
>
> So any help with this issue is welcome. I can go for an LDAP/KRB setup to 
> use on my virtual/physical machines; however, if going down the 
> KRB/LDAP route, I think IPA would be far better to support in the long run.
>
> If that might be some help, I'm running x86_64 F17 inside Xen domU. 
> The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and NetBSD6 
> DomU.
>
> I have the exact same situation also with FreeIPA built from git. The 
> packages from git are version 2.99:
>
> freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
> freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
> freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
> freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
> freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64
>
> The 2.2.0 version I also ran was the one in F17.
>
> Thanks in advance,
> BR
> ilf
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

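The nsslapd-maxdescriptors warning quoted above is 389-ds telling you that the limit it was configured with (8192) is higher than the RLIMIT_NOFILE the process was actually started with (4096): limits.conf is applied by pam_limits to login sessions, not to services systemd starts, which is why the reply points at the systemd unit (the directive is spelled LimitNOFILE= in the service unit). The script below is an added example, not code from this thread, FreeIPA or 389-ds; it reads the configured value out of a dse.ldif, reads the real limit of a running process from /proc/PID/limits, and reports whether ns-slapd would clamp. The sample dse.ldif is constructed inline; the instance path and the use of pidof in the trailing comment are assumptions about the reader's system.

```shell
#!/bin/sh
# Added example; not code from the original thread, FreeIPA, or 389-ds.
# Checks whether the file-descriptor limit a process actually runs under can
# satisfy the nsslapd-maxdescriptors value configured in a 389-ds dse.ldif,
# i.e. whether ns-slapd would log the "invalid value ... (the current process
# limit)" warning quoted above and silently clamp to the process limit.
# Assumes Linux /proc and the LDIF attribute name shown in the quoted warning.

# Soft "Max open files" limit of a process, from /proc/PID/limits
# (column 4 is the soft limit, column 5 the hard limit).
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits"
}

# First nsslapd-maxdescriptors value in an LDIF file; empty if absent.
configured_maxdescriptors() {
    awk -F': ' 'tolower($1) == "nsslapd-maxdescriptors" { print $2; exit }' "$1"
}

# "ok" when the process limit can honour the configured value, "clamp" when
# ns-slapd would fall back to the process limit, "unset" when not configured.
check_fd_limit() {
    configured="$1"
    actual="$2"
    if [ -z "$configured" ]; then
        echo unset
    elif [ "$actual" -ge "$configured" ]; then
        echo ok
    else
        echo clamp
    fi
}

# Constructed sample dse.ldif fragment mirroring the value from the thread
# (8192); a real file carries many more attributes under cn=config.
SAMPLE_DSE=$(mktemp)
cat > "$SAMPLE_DSE" <<'EOF'
dn: cn=config
cn: config
nsslapd-maxdescriptors: 8192
nsslapd-port: 389
EOF

# Reproduce the two situations from the thread: a process limit of 4096 (what
# the poster's ns-slapd got under systemd) and 8192 (what limits.conf promised).
CONFIGURED=$(configured_maxdescriptors "$SAMPLE_DSE")
echo "configured: $CONFIGURED"
echo "limit 4096: $(check_fd_limit "$CONFIGURED" 4096)"
echo "limit 8192: $(check_fd_limit "$CONFIGURED" 8192)"

# On a live system point this at the running ns-slapd instead of this shell
# (assumed instance path; pidof returns one PID per running instance):
#   check_fd_limit "$(configured_maxdescriptors /etc/dirsrv/slapd-MYREALM/dse.ldif)" \
#                  "$(nofile_soft_limit "$(pidof ns-slapd)")"
if [ -r "/proc/$$/limits" ]; then
    echo "this shell: $(nofile_soft_limit $$)"
fi
```

If the check prints "clamp" for the running ns-slapd, raising the limit in limits.conf will not change the result; the limit has to be set on the unit that starts the service, and the process has to be restarted through systemd for the new limit to apply.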