[Freeipa-users] Failed to start Identity, Policy, Audit

Rob Crittenden rcritten at redhat.com
Mon Mar 2 19:14:19 UTC 2015


Umarzuki Mochlis wrote:
> After rebooting freeipa server, I cannot log in to its web interface
> and when I try to start it, it fails
> 
> More info:
> 
> [root at ipa ~]# systemctl start ipa.service
> Job for ipa.service failed. See 'systemctl status ipa.service' and
> 'journalctl -n' for details.
> 
> [root at ipa ~]# systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
>           Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>           Active: failed (Result: exit-code) since Sun, 2015-03-01
> 21:36:49 MYT; 15s ago
>          Process: 1918 ExecStart=/usr/sbin/ipactl start (code=exited,
> status=1/FAILURE)
>           CGroup: name=systemd:/system/ipa.service
> 
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Aborting ipactl
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting Directory Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting krb5kdc Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting kadmin Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting ipa_memcached Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting httpd Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting pki-tomcatd Service
> Mar 01 21:36:49 ipa.domain.com systemd[1]: ipa.service: main process
> exited, code=exited, status=1/FAILURE
> Mar 01 21:36:49 ipa.domain.com systemd[1]: Failed to start Identity,
> Policy, Audit.
> Mar 01 21:36:49 ipa.domain.com systemd[1]: Unit ipa.service entered failed state
> 
> [root at ipa ~]# KRB5_TRACE=/dev/stdout kinit admin
> [2324] 1425217336.627346: Getting initial credentials for admin at domain.com
> [2324] 1425217336.630877: Sending request (155 bytes) to domain.com
> [2324] 1425217336.631163: Sending initial UDP request to dgram 192.168.1.100:88
> [2324] 1425217336.631265: UDP error receiving from dgram
> 192.168.1.100:88: 111/Connection refused
> [2324] 1425217336.631301: Initiating TCP connection to stream 192.168.1.100:88
> [2324] 1425217336.631351: Terminating TCP connection to stream 192.168.1.100:88
> kinit: Cannot contact any KDC for realm 'domain.com' while getting
> initial credentials
> 
> [root at ipa ~]# rpm -qa  | grep ipa
> freeipa-admintools-3.1.0-2.fc18.x86_64
> freeipa-server-3.1.0-2.fc18.x86_64
> libipa_hbac-python-1.9.3-1.fc18.x86_64
> python-iniparse-0.4-6.fc18.noarch
> freeipa-client-3.1.0-2.fc18.x86_64
> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> freeipa-python-3.1.0-2.fc18.x86_64
> libipa_hbac-1.9.3-1.fc18.x86_64
> 
> What is my next course of action to solve this?
> 

Two suggestions:

# getcert list

See if you have a bunch of expired certificates. I'm thinking probably
not the problem since Apache appears to have started.

It is failing with the CA so I'd look in those logs, /var/log/pki-ca
IIRC with 3.1 (or /var/log/pki-something, should be obvious).

You may also want to look for SELinux errors:

# ausearch -m AVC -ts recent

Assuming expired certificates aren't the problem you can manually start
the other services to get your infrastructure back up while you
investigate the CA startup failure.

rob
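
The expired-certificate check suggested in the reply above can be scripted. This is an added example, not part of the original message: the function names are hypothetical and the sample text is constructed in the layout `getcert list` prints, not taken from the poster's server.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the layout of `getcert list` output (values are made up).
SAMPLE = """\
Request ID '20130301120001':
    status: MONITORING
    stuck: no
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2015-03-01 12:00:01 UTC
Request ID '20130301120002':
    status: CA_UNREACHABLE
    stuck: no
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2015-02-19 12:00:02 UTC
Request ID '20130301120003':
    status: MONITORING
    stuck: no
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2016-11-05 09:30:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            # Split on the first colon only; timestamps contain more of them.
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def problem_requests(text, now):
    """Return (id, subject, reason) for expired, stuck or non-MONITORING requests."""
    found = []
    for req in parse_getcert(text):
        reasons = []
        if "expires" in req:
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
            if exp.replace(tzinfo=timezone.utc) <= now:
                reasons.append("expired " + req["expires"])
        if req.get("status") != "MONITORING":
            reasons.append("status " + req.get("status", "unknown"))
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if reasons:
            found.append((req["id"], req.get("subject", "?"), "; ".join(reasons)))
    return found
```

On a server, pass the captured text of `getcert list` and `datetime.now(timezone.utc)` to `problem_requests`.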
