[Freeipa-users] krb5kdc service not starting

Martin Babinsky mbabinsk at redhat.com
Tue Apr 26 13:17:12 UTC 2016


On 04/26/2016 03:13 PM, Gady Notrica wrote:
> Hello world,
>
>
>
> I am having issues this morning with my primary IPA. See below the
> details in the logs and command result. Basically, krb5kdc service not
> starting - krb5kdc: Server error - while fetching master key.
>
>
>
> DNS is functioning. See below dig result. I have a trust with Windows AD.
>
>
>
> Please help…!
>
>
>
> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
> ● krb5kdc.service - Kerberos 5 KDC
>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 5 KDC...
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: control process exited, code=exited status=1
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start Kerberos 5 KDC.
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit krb5kdc.service entered failed state.
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
> [root@cd-ipa1 log]#
>
>
>
> Errors in /var/log/krb5kdc.log
>
> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>
>
>
> [root@cd-ipa1 log]# systemctl status httpd -l
> ● httpd.service - The Apache HTTP Server
>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>      Docs: man:httpd(8)
>            man:apachectl(8)
>   Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>
> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa         : ERROR    Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: control process exited, code=exited status=1
> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start The Apache HTTP Server.
> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit httpd.service entered failed state.
> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
> [root@cd-ipa1 log]#
>
>
>
>
>
> DNS Result for dig redhat.com
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;redhat.com.                    IN      A
>
> ;; ANSWER SECTION:
> redhat.com.             60      IN      A       209.132.183.105
>
> ;; AUTHORITY SECTION:
> .                       849     IN      NS      f.root-servers.net.
> .                       849     IN      NS      e.root-servers.net.
> .                       849     IN      NS      k.root-servers.net.
> .                       849     IN      NS      m.root-servers.net.
> .                       849     IN      NS      b.root-servers.net.
> .                       849     IN      NS      g.root-servers.net.
> .                       849     IN      NS      c.root-servers.net.
> .                       849     IN      NS      h.root-servers.net.
> .                       849     IN      NS      l.root-servers.net.
> .                       849     IN      NS      a.root-servers.net.
> .                       849     IN      NS      j.root-servers.net.
> .                       849     IN      NS      i.root-servers.net.
> .                       849     IN      NS      d.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> j.root-servers.net.     3246    IN      A       192.58.128.30
>
> ;; Query time: 79 msec
> ;; SERVER: 10.20.10.41#53(10.20.10.41)
> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
> ;; MSG SIZE  rcvd: 282
>
>
>
> Gady Notrica| IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell.
> 416.818.4797 | gnotrica at candeal.com <mailto:gnotrica at candeal.com>
>
> CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 |
> www.candeal.com <http://www.candeal.ca/>
>
>
>
>
>

It seems like the Directory server is not running. Can you post the result of
'ipactl status' and 'systemctl status dirsrv@IPA-CANDEAL-CA.service'?

-- 
Martin^3 Babinsky
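
Added example, not part of the original thread and not FreeIPA code: the httpd log above names a missing ldapi socket, slapd-IPA-CANDEAL-CA.socket, which is the directory server instance whose unit the reply asks about. The sketch below extracts that instance name from log text and prints the unit to check; the function names and verdict strings are hypothetical, and the sample lines are re-joined from the logs quoted in this thread.

```bash
#!/bin/bash
# Added triage sketch, not FreeIPA code. Function names are hypothetical.

# Constructed sample: three lines taken from the logs quoted in this thread,
# re-joined onto single lines.
SAMPLE_LOG=$(cat <<'EOF'
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
ipa-httpd-kdcproxy[3594]: ipa         : ERROR    Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
EOF
)

# Print the instance name embedded in the first ldapi:// socket URL on stdin.
# The socket file is named slapd-<INSTANCE>.socket; the path is URL-encoded.
ldapi_instance() {
    sed -n 's|.*ldapi://[^ ]*slapd-\([A-Za-z0-9_-]*\)\.socket.*|\1|p' | head -n 1
}

# Classify log text on stdin and print one verdict line:
#   dirsrv-down <unit>    a client could not open the directory server socket
#   kdc-master-key-error  KDC could not read K/M, but no socket evidence seen
#   unknown               neither pattern present
triage() (
    log=$(cat)
    inst=$(printf '%s\n' "$log" | ldapi_instance)
    if [ -n "$inst" ] &&
       printf '%s\n' "$log" | grep -q 'slapd-.*\.socket: \[Errno 2\]'; then
        # A missing socket file means nothing is listening there: name the unit.
        echo "dirsrv-down dirsrv@${inst}.service"
    elif printf '%s\n' "$log" | grep -q 'while fetching master key'; then
        echo "kdc-master-key-error"
    else
        echo "unknown"
    fi
)

printf '%s\n' "$SAMPLE_LOG" | triage
```

On a live host the same function can be fed the combined output of 'journalctl -u httpd -u krb5kdc'.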



