[Freeipa-users] krb5kdc service not starting

Ludwig Krispenz lkrispen at redhat.com
Tue Apr 26 14:01:57 UTC 2016


On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root@cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> ipa: INFO: The ipactl command was successful
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
> dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
>     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>     Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>    Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
This says the server doesn't know a syntax OID, but it is a known one.
It could be that the syntax plugins couldn't be loaded. There are more
errors before; could you check where the errors start in
/var/log/dirsrv/slapd-<INSTANCE>/errors?

And did you make any changes to the system before this problem started?
> [root@cd-p-ipa1 log]#
>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>>
>>
>> I am having issues this morning with my primary IPA. See below the
>> details in the logs and command result. Basically, krb5kdc service not
>> starting - krb5kdc: Server error - while fetching master key.
>>
>>
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>>
>>
>> Please help…!
>>
>>
>>
>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>>     Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled;
>> vendor preset: disabled)
>>
>>     Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52
>> EDT; 41min ago
>>
>>    Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
>> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>>
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos
>> 5 KDC...
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot
>> initialize realm IPA.DOMAIN.LOCAL- see log file for details
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
>> control process exited, code=exited status=1
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
>> Kerberos 5 KDC.
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit
>> krb5kdc.service entered failed state.
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
>>
>> [root@cd-ipa1 log]#
>>
>>
>>
>> Errors in /var/log/krb5kdc.log
>>
>>
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>> krb5kdc: Server error - while fetching master key K/M for realm
>> DOMAIN.LOCAL
>>
>>
>>
>> [root@cd-ipa1 log]# systemctl status httpd -l
>>
>> ● httpd.service - The Apache HTTP Server
>>
>>     Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor
>> preset: disabled)
>>
>>     Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21
>> EDT; 39min ago
>>
>>       Docs: man:httpd(8)
>>
>>             man:apachectl(8)
>>
>>    Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
>> (code=exited, status=1/FAILURE)
>>
>>
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: File
>> "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line 1579, in
>> __wait_for_connection
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> wait_for_open_socket(lurl.hostport, timeout)
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line 1200,
>> in wait_for_open_socket
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> raise e
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> error: [Errno 2] No such file or directory
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>> ipa         : ERROR    Unknown error while retrieving setting from
>> ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such
>> file or directory
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service:
>> control process exited, code=exited status=1
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
>> The Apache HTTP Server.
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit httpd.service
>> entered failed state.
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
>>
>> [root@cd-ipa1 log]#
>>
>>
>>
>>
>>
>> DNS Result for dig redhat.com
>>
>>
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>>
>> ;; global options: +cmd
>>
>> ;; Got answer:
>>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>>
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>
>>
>>
>> ;; OPT PSEUDOSECTION:
>>
>> ; EDNS: version: 0, flags:; udp: 4096
>>
>> ;; QUESTION SECTION:
>>
>> ;redhat.com.                    IN      A
>>
>>
>>
>> ;; ANSWER SECTION:
>>
>> redhat.com.             60      IN      A       209.132.183.105
>>
>>
>>
>> ;; AUTHORITY SECTION:
>>
>> .                       849     IN      NS      f.root-servers.net.
>>
>> .                       849     IN      NS      e.root-servers.net.
>>
>> .                       849     IN      NS      k.root-servers.net.
>>
>> .                       849     IN      NS      m.root-servers.net.
>>
>> .                       849     IN      NS      b.root-servers.net.
>>
>> .                       849     IN      NS      g.root-servers.net.
>>
>> .                       849     IN      NS      c.root-servers.net.
>>
>> .                       849     IN      NS      h.root-servers.net.
>>
>> .                       849     IN      NS      l.root-servers.net.
>>
>> .                       849     IN      NS      a.root-servers.net.
>>
>> .                       849     IN      NS      j.root-servers.net.
>>
>> .                       849     IN      NS      i.root-servers.net.
>>
>> .                       849     IN      NS      d.root-servers.net.
>>
>>
>>
>> ;; ADDITIONAL SECTION:
>>
>> j.root-servers.net.     3246    IN      A       192.58.128.30
>>
>>
>>
>> ;; Query time: 79 msec
>>
>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>>
>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>>
>> ;; MSG SIZE  rcvd: 282
>>
>>
>>
>> Gady
>>
>>
>>
>>
>>
> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-CANDEAL-CA.service'?
>
> --
> Martin^3 Babinsky
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
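
Added example, not part of the original message: one way to find where the errors start in an ns-slapd errors log, by isolating the last burst of entries and collapsing consecutive repeats. The 60-second gap heuristic, the function names and the first sample line are assumptions; the other sample lines are copied from the output quoted in this thread.

```python
import re
from datetime import datetime, timedelta

# Timestamp layout as it appears in the ns-slapd lines quoted in this thread.
# search() is used so journal-prefixed lines (systemctl status) parse as well.
LINE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s+(.*)")

# Constructed sample: the first line is invented filler standing in for an
# earlier start attempt; the rest are lines from the quoted output.
SAMPLE = """\
[26/Apr/2016:08:27:20 -0400] - constructed line from an earlier start attempt
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
"""


def parse(text):
    """Yield (timestamp, message) for every line carrying an ns-slapd timestamp."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(2).lstrip("- ").strip()


def last_burst(text, gap=timedelta(seconds=60)):
    """Return [(first_seen, message, count)] for the final burst of log lines.

    Assumption: a quiet period longer than `gap` separates one start attempt
    from the next, so everything after the last such gap is the latest failure.
    """
    burst, prev = [], None
    for ts, msg in parse(text):
        if prev is not None and ts - prev > gap:
            burst = []              # quiet period: a new attempt begins here
        prev = ts
        if burst and burst[-1][1] == msg:
            burst[-1][2] += 1       # collapse consecutive identical messages
        else:
            burst.append([ts, msg, 1])
    return [tuple(entry) for entry in burst]


if __name__ == "__main__":
    # Replace SAMPLE with the contents of /var/log/dirsrv/slapd-<INSTANCE>/errors
    for ts, msg, count in last_burst(SAMPLE):
        print(f"{ts.isoformat()}  x{count}  {msg}")
```

The first entry printed is where the latest failure begins; the repeat count shows how many identical lines were folded into it.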