[Freeipa-users] krb5kdc service not starting

Gady Notrica gnotrica at candeal.com
Tue Apr 26 18:15:59 UTC 2016


Hey world,

Any ideas? 

Gady

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
Sent: April 26, 2016 10:10 AM
To: Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

No, no changes. Lost connectivity with my VMs during the night (networking issues in datacenter).

Rebooted the server and oops, no IPA is coming up... The replica (secondary server) is fine though.

Gady Notrica 

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root@cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> ipa: INFO: The ipactl command was successful
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
> ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
>     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>     Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>    Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
This says the server doesn't know a syntax OID, but it is a known one.
It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-<INSTANCE>/errors ?

And, did you make any changes to the system before this problem started?
> [root@cd-p-ipa1 log]#
>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>> I am having issues this morning with my primary IPA. See below the
>> details in the logs and command result. Basically, krb5kdc service
>> not starting - krb5kdc: Server error - while fetching master key.
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>> Please help…!
>>
>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>> ● krb5kdc.service - Kerberos 5 KDC
>>     Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>     Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>    Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 5 KDC...
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: control process exited, code=exited status=1
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start Kerberos 5 KDC.
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit krb5kdc.service entered failed state.
>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
>> [root@cd-ipa1 log]#
>>
>> Errors in /var/log/krb5kdc.log
>>
>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>
>> [root@cd-ipa1 log]# systemctl status httpd -l
>> ● httpd.service - The Apache HTTP Server
>>     Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>>     Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>>       Docs: man:httpd(8)
>>             man:apachectl(8)
>>    Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa         : ERROR    Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: control process exited, code=exited status=1
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start The Apache HTTP Server.
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit httpd.service entered failed state.
>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
>> [root@cd-ipa1 log]#
>>
>> DNS Result for dig redhat.com
>>
>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;redhat.com.                    IN      A
>>
>> ;; ANSWER SECTION:
>> redhat.com.             60      IN      A       209.132.183.105
>>
>> ;; AUTHORITY SECTION:
>> .                       849     IN      NS      f.root-servers.net.
>> .                       849     IN      NS      e.root-servers.net.
>> .                       849     IN      NS      k.root-servers.net.
>> .                       849     IN      NS      m.root-servers.net.
>> .                       849     IN      NS      b.root-servers.net.
>> .                       849     IN      NS      g.root-servers.net.
>> .                       849     IN      NS      c.root-servers.net.
>> .                       849     IN      NS      h.root-servers.net.
>> .                       849     IN      NS      l.root-servers.net.
>> .                       849     IN      NS      a.root-servers.net.
>> .                       849     IN      NS      j.root-servers.net.
>> .                       849     IN      NS      i.root-servers.net.
>> .                       849     IN      NS      d.root-servers.net.
>>
>> ;; ADDITIONAL SECTION:
>> j.root-servers.net.     3246    IN      A       192.58.128.30
>>
>> ;; Query time: 79 msec
>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>> ;; MSG SIZE  rcvd: 282
>>
>> Gady
>>
> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-CANDEAL-CA.service'?
>
> --
> Martin^3 Babinsky
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
