[Freeipa-users] krb5kdc service not starting

Ludwig Krispenz lkrispen at redhat.com
Wed Apr 27 15:25:56 UTC 2016


you can try:
cp /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif

and start dirsrv again,

On 04/27/2016 05:19 PM, Gady Notrica wrote:
>
> Yes I have few files… see here…:
>
> [root@cd-p-ipa1 log]# ls -l /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse*
> -rw------- 1 dirsrv root   153365 Jan 15 11:59 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.2a425e90d7bf6f15
> -rw------- 1 dirsrv root   187894 Feb 17 11:51 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.359903482c3cf7aa
> -rw------- 1 dirsrv root   191405 Apr 14 09:36 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.37a6887eb1084abe
> -rw------- 1 dirsrv root   191427 Mar 11 09:40 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.95bd550f879430c2
> -rw------- 1 dirsrv root   191427 Mar  7 15:17 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.e21fffebbee53edb
> -rw-r--r-- 1 dirsrv root   191566 Apr 14 09:37 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.modified.out
> -rw------- 1 dirsrv dirsrv 191405 Apr 23 11:39 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK
> -r--r----- 1 dirsrv dirsrv  36003 Jan 15 11:46 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse_original.ldif
>
> Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
>
> CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com
>
> *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 11:18 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 05:10 PM, Gady Notrica wrote:
>
>     Oh! No…
>
>     Is there a way I can pull those files from the secondary server
>     and put them on the primary?
>
> do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There 
> might be some older states to try
> If you want to use a dse.ldif from another server, it could only work 
> if the other server is really the same, same backends, indexes,,.... 
> and you would have to do a lot of editing to adapt the file to the 
> local system, eg replication agreements ....
> And then it is not sure if something else could be broken
>
> Or I can run the re-installation ipa-server-install with repair option 
> and copy the data back from the secondary server?
>
> I'm not so sure about the IPA reinstall/repair process, maybe someone
> else can step in
>
> Thanks,
>
>
> *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 10:58 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 04:36 PM, Gady Notrica wrote:
>
>     *No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am
>     tailing the log file and running those commands doesn’t generate
>     any log, nothing.
>
>     [root@cd-p-ipa1 log]# ipactl start
>
>     Starting Directory Service
>
>     Job for dirsrv@IPA-CANDEAL-CA.service failed because the control
>     process exited with error code. See "systemctl status
>     dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
>
>     Failed to start Directory Service: Command ''/bin/systemctl'
>     'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit
>     status 1
>
>     *Logs from /var/log/messages*
>
>     Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server
>     IPA-CANDEAL-CA....
>
>     Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
>     dse - The configuration file
>     /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from
>     backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
>
>     Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
>     dse - The configuration file
>     /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from
>     backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
>
>     Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
>     config - The given config file
>     /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed,
>     Netscape Portable Runtime error -5950 (File not found.)
>
> this is BAD, looks like you completely lost your configuration file
> for DS, so it doesn't even know where to log anything. When you lost
> your VM and rebooted there must have been some data loss.
> It could be only dse.ldif, but also other files.
>
>
> [root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
>
> Job for dirsrv@IPA-CANDEAL-CA.service failed because the control
> process exited with error code. See "systemctl status
> dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
>
> dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
>
> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>
> Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
>
> Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema 
> in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 
> 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: 
> Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
>
> Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
> [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
>
> [root@cd-p-ipa1 log]#
>
> Gady
>
> *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 10:06 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/27/2016 03:48 PM, Gady Notrica wrote:
>
>     Hello Ludwig,
>
>     I do have only 1 error logs for the 26th in
>     /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only
>     line I have
>
>     [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync
>     - failed to send dirsync search request: 2
>
>     [*26/Apr/2016*:00:13:01 -0400] - Entry
>     "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca"
>     missing attribute "sn" required by object class "person"
>
>     I don’t know if that helps.
>
> no. And it is weird that there should be no logs, there were 
> definitely messages logged around 8:50, you provided them via 
> systemctl status dirsrv...
> And at least the startup messages should be there
>
> Can you try to start dirsrv again. and check what config settings for 
> errorlog  are in your dse.ldif
>
>
>
> Gady
>
> *From:*Ludwig Krispenz [mailto:lkrispen at redhat.com]
> *Sent:* April 27, 2016 3:18 AM
> *To:* Gady Notrica
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 09:09 PM, Gady Notrica wrote:
>
>     HERE..
>
>     [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get
>     initial credentials for principal
>     [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab
>     [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC
>     for requested realm)
>
>     [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind -
>     Error: could not perform interactive bind for id [] mech [GSSAPI]:
>     LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
>     Error: Unspecified GSS failure.  Minor code may provide more
>     information (No Kerberos credentials available)) errno 0 (Success)
>
>     [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not
>     perform interactive bind for id [] authentication mechanism
>     [GSSAPI]: error -2 (Local error)
>
>     [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin -
>     agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389):
>     Replication bind with GSSAPI auth failed: LDAP error -2 (Local
>     error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
>     failure.  Minor code may provide more information (No Kerberos
>     credentials available))
>
>     [23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All
>     Interfaces port 389 for LDAP requests
>
>     [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port
>     636 for LDAPS requests
>
>     [23/Apr/2016:11:39:51 -0400] - Listening on
>     /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
>
>     [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin -
>     agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389):
>     Replication bind with GSSAPI auth resumed
>
>     [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin -
>     agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable
>     to receive the response for a startReplication extended operation
>     to consumer (Can't contact LDAP server). Will retry later.
>
>     [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind -
>     Error: could not perform interactive bind for id [] mech [GSSAPI]:
>     LDAP error -1 (Can't contact LDAP server) ((null)) errno 107
>     (Transport endpoint is not connected)
>
>     [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not
>     perform interactive bind for id [] authentication mechanism
>     [GSSAPI]: error -1 (Can't contact LDAP server)
>
>     [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind -
>     Error: could not perform interactive bind for id [] mech [GSSAPI]:
>     LDAP error -1 (Can't contact LDAP server) ((null)) errno 107
>     (Transport endpoint is not connected)
>
>     [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not
>     perform interactive bind for id [] authentication mechanism
>     [GSSAPI]: error -1 (Can't contact LDAP server)
>
>     [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind -
>     Error: could not perform interactive bind for id [] mech [GSSAPI]:
>     LDAP error -1 (Can't contact LDAP server) ((null)) errno 107
>     (Transport endpoint is not connected)
>
>     [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not
>     perform interactive bind for id [] authentication mechanism
>     [GSSAPI]: error -1 (Can't contact LDAP server)
>
>     [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin -
>     agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389):
>     Replication bind with GSSAPI auth resumed
>
>     [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync
>     - failed to send dirsync search request: 2
>
> these are old logs, the problem you were reporting was on Apr, 26:
>
>
>
>
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>   
>   
> we need the logs from that time
>
>
>
>
>
>
>
> Gady
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: April 26, 2016 2:44 PM
> To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> Gady Notrica wrote:
>
> > Hey world,
>
> >
>
> > Any ideas?
>
> What about the first part of Ludwig's question: Is there anything in 
> the 389-ds error log?
>
> rob
>
> >
>
> > Gady
>
> >
>
> > -----Original Message-----
>
> > From: freeipa-users-bounces at redhat.com
>
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
>
> > Sent: April 26, 2016 10:10 AM
>
> > To: Ludwig Krispenz; freeipa-users at redhat.com
>
> > Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> >
>
> > No, no changes. Lost connectivity with my VMs during the night
>
> > (networking issues in datacenter)
>
> >
>
> > Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.
>
> >
>
> > Gady Notrica
>
> >
>
> > -----Original Message-----
>
> > From: freeipa-users-bounces at redhat.com
>
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
>
> > Sent: April 26, 2016 10:02 AM
>
> > To: freeipa-users at redhat.com
>
> > Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> >
>
> >
>
> > On 04/26/2016 03:26 PM, Gady Notrica wrote:
>
> >> Here...
>
> >>
>
> >> [root@cd-p-ipa1 log]# ipactl status
>
> >> Directory Service: STOPPED
>
> >> Directory Service must be running in order to obtain status of other
>
> >> services
>
> >> ipa: INFO: The ipactl command was successful
>
> >>
>
> >> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l
>
> >> ● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>
> >>      Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>
> >>      Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>
> >>     Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>
> >>
>
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
> >> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
>
> > this says the server doesn't know a syntax oid, but it is a known one.
>
> > It could be that the syntax plugins couldn't be loaded. There are
> > more errors before, could you check where the errors start in
> > /var/log/dirsrv/slapd-<INSTANCE>/errors ?
>
> >
>
> > And, did you do any changes to the system before this problem started ?
>
> >> [root@cd-p-ipa1 log]#
>
> >>
>
> >> Gady
>
> >>
>
> >> -----Original Message-----
>
> >> From: freeipa-users-bounces at redhat.com
>
> >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin
>
> >> Babinsky
>
> >> Sent: April 26, 2016 9:17 AM
>
> >> To: freeipa-users at redhat.com
>
> >> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> >>
>
> >> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>
> >>> Hello world,
>
> >>>
>
> >>>
>
> >>>
>
> >>> I am having issues this morning with my primary IPA. See below the
>
> >>> details in the logs and command result. Basically, krb5kdc service
>
> >>> not starting - krb5kdc: Server error - while fetching master key.
>
> >>>
>
> >>>
>
> >>>
>
> >>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>
> >>>
>
> >>>
>
> >>>
>
> >>> Please help…!
>
> >>>
>
> >>>
>
> >>>
>
> >>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>
> >>>
>
> >>> ● krb5kdc.service - Kerberos 5 KDC
>
> >>>
>
> >>>      Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
>
> >>> disabled; vendor preset: disabled)
>
> >>>
>
> >>>      Active: failed (Result: exit-code) since Tue 2016-04-26
>
> >>> 08:27:52 EDT; 41min ago
>
> >>>
>
> >>>     Process: 3694 ExecStart=/usr/sbin/krb5kdc -P
>
> >>> /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>
> >>>
>
> >>>
>
> >>>
>
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting
>
> >>> Kerberos
>
> >>> 5 KDC...
>
> >>>
>
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc:
>
> >>> cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details
>
> >>>
>
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
>
> >>> control process exited, code=exited status=1
>
> >>>
>
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
>
> >>> Kerberos 5 KDC.
>
> >>>
>
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit
>
> >>> krb5kdc.service entered failed state.
>
> >>>
>
> >>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
>
> >>>
>
> >>> [root@cd-ipa1 log]#
>
> >>>
>
> >>>
>
> >>>
>
> >>> Errors in /var/log/krb5kdc.log
>
> >>>
>
> >>>
>
> >>>
>
> >>> krb5kdc: Server error - while fetching master key K/M for realm
>
> >>> DOMAIN.LOCAL
>
> >>>
>
> >>> krb5kdc: Server error - while fetching master key K/M for realm
>
> >>> DOMAIN.LOCAL
>
> >>>
>
> >>> krb5kdc: Server error - while fetching master key K/M for realm
>
> >>> DOMAIN.LOCAL
>
> >>>
>
> >>>
>
> >>>
>
> >>> [root@cd-ipa1 log]# systemctl status httpd -l
>
> >>>
>
> >>> ● httpd.service - The Apache HTTP Server
>
> >>>
>
> >>>      Loaded: loaded (/etc/systemd/system/httpd.service; disabled;
>
> >>> vendor
>
> >>> preset: disabled)
>
> >>>
>
> >>>      Active: failed (Result: exit-code) since Tue 2016-04-26
>
> >>> 08:27:21 EDT; 39min ago
>
> >>>
>
> >>>        Docs: man:httpd(8)
>
> >>>
>
> >>> man:apachectl(8)
>
> >>>
>
> >>>     Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
>
> >>> (code=exited, status=1/FAILURE)
>
> >>>
>
> >>>
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]:
>
> >>> File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line
>
> >>> 1579, in __wait_for_connection
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>
> >>> wait_for_open_socket(lurl.hostport, timeout)
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>
> >>> File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line
>
> >>> 1200, in wait_for_open_socket
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>
> >>> raise e
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>
> >>> error: [Errno 2] No such file or directory
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
>
> >>> ipa         : ERROR Unknown error while retrieving setting from
>
> >>> ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No
>
> >>> such file or directory
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service:
>
> >>> control process exited, code=exited status=1
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
>
> >>> The Apache HTTP Server.
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit
>
> >>> httpd.service entered failed state.
>
> >>>
>
> >>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
>
> >>>
>
> >>> [root@cd-ipa1 log]#
>
> >>>
>
> >>>
>
> >>>
>
> >>>
>
> >>>
>
> >>> DNS Result for dig redhat.com
>
> >>>
>
> >>>
>
> >>>
>
> >>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>
> >>>
>
> >>> ;; global options: +cmd
>
> >>>
>
> >>> ;; Got answer:
>
> >>>
>
> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>
> >>>
>
> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL:
>
> >>> 2
>
> >>>
>
> >>>
>
> >>>
>
> >>> ;; OPT PSEUDOSECTION:
>
> >>>
>
> >>> ; EDNS: version: 0, flags:; udp: 4096
>
> >>>
>
> >>> ;; QUESTION SECTION:
>
> >>>
>
> >>> ;redhat.com.                    IN      A
>
> >>>
>
> >>>
>
> >>>
>
> >>> ;; ANSWER SECTION:
>
> >>>
>
> >>> redhat.com. 60      IN      A       209.132.183.105
>
> >>>
>
> >>>
>
> >>>
>
> >>> ;; AUTHORITY SECTION:
>
> >>>
>
> >>> . 849     IN      NS      f.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      e.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      k.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      m.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      b.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      g.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      c.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      h.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      l.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      a.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      j.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      i.root-servers.net.
>
> >>>
>
> >>> . 849     IN      NS      d.root-servers.net.
>
> >>>
>
> >>>
>
> >>>
>
> >>> ;; ADDITIONAL SECTION:
>
> >>>
>
> >>> j.root-servers.net. 3246    IN      A       192.58.128.30
>
> >>>
>
> >>>
>
> >>>
>
> >>> ;; Query time: 79 msec
>
> >>>
>
> >>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>
> >>>
>
> >>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>
> >>>
>
> >>> ;; MSG SIZE  rcvd: 282
>
> >>>
>
> >>>
>
> >>>
>
> >>> Gady
>
> >>>
>
> >>>
>
> >>>
>
> >>>
>
> >>>
>
> >> It seems like Directory server is not running. Can you post result
> >> of 'ipactl status' and 'systemctl status
> >> dirsrv@IPA-DOMAIN-LOCAL.service'?
>
> >>
>
> >> --
>
> >> Martin^3 Babinsky
>
> >>
>
> >> --
>
> >> Manage your subscription for the Freeipa-users mailing list:
>
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> >> Go to http://freeipa.org for more info on the project
>
> >>
>
> >
>
> > --
>
> > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
>
> > Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
>
> > Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
>
> > O'Neill
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
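
Added example (not part of the original thread, and not code from the 389-ds or FreeIPA projects): the restore suggested at the top of this message, written so that the saved copy is checked before it replaces dse.ldif and whatever is currently in place is kept. The function names, the "dn: cn=config" usability check, the fallback to the newest dse.ldif.ipa.* copy and the dse.ldif.broken.* suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example: restore a lost or damaged dse.ldif from a saved copy.
# Assumptions (not from the thread): a copy is "usable" when it is non-empty
# and contains the cn=config entry; dse.ldif.startOK is preferred, otherwise
# the newest usable dse.ldif.ipa.* copy is taken.

# is_usable_dse FILE: true if FILE is non-empty and has a cn=config entry.
is_usable_dse() {
    [ -s "$1" ] && grep -qi '^dn: *cn=config$' "$1"
}

# pick_dse_candidate DIR: print the saved copy to restore from, or fail.
pick_dse_candidate() {
    dir=$1
    best=
    if is_usable_dse "$dir/dse.ldif.startOK"; then
        best=$dir/dse.ldif.startOK
    else
        # After an unclean shutdown the newest file can itself be truncated,
        # so every candidate is checked before it is compared by age.
        for f in "$dir"/dse.ldif.ipa.*; do
            is_usable_dse "$f" || continue
            if [ -z "$best" ] || [ "$f" -nt "$best" ]; then
                best=$f
            fi
        done
    fi
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# restore_dse DIR: put the chosen copy in place as DIR/dse.ldif and print
# which copy was used. Nothing is changed when no usable copy exists.
restore_dse() {
    dir=$1
    src=$(pick_dse_candidate "$dir") || return 1

    # Keep the current file (if any) for later inspection.
    if [ -e "$dir/dse.ldif" ]; then
        mv "$dir/dse.ldif" "$dir/dse.ldif.broken.$(date +%Y%m%d%H%M%S)" || return 1
    fi

    # Copy next to the target, then rename, so a second interruption cannot
    # leave a half-written dse.ldif. cp -p keeps owner and mode when run as
    # root; chmod enforces the 0600 seen in the listing above.
    tmp=$dir/dse.ldif.restore.$$
    cp -p "$src" "$tmp" || return 1
    chmod 600 "$tmp" || return 1
    mv "$tmp" "$dir/dse.ldif" || return 1
    printf '%s\n' "$src"
}

# Run only when an instance directory is given on the command line.
if [ "$#" -eq 1 ]; then
    restore_dse "$1"
fi
```

Run it as root with the instance stopped, passing the instance directory (/etc/dirsrv/slapd-IPA-CANDEAL-CA in this thread), then start dirsrv again.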
