[Freeipa-users] krb5kdc service not starting

Gady Notrica gnotrica at candeal.com
Wed Apr 27 17:02:01 UTC 2016


Hello Ludwig,

Is there a reason why my AD shows offline?

[root at cd-p-ipa1 /]# wbinfo --online-status
BUILTIN : online
IPA : online
CD-PRD : offline


But I can see the trust. And DNS is resolving.

[root at cd-p-ipa1 /]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: CD-PRD.domain.com
  Domain NetBIOS name: CD-PRD
  Domain Security Identifier: S-1-5-21-1645522239-1450960922-839522115
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root at cd-p-ipa1 /]# ipa trust-show
Realm name: CD-PRD.domain.com
  Realm name: CD-PRD.domain.com
  Domain NetBIOS name: CD-PRD
  Domain Security Identifier: S-1-5-21-1645522239-1450960922-839522115
  Trust direction: Two-way trust
  Trust type: Active Directory domain

[root at cd-p-ipa1 /]# ipa user-show gnotrica at CD-PRD.domain.com
ipa: ERROR: gnotrica at cd-prd.domain.com: user not found
[root at cd-p-ipa1 /]# dig SRV _ldap._tcp.cd-prd.domain.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> SRV _ldap._tcp.cd-prd.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13868
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.cd-prd.domain.com.  IN      SRV

;; ANSWER SECTION:
_ldap._tcp.cd-prd.domain.com. 600 IN    SRV     0 100 389 cd-dc2.cd-prd.domain.com.
_ldap._tcp.cd-prd.domain.com. 600 IN    SRV     0 100 389 cd-dc1.cd-prd.domain.com.


Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 11:26 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

you can try:
cp /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif

and start dirsrv again,
On 04/27/2016 05:19 PM, Gady Notrica wrote:
Yes, I have a few files... see here:

[root at cd-p-ipa1 log]# ls -l /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse*
-rw------- 1 dirsrv root   153365 Jan 15 11:59 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.2a425e90d7bf6f15
-rw------- 1 dirsrv root   187894 Feb 17 11:51 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.359903482c3cf7aa
-rw------- 1 dirsrv root   191405 Apr 14 09:36 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.37a6887eb1084abe
-rw------- 1 dirsrv root   191427 Mar 11 09:40 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.95bd550f879430c2
-rw------- 1 dirsrv root   191427 Mar  7 15:17 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.ipa.e21fffebbee53edb
-rw-r--r-- 1 dirsrv root   191566 Apr 14 09:37 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.modified.out
-rw------- 1 dirsrv dirsrv 191405 Apr 23 11:39 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.startOK
-r--r----- 1 dirsrv dirsrv  36003 Jan 15 11:46 /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse_original.ldif


Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com | Follow us: http://www.twitter.com/candeal | http://www.linkedin.com/profile/view?id=36869324&trk=tab_pro

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 11:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/27/2016 05:10 PM, Gady Notrica wrote:
Oh! No…

Is there a way I can pull those files from the secondary server and put them on the primary?
do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might be some older states to try
If you want to use a dse.ldif from another server, it could only work if the other server is really the same, same backends, indexes, ... and you would have to do a lot of editing to adapt the file to the local system, e.g. replication agreements ...
And then it is not sure if something else could be broken



Or I can run the re-installation ipa-server-install with repair option and copy the data back from the secondary server?
I'm not so sure about the IPA reinstall/repair process, maybe someone else can step in



Thanks,


From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:58 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/27/2016 04:36 PM, Gady Notrica wrote:
No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log file and running those commands doesn’t generate any log, nothing.

[root at cd-p-ipa1 log]# ipactl start
Starting Directory Service
Job for dirsrv at IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv at IPA-CANDEAL-CA.service" and "journalctl -xe" for details.
Failed to start Directory Service: Command ''/bin/systemctl' 'start' 'dirsrv at IPA-CANDEAL-CA.service'' returned non-zero exit status 1

Logs from /var/log/messages

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server IPA-CANDEAL-CA....
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, Netscape Portable Runtime error -5950 (File not found.)
this is BAD, looks like you completely lost your configuration file for DS, so it doesn't even know where to log anything. When you lost your VM and rebooted there must have been some data loss.
It could be only dse.ldif, but also other files.




[root at cd-p-ipa1 log]# systemctl start dirsrv at IPA-CANDEAL-CA.service
Job for dirsrv at IPA-CANDEAL-CA.service failed because the control process exited with error code. See "systemctl status dirsrv at IPA-CANDEAL-CA.service" and "journalctl -xe" for details.

[root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-CANDEAL-CA.service -l
● dirsrv at IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
  Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)

Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 27 10:26:17 cd-p-ipa1.ipa.domain.com ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
[root at cd-p-ipa1 log]#

Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 10:06 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/27/2016 03:48 PM, Gady Notrica wrote:
Hello Ludwig,

I do have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"


I don’t know if that helps.
no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv...
And at least the startup messages should be there

Can you try to start dirsrv again, and check what config settings for errorlog are in your dse.ldif





Gady

From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 09:09 PM, Gady Notrica wrote:

HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local at IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available))
[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
these are old logs, the problem you were reporting was on Apr 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.domain.com ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.com ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

we need the logs from that time

Gady



-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting



Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds error log?

rob



>
> Gady
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night
> (networking issues in datacenter)
>
> Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:

>> Here...
>>
>> [root at cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other
>> services
>> ipa: INFO: The ipactl command was successful
>>
>> [root at cd-p-ipa1 log]# systemctl status dirsrv at IPA-DOMAIN-LOCAL.service -l
>> ● dirsrv at IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>>      Loaded: loaded (/usr/lib/systemd/system/dirsrv at .service; enabled; vendor preset: disabled)
>>      Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>>     Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

> this says the server doesn't know a syntax oid, but it is a known one.
> It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-<INSTANCE>/errors ?
>
> And, did you do any changes to the system before this problem started ?
>> [root at cd-p-ipa1 log]#
>>
>> Gady
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin
>> Babinsky
>> Sent: April 26, 2016 9:17 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc service not starting
>>
>> On 04/26/2016 03:13 PM, Gady Notrica wrote:

>>> Hello world,
>>>
>>> I am having issues this morning with my primary IPA. See below the
>>> details in the logs and command result. Basically, krb5kdc service
>>> not starting - krb5kdc: Server error - while fetching master key.
>>>
>>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>>
>>> Please help…!
>>>
>>> [root at cd-ipa1 log]# systemctl status krb5kdc.service -l
>>> ● krb5kdc.service - Kerberos 5 KDC
>>>      Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>>      Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>>     Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
>>> [root at cd-ipa1 log]#
>>>
>>> Errors in /var/log/krb5kdc.log
>>>
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>>
>>> [root at cd-ipa1 log]# systemctl status httpd -l
>>> ● httpd.service - The Apache HTTP Server
>>>      Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>>>      Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>>>        Docs: man:httpd(8)
>>>              man:apachectl(8)
>>>     Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa         : ERROR    Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
>>> [root at cd-ipa1 log]#
>>>
>>> DNS Result for dig redhat.com
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;redhat.com.                    IN      A
>>>
>>> ;; ANSWER SECTION:
>>> redhat.com.             60      IN      A       209.132.183.105
>>>
>>> ;; AUTHORITY SECTION:
>>> .                       849     IN      NS      f.root-servers.net.
>>> .                       849     IN      NS      e.root-servers.net.
>>> .                       849     IN      NS      k.root-servers.net.
>>> .                       849     IN      NS      m.root-servers.net.
>>> .                       849     IN      NS      b.root-servers.net.
>>> .                       849     IN      NS      g.root-servers.net.
>>> .                       849     IN      NS      c.root-servers.net.
>>> .                       849     IN      NS      h.root-servers.net.
>>> .                       849     IN      NS      l.root-servers.net.
>>> .                       849     IN      NS      a.root-servers.net.
>>> .                       849     IN      NS      j.root-servers.net.
>>> .                       849     IN      NS      i.root-servers.net.
>>> .                       849     IN      NS      d.root-servers.net.
>>>
>>> ;; ADDITIONAL SECTION:
>>> j.root-servers.net.     3246    IN      A       192.58.128.30
>>>
>>> ;; Query time: 79 msec
>>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>>> ;; MSG SIZE  rcvd: 282
>>>
>>> Gady
>>>

>> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv at IPA-DOMAIN-LOCAL.service'?
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
> Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
> O'Neill
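As an added example (my own code, not from the thread and not part of FreeIPA or 389-ds): a POSIX shell triage of an instance directory in the state Gady's listing shows, which checks that a backup copy actually carries a cn=config entry with an nsslapd-errorlog setting (the setting Ludwig asked about) before it is copied over the missing dse.ldif, and refuses to clobber a dse.ldif that is still there. The instance directory, its files and the errorlog path below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeIPA/389-ds code.
# Candidate names are the ones ns-slapd itself tries on startup
# (dse.ldif.tmp, dse.ldif.bak) plus the ones in Gady's ls output
# (dse.ldif.startOK, dse.ldif.ipa.*). The demo directory is constructed;
# point the functions at /etc/dirsrv/slapd-<INSTANCE> for real use.

# dse_state DIR -> "present" or "missing" for DIR/dse.ldif
# (ns-slapd logged "could not be accessed ... File not found" when it is gone).
dse_state() {
    if [ -f "$1/dse.ldif" ]; then echo present; else echo missing; fi
}

# dse_candidates DIR -> usable backup copies, newest first. A copy with no
# cn=config entry or no nsslapd-errorlog setting is skipped, so an empty
# or truncated file is never chosen.
dse_candidates() {
    dir="$1"
    set --
    for f in "$dir/dse.ldif.startOK" "$dir/dse.ldif.bak" "$dir/dse.ldif.tmp" \
             "$dir"/dse.ldif.ipa.*; do
        [ -f "$f" ] || continue
        grep -q '^dn: cn=config$' "$f" || continue
        grep -qi '^nsslapd-errorlog:' "$f" || continue
        set -- "$@" "$f"
    done
    if [ $# -gt 0 ]; then ls -t "$@"; fi
}

# dse_pick DIR -> the newest usable candidate; exit status 1 if none.
dse_pick() {
    c=$(dse_candidates "$1" | head -n 1)
    [ -n "$c" ] && echo "$c"
}

# dse_errorlog FILE -> the nsslapd-errorlog path recorded in FILE.
dse_errorlog() {
    sed -n 's/^nsslapd-errorlog: //p' "$1" | head -n 1
}

# dse_restore DIR -> copy the newest usable candidate to DIR/dse.ldif,
# keeping mode and timestamps; refuses to overwrite an existing dse.ldif
# so a live config is never replaced by an older copy by accident.
dse_restore() {
    dir="$1"
    if [ -f "$dir/dse.ldif" ]; then
        echo "refusing to overwrite existing $dir/dse.ldif" >&2
        return 1
    fi
    src=$(dse_pick "$dir") || return 1
    cp -p "$src" "$dir/dse.ldif" && echo "restored $dir/dse.ldif from $src"
}

# Constructed demo directory mimicking the thread: no dse.ldif, a good
# startOK copy, an older good ipa.* copy, a truncated .bak, an empty .tmp.
DEMO=$(mktemp -d)
cat > "$DEMO/dse.ldif.startOK" <<'EOF'
dn: cn=config
objectClass: top
cn: config
nsslapd-errorlog: /var/log/dirsrv/slapd-DEMO/errors
nsslapd-errorlog-level: 16384
EOF
cp "$DEMO/dse.ldif.startOK" "$DEMO/dse.ldif.ipa.0123456789abcdef"
touch -t 201601151159 "$DEMO/dse.ldif.ipa.0123456789abcdef"   # older copy
printf 'dn: cn=schema\nobjectClass: top\n' > "$DEMO/dse.ldif.bak"  # lost cn=config
: > "$DEMO/dse.ldif.tmp"                                          # empty

echo "dse.ldif is $(dse_state "$DEMO")"
echo "usable copies, newest first:"
dse_candidates "$DEMO"
echo "would restore from: $(dse_pick "$DEMO")"
```

Run as root on a real instance, `dse_restore` keeps the 0600 mode of the source copy via `cp -p`; check the owner afterwards matches the other files in the directory (dirsrv in Gady's listing).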
