[Freeipa-users] IPA wont start, all services fail

Alexander Bokovoy abokovoy at redhat.com
Mon Jan 18 07:27:48 UTC 2016


On Mon, 18 Jan 2016, Simpson Lachlan wrote:
>> None of the above is revealing an issue.
>>
>> Follow http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>> to enable crashdumps for ns-slapd to see what happens in reality (check
>> systemd-enabled systems' recipes).
>
>Here is where things got interesting - I was 20 minutes in before I realised I had
>no dirsrv core dumps.
>
>New things I learnt while doing this though:
>
> - I have 2.5 GB of core files in /var/log/samba/cores/winbindd ? To the best of my
>knowledge I was using SSSD, I have no idea what winbind is doing there. Can I just
>delete (yum remove samba-winbind*) it? From the look of it, I'm getting a new winbind
>core dump every 5 minutes. Could this be stopping samba from running?
smbd and winbindd are required for trust setup but their startup fails
because they cannot talk to LDAP server over LDAPI+GSSAPI. That's why
they coredump, to indicate an issue. However, they are not the issue in
themselves, they are a consequence of your LDAP server not being able to
start.

> - /etc/nsswitch.conf is all "files sss" - there's no winbind anywhere.
winbindd has multiple operations and we are using the trust topology part of
it, not identity management.

>- while following the instructions to "set ulimit -c unlimited" on system I found things
>that *really* confused me:
>
>As noted in the original email, this was in the failed list of systemctld:
>
> dirsrv@unix.co.org.au.service
>
>and it continues to fail this morning. So I tried running
>
>sc start dirsrv.target
>
>and that worked:
>
>[root@vmts-linuxidm samba]# sc status dirsrv.target
>● dirsrv.target - 389 Directory Server
>   Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; enabled; vendor preset: disabled)
>   Active: active since Mon 2016-01-18 09:58:14 AEDT; 1h 20min ago
>
>Jan 18 09:58:14 vmts-linuxidm.unix.co.org.au systemd[1]: Reached target 389 Directory Server.
>Jan 18 09:58:14 vmts-linuxidm.unix.co.org.au systemd[1]: Starting 389 Directory Server.
>
>
>
>So I stopped it and started dirsrv@unix.co.org.au just to confirm, and yes it's failing.
>After some testing, I discovered that *this* would work:
>
>sc start dirsrv@UNIX-CO-ORG-AU
>
>My syntax was all wrong. (Does anyone know how can I clear out bad syntax from the
>systemctld output?)
What bad output?
 systemctl start dirsrv@INSTANCE
is the correct syntax where INSTANCE is the same as for /etc/dirsrv/slapd-INSTANCE or /var/log/dirsrv/slapd-INSTANCE.
The name of the instance is produced from the realm by replacing dots with
-.

>Anyway, I have a running dirsrv, but SMB still fails, and it's failing on winbind first (see
>notes below). It looks like it's because there's no Kerberos server available. Indeed,
>kinit admin is still failing. I think that when I ran ipa-adtrust-install I said no to creating
>sids for local users.
>[root@vmts-linuxidm samba]# sc status dirsrv@UNIX-CO-ORG-AU.service
>dirsrv@UNIX-CO-ORG-AU.service - 389 Directory Server UNIX-CO-ORG-AU.
>   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>   Active: active (running) since Mon 2016-01-18 11:21:25 AEDT; 5min ago
>  Process: 11655 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
> Main PID: 11656 (ns-slapd)
>   CGroup: /system.slice/system-dirsrv.slice/dirsrv@UNIX-CO-ORG-AU.service
>           └─11656 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-UNIX-CO-ORG-AU -i /var/run/dirsrv/slapd-UNIX-CO-OR...
>
>Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
>Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
>Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
>Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
>Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
>Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] - SSL alert:         ...led
>Jan 18 11:21:25 vmts-linuxidm.unix.co.org.au ns-slapd[11655]: [18/Jan/2016:11:21:25 +1100] SSL Initialization - ...1.2
>Jan 18 11:25:06 vmts-linuxidm.unix.co.org.au ns-slapd[11656]: GSSAPI server step 1
>Jan 18 11:25:06 vmts-linuxidm.unix.co.org.au ns-slapd[11656]: GSSAPI server step 2
>Jan 18 11:25:06 vmts-linuxidm.unix.co.org.au ns-slapd[11656]: GSSAPI server step 3
So, start KDC.

You can at this point simply try 'ipactl restart' -- it will attempt to
shut down and restart all required IPA services, including KDC.

-- 
/ Alexander Bokovoy
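
The instance naming rule from the reply above, as an added example that is not part of the original message: a shell sketch that derives the instance name from a realm, lists the slapd-INSTANCE directories, and checks a unit name against them. The function names, the `ok`/`use`/`unknown` output format, the case-insensitive suggestion and the temporary demo directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): resolve the systemd unit of a 389-ds instance.

# Realm -> instance name: dots become dashes, as the reply describes.
realm_to_instance() {
    printf '%s\n' "$1" | tr '.' '-'
}

# List instance names from the slapd-INSTANCE directories under a config root.
list_instances() {
    for d in "${1:-/etc/dirsrv}"/slapd-*; do
        [ -d "$d" ] || continue
        basename "$d" | sed 's/^slapd-//'
    done
}

# Check a unit name against the configured instances.
# Prints "ok UNIT" (status 0), "use UNIT" with the corrected name (status 1),
# or "unknown UNIT" (status 2).
check_unit() {
    unit=$1
    root=${2:-/etc/dirsrv}
    inst=${unit#dirsrv@}
    inst=${inst%.service}
    # First pass: exact match on the instance name.
    for known in $(list_instances "$root"); do
        if [ "$inst" = "$known" ]; then
            echo "ok dirsrv@$known.service"
            return 0
        fi
    done
    # Second pass: apply the dot-to-dash rule and ignore case to suggest a fix.
    want=$(realm_to_instance "$inst" | tr '[:lower:]' '[:upper:]')
    for known in $(list_instances "$root"); do
        if [ "$want" = "$(printf '%s' "$known" | tr '[:lower:]' '[:upper:]')" ]; then
            echo "use dirsrv@$known.service"
            return 1
        fi
    done
    echo "unknown $unit"
    return 2
}

# Demo on a constructed directory tree standing in for /etc/dirsrv.
demo_root=$(mktemp -d)
mkdir "$demo_root/slapd-UNIX-CO-ORG-AU"
check_unit 'dirsrv@unix.co.org.au.service' "$demo_root" || true
check_unit 'dirsrv@UNIX-CO-ORG-AU.service' "$demo_root"
rm -rf "$demo_root"
```

On a real server, call `check_unit` without the second argument so it reads /etc/dirsrv.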



