<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote: <blockquote cite="mid:1337289212.24421.16.camel@tablet" type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <meta name="GENERATOR" content="GtkHTML/4.4.2"> Hello, I'm running latest (as of today) F17 with FreeIPA v.2.2.0. After running ipa-server-install everything runs alright and IPA is running fine. 389, kerberos and the rest of the components start up fine. However after reboot of the machine IPA doesn't want to start, systemctl status ipa.service reports: ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled) Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42 +0300; 6min ago Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) CGroup: name=systemd:/system/ipa.service May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting down May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]: Starting Directory Service and ipactl start just repeats the error: ipactl start Starting Directory Service Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused Shutting down If I start ns-slapd by hand with ns-slapd -D /etc/dirsrv/slapd-PKI-IPA && ns-slapd -D /etc/dirsrv/slapd-MYREALM, slapd starts, however the MYREALM instance throws etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors: nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096. [17/May/2012:23:25:29 +0300] - Config Warning: - nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors must range from 1 to 4096 (the current process limit). Server will use a setting of 4096. which however is not a big problem, but it seems ns-slapd doesn't care about the limits that are setup in the limits.conf. </blockquote> It cares, but the systemd conf file must also specify NOFILES=8192 <blockquote cite="mid:1337289212.24421.16.camel@tablet" type="cite"> after starting the directory server I again try with systemctl start ipa.service and the result this time is: ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled) Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02 +0300; 25s ago Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) CGroup: name=systemd:/system/ipa.service May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed. See system journal and 'systemctl status' for details. May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to start KDC Service May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting down May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Aborting ipactl May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting Directory Service May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC Service the /var/log/krb5kdc.log reports: rb5kdc: Server error - while fetching master key K/M for realm MYREALM May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug): Got signal to request exit May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 9 May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 10 May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 8 May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing down fd 7 May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting down krb5kdc: Server error - while fetching master key K/M for realm MYREALM >From what I get from the kdc.conf file in /var/kerberos/krb5kdc it seems like the files pkinit_identity = <a class="moz-txt-link-freetext" href="FILE:/var/kerberos/krb5kdc/kdc.pem">FILE:/var/kerberos/krb5kdc/kdc.pem</a> pkinit_anchors = <a class="moz-txt-link-freetext" href="FILE:/var/kerberos/krb5kdc/cacert.pem">FILE:/var/kerberos/krb5kdc/cacert.pem</a> are missing in that path, however I don't really know what should generate those pem certs. From my very basic understanding of how IPA works I assume that is dogtag's job, and again I assume ipactl start/systemctl start ipa.service probably should take care of that, however this doesn't happen. So any help with this issue is welcome. I can go for LDAP/KRB setup to use on my virtual/physical machines, however if going down the krb/LDAP route I think IPA would be far better to support in the long run. If that might be some help, I'm running x86_64 F17 inside Xen domU. The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and NetBSD6 DomU. I have the exact same situation also with FreeIPA built from git. The packages from git are version 2.99: freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64 freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64 freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64 freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64 freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64 the 2.2.0 version I also ran was the one in F17. Thanks in advance, BR ilf <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> </body> </html>