UPDATE:
I did a little more troubleshooting and was able to get dirsrv to start. Now I
need to figure out why named service won't start. Here's the output from
starting services and ipa-healthcheck. I presume several of the healthcheck
failures are due to named service not running. Can anyone confirm?
[root@gsil-ipa01 ipa]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
[root@gsil-ipa01 ipa]# ipactl start --ignore-service-failures
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Failed to start named Service
Forced start, ignoring named Service, continuing normal operation
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@gsil-ipa01 ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running
[root@gsil-ipa01 ipa]# ipa-healthcheck --failures-only
caSigningCert External CA not found, assuming 3rd party
[
{
"source": "ipahealthcheck.meta.services",
"check": "named",
"result": "ERROR",
"uuid": "b5bfa450-77f4-4655-a4e2-fccbf88aa43a",
"when": "20230316153125Z",
"duration": "0.111160",
"kw": {
"status": false,
"msg": "named: not running"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "CRITICAL",
"uuid": "dcaa538c-a5e2-4247-9210-d6047a0d65f5",
"when": "20230316153132Z",
"duration": "0.281251",
"kw": {
"key": "DSREPLLE0001",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (metogsil-ipa02.idm.x.xl) under
\"dc=idm,dc=x,dc=x\" is not in synchronization."
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "CRITICAL",
"uuid": "556f572a-0ee9-42fa-8c06-b90e33ed961d",
"when": "20230316153132Z",
"duration": "0.281301",
"kw": {
"key": "DSREPLLE0001",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (catogsil-ipa02.idm.x.x) under
\"o=ipaca\" is not in synchronization."
}
},
{
"source": "ipahealthcheck.ipa.dna",
"check": "IPADNARangeCheck",
"result": "CRITICAL",
"uuid": "7b88f564-dac5-4191-96ec-b9ad922c0f5e",
"when": "20230316153142Z",
"duration": "0.027683",
"kw": {
"exception": "Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more information
(Preauthentication failed)"
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "6b0bc0c1-d505-4f5a-944d-42dd044b2365",
"when": "20230316153426Z",
"duration": "164.364540",
"kw": {
"msg": "Got {count} ipa-ca A records, expected {expected}",
"count": 1,
"expected": 2
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "ea3fcb5d-a280-4a29-ab5b-60abe15febdb",
"when": "20230316153426Z",
"duration": "0.003201",
"kw": {
"key": "_var_log_ipaupgrade.log_mode",
"path": "/var/log/ipaupgrade.log",
"type": "mode",
"expected": "0600",
"got": "0644",
"msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644
and should be 0600"
}
},
{
"source": "ipahealthcheck.ipa.host",
"check": "IPAHostKeytab",
"result": "ERROR",
"uuid": "9e43e0d9-7143-40b1-8411-c0aa4b53bb1e",
"when": "20230316153426Z",
"duration": "0.027001",
"kw": {
"msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS
failure. Minor code may provide more information, Minor (2529638936):
Preauthentication failed"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustDomainsCheck",
"result": "ERROR",
"uuid": "a0ed3f4b-c409-42e4-b730-d9964ed46f64",
"when": "20230316153427Z",
"duration": "0.336395",
"kw": {
"key": "domain-list",
"sssctl": "/usr/sbin/sssctl",
"sssd_domains": "",
"trust_domains": "gx.x",
"msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains}
trust domains {trust_domains}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "WARNING",
"uuid": "fd1ff67b-48b3-49dd-a3b4-32631a51672f",
"when": "20230316153427Z",
"duration": "0.013619",
"kw": {
"key": "S-1-5-21-3568498085-2952124370-1649233135",
"error": "returned nothing",
"msg": "Look up of {key} {error}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "ERROR",
"uuid": "c478454c-f94c-4089-ade4-7c3bd73d6b65",
"when": "20230316153427Z",
"duration": "0.127239",
"kw": {
"key": "domain-status",
"error": "CalledProcessError(Command ['/usr/sbin/sssctl',
'domain-status', 'gx.x', '--active-server'] returned non-zero exit status 1:
'Unable to get online status\\n')",
"msg": "Execution of {key} failed: {error}"
}
}
]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
