Rich Megginson wrote:
On 05/17/2012 03:13 PM, Iliyan Stoyanov wrote:
Hello,
I'm running latest (as of today) F17 with FreeIPA v.2.2.0. After
running ipa-server-install everything runs alright and IPA is running
fine. 389, kerberos and the rest of the components start up fine.
However after reboot of the machine IPA doesn't want to start,
systemctl status ipa.service reports:
ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
Active: failed (Result: exit-code) since Thu, 17 May 2012 23:17:42
+0300; 6min ago
Process: 567 ExecStart=/usr/sbin/ipactl start (code=exited,
status=1/FAILURE)
CGroup: name=systemd:/system/ipa.service
May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Failed to
read data from Directory Service: Unknown error when retrieving list
of services from LDAP: [Errno 111] Connection refused
May 17 23:17:40 cerberus.intra.evilpuppy.bg ipactl[567]: Shutting down
May 17 23:17:41 cerberus.intra.evilpuppy.bg ipactl[567]: Starting
Directory Service
and ipactl start just repeats the error:
ipactl start
Starting Directory Service
Failed to read data from Directory Service: Unknown error when
retrieving list of services from LDAP: [Errno 111] Connection refused
Shutting down
If I start ns-slapd by hand with ns-slapd -D /etc/dirsrv/slapd-PKI-IPA
&& ns-slapd -D /etc/dirsrv/slapd-MYREALM, slapd starts, however the
MYREALM instance throws
etc/dirsrv/slapd-MYREALM/dse.ldif: nsslapd-maxdescriptors:
nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors
must range from 1 to 4096 (the current process limit). Server will use
a setting of 4096.
[17/May/2012:23:25:29 +0300] - Config Warning: -
nsslapd-maxdescriptors: invalid value "8192", maximum file descriptors
must range from 1 to 4096 (the current process limit). Server will use
a setting of 4096.
which however is not a big problem, but it seems ns-slapd doesn't care
about the limits that are setup in the limits.conf.
It cares, but the systemd conf file must also specify NOFILES=8192
after starting the directory server I again try with systemctl start
ipa.service and the result this time is:
ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
Active: failed (Result: exit-code) since Thu, 17 May 2012 23:28:02
+0300; 25s ago
Process: 942 ExecStart=/usr/sbin/ipactl start (code=exited,
status=1/FAILURE)
CGroup: name=systemd:/system/ipa.service
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Job failed.
See system journal and 'systemctl status' for details.
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Failed to
start KDC Service
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Shutting down
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Aborting ipactl
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting
Directory Service
May 17 23:28:02 cerberus.intra.evilpuppy.bg ipactl[942]: Starting KDC
Service
the /var/log/krb5kdc.log reports:
rb5kdc: Server error - while fetching master key K/M for realm MYREALM
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](debug): Got signal
to request exit
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
down fd 9
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
down fd 10
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
down fd 8
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): closing
down fd 7
May 17 23:14:25 cerberus.--redacted-- krb5kdc[3275](info): shutting down
krb5kdc: Server error - while fetching master key K/M for realm MYREALM
>From what I get from the kdc.conf file in /var/kerberos/krb5kdc it
seems like the files
pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
are missing in that path, however I don't really know what should
generate those pem certs. From my very basic understanding of how IPA
works I assume that is dogtag's job, and again I assume ipactl
start/systemctl start ipa.service probably should take care of that,
however this doesn't happen.
So any help with this issue is welcome. I can go for LDAP/KRB setup to
use on my virtual/physical machines, however if going down the
krb/LDAP route I think IPA would be far better to support in the long run.
If that might be some help, I'm running x86_64 F17 inside Xen domU.
The host is Fedora 17 Dom0 with a bunch of other CentOS6.2 and NetBSD6
DomU.
I have the exact same situation also with FreeIPA built from git. The
packages from git are version 2.99:
freeipa-server-selinux-2.99.0GIT46c6ff6-0.fc17.x86_64
freeipa-python-2.99.0GIT46c6ff6-0.fc17.x86_64
freeipa-admintools-2.99.0GIT46c6ff6-0.fc17.x86_64
freeipa-server-2.99.0GIT46c6ff6-0.fc17.x86_64
freeipa-client-2.99.0GIT46c6ff6-0.fc17.x86_64
the 2.2.0 version I also ran was the one in F17.
Thanks in advance,
BR
ilf
It could be a timeout problem. ipactl starts the dirsrv instance to get
the list of services it needs to start. If this connect fails it would
behave this way. If you look in /usr/sbin/ipactl you'll see a 6 second
timeout. I'd try bumping that up to a higher value.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
