Umarzuki Mochlis wrote:
> After rebooting freeipa server, I cannot log in to its web interface
> and when I try to start it, it failed
> 
> More info:
> 
> [root@ipa ~]# systemctl start ipa.service
> Job for ipa.service failed. See 'systemctl status ipa.service' and
> 'journalctl -n' for details.
> 
> [root@ipa ~]# systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
>           Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
>           Active: failed (Result: exit-code) since Sun, 2015-03-01
> 21:36:49 MYT; 15s ago
>          Process: 1918 ExecStart=/usr/sbin/ipactl start (code=exited,
> status=1/FAILURE)
>           CGroup: name=systemd:/system/ipa.service
> 
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Aborting ipactl
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting Directory Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting krb5kdc Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting kadmin Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting ipa_memcached Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting httpd Service
> Mar 01 21:36:49 ipa.domain.com ipactl[1918]: Starting pki-tomcatd Service
> Mar 01 21:36:49 ipa.domain.com systemd[1]: ipa.service: main process
> exited, code=exited, status=1/FAILURE
> Mar 01 21:36:49 ipa.domain.com systemd[1]: Failed to start Identity,
> Policy, Audit.
> Mar 01 21:36:49 ipa.domain.com systemd[1]: Unit ipa.service entered failed 
> state
> 
> [root@ipa ~]# KRB5_TRACE=/dev/stdout kinit admin
> [2324] 1425217336.627346: Getting initial credentials for ad...@domain.com
> [2324] 1425217336.630877: Sending request (155 bytes) to domain.com
> [2324] 1425217336.631163: Sending initial UDP request to dgram 
> 192.168.1.100:88
> [2324] 1425217336.631265: UDP error receiving from dgram
> 192.168.1.100:88: 111/Connection refused
> [2324] 1425217336.631301: Initiating TCP connection to stream 192.168.1.100:88
> [2324] 1425217336.631351: Terminating TCP connection to stream 
> 192.168.1.100:88
> kinit: Cannot contact any KDC for realm 'domain.com' while getting
> initial credentials
> 
> [root@ipa ~]# rpm -qa  | grep ipa
> freeipa-admintools-3.1.0-2.fc18.x86_64
> freeipa-server-3.1.0-2.fc18.x86_64
> libipa_hbac-python-1.9.3-1.fc18.x86_64
> python-iniparse-0.4-6.fc18.noarch
> freeipa-client-3.1.0-2.fc18.x86_64
> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> freeipa-python-3.1.0-2.fc18.x86_64
> libipa_hbac-1.9.3-1.fc18.x86_64
> 
> What is my next course of action to solve this?
> 

Two suggestions:

# getcert list

See if you have a bunch of expired certificates. I'm thinking probably
not the problem since Apache appears to have started.

It is failing with the CA so I'd look in those logs, /var/log/pki-ca
IIRC with 3.1 (or /var/log/pki-something, should be obvious.

You may also want to look for SELinux errors:

# ausearch -m AVC -ts recent

Assuming expired certificates aren't the problem you can manually start
the other services to get your infrastructure back up while you
investigate the CA startup failure.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to