Gady Notrica wrote:
Hey world,

Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds error log?

rob


Gady

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 26, 2016 10:10 AM
To: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter).

Rebooted the server and oops, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:
Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
     Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
    Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

This says the server doesn't know a syntax OID, but it is a known one.
It could be that the syntax plugins couldn't be loaded. There are more errors 
before; could you check where the errors start in 
/var/log/dirsrv/slapd-<INSTANCE>/errors?

And did you make any changes to the system before this problem started?
[root@cd-p-ipa1 log]#

Gady

-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:
Hello world,

I am having issues this morning with my primary IPA. See below the
details in the logs and command result. Basically, krb5kdc service
not starting - krb5kdc: Server error - while fetching master key.

DNS is functioning. See below dig result. I have a trust with Windows AD.

Please help…!

[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
     Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
    Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#

Errors in /var/log/krb5kdc.log

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL



[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
       Docs: man:httpd(8)
             man:apachectl(8)
    Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa         : ERROR    Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
[root@cd-ipa1 log]#

DNS Result for dig redhat.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;redhat.com.                    IN      A

;; ANSWER SECTION:
redhat.com.             60      IN      A       209.132.183.105

;; AUTHORITY SECTION:
.                       849     IN      NS      f.root-servers.net.
.                       849     IN      NS      e.root-servers.net.
.                       849     IN      NS      k.root-servers.net.
.                       849     IN      NS      m.root-servers.net.
.                       849     IN      NS      b.root-servers.net.
.                       849     IN      NS      g.root-servers.net.
.                       849     IN      NS      c.root-servers.net.
.                       849     IN      NS      h.root-servers.net.
.                       849     IN      NS      l.root-servers.net.
.                       849     IN      NS      a.root-servers.net.
.                       849     IN      NS      j.root-servers.net.
.                       849     IN      NS      i.root-servers.net.
.                       849     IN      NS      d.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.     3246    IN      A       192.58.128.30

;; Query time: 79 msec
;; SERVER: 10.20.10.41#53(10.20.10.41)
;; WHEN: Tue Apr 26 09:02:43 EDT 2016
;; MSG SIZE  rcvd: 282



Gady





It seems like Directory server is not running. Can you post result of 'ipactl 
status' and 'systemctl status dirsrv@IPA-CANDEAL-CA.service'?

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial 
register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Paul Argiry, 
Charles Cachera, Michael Cunningham, Michael O'Neill
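
Added example (not part of the original thread, and not FreeIPA or 389-ds code): one way to see where the errors start in the 389-ds errors log is to collapse repeated messages and list them in first-seen order, and to pull out the file the server rejected. The function names are hypothetical and the sample text is constructed from the messages quoted in this thread.

```python
import re
from collections import OrderedDict

# Matches the bracketed 389-ds timestamp whether the line comes from the
# errors file or from journal output (which adds a syslog prefix).
ENTRY = re.compile(
    r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"
    r"\s+(?:-\s+)?(?P<msg>.*)$"
)
INVALID = re.compile(r"in file (?P<path>\S+) \(lineno: (?P<line>\d+)\) is invalid")

# Constructed sample: messages copied from the thread, repeat count shortened.
SAMPLE = """\
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
"""


def summarize(text):
    """Return (message, first_timestamp, count) in first-seen order."""
    seen = OrderedDict()
    for raw in text.splitlines():
        m = ENTRY.search(raw)
        if not m:
            continue  # continuation lines or unrelated output
        slot = seen.setdefault(m.group("msg").strip(), [m.group("ts"), 0])
        slot[1] += 1
    return [(msg, ts, n) for msg, (ts, n) in seen.items()]


def invalid_files(text):
    """Return (path, lineno) for every file the server rejected while loading."""
    return [(m.group("path"), int(m.group("line"))) for m in INVALID.finditer(text)]


if __name__ == "__main__":
    for msg, ts, n in summarize(SAMPLE):
        print(f"{n:>3}x first at {ts}: {msg[:90]}")
    for path, line in invalid_files(SAMPLE):
        print(f"check {path} (line {line})")
```

Run against the full errors file rather than the journal excerpt, the first row is the earliest distinct message of the failed start.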
