On 04/27/2016 03:48 PM, Gady Notrica wrote:


Hello Ludwig,

I do have only 1 error log for the 26th in /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2

[*26/Apr/2016*:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute "sn" required by object class "person"

I don’t know if that helps.

no. And it is weird that there should be no logs, there were definitely messages logged around 8:50, you provided them via systemctl status dirsrv...
And at least the startup messages should be there.

Can you try to start dirsrv again, and check what config settings for errorlog are in your dse.ldif?

Gady

*From:*Ludwig Krispenz [mailto:lkris...@redhat.com]
*Sent:* April 27, 2016 3:18 AM
*To:* Gady Notrica
*Cc:* Rob Crittenden; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 09:09 PM, Gady Notrica wrote:

    HERE..

    [23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get
    initial credentials for principal
    [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in
    keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot
    contact any KDC for requested realm)

    [23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind -
    Error: could not perform interactive bind for id [] mech [GSSAPI]:
    LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
    Error: Unspecified GSS failure.  Minor code may provide more
    information (No Kerberos credentials available)) errno 0 (Success)

    [23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not
    perform interactive bind for id [] authentication mechanism
    [GSSAPI]: error -2 (Local error)

    [23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin -
    agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389):
    Replication bind with GSSAPI auth failed: LDAP error -2 (Local
    error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
    failure.  Minor code may provide more information (No Kerberos
    credentials available))

    [23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All
    Interfaces port 389 for LDAP requests

    [23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port
    636 for LDAPS requests

    [23/Apr/2016:11:39:51 -0400] - Listening on
    /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

    [23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin -
    agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389):
    Replication bind with GSSAPI auth resumed

    [23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin -
    agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable
    to receive the response for a startReplication extended operation
    to consumer (Can't contact LDAP server). Will retry later.

    [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind -
    Error: could not perform interactive bind for id [] mech [GSSAPI]:
    LDAP error -1 (Can't contact LDAP server) ((null)) errno 107
    (Transport endpoint is not connected)

    [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not
    perform interactive bind for id [] authentication mechanism
    [GSSAPI]: error -1 (Can't contact LDAP server)

    [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind -
    Error: could not perform interactive bind for id [] mech [GSSAPI]:
    LDAP error -1 (Can't contact LDAP server) ((null)) errno 107
    (Transport endpoint is not connected)

    [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not
    perform interactive bind for id [] authentication mechanism
    [GSSAPI]: error -1 (Can't contact LDAP server)

    [23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind -
    Error: could not perform interactive bind for id [] mech [GSSAPI]:
    LDAP error -1 (Can't contact LDAP server) ((null)) errno 107
    (Transport endpoint is not connected)

    [23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not
    perform interactive bind for id [] authentication mechanism
    [GSSAPI]: error -1 (Can't contact LDAP server)

    [23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin -
    agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389):
    Replication bind with GSSAPI auth resumed

    [25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync
    - failed to send dirsync search request: 2

these are old logs, the problem you were reporting was on Apr, 26:


Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] 
dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 
(Invalid syntax) - attribute type aci: Unknown attribute syntax OID 
"1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.

we need the logs from that time




Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:

> Hey world,

>

> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds error log?

rob

>

> Gady

>

> -----Original Message-----

> From: freeipa-users-boun...@redhat.com

> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica

> Sent: April 26, 2016 10:10 AM

> To: Ludwig Krispenz; freeipa-users@redhat.com

> Subject: Re: [Freeipa-users] krb5kdc service not starting

>

> No, no changes. Lost connectivity with my VMs during the night

> (networking issues in datacenter)

>

> Reboot the server and oops, no IPA is coming up... The replica (secondary server) is fine though.

>

> Gady Notrica

>

> -----Original Message-----

> From: freeipa-users-boun...@redhat.com

> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz

> Sent: April 26, 2016 10:02 AM

> To: freeipa-users@redhat.com

> Subject: Re: [Freeipa-users] krb5kdc service not starting

>

>

> On 04/26/2016 03:26 PM, Gady Notrica wrote:

>> Here...

>>

>> [root@cd-p-ipa1 log]# ipactl status

>> Directory Service: STOPPED

>> Directory Service must be running in order to obtain status of other

>> services

>> ipa: INFO: The ipactl command was successful

>>

>> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l

>> ● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.

>> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)

>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago

>>     Process: 6333 ExecStart=/usr/sbin/ns-slapd -D

>> /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w

>> /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)

>>

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"

>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.

> this says the server doesn't know a syntax oid, but it is a known one.

> It could be that the syntax plugins couldn't be loaded. There are more errors before, could you check where the errors start in /var/log/dirsrv/slapd-<INSTANCE>/errors ?

>

> And, did you do any changes to the system before this problem started ?

>> [root@cd-p-ipa1 log]#

>>

>> Gady

>>

>> -----Original Message-----

>> From: freeipa-users-boun...@redhat.com

>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin

>> Babinsky

>> Sent: April 26, 2016 9:17 AM

>> To: freeipa-users@redhat.com

>> Subject: Re: [Freeipa-users] krb5kdc service not starting

>>

>> On 04/26/2016 03:13 PM, Gady Notrica wrote:

>>> Hello world,

>>>

>>>

>>>

>>> I am having issues this morning with my primary IPA. See below the

>>> details in the logs and command result. Basically, krb5kdc service

>>> not starting - krb5kdc: Server error - while fetching master key.

>>>

>>>

>>>

>>> DNS is functioning. See below dig result. I have a trust with Windows AD.

>>>

>>>

>>>

>>> Please help…!

>>>

>>>

>>>

>>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l

>>>

>>> ● krb5kdc.service - Kerberos 5 KDC

>>>

>>>      Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;

>>> disabled; vendor preset: disabled)

>>>

>>>      Active: failed (Result: exit-code) since Tue 2016-04-26

>>> 08:27:52 EDT; 41min ago

>>>

>>>     Process: 3694 ExecStart=/usr/sbin/krb5kdc -P

>>> /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

>>>

>>>

>>>

>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting

>>> Kerberos

>>> 5 KDC...

>>>

>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc:

>>> cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details

>>>

>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service:

>>> control process exited, code=exited status=1

>>>

>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start

>>> Kerberos 5 KDC.

>>>

>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit

>>> krb5kdc.service entered failed state.

>>>

>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.

>>>

>>> [root@cd-ipa1 log]#

>>>

>>>

>>>

>>> Errors in /var/log/krb5kdc.log

>>>

>>>

>>>

>>> krb5kdc: Server error - while fetching master key K/M for realm

>>> DOMAIN.LOCAL

>>>

>>> krb5kdc: Server error - while fetching master key K/M for realm

>>> DOMAIN.LOCAL

>>>

>>> krb5kdc: Server error - while fetching master key K/M for realm

>>> DOMAIN.LOCAL

>>>

>>>

>>>

>>> [root@cd-ipa1 log]# systemctl status httpd -l

>>>

>>> ● httpd.service - The Apache HTTP Server

>>>

>>>      Loaded: loaded (/etc/systemd/system/httpd.service; disabled;

>>> vendor

>>> preset: disabled)

>>>

>>>      Active: failed (Result: exit-code) since Tue 2016-04-26

>>> 08:27:21 EDT; 39min ago

>>>

>>>        Docs: man:httpd(8)

>>>

>>> man:apachectl(8)

>>>

>>>     Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy

>>> (code=exited, status=1/FAILURE)

>>>

>>>

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:

>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line

>>> 1579, in __wait_for_connection

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:

>>> wait_for_open_socket(lurl.hostport, timeout)

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:

>>> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line

>>> 1200, in wait_for_open_socket

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:

>>> raise e

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:

>>> error: [Errno 2] No such file or directory

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:

>>> ipa         : ERROR Unknown error while retrieving setting from

>>> ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No

>>> such file or directory

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service:

>>> control process exited, code=exited status=1

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start

>>> The Apache HTTP Server.

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit

>>> httpd.service entered failed state.

>>>

>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.

>>>

>>> [root@cd-ipa1 log]#

>>>

>>>

>>>

>>>

>>>

>>> DNS Result for dig redhat.com

>>>

>>>

>>>

>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com

>>>

>>> ;; global options: +cmd

>>>

>>> ;; Got answer:

>>>

>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414

>>>

>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL:

>>> 2

>>>

>>>

>>>

>>> ;; OPT PSEUDOSECTION:

>>>

>>> ; EDNS: version: 0, flags:; udp: 4096

>>>

>>> ;; QUESTION SECTION:

>>>

>>> ;redhat.com.                    IN      A

>>>

>>>

>>>

>>> ;; ANSWER SECTION:

>>>

>>> redhat.com. 60      IN      A       209.132.183.105

>>>

>>>

>>>

>>> ;; AUTHORITY SECTION:

>>>

>>> . 849     IN      NS      f.root-servers.net.

>>>

>>> . 849     IN      NS      e.root-servers.net.

>>>

>>> . 849     IN      NS      k.root-servers.net.

>>>

>>> . 849     IN      NS      m.root-servers.net.

>>>

>>> . 849     IN      NS      b.root-servers.net.

>>>

>>> . 849     IN      NS      g.root-servers.net.

>>>

>>> . 849     IN      NS      c.root-servers.net.

>>>

>>> . 849     IN      NS      h.root-servers.net.

>>>

>>> . 849     IN      NS      l.root-servers.net.

>>>

>>> . 849     IN      NS      a.root-servers.net.

>>>

>>> . 849     IN      NS      j.root-servers.net.

>>>

>>> . 849     IN      NS      i.root-servers.net.

>>>

>>> . 849     IN      NS      d.root-servers.net.

>>>

>>>

>>>

>>> ;; ADDITIONAL SECTION:

>>>

>>> j.root-servers.net. 3246    IN      A       192.58.128.30

>>>

>>>

>>>

>>> ;; Query time: 79 msec

>>>

>>> ;; SERVER: 10.20.10.41#53(10.20.10.41)

>>>

>>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016

>>>

>>> ;; MSG SIZE  rcvd: 282

>>>

>>>

>>>

>>> Gady

>>>

>>>

>>>

>>>

>>>

>> It seems like Directory server is not running. Can you post result of 'ipactl status' and 'systemctl status dirsrv@IPA-DOMAIN-LOCAL.service'?

>>

>> --

>> Martin^3 Babinsky

>>

>> --

>> Manage your subscription for the Freeipa-users mailing list:

>> https://www.redhat.com/mailman/listinfo/freeipa-users

>> Go to http://freeipa.org for more info on the project

>>

>

> --

> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,

> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing

> Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael

> O'Neill

>

> --

> Manage your subscription for the Freeipa-users mailing list:

> https://www.redhat.com/mailman/listinfo/freeipa-users

> Go to http://freeipa.org for more info on the project

>



--
Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
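
The check requested at the top of this message (which errorlog settings are in dse.ldif) can be scripted as below. This is an added example, not part of the thread or of 389-ds/FreeIPA; the function names are hypothetical, the sample file is constructed, and it assumes the instance's dse.ldif is in /etc/dirsrv/slapd-<INSTANCE>/.

```shell
# Added example (not from the thread): inspect 389-ds error-log settings.

# Print every nsslapd-errorlog* attribute of the "dn: cn=config" entry.
# LDIF folds long values onto continuation lines starting with one space,
# so lines are unfolded before matching; attribute names are lowercased.
errorlog_settings() {
    awk '
        function emit() {
            if (line == "") { in_cfg = 0; return }   # blank line ends entry
            if (tolower(line) ~ /^dn:[ ]*cn=config$/) { in_cfg = 1; return }
            if (in_cfg && tolower(line) ~ /^nsslapd-errorlog[a-z-]*:/) {
                i = index(line, ":")
                print tolower(substr(line, 1, i - 1)) substr(line, i)
            }
        }
        /^ / { line = line substr($0, 2); next }     # continuation line
        { if (NR > 1) emit(); line = $0 }
        END { emit() }
    ' "$1"
}

# Succeed only if a log path is set, logging is not "off", and the log
# directory exists; otherwise print the reason and return 1.
check_errorlog() {
    settings=$(errorlog_settings "$1")
    path=$(printf '%s\n' "$settings" | sed -n 's/^nsslapd-errorlog: *//p')
    enabled=$(printf '%s\n' "$settings" |
        sed -n 's/^nsslapd-errorlog-logging-enabled: *//p')
    if [ -z "$path" ]; then echo "no nsslapd-errorlog path set"; return 1; fi
    if [ "$enabled" = off ]; then echo "error logging is off"; return 1; fi
    dir=$(dirname "$path")
    if [ ! -d "$dir" ]; then echo "log directory missing: $dir"; return 1; fi
    echo "error log: $path"
}

# Constructed sample dse.ldif ($1 = scratch dir, $2 = on|off), with a folded
# path and a decoy attribute in another entry.
make_sample() {
    cat > "$1/dse.ldif" <<EOF
dn: cn=config
nsslapd-errorlog: $1/log/err
 ors
nsslapd-errorlog-level: 16384
nsslapd-errorlog-logging-enabled: $2

dn: cn=monitor
nsslapd-errorlog-level: 1
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp" off
errorlog_settings "$tmp/dse.ldif"
check_errorlog "$tmp/dse.ldif" || true
rm -rf "$tmp"
```

On the affected host the call would be `check_errorlog /etc/dirsrv/slapd-<INSTANCE>/dse.ldif`, run as a user allowed to read that file.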
