Gady
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting
On 04/26/2016 09:09 PM, Gady Notrica wrote:
HERE..
[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
These are old logs; the problem you were reporting was on Apr 26:
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
We need the logs from that time.
Gady
-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting
Gady Notrica wrote:
Hey world,
Any ideas?
What about the first part of Ludwig's question: Is there anything in the 389-ds
error log?
rob
Gady
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 26, 2016 10:10 AM
To: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting
No, no changes. Lost connectivity with my VMs during the night (networking issues in the datacenter).
Rebooted the server and oops, IPA is not coming up... The replica (secondary server) is fine though.
Gady Notrica
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting
On 04/26/2016 03:26 PM, Gady Notrica wrote:
Here...
[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful
[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l
● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
  Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
This says the server doesn't know a syntax OID, but it is a known one.
It could be that the syntax plugins couldn't be loaded. There are more errors before; could you check where the errors start in /var/log/dirsrv/slapd-<INSTANCE>/errors?
And did you make any changes to the system before this problem started?
[root@cd-p-ipa1 log]#
Gady
-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting
On 04/26/2016 03:13 PM, Gady Notrica wrote:
Hello world,
I am having issues this morning with my primary IPA. See below the details in the logs and command results. Basically, the krb5kdc service is not starting - krb5kdc: Server error - while fetching master key.
DNS is functioning. See below the dig result. I have a trust with Windows AD.
Please help…!
[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#
Errors in /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:     wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:     raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
[root@cd-ipa1 log]#
DNS Result for dig redhat.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;redhat.com. IN A
;; ANSWER SECTION:
redhat.com. 60 IN A 209.132.183.105
;; AUTHORITY SECTION:
. 849 IN NS f.root-servers.net.
. 849 IN NS e.root-servers.net.
. 849 IN NS k.root-servers.net.
. 849 IN NS m.root-servers.net.
. 849 IN NS b.root-servers.net.
. 849 IN NS g.root-servers.net.
. 849 IN NS c.root-servers.net.
. 849 IN NS h.root-servers.net.
. 849 IN NS l.root-servers.net.
. 849 IN NS a.root-servers.net.
. 849 IN NS j.root-servers.net.
. 849 IN NS i.root-servers.net.
. 849 IN NS d.root-servers.net.
;; ADDITIONAL SECTION:
j.root-servers.net. 3246 IN A 192.58.128.30
;; Query time: 79 msec
;; SERVER: 10.20.10.41#53(10.20.10.41)
;; WHEN: Tue Apr 26 09:02:43 EDT 2016
;; MSG SIZE rcvd: 282
Gady
It seems like the Directory Server is not running. Can you post the result of 'ipactl status' and 'systemctl status dirsrv@IPA-DOMAIN-LOCAL.service'?
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
O'Neill
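The triage the replies above ask for (ignore the Apr 23 records, find where the Apr 26 errors start, and treat "Unknown attribute syntax OID" for a standard OID such as 1.3.6.1.4.1.1466.115.121.1.15 as a sign that the syntax plugins did not load rather than that the schema file is broken), as an added example that is not part of this thread or of 389-ds/FreeIPA. It assumes the `[dd/Mon/yyyy:HH:MM:SS zone]` record prefix of the 389-ds errors log and runs over a constructed sample built from the records quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Standard LDAP syntaxes (RFC 4517); 389-ds supplies these through its syntax plugins,
# so "Unknown attribute syntax OID" for one of them means the plugins were not loaded.
RFC4517_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5 String",
}
STAMP_FMT = "%d/%b/%Y:%H:%M:%S %z"  # errors-log timestamp, e.g. 26/Apr/2016:08:50:21 -0400
RECORD_RE = re.compile(r"^\[([^\]]+)\] (.*)$")
OID_RE = re.compile(r'Unknown attribute syntax OID "([\d.]+)"')
ERROR_MARKERS = ("Error", "failed", "is invalid")

def parse_record(line):
    """Split one errors-log line into (aware datetime, message); None for non-records."""
    m = RECORD_RE.match(line.strip())
    return (datetime.strptime(m.group(1), STAMP_FMT), m.group(2)) if m else None

def triage(lines, incident_stamp, window_hours=1):
    """Keep the window before the incident, report where errors start, judge any unknown OID."""
    incident = datetime.strptime(incident_stamp, STAMP_FMT)
    start = incident - timedelta(hours=window_hours)
    records = [r for r in map(parse_record, lines) if r and start <= r[0] <= incident]
    errors = [msg for _, msg in records if any(k in msg for k in ERROR_MARKERS)]
    verdict = ("no errors inside the window; widen it or check the journal" if not errors
               else "errors found, none mentions an unknown syntax OID")
    for msg in errors:
        m = OID_RE.search(msg)
        if m:
            oid, name = m.group(1), RFC4517_SYNTAXES.get(m.group(1))
            verdict = (f"OID {oid} is the standard {name} syntax: syntax plugins did not load, "
                       "look at the earlier errors rather than at the schema file" if name
                       else f"OID {oid} is not a standard syntax: check the schema file")
            break
    return {"in_window": len(records), "errors": len(errors),
            "first_error": errors[0] if errors else None, "verdict": verdict}

# Constructed sample built from the records quoted in this thread (not a real capture).
SAMPLE_LOG = """\
[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines(), "26/Apr/2016:08:50:21 -0400").items():
        print(f"{key}: {value}")
```

Widening the window to cover Apr 25 pulls the unrelated windows-sync failure in as the "first error", which is why the replies insist on the logs from the time of the incident.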