Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errors
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop
[01/Apr/2015:11:02:10 +0300] - All database threads now stopped
[01/Apr/2015:11:02:10 +0300] - slapd stopped.

[01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory)
[01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time skew (-2771 secs). Current seqnum=3
[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time skew (-2770 secs). Current seqnum=1
[01/Apr/2015:10:15:39 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:10:15:39 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time skew (-2771 secs). Current seqnum=1
[01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 threads to terminate
[01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop
[01/Apr/2015:10:16:00 +0300] - All database threads now stopped
[01/Apr/2015:10:16:00 +0300] - slapd stopped.

On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome <trai...@gmail.com> wrote:
> Hi List
>
> I've just tried to restart my IPA services after recently adding a new
> replica (0 configuration changes on the IPA server otherwise!), but
> ipactl fails when starting up named:
>
> ---
> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Job for named.service failed. See 'systemctl status named.service' and
> 'journalctl -xn' for details.
> Failed to start named Service
> Shutting down
> Aborting ipactl
> ---
>
> I then manually start the named service and try again, but then the smb
> service fails:
>
> ---
> [root@lolpr-xyz-mstr ~]# ipactl start
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
> Starting smb Service
> Job for smb.service failed. See 'systemctl status smb.service' and
> 'journalctl -xn' for details.
> Failed to start smb Service
> Shutting down
> Aborting ipactl
> ---
>
> systemctl status shows the following output for smb.service:
>
> ---
> [root@lolpr-xyz-mstr ~]# systemctl -l status smb.service
> smb.service - Samba SMB Daemon
> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
> Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10
> AST; 1min 14s ago
> Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
> status=1/FAILURE)
> Main PID: 4662 (code=exited, status=1/FAILURE)
> Status: "Starting process..."
> CGroup: /system.slice/smb.service
>
> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1
> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Server ldap/lolpr-xyz-mstr@XYZ.LOCAL not found in Kerberos database)
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
> 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base DN.
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
> 09:21:10.211210, 0]
> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
> init (error was NT_STATUS_UNSUCCESSFUL)
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
> process exited, code=exited, status=1/FAILURE
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
> Samba SMB Daemon.
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
> entered failed state.
> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB Daemon.
> ---
>
>
> I manually try to start the smb service as follows, but can't (Of
> course the directory service is not up, so there's a little catch22
> there and this may not mean much):
>
>
> ---
>
> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service
> smb.service - Samba SMB Daemon
> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
> Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; 57s
> ago
> Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
> status=1/FAILURE)
> Main PID: 8089 (code=exited, status=1/FAILURE)
> Status: "Starting process..."
>
> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error:
> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
> 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup)
> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error:
> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
> 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam)
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base DN.
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
> 09:50:38.574903, 0]
> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
> init (error was NT_STATUS_UNSUCCESSFUL)
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
> process exited, code=exited, status=1/FAILURE
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
> Samba SMB Daemon.
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
> entered failed state.
> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
>
> ---
>
> Please could someone advise me on how to drill deeper into debugging
> this issue to get ipactl to start?
>
> NOTES:
>
> - This server is successfully in a Trust relationship with ActiveDirectory.
> - There are a number of replicas established which have been working
> fine until this morning
> - Another replica was added around the time of the failure using the
> same steps as usual (not sure how this could be related)
>
>
> Many thanks in advance,
> Traiano