HERE..
[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[23/Apr/2016:11:39:51 -0400] - Listening on /var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to send dirsync search request: 2

Gady

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:
> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in the 389-ds error log?

rob

>
> Gady
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night
> (networking issues in datacenter)
>
> Rebooted the server and oops, no IPA is coming up... The replica (secondary
> server) is fine though.
>
> Gady Notrica
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root@cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obtain status of other services
>> ipa: INFO: The ipactl command was successful
>>
>> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-DOMAIN-LOCAL.service -l
>> ● dirsrv@IPA-DOMAIN-LOCAL.service - 389 Directory Server IPA-DOMAIN-LOCAL.
>>    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min ago
>>   Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)
>>
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
>> Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
> this says the server doesn't know a syntax oid, but it is a known one.
> It could be that the syntax plugins couldn't be loaded. There are more
> errors before, could you check where the errors start in
> /var/log/dirsrv/slapd-<INSTANCE>/errors ?
>
> And, did you do any changes to the system before this problem started ?
>> [root@cd-p-ipa1 log]#
>>
>> Gady
>>
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
>> Sent: April 26, 2016 9:17 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc service not starting
>>
>> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>>> Hello world,
>>>
>>> I am having issues this morning with my primary IPA. See below the
>>> details in the logs and command result. Basically, krb5kdc service
>>> not starting - krb5kdc: Server error - while fetching master key.
>>>
>>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>>
>>> Please help…!
>>>
>>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>>> ● krb5kdc.service - Kerberos 5 KDC
>>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
>>>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 5 KDC...
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: control process exited, code=exited status=1
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start Kerberos 5 KDC.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit krb5kdc.service entered failed state.
>>> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
>>>
>>> [root@cd-ipa1 log]#
>>>
>>> Errors in /var/log/krb5kdc.log
>>>
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>> krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
>>>
>>> [root@cd-ipa1 log]# systemctl status httpd -l
>>> ● httpd.service - The Apache HTTP Server
>>>    Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
>>>    Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
>>>      Docs: man:httpd(8)
>>>            man:apachectl(8)
>>>   Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)
>>>
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa : ERROR Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No such file or directory
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: control process exited, code=exited status=1
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start The Apache HTTP Server.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit httpd.service entered failed state.
>>> Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
>>>
>>> [root@cd-ipa1 log]#
>>>
>>> DNS Result for dig redhat.com
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;redhat.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> redhat.com. 60 IN A 209.132.183.105
>>>
>>> ;; AUTHORITY SECTION:
>>> . 849 IN NS f.root-servers.net.
>>> . 849 IN NS e.root-servers.net.
>>> . 849 IN NS k.root-servers.net.
>>> . 849 IN NS m.root-servers.net.
>>> . 849 IN NS b.root-servers.net.
>>> . 849 IN NS g.root-servers.net.
>>> . 849 IN NS c.root-servers.net.
>>> . 849 IN NS h.root-servers.net.
>>> . 849 IN NS l.root-servers.net.
>>> . 849 IN NS a.root-servers.net.
>>> . 849 IN NS j.root-servers.net.
>>> . 849 IN NS i.root-servers.net.
>>> . 849 IN NS d.root-servers.net.
>>>
>>> ;; ADDITIONAL SECTION:
>>> j.root-servers.net. 3246 IN A 192.58.128.30
>>>
>>> ;; Query time: 79 msec
>>> ;; SERVER: 10.20.10.41#53(10.20.10.41)
>>> ;; WHEN: Tue Apr 26 09:02:43 EDT 2016
>>> ;; MSG SIZE rcvd: 282
>>>
>>> Gady
>>>
>> It seems like Directory server is not running. Can you post result of
>> 'ipactl status' and 'systemctl status dirsrv@IPA-DOMAIN-LOCAL.service'?
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243, Managing
> Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
> O'Neill
>
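
Added example, not part of the original thread and not FreeIPA or 389-ds code: a small Python triage script for the check Ludwig asks for above, finding where the errors start in /var/log/dirsrv/slapd-<INSTANCE>/errors. It assumes the line format visible in the excerpts, treats "slapd started" as the last known-good marker, and uses a keyword list chosen here; the sample lines are constructed from the excerpts in this thread.

```python
import re
from datetime import datetime

# 389-ds errors-log line: "[23/Apr/2016:11:39:51 -0400] component - message".
# The component may be empty; a journald prefix before the bracket is tolerated.
LINE_RE = re.compile(
    r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s+(?:(\S+)\s+)?- (.*)$")
# Assumption: keywords taken from the failure messages quoted in this thread.
ERROR_RE = re.compile(r"error|failed|invalid|unable|could not", re.I)
START_MARKER = "slapd started"  # logged once the server is listening

def parse(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group(2) or "", m.group(3).strip()

def errors_since_last_start(lines):
    """Return [(first_seen, component, message, count)] for error lines logged
    after the last successful start, in order of first appearance."""
    entries = [e for e in map(parse, lines) if e]
    last_start = max(
        (i for i, e in enumerate(entries) if START_MARKER in e[2]), default=-1)
    seen = {}
    for ts, comp, msg in entries[last_start + 1:]:
        if not ERROR_RE.search(msg):
            continue
        key = (comp, msg)
        if key in seen:
            seen[key][3] += 1  # repeated line: count it, keep first timestamp
        else:
            seen[key] = [ts, comp, msg, 1]
    return [tuple(v) for v in seen.values()]

# Constructed sample: lines shortened from the excerpts quoted in this thread.
SAMPLE = """\
[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for principal [...]
[23/Apr/2016:11:39:51 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with GSSAPI auth resumed
[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
""".splitlines()

if __name__ == "__main__":
    for ts, comp, msg, n in errors_since_last_start(SAMPLE):
        print(f"{ts.isoformat()}  x{n}  {comp or '-'}: {msg[:90]}")
```

To run it against a real log, pass the lines of the errors file to errors_since_last_start() in place of SAMPLE.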