Re: [Freeipa-users] krb5kdc service not starting

Wed, 27 Apr 2016 08:01:15 -0700 

On Wed, 27 Apr 2016, Gady Notrica wrote:

Hello Ludwig,

I do have only 1 error logs for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" 
missing attribute "sn" required by object class "person"

[cid:image003.jpg@01D1A069.EF91B910]

I don’t know if that helps.

Your setup seem to have corruption of the data on disk of that VM. Start
from looking into whether all RPM package owned files are in correct
state.

For 389-ds-base run as root 'rpm -V 389-ds-base'. For normal install you would 
get something
like this:

# rpm -V 389-ds-base
.M....G..    /etc/dirsrv
..5....T.  c /etc/sysconfig/dirsrv
S.5....T.  c /etc/sysconfig/dirsrv.systemd
.M....G..    /var/lib/dirsrv

If you have more changes, show them.

Repeat the same for freeipa-server (or ipa-server if this is
RHEL/CentOS).

Next, compare schema files between what is in the 389-ds-base and
IPA deployment. Following shell snippet would give you output that shows
difference between the schema files, ignoring comments. In normal
situation the difference should only be in 99user.ldif.

#!/bin/bash
instance=EXAMPLE-COM
for i in /etc/dirsrv/schema/*.ldif ; do
        f=/etc/dirsrv/slapd-$instance/schema/$(basename $i)
        [ -f $f ] && cmp -s $i $f || diff -u $i $f | egrep -v '^\+#|^-#|^ #'
done



Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 09:09 PM, Gady Notrica wrote:

HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for 
principal 
[ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL<mailto:ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL>]
 in keytab [FILE:/etc/dirsrv/ds.keytab<FILE:///\\etc\dirsrv\ds.keytab>]: -1765328228 
(Cannot contact any KDC for requested realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (No Kerberos credentials available)) 
errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (No Kerberos 
credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS 
requests

[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't contact LDAP 
server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
these are old logs, the problem you were reporting was on Apr, 26:



Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] 
dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 
(Invalid syntax) - attribute type aci: Unknown attribute syntax OID 
"1.3.6.1.4.1.1466.115.121.1.15"

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.





we need the logs from that time






Gady



-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; 
freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] krb5kdc service not starting



Gady Notrica wrote:


Hey world,







Any ideas?




What about the first part of Ludwig's question: Is there anything in the 389-ds 
error log?



rob








Gady







-----Original Message-----



From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>



[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica



Sent: April 26, 2016 10:10 AM



To: Ludwig Krispenz; freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>



Subject: Re: [Freeipa-users] krb5kdc service not starting







No, no changes. Lost connectivity with my VMs during the night



(networking issues in datacenter)







Reboot the server and oups, no IPA is coming up... The replica (secondary 
server) is fine though.







Gady Notrica







-----Original Message-----



From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>



[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz



Sent: April 26, 2016 10:02 AM



To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>



Subject: Re: [Freeipa-users] krb5kdc service not starting











On 04/26/2016 03:26 PM, Gady Notrica wrote:



Here...







[root@cd-p-ipa1 log]# ipactl status



Directory Service: STOPPED



Directory Service must be running in order to obtain status of other



services



ipa: INFO: The ipactl command was successful







[root@cd-p-ipa1 log]# systemctl status 
dirsrv@IPA-DOMAIN-LOCAL.service<mailto:dirsrv@IPA-CANDEAL-CA.service>



-l ● dirsrv@IPA-DOMAIN-LOCAL.service<mailto:dirsrv@IPA-DOMAIN-LOCAL.service> - 
389 Directory Server IPA-DOMAIN-LOCAL.



     Loaded: loaded 
(/usr/lib/systemd/system/dirsrv@.service<mailto:/usr/lib/systemd/system/dirsrv@.service>;
 enabled; vendor preset: disabled)



     Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 
30min ago



    Process: 6333 ExecStart=/usr/sbin/ns-slapd -D



/etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w



/var/run/dirsrv/slapd-%i.startpid (code=exited, status=1/FAILURE)







Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]:



[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp:



slapi_attr_values2keys_sv failed for type attributetypes Apr 26



08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]:



[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp:



slapi_attr_values2keys_sv failed for type attributetypes Apr 26



08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]:



[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp:



slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: 
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: 
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
cd-p-ipa1.ipa.domain.local ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: 
[26/Apr/2016!


:08:50:21

-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-DOMAIN-LOCAL/schema/00core.ldif (lineno: 1) is invalid, error code 
21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID 
"1.3.6.1.4.1.1466.115.121.1.15"


Apr 26 08:50:21 cd-p-ipa1.ipa.domain.local ns-slapd[6333]: 
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported 
problems and then restart the server.



this says the server doesn't know a syntax oid, but it is a known one.



It could be that the syntax plugings couldn't be loaded. Thera are more errors 
before, could you check where the errors start in 
/var/log/dirsrv/slapd-<INSTANCE>/errors ?







And, did you do any changes to the system before this problem started ?



[root@cd-p-ipa1 log]#







Gady







-----Original Message-----



From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>



[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin



Babinsky



Sent: April 26, 2016 9:17 AM



To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>



Subject: Re: [Freeipa-users] krb5kdc service not starting







On 04/26/2016 03:13 PM, Gady Notrica wrote:



Hello world,















I am having issues this morning with my primary IPA. See below the



details in the logs and command result. Basically, krb5kdc service



not starting - krb5kdc: Server error - while fetching master key.















DNS is functioning. See below dig result. I have a trust with Windows AD.















Please help…!















[root@cd-ipa1 log]# systemctl status krb5kdc.service -l







● krb5kdc.service - Kerberos 5 KDC







     Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;



disabled; vendor preset: disabled)







     Active: failed (Result: exit-code) since Tue 2016-04-26



08:27:52 EDT; 41min ago







    Process: 3694 ExecStart=/usr/sbin/krb5kdc -P



/var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)















Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting



Kerberos



5 KDC...







Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc:



cannot initialize realm IPA.DOMAIN.LOCAL- see log file for details







Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:



control process exited, code=exited status=1







Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start



Kerberos 5 KDC.







Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit



krb5kdc.service entered failed state.







Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.







[root@cd-ipa1 log]#















Errors in /var/log/krb5kdc.log















krb5kdc: Server error - while fetching master key K/M for realm



DOMAIN.LOCAL







krb5kdc: Server error - while fetching master key K/M for realm



DOMAIN.LOCAL







krb5kdc: Server error - while fetching master key K/M for realm



DOMAIN.LOCAL















[root@cd-ipa1 log]# systemctl status httpd -l







● httpd.service - The Apache HTTP Server







     Loaded: loaded (/etc/systemd/system/httpd.service; disabled;



vendor



preset: disabled)







     Active: failed (Result: exit-code) since Tue 2016-04-26



08:27:21 EDT; 39min ago







       Docs: man:httpd(8)







             man:apachectl(8)







    Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy



(code=exited, status=1/FAILURE)















Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]:



File "/usr/lib/python2.7/siteackages/ipapython/ipaldap.py", line



1579, in __wait_for_connection







Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:



wait_for_open_socket(lurl.hostport, timeout)







Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:



File "/usr/lib/python2.7/siteackages/ipapython/ipautil.py", line



1200, in wait_for_open_socket







Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:



raise e







Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:



error: [Errno 2] No such file or directory







Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:



ipa         : ERROR    Unknown error while retrieving setting from



ldapi://%2fvar%2frun%2fslapd-IPA-DOMAIN-LOCAL.socket: [Errno 2] No



such file or directory







Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service:



control process exited, code=exited status=1







Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start



The Apache HTTP Server.







Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit



httpd.service entered failed state.







Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.







[root@cd-ipa1 log]#























DNS Result for dig redhat.com















; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com







;; global options: +cmd







;; Got answer:







;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414







;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL:



2















;; OPT PSEUDOSECTION:







; EDNS: version: 0, flags:; udp: 4096







;; QUESTION SECTION:







;redhat.com.                    IN      A















;; ANSWER SECTION:







redhat.com.             60      IN      A       209.132.183.105















;; AUTHORITY SECTION:







.                       849     IN      NS      f.root-servers.net.







.                       849     IN      NS      e.root-servers.net.







.                       849     IN      NS      k.root-servers.net.







.                       849     IN      NS      m.root-servers.net.







.                       849     IN      NS      b.root-servers.net.







.                       849     IN      NS      g.root-servers.net.







.                       849     IN      NS      c.root-servers.net.







.                       849     IN      NS      h.root-servers.net.







.                       849     IN      NS      l.root-servers.net.







.                       849     IN      NS      a.root-servers.net.







.                       849     IN      NS      j.root-servers.net.







.                       849     IN      NS      i.root-servers.net.







.                       849     IN      NS      d.root-servers.net.















;; ADDITIONAL SECTION:







j.root-servers.net.     3246    IN      A       192.58.128.30















;; Query time: 79 msec







;; SERVER: 10.20.10.41#53(10.20.10.41)







;; WHEN: Tue Apr 26 09:02:43 EDT 2016







;; MSG SIZE  rcvd: 282















Gady























It seems like Directory server is not running. Can you post result of 'ipactl status' 
and 'systemctl status 
dirsrv@IPA-DOMAIN-LOCAL.service<mailto:dirsrv@IPA-CANDEAL-CA.service>'?







--



Martin^3 Babinsky







--



Manage your subscription for the Freeipa-users mailing list:



https://www.redhat.com/mailman/listinfo/freeipa-users



Go to http://freeipa.org for more info on the project











--



Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,



Commercial register: Amtsgericht Muenchen, HRB 153243, Managing



Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael



O'Neill







--



Manage your subscription for the Freeipa-users mailing list:



https://www.redhat.com/mailman/listinfo/freeipa-users



Go to http://freeipa.org for more info on the project







--



Manage your subscription for the Freeipa-users mailing list:



https://www.redhat.com/mailman/listinfo/freeipa-users



Go to http://freeipa.org for more info on the project










--

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,

Commercial register: Amtsgericht Muenchen, HRB 153243,

Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to