Re: [Freeipa-users] krb5kdc service not starting

2016-05-12 Thread Prasun Gera
I]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (No Kerberos credentials
available)) errno 0 (Success)
[11/May/2016:23:19:52 -0400] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -2
(Local error)
[11/May/2016:23:19:52 -0400] NSMMReplicationPlugin - agmt="cn=
meToidm_master.cc.gt.atl.ga.us" (idm_master:389): Replication bind with
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (No Kerberos credentials available))
[11/May/2016:23:19:52 -0400] NSMMReplicationPlugin -
agmt="cn=cloneAgreement1-idm_replica.com-pki-tomcat" (idm_master:389):
Unable to acquire replica: the replica instructed us to go into backoff
mode. Will retry later.
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could
not delete change record 404054 (rc: 32)
[11/May/2016:23:19:52 -0400] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[11/May/2016:23:19:52 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[11/May/2016:23:19:52 -0400] - Listening on
/var/run/slapd-DOMAINNAME-EDU.socket for LDAPI requests
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could
not delete change record 404055 (rc: 32)
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could
not delete change record 404056 (rc: 32)
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could
not delete change record 404057 (rc: 32)
[11/May/2016:23:19:52 -0400] DSRetroclPlugin - delete_changerecord: could
not delete change record 404058 (rc: 32)
... lots of similar messages



On Thu, May 12, 2016 at 4:25 AM, Ludwig Krispenz <lkris...@redhat.com>
wrote:

>
> On 05/12/2016 05:28 AM, Prasun Gera wrote:
>
> Hi everyone,
> I had a pretty similar failure on my replica yesterday. The replica was
> not reachable, and I asked someone to have a look at the system. They
> presumably rebooted it. When it came back up, ipactl wouldn't start, and
> the symptoms were pretty similar to those described in this thread. I
> followed the solution of copying dse.ldif.startOK to dse.ldif, and that
> started everything.
>
> This is very strange, it should not be possible to lose a dse.ldif,
> although you are now the second person reporting this. I have seen 0 length
> dse.ldif.tmp if a VM was powered off while ds was active, but from DS point
> of view it is not possible to completely lose the dse.ldif.
> The dse.ldif stores the configuration information including replication
> agreements and whenever this is updated the new state is written to
> disk. The procedure is like this:
> -create a dse.ldif.tmp (this is the only time a 0 byte dse.ldif* file
> exists)
> -write the config to dse.ldif.tmp
> -rename dse.ldif to dse.ldif.bak
> -rename dse.ldif.tmp to dse.ldif
>
> So, if the machine or the server crashes during this process there should
> be always a dse.ldif.tmp or dse.ldif.bak containing the current or latest
> information. If anyone has an idea how on a VM when powering it off can
> completely lose these files I would like to know.
>
> However, I see some errors in dirsrv's logs. It is constantly printing
> lines like "DSRetroclPlugin - delete_changerecord: could not delete change
> record 418295". Is that normal ?
>
> Unfortunately it can be. If after a crash the beginning of the retro cl is
> incorrectly calculated, changelog trimming might try to remove no longer
> existing records, it is annoying but harmless, so far we have not further
> investigated how to prevent this.
>
> How do I confirm that the replica is back and fully functional ? Why did
> this happen in the first place ?
>
> On Wed, Apr 27, 2016 at 1:41 PM, Gady Notrica <gnotr...@candeal.com>
> wrote:
>
>> All good!!!
>>
>> Gady
>>
>> -Original Message-
>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>> Sent: April 27, 2016 1:19 PM
>> To: Gady Notrica
>> Cc: Ludwig Krispenz; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc service not starting
>>
>> On Wed, 27 Apr 2016, Gady Notrica wrote:
>> >Hello Ludwig,
>> >
>> >Is there a reason why my AD show offline?
>> >
>> >[root@cd-p-ipa1 /]# wbinfo --online-status BUILTIN : online IPA :
>> >online CD-PRD : offline
>> wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.
>>
>> You need to make sure that 'getent passwd CD-PRD\\Administrator'
>> resolves via SSSD.
>>
>> --
>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription fo

Re: [Freeipa-users] krb5kdc service not starting

2016-05-12 Thread Ludwig Krispenz


On 05/12/2016 05:28 AM, Prasun Gera wrote:

Hi everyone,
I had a pretty similar failure on my replica yesterday. The replica 
was not reachable, and I asked someone to have a look at the system. 
They presumably rebooted it. When it came back up, ipactl wouldn't 
start, and the symptoms were pretty similar to those described in this 
thread. I followed the solution of copying dse.ldif.startOK 
to dse.ldif, and that started everything.

This is very strange, it should not be possible to lose a dse.ldif, 
although you are now the second person reporting this. I have seen 0 
length dse.ldif.tmp if a VM was powered off while ds was active, but from 
DS point of view it is not possible to completely lose the dse.ldif.
The dse.ldif stores the configuration information including replication 
agreements and whenever this is updated the new state is written to 
disk. The procedure is like this:

-create a dse.ldif.tmp (this is the only time a 0 byte dse.ldif* file exists)
-write the config to dse.ldif.tmp
-rename dse.ldif to dse.ldif.bak
-rename dse.ldif.tmp to dse.ldif

So, if the machine or the server crashes during this process there 
should be always a dse.ldif.tmp or dse.ldif.bak containing the current 
or latest information. If anyone has an idea how on a VM when powering 
it off can completely lose these files I would like to know.

However, I see some errors in dirsrv's logs. It is constantly printing 
lines like "DSRetroclPlugin - delete_changerecord: could not delete 
change record 418295". Is that normal ?

Unfortunately it can be. If after a crash the beginning of the retro cl 
is incorrectly calculated, changelog trimming might try to remove no 
longer existing records, it is annoying but harmless, so far we have not 
further investigated how to prevent this.

How do I confirm that the replica is back and fully functional ? Why 
did this happen in the first place ?


On Wed, Apr 27, 2016 at 1:41 PM, Gady Notrica <gnotr...@candeal.com> wrote:


All good!!!

Gady

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: April 27, 2016 1:19 PM
To: Gady Notrica
Cc: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On Wed, 27 Apr 2016, Gady Notrica wrote:
>Hello Ludwig,
>
>Is there a reason why my AD show offline?
>
>[root@cd-p-ipa1 /]# wbinfo --online-status BUILTIN : online IPA :
>online CD-PRD : offline
wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.

You need to make sure that 'getent passwd CD-PRD\\Administrator'
resolves via SSSD.

--
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
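
The write sequence described in the message above determines which dse.ldif* files can still hold a usable configuration after a crash. The following is an added example, not part of the thread and not 389-ds or FreeIPA code: it lists the candidates in a config directory, in the order the ns-slapd log lines in this thread show the server trying them (.tmp, then .bak), followed by dse.ldif.startOK. The function names and the two sanity checks (a "dn: cn=config" entry and a trailing newline) are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration; not 389-ds or FreeIPA code.
# Write sequence from the thread:
#   create dse.ldif.tmp (0 bytes) -> write config to it
#   -> rename dse.ldif to dse.ldif.bak -> rename dse.ldif.tmp to dse.ldif

# dse_candidates DIR
# Prints one line per file: "<status> <name> <bytes>"
#   usable  = non-empty, has a "dn: cn=config" entry and ends with a newline
#             (assumed heuristics; they do not prove the file is complete)
#   empty   = 0 bytes (crash right after the .tmp file was created)
#   suspect = non-empty but fails a heuristic (possibly a partial write)
#   missing = file does not exist
# Returns 0 if at least one usable file exists, 1 otherwise.
dse_candidates() {
    dc_dir=$1
    dc_found=1
    for dc_name in dse.ldif dse.ldif.tmp dse.ldif.bak dse.ldif.startOK; do
        dc_path="$dc_dir/$dc_name"
        if [ ! -e "$dc_path" ]; then
            echo "missing $dc_name 0"
            continue
        fi
        dc_size=$(wc -c < "$dc_path" | tr -d ' ')
        if [ "$dc_size" -eq 0 ]; then
            echo "empty $dc_name 0"
        elif grep -qi '^dn: *cn=config$' "$dc_path" &&
             [ -z "$(tail -c 1 "$dc_path")" ]; then
            # $(...) strips a trailing newline, so an empty result means
            # the last byte of the file is a newline.
            echo "usable $dc_name $dc_size"
            dc_found=0
        else
            echo "suspect $dc_name $dc_size"
        fi
    done
    return "$dc_found"
}

# best_candidate DIR: name of the first usable file, no output if none.
best_candidate() {
    dse_candidates "$1" | awk '$1 == "usable" { print $2; exit }'
}

# Constructed sample directory: crash after dse.ldif.tmp was created but
# before it was written, with dse.ldif itself gone.
demo_dir() {
    dd=$(mktemp -d)
    : > "$dd/dse.ldif.tmp"
    printf 'dn: cn=config\ncn: config\n' > "$dd/dse.ldif.bak"
    printf 'dn: cn=config\ncn: config\n' > "$dd/dse.ldif.startOK"
    echo "$dd"
}

sample=$(demo_dir)
dse_candidates "$sample"
echo "best: $(best_candidate "$sample")"
rm -rf "$sample"
```

Run it against a copy of the instance directory (for example a copy of /etc/dirsrv/slapd-INSTANCE) and review the chosen file by hand before putting it in place as dse.ldif.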

Re: [Freeipa-users] krb5kdc service not starting

2016-05-11 Thread Prasun Gera
Hi everyone,
I had a pretty similar failure on my replica yesterday. The replica was not
reachable, and I asked someone to have a look at the system. They
presumably rebooted it. When it came back up, ipactl wouldn't start, and
the symptoms were pretty similar to those described in this thread. I
followed the solution of copying dse.ldif.startOK to dse.ldif, and that
started everything. However, I see some errors in dirsrv's logs. It is
constantly printing lines like "DSRetroclPlugin - delete_changerecord:
could not delete change record 418295". Is that normal ? How do I confirm
that the replica is back and fully functional ? Why did this happen in the
first place ?

On Wed, Apr 27, 2016 at 1:41 PM, Gady Notrica <gnotr...@candeal.com> wrote:

> All good!!!
>
> Gady
>
> -Original Message-
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: April 27, 2016 1:19 PM
> To: Gady Notrica
> Cc: Ludwig Krispenz; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On Wed, 27 Apr 2016, Gady Notrica wrote:
> >Hello Ludwig,
> >
> >Is there a reason why my AD show offline?
> >
> >[root@cd-p-ipa1 /]# wbinfo --online-status BUILTIN : online IPA :
> >online CD-PRD : offline
> wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.
>
> You need to make sure that 'getent passwd CD-PRD\\Administrator'
> resolves via SSSD.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
All good!!!

Gady

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: April 27, 2016 1:19 PM
To: Gady Notrica
Cc: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On Wed, 27 Apr 2016, Gady Notrica wrote:
>Hello Ludwig,
>
>Is there a reason why my AD show offline?
>
>[root@cd-p-ipa1 /]# wbinfo --online-status BUILTIN : online IPA : 
>online CD-PRD : offline
wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.

You need to make sure that 'getent passwd CD-PRD\\Administrator'
resolves via SSSD.

-- 
/ Alexander Bokovoy



Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Alexander Bokovoy

On Wed, 27 Apr 2016, Gady Notrica wrote:

Hello Ludwig,

Is there a reason why my AD show offline?

[root@cd-p-ipa1 /]# wbinfo --online-status
BUILTIN : online
IPA : online
CD-PRD : offline

wbinfo output is irrelevant for RHEL 7.2-based IPA trusts.

You need to make sure that 'getent passwd CD-PRD\\Administrator'
resolves via SSSD.

--
/ Alexander Bokovoy



Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz


On 04/27/2016 05:10 PM, Gady Notrica wrote:


Oh! No…

Is there a way I can pull those files from the secondary server and 
put them on the primary?


Do you have any file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse* ? There might 
be some older states to try.
If you want to use a dse.ldif from another server, it could only work if 
the other server is really the same, same backends, indexes, and 
you would have to do a lot of editing to adapt the file to the local 
system, e.g. replication agreements 

And then it is not sure if something else could be broken


Or I can run the re-installation ipa-server-install with repair option 
and copy the data back from the secondary server?


I'm not so sure about the IPA reinstall/repair process, maybe someone 
else can step in


Thanks,

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 
416.818.4797 | gnotr...@candeal.com




*From:*Ludwig Krispenz [mailto:lkris...@redhat.com]
*Sent:* April 27, 2016 10:58 AM
*To:* Gady Notrica
*Cc:* Rob Crittenden; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 04:36 PM, Gady Notrica wrote:

*No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am
tailing the log file and running those commands doesn’t generate
any log, nothing.

[root@cd-p-ipa1 log]# ipactl start

Starting Directory Service

Job for dirsrv@IPA-CANDEAL-CA.service failed because the control
process exited with error code. See "systemctl status
dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for
details.

Failed to start Directory Service: Command ''/bin/systemctl'
'start' 'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit
status 1

*Logs from /var/log/messages*

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server
IPA-CANDEAL-CA

Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
dse - The configuration file
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from
backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1

Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
dse - The configuration file
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored from
backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1

Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400]
config - The given config file
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed,
Netscape Portable Runtime error -5950 (File not found.)

this is BAD, looks like you completely lost your configuration file 
for DS, so it doesn't even know where to log anything. When you lost 
your VM and rebooted there must have been some data loss.

It could be only dse.ldif, but also other files.

[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service

Job for dirsrv@IPA-CANDEAL-CA.service failed because the control 
process exited with error code. See "systemctl status 
dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l

● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.

Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)


Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 
3s ago


Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
(code=exited, status=1/FAILURE)


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Alexander Bokovoy

On Wed, 27 Apr 2016, Gady Notrica wrote:

Hello Ludwig,

I do have only 1 error logs for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry "uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" 
missing attribute "sn" required by object class "person"

I don’t know if that helps.

Your setup seems to have corruption of the data on disk of that VM. Start
by looking into whether all RPM package owned files are in the correct
state.

For 389-ds-base run as root 'rpm -V 389-ds-base'. For a normal install you
would get something like this:

# rpm -V 389-ds-base
.MG../etc/dirsrv
..5T.  c /etc/sysconfig/dirsrv
S.5T.  c /etc/sysconfig/dirsrv.systemd
.MG../var/lib/dirsrv

If you have more changes, show them.

Repeat the same for freeipa-server (or ipa-server if this is
RHEL/CentOS).

Next, compare schema files between what is in the 389-ds-base and
IPA deployment. The following shell snippet would give you output that shows
the difference between the schema files, ignoring comments. In a normal
situation the difference should only be in 99user.ldif.

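#!/bin/bash
# Set to your 389-ds instance name (the part after "slapd-")
instance=EXAMPLE-COM
for i in /etc/dirsrv/schema/*.ldif ; do
    f="/etc/dirsrv/slapd-$instance/schema/$(basename "$i")"
    # Skip identical files; otherwise print a diff with comment lines filtered out
    [ -f "$f" ] && cmp -s "$i" "$f" || diff -u "$i" "$f" | grep -Ev '^\+#|^-#|^ #'
done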



Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 09:09 PM, Gady Notrica wrote:

HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials for 
principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL]
 in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 
(Cannot contact any KDC for requested realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (No Kerberos credentials available)) 
errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (No Kerberos 
credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS 
requests

[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't contact LDAP 
server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local&q

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz


On 04/27/2016 04:36 PM, Gady Notrica wrote:


*No changes* to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am 
tailing the log file and running those commands doesn’t generate any 
log, nothing.


[root@cd-p-ipa1 log]# ipactl start

Starting Directory Service

Job for dirsrv@IPA-CANDEAL-CA.service failed because the control 
process exited with error code. See "systemctl status 
dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.


Failed to start Directory Service: Command ''/bin/systemctl' 'start' 
'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1


*Logs from /var/log/messages*

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server 
IPA-CANDEAL-CA


Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - 
The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was 
not restored from backup 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1


Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - 
The configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was 
not restored from backup 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1


Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] 
config - The given config file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be accessed, 
Netscape Portable Runtime error -5950 (File not found.)


this is BAD, looks like you completely lost your configuration file for 
DS, so it doesn't even know where to log anything. When you lost your VM 
and rebooted there must have been some data loss.

It could be only dse.ldif, but also other files.


[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service

Job for dirsrv@IPA-CANDEAL-CA.service failed because the control 
process exited with error code. See "systemctl status 
dirsrv@IPA-CANDEAL-CA.service" and "journalctl -xe" for details.


[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l

● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.

Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; 
vendor preset: disabled)


Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 
3s ago


Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
(code=exited, status=1/FAILURE)


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] dse_read_one_file - The entry cn=schema 
in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 
1) is invalid, error code 21 (Invalid syntax) - attribute type aci: 
Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"


Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: 
[27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the 
reported problems and then restart the server.


[root@cd-p-ipa1 log]#

Gady

*From:*Ludwig Krispenz [mailto:lkris...@redhat.com]
*Sent:* April 27, 2016 10:06 AM
*To:* Gady Notrica
*Cc:* Rob Crittenden; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] krb5kdc service not starting

On 04/27/2016 03:48 PM, Gady Notrica wrote:

Hello Ludwig,

I do have only 1 error logs for the 26th in
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only
line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync
- failed to send dirsync search request: 2

[*26/Apr/2016*:00:13:01 -0400] - Entry
"uid=MMOOREDT$,cn=users,cn=accounts,dc=ip

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
No changes to /var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. I am tailing the log 
file and running those commands doesn’t generate any log, nothing.

[root@cd-p-ipa1 log]# ipactl start
Starting Directory Service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited 
with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and 
"journalctl -xe" for details.
Failed to start Directory Service: Command ''/bin/systemctl' 'start' 
'dirsrv@IPA-CANDEAL-CA.service'' returned non-zero exit status 1

Logs from /var/log/messages

Apr 27 10:26:05 cd-p-ipa1 systemd: Starting 389 Directory Server 
IPA-CANDEAL-CA
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The 
configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored 
from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.tmp, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] dse - The 
configuration file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif was not restored 
from backup /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif.bak, error -1
Apr 27 10:26:05 cd-p-ipa1 ns-slapd: [27/Apr/2016:10:26:05 -0400] config - The 
given config file /etc/dirsrv/slapd-IPA-CANDEAL-CA/dse.ldif could not be 
accessed, Netscape Portable Runtime error -5950 (File not found.)

[root@cd-p-ipa1 log]# systemctl start dirsrv@IPA-CANDEAL-CA.service
Job for dirsrv@IPA-CANDEAL-CA.service failed because the control process exited 
with error code. See "systemctl status dirsrv@IPA-CANDEAL-CA.service" and 
"journalctl -xe" for details.

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-04-27 10:26:17 EDT; 3s ago
  Process: 9830 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, 
status=1/FAILURE)

Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 27 10:26:17 cd-p-ipa1.ipa.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.
[root@cd-p-ipa1 log]#

Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 10:06 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/27/2016 03:48 PM, Gady Notrica wrote:
Hello Ludwig,

I do have only 1 error logs for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry 
"uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute 
"sn" required by object class "person"

I don’t know if that helps.
no. And it is weird that there should be no logs, there were definitely 
messages logged around 8:50, you provided them via systemctl status dirsrv...
And at least the startup messages should be there

Can you try 

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Gady Notrica
Hello Ludwig,

I do have only 1 error logs for the 26th in 
/var/log/dirsrv/slapd-IPA-CANDEAL-CA/errors. Below is the only line I have

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
[26/Apr/2016:00:13:01 -0400] - Entry 
"uid=MMOOREDT$,cn=users,cn=accounts,dc=ipa,dc=candeal,dc=ca" missing attribute 
"sn" required by object class "person"

I don’t know if that helps.

Gady

From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: April 27, 2016 3:18 AM
To: Gady Notrica
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 09:09 PM, Gady Notrica wrote:

HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials 
for principal 
[ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL]
 in keytab [FILE:/etc/dirsrv/ds.keytab]: 
-1765328228 (Cannot contact any KDC for requested realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (No Kerberos credentials available)) 
errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information 
(No Kerberos credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS 
requests

[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't contact 
LDAP server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2
these are old logs, the problem you were reporting was on Apr, 26:



Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.





we need the logs from that time






Gady



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz


On 04/26/2016 09:09 PM, Gady Notrica wrote:


HERE..

[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial 
credentials for principal 
[ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for 
requested realm)


[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available)) errno 0 (Success)


[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -2 (Local error)


[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication 
bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): 
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
may provide more information (No Kerberos credentials available))


[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests


[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 
for LDAPS requests


[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests


[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication 
bind with GSSAPI auth resumed


[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to 
receive the response for a startReplication extended operation to 
consumer (Can't contact LDAP server). Will retry later.


[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint 
is not connected)


[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -1 (Can't contact LDAP server)


[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint 
is not connected)


[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -1 (Can't contact LDAP server)


[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint 
is not connected)


[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not 
perform interactive bind for id [] authentication mechanism [GSSAPI]: 
error -1 (Can't contact LDAP server)


[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication 
bind with GSSAPI auth resumed


[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - 
failed to send dirsync search request: 2



these are old logs, the problem you were reporting was on Apr, 26:

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] 
dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 
(Invalid syntax) - attribute type aci: Unknown attribute syntax OID 
"1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.


we need the logs from that time




Gady

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

Gady Notrica wrote:

> Hey world,
>
> Any ideas?

What about the first part of Ludwig's question: Is there anything in 
the 389-ds error log?


rob

>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night
> (networking issues in datacenter)
>
> Reboot the server and oups, no IPA is coming up... The replica 
(s

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
HERE..



[23/Apr/2016:11:39:51 -0400] set_krb5_creds - Could not get initial credentials 
for principal [ldap/cd-p-ipa1.ipa.domain.local@IPA.DOMAIN.LOCAL] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)

[23/Apr/2016:11:39:51 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (No Kerberos credentials available)) 
errno 0 (Success)

[23/Apr/2016:11:39:51 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local 
error)

[23/Apr/2016:11:39:51 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: 
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information 
(No Kerberos credentials available))

[23/Apr/2016:11:39:51 -0400] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests

[23/Apr/2016:11:39:51 -0400] - Listening on All Interfaces port 636 for LDAPS 
requests

[23/Apr/2016:11:39:51 -0400] - Listening on 
/var/run/slapd-IPA-DOMAIN-LOCAL.socket for LDAPI requests

[23/Apr/2016:11:39:55 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[23/Apr/2016:14:37:27 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't contact 
LDAP server). Will retry later.

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:02 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't 
contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

[23/Apr/2016:14:38:02 -0400] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't 
contact LDAP server)

[23/Apr/2016:14:38:13 -0400] NSMMReplicationPlugin - 
agmt="cn=meTocd-s-ipa1.ipa.domain.local" (cd-s-ipa1:389): Replication bind with 
GSSAPI auth resumed

[25/Apr/2016:22:34:51 -0400] NSMMReplicationPlugin - windows sync - failed to 
send dirsync search request: 2



Gady



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 26, 2016 2:44 PM
To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting



Gady Notrica wrote:

> Hey world,
>
> Any ideas?



What about the first part of Ludwig's question: Is there anything in the 389-ds 
error log?



rob



>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
> Sent: April 26, 2016 10:10 AM
> To: Ludwig Krispenz; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> No, no changes. Lost connectivity with my VMs during the night
> (networking issues in datacenter)
>
> Reboot the server and oups, no IPA is coming up... The replica (secondary
> server) is fine though.
>
> Gady Notrica
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
> Sent: April 26, 2016 10:02 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
>
> On 04/26/2016 03:26 PM, Gady Notrica wrote:
>> Here...
>>
>> [root@cd-p-ipa1 log]# ipactl status
>> Directory Service: STOPPED
>> Directory Service must be running in order to obt

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Rob Crittenden

Gady Notrica wrote:

Hey world,

Any ideas?


What about the first part of Ludwig's question: Is there anything in the 
389-ds error log?


rob



Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 26, 2016 10:10 AM
To: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter)

Reboot the server and oups, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:

Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other
services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service
-l ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
 Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
 Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 
30min ago
Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i
-i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid
(code=exited, status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]:
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp:
slapi_attr_values2keys_sv failed for type attributetypes Apr 26
08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]:
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp:
slapi_attr_values2keys_sv failed for type attributetypes Apr 26
08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]:
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp:
slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.

this says the server doesn't know a syntax oid, but it is a known one.
It could be that the syntax plugins couldn't be loaded. There are more errors 
before, could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?

And, did you do any changes to the system before this problem started ?

[root@cd-p-ipa1 log]#

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:

Hello world,



I am having issues this morning with my primary IPA. See below the
details in the logs and command result. Basically, krb5kdc service
not starting - krb5kdc: Server error - while fetching master key.



DNS is functioning. See below dig result. I have a trust with Windows AD.



Please help…!



[root@cd-ipa1 log]# systemctl status krb5kdc.service -l

● krb5kdc.service - Kerberos 5 KDC

 Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
disabled; vendor preset: disabled)

 Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52
EDT; 41min ago

Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
$KRB5KDC_ARGS (code=exited, status=1/FAILURE)



Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos
5 KDC...

Apr 26 08:27:

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Hey world,

Any ideas? 

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 26, 2016 10:10 AM
To: Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter)

Reboot the server and oups, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica 

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root@cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other 
> services
> ipa: INFO: The ipactl command was successful
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service 
> -l ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
> preset: disabled)
> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 
> 30min ago
>Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i 
> -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
> (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file 
> /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
> error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
> OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
this says the server doesn't know a syntax oid, but it is a known one. 
It could be that the syntax plugins couldn't be loaded. There are more errors 
before, could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?

And, did you do any changes to the system before this problem started ?
> [root@cd-p-ipa1 log]#
>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>>
>>
>> I am having issues this morning with my primary IPA. See below the 
>> details in the logs and command result. Basically, krb5kdc service 
>> not starting - krb5kdc: Server error - while fetching master key.
>>
>>
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>>
>>
>> Please help…!
>>
>>
>>
>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
No, no changes. Lost connectivity with my VMs during the night (networking 
issues in datacenter)

Reboot the server and oups, no IPA is coming up... The replica (secondary 
server) is fine though.

Gady Notrica 

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: April 26, 2016 10:02 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting


On 04/26/2016 03:26 PM, Gady Notrica wrote:
> Here...
>
> [root@cd-p-ipa1 log]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other 
> services
> ipa: INFO: The ipactl command was successful
>
> [root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service 
> -l ● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
> Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
> preset: disabled)
> Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 
> 30min ago
>Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i 
> -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid 
> (code=exited, status=1/FAILURE)
>
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 
> 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: 
> slapi_attr_values2keys_sv failed for type attributetypes Apr 26 08:50:21 
> cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] - 
> valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
> attributetypes Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file 
> /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
> error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
> OID "1.3.6.1.4.1.1466.115.121.1.15"
> Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: 
> [26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the 
> reported problems and then restart the server.
this says the server doesn't know a syntax oid, but it is a known one. 
It could be that the syntax plugins couldn't be loaded. There are more errors 
before, could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?

And, did you do any changes to the system before this problem started ?
> [root@cd-p-ipa1 log]#
>
> Gady
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
> Sent: April 26, 2016 9:17 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] krb5kdc service not starting
>
> On 04/26/2016 03:13 PM, Gady Notrica wrote:
>> Hello world,
>>
>>
>>
>> I am having issues this morning with my primary IPA. See below the 
>> details in the logs and command result. Basically, krb5kdc service 
>> not starting - krb5kdc: Server error - while fetching master key.
>>
>>
>>
>> DNS is functioning. See below dig result. I have a trust with Windows AD.
>>
>>
>>
>> Please help…!
>>
>>
>>
>> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>>
>> ● krb5kdc.service - Kerberos 5 KDC
>>
>> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; 
>> disabled; vendor preset: disabled)
>>
>> Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 
>> EDT; 41min ago
>>
>>Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
>> $KRB5KDC_ARGS (code=exited, status

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Ludwig Krispenz


On 04/26/2016 03:26 PM, Gady Notrica wrote:

Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min 
ago
   Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, 
status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 -0400] 
dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 
(Invalid syntax) - attribute type aci: Unknown attribute syntax OID 
"1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.
this says the server doesn't know a syntax oid, but it is a known one. 
It could be that the syntax plugins couldn't be loaded. There are more 
errors before, could you check where the errors start in 
/var/log/dirsrv/slapd-/errors ?


And, did you do any changes to the system before this problem started ?

[root@cd-p-ipa1 log]#

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:

Hello world,



I am having issues this morning with my primary IPA. See below the
details in the logs and command result. Basically, krb5kdc service not
starting - krb5kdc: Server error - while fetching master key.



DNS is functioning. See below dig result. I have a trust with Windows AD.



Please help…!



[root@cd-ipa1 log]# systemctl status krb5kdc.service -l

● krb5kdc.service - Kerberos 5 KDC

Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled;
vendor preset: disabled)

Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52
EDT; 41min ago

   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
$KRB5KDC_ARGS (code=exited, status=1/FAILURE)



Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos
5 KDC...

Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot
initialize realm IPA.DOMAIN.LOCAL- see log file for details

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
control process exited, code=exited status=1

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
Kerberos 5 KDC.

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit
krb5kdc.service entered failed state.

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.

[root@cd-ipa1 log]#



Errors in /var/log/krb5kdc.log



krb5kdc: Server error - while fetching master key K/M for realm
DOMAIN.LOCAL

krb5kdc: Server error - while fetching master key K/M for realm
DOMAIN.LOCAL

krb5kdc: Server error - while fetching master key K/M for realm
DOMAIN.LOCAL



[root@cd-ipa1 log]# systemctl status httpd -l

● httpd.service - The Apache HTTP Server

Loaded: loaded (/etc/syst
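
The check Ludwig asks for above, finding where the errors start in the directory server's errors log, as an added example that is not part of the thread. It assumes the bracketed-timestamp line format seen in the errors-log excerpts on this page; the function names `first_errors` and `sample_log` are hypothetical, and the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find where the errors start in a
# 389-ds errors log by collapsing repeats and keeping first-seen order.

# first_errors [TS_PREFIX]
#   stdin : errors-log lines, "[26/Apr/2016:08:50:21 -0400] message"
#   stdout: count<TAB>first timestamp<TAB>message, one line per distinct message
#   TS_PREFIX (optional) keeps only lines whose timestamp starts with it.
first_errors() {
    awk -v prefix="${1:-}" '
    match($0, /^\[[^]]+\] /) {
        ts  = substr($0, 2, RLENGTH - 3)      # text between the brackets
        msg = substr($0, RLENGTH + 1)         # everything after "] "
        if (prefix != "" && index(ts, prefix) != 1) next
        if (!(msg in count)) { order[++n] = msg; first[msg] = ts }
        count[msg]++
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%d\t%s\t%s\n", count[order[i]], first[order[i]], order[i]
    }'
}

# Constructed sample: the ns-slapd messages are copied from the thread; the two
# PLACEHOLDER lines are made up and are not real ns-slapd output.
sample_log() {
    cat <<'EOF'
[25/Apr/2016:07:00:00 -0400] - PLACEHOLDER line from an older run (constructed)
[26/Apr/2016:08:50:20 -0400] - PLACEHOLDER earliest error of this start attempt (constructed)
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type attributetypes
[26/Apr/2016:08:50:21 -0400] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15"
[26/Apr/2016:08:50:21 -0400] dse - Please edit the file to correct the reported problems and then restart the server.
EOF
}

# Summarise only the 08:50 start attempt; the first output line is where to look.
sample_log | first_errors '26/Apr/2016:08:50'
```

To use it on a live server, redirect the instance's errors file into `first_errors` and pass the minute at which systemd reported the failed start.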

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Here...

[root@cd-p-ipa1 log]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
ipa: INFO: The ipactl command was successful

[root@cd-p-ipa1 log]# systemctl status dirsrv@IPA-CANDEAL-CA.service -l
● dirsrv@IPA-CANDEAL-CA.service - 389 Directory Server IPA-CANDEAL-CA.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:50:21 EDT; 30min 
ago
  Process: 6333 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i 
/var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, 
status=1/FAILURE)

Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] - valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse_read_one_file - The entry cn=schema in file 
/etc/dirsrv/slapd-IPA-CANDEAL-CA/schema/00core.ldif (lineno: 1) is invalid, 
error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax 
OID "1.3.6.1.4.1.1466.115.121.1.15"
Apr 26 08:50:21 cd-p-ipa1.ipa.candeal.ca ns-slapd[6333]: [26/Apr/2016:08:50:21 
-0400] dse - Please edit the file to correct the reported problems and then 
restart the server.
[root@cd-p-ipa1 log]#

Gady

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 26, 2016 9:17 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc service not starting

On 04/26/2016 03:13 PM, Gady Notrica wrote:
> Hello world,
>
>
>
> I am having issues this morning with my primary IPA. See below the 
> details in the logs and command result. Basically, krb5kdc service not 
> starting - krb5kdc: Server error - while fetching master key.
>
>
>
> DNS is functioning. See below dig result. I have a trust with Windows AD.
>
>
>
> Please help…!
>
>
>
> [root@cd-ipa1 log]# systemctl status krb5kdc.service -l
>
> ● krb5kdc.service - Kerberos 5 KDC
>
>Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; 
> vendor preset: disabled)
>
>Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 
> EDT; 41min ago
>
>   Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>
>
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 
> 5 KDC...
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot 
> initialize realm IPA.DOMAIN.LOCAL- see log file for details
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
> control process exited, code=exited status=1
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start 
> Kerberos 5 KDC.
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit 
> krb5kdc.service entered failed state.
>
> Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
>
> [root@cd-ipa1 log]#
>
>
>
> Errors in /var/log/krb5kdc.log
>
>
>
> krb5kdc: Server error - while fetching master key K/M for realm 
> DOMAIN.LOCAL
>
> krb5kdc: Server error - while fetching master key K/M for realm 
> DOMAIN.LOCAL
>
> krb5kdc: Server error - while fetching master key K/M for realm 
> DOMAIN.LOCAL
>
>
>
> [root@cd-ipa1 log]# systemctl status httpd -l
>
> ● httpd.service - The Apache HTTP Server
>
>Loaded: loaded (/etc/systemd/system/httpd.service; disa

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Martin Babinsky

On 04/26/2016 03:13 PM, Gady Notrica wrote:

Hello world,



I am having issues this morning with my primary IPA. See below the
details in the logs and command result. Basically, krb5kdc service not
starting - krb5kdc: Server error - while fetching master key.



DNS is functioning. See below dig result. I have a trust with Windows AD.



Please help…!



[root@cd-ipa1 log]# systemctl status krb5kdc.service -l

● krb5kdc.service - Kerberos 5 KDC

   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled;
vendor preset: disabled)

   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT;
41min ago

  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
$KRB5KDC_ARGS (code=exited, status=1/FAILURE)



Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 5
KDC...

Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot
initialize realm IPA.DOMAIN.LOCAL- see log file for details

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service:
control process exited, code=exited status=1

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start
Kerberos 5 KDC.

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit krb5kdc.service
entered failed state.

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.

[root@cd-ipa1 log]#



Errors in /var/log/krb5kdc.log



krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL



[root@cd-ipa1 log]# systemctl status httpd -l

● httpd.service - The Apache HTTP Server

   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor
preset: disabled)

   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT;
39min ago

 Docs: man:httpd(8)

   man:apachectl(8)

  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
(code=exited, status=1/FAILURE)



Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in
__wait_for_connection

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
wait_for_open_socket(lurl.hostport, timeout)

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in
wait_for_open_socket

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
error: [Errno 2] No such file or directory

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]:
ipa : ERRORUnknown error while retrieving setting from
ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such
file or directory

Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service:
control process exited, code=exited status=1

Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start The
Apache HTTP Server.

Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit httpd.service
entered failed state.

Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.

[root@cd-ipa1 log]#





DNS Result for dig redhat.com



; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;redhat.com.IN  A



;; ANSWER SECTION:

redhat.com. 60  IN  A   209.132.183.105



;; AUTHORITY SECTION:

.   849 IN  NS  f.root-servers.net.

.   849 IN  NS  e.root-servers.net.

.   849 IN  NS  k.root-servers.net.

.   849 IN  NS  m.root-servers.net.

.   849 IN  NS  b.root-servers.net.

.   849 IN  NS  g.root-servers.net.

.   849 IN  NS  c.root-servers.net.

.   849 IN  NS  h.root-servers.net.

.   849 IN  NS  l.root-servers.net.

.   849 IN  NS  a.root-servers.net.

.   849 IN  NS  j.root-servers.net.

.   849 IN  NS  i.root-servers.net.

.   849 IN  NS  d.root-servers.net.



;; ADDITIONAL SECTION:

j.root-servers.net. 3246IN  A   192.58.128.30



;; Query time: 79 msec

;; SERVER: 10.20.10.41#53(10.20.10.41)

;; WHEN: Tue Apr 26 09:02:43 EDT 2016

;; MSG SIZE  rcvd: 282



Gady Notrica| IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell.
416.818.4797 | 

[Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Gady Notrica
Hello world,

I am having issues this morning with my primary IPA. See below the details in 
the logs and command result. Basically, krb5kdc service not starting - krb5kdc: 
Server error - while fetching master key.

DNS is functioning. See below dig result. I have a trust with Windows AD.

Please help…!

[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor 
preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min 
ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
$KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.localkrb5kdc[3694]: krb5kdc: cannot 
initialize realm IPA.DOMAIN.LOCAL- see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service: control 
process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start Kerberos 5 
KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: Unit krb5kdc.service 
entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.localsystemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#

Errors in /var/log/krb5kdc.log

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: 
disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min 
ago
 Docs: man:httpd(8)
   man:apachectl(8)
  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, 
status=1/FAILURE)

Apr 26 08:27:21 cd-ipa1.ipa.domain.localipa-httpd-kdcproxy[3594]: File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in 
__wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: 
wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File 
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in 
wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: 
[Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa 
: ERRORUnknown error while retrieving setting from 
ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or 
directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service: control 
process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Failed to start The Apache 
HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: Unit httpd.service entered 
failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.localsystemd[1]: httpd.service failed.
[root@cd-ipa1 log]#


DNS Result for dig redhat.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;redhat.com.IN  A

;; ANSWER SECTION:
redhat.com. 60  IN  A   209.132.183.105

;; AUTHORITY SECTION:
.   849 IN  NS  f.root-servers.net.
.   849 IN  NS  e.root-servers.net.
.   849 IN  NS  k.root-servers.net.
.   849 IN  NS  m.root-servers.net.
.   849 IN  NS  b.root-servers.net.
.   849 IN  NS  g.root-servers.net.
.   849 IN  NS  c.root-servers.net.
.   849 IN  NS  h.root-servers.net.
.   849 IN  NS  l.root-servers.net.
.   849 IN  NS  a.root-servers.net.
.   849 IN  NS  j.root-servers.net.
.   849 IN  NS  i.root-servers.net.
.   849 IN  NS  d.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 3246IN  A   192.58.128.30

;; Query time: 79 msec
;; SERVER: 10.20.10.41#53(10.20.10.41)
;; WHEN: Tue Apr 26 09:02:43 EDT 2016
;; MSG SIZE  rcvd: 282

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 
| gnotr...@candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 |