UPDATE:
I did a little more troubleshooting and was able to get dirsrv to start. Now I need to
figure out why named service won't start. Here's the output from starting
services and ipa-healthcheck. I presume several of the healthcheck failures are due to
named service not running. Can anyone confirm?
It's likely. Kerberos and TLS rely on working name resolution. If your
server has a valid entry in /etc/hosts that may mitigate some issues, but
I'd still focus on getting named to start as a first step.
rob
[root@gsil-ipa01 ipa]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
[root@gsil-ipa01 ipa]# ipactl start --ignore-service-failures
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Failed to start named Service
Forced start, ignoring named Service, continuing normal operation
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@gsil-ipa01 ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running
[root@gsil-ipa01 ipa]# ipa-healthcheck --failures-only
caSigningCert External CA not found, assuming 3rd party
[
{
"source": "ipahealthcheck.meta.services",
"check": "named",
"result": "ERROR",
"uuid": "b5bfa450-77f4-4655-a4e2-fccbf88aa43a",
"when": "20230316153125Z",
"duration": "0.111160",
"kw": {
"status": false,
"msg": "named: not running"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "CRITICAL",
"uuid": "dcaa538c-a5e2-4247-9210-d6047a0d65f5",
"when": "20230316153132Z",
"duration": "0.281251",
"kw": {
"key": "DSREPLLE0001",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (metogsil-ipa02.idm.x.xl) under \"dc=idm,dc=x,dc=x\" is not in synchronization."
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "CRITICAL",
"uuid": "556f572a-0ee9-42fa-8c06-b90e33ed961d",
"when": "20230316153132Z",
"duration": "0.281301",
"kw": {
"key": "DSREPLLE0001",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (catogsil-ipa02.idm.x.x) under \"o=ipaca\" is not in synchronization."
}
},
{
"source": "ipahealthcheck.ipa.dna",
"check": "IPADNARangeCheck",
"result": "CRITICAL",
"uuid": "7b88f564-dac5-4191-96ec-b9ad922c0f5e",
"when": "20230316153142Z",
"duration": "0.027683",
"kw": {
"exception": "Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Preauthentication failed)"
}
},
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "6b0bc0c1-d505-4f5a-944d-42dd044b2365",
"when": "20230316153426Z",
"duration": "164.364540",
"kw": {
"msg": "Got {count} ipa-ca A records, expected {expected}",
"count": 1,
"expected": 2
}
},
{
"source": "ipahealthcheck.ipa.files",
"check": "IPAFileCheck",
"result": "WARNING",
"uuid": "ea3fcb5d-a280-4a29-ab5b-60abe15febdb",
"when": "20230316153426Z",
"duration": "0.003201",
"kw": {
"key": "_var_log_ipaupgrade.log_mode",
"path": "/var/log/ipaupgrade.log",
"type": "mode",
"expected": "0600",
"got": "0644",
"msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644 and should be 0600"
}
},
{
"source": "ipahealthcheck.ipa.host",
"check": "IPAHostKeytab",
"result": "ERROR",
"uuid": "9e43e0d9-7143-40b1-8411-c0aa4b53bb1e",
"when": "20230316153426Z",
"duration": "0.027001",
"kw": {
"msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustDomainsCheck",
"result": "ERROR",
"uuid": "a0ed3f4b-c409-42e4-b730-d9964ed46f64",
"when": "20230316153427Z",
"duration": "0.336395",
"kw": {
"key": "domain-list",
"sssctl": "/usr/sbin/sssctl",
"sssd_domains": "",
"trust_domains": "gx.x",
"msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "WARNING",
"uuid": "fd1ff67b-48b3-49dd-a3b4-32631a51672f",
"when": "20230316153427Z",
"duration": "0.013619",
"kw": {
"key": "S-1-5-21-3568498085-2952124370-1649233135",
"error": "returned nothing",
"msg": "Look up of {key} {error}"
}
},
{
"source": "ipahealthcheck.ipa.trust",
"check": "IPATrustCatalogCheck",
"result": "ERROR",
"uuid": "c478454c-f94c-4089-ade4-7c3bd73d6b65",
"when": "20230316153427Z",
"duration": "0.127239",
"kw": {
"key": "domain-status",
"error": "CalledProcessError(Command ['/usr/sbin/sssctl', 'domain-status', 'gx.x', '--active-server'] returned non-zero exit status 1: 'Unable to get online status\\n')",
"msg": "Execution of {key} failed: {error}"
}
}
]
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
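Added example, not part of the original thread or of the ipa-healthcheck project: a small Python triage script for a report shaped like the one above. It skips the non-JSON notice line printed before the array, fills the `{placeholder}` fields in each `msg` from the sibling `kw` values, and orders findings by severity. The function names and the embedded sample (three entries copied from the report above) are assumptions made for illustration.

```python
import json

# Sort order for the "result" field; unknown values sort last.
SEVERITY = {"CRITICAL": 0, "ERROR": 1, "WARNING": 2}

# Constructed sample: three entries taken from the report above, including
# the stray notice line that precedes the JSON array on stdout.
SAMPLE = r'''
caSigningCert External CA not found, assuming 3rd party
[
 {"source": "ipahealthcheck.meta.services", "check": "named", "result": "ERROR",
  "kw": {"status": false, "msg": "named: not running"}},
 {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck", "result": "WARNING",
  "kw": {"msg": "Got {count} ipa-ca A records, expected {expected}", "count": 1, "expected": 2}},
 {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck", "result": "CRITICAL",
  "kw": {"exception": "Insufficient access: SASL(-1): generic failure"}}
]
'''

class _Keep(dict):
    """Leave a placeholder untouched when kw has no value for it."""
    def __missing__(self, key):
        return "{" + key + "}"

def load_report(text):
    # Drop anything printed before the line that opens the JSON array.
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.lstrip().startswith("["))
    return json.loads("\n".join(lines[start:]))

def render(entry):
    kw = entry.get("kw", {})
    if "msg" not in kw:  # some checks only carry "exception" or "error"
        return str(kw.get("exception") or kw.get("error") or "")
    try:
        return kw["msg"].format_map(_Keep(kw))
    except (ValueError, IndexError):  # msg is not a usable format string
        return kw["msg"]

def summarize(text):
    rows = [(e["result"], f'{e["source"]}.{e["check"]}', render(e))
            for e in load_report(text)]
    return sorted(rows, key=lambda r: SEVERITY.get(r[0], len(SEVERITY)))

if __name__ == "__main__":
    for result, name, message in summarize(SAMPLE):
        print(f"{result:8} {name}: {message}")
```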