Jeremy Tourville via FreeIPA-users wrote:
UPDATE: I did a little more troubleshooting and was able to get dirsrv to start. Now I need to figure out why named service won't start. Here's the output from starting services and ipa-healthcheck. I presume several of the healthcheck failures are due to named service not running. Can anyone confirm?
It's likely. Kerberos and TLS rely on working name resolution. If your server has a valid entry in /etc/hosts that may mitigate some issues but I'd still focus on getting named to start as a first step.
rob
[root@gsil-ipa01 ipa]# ipactl status
Directory Service: STOPPED
Directory Service must be running in order to obtain status of other services
[root@gsil-ipa01 ipa]# ipactl start --ignore-service-failures
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Failed to start named Service
Forced start, ignoring named Service, continuing normal operation
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@gsil-ipa01 ipa]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
1 service(s) are not running
[root@gsil-ipa01 ipa]# ipa-healthcheck --failures-only
caSigningCert External CA not found, assuming 3rd party
[
  {
    "source": "ipahealthcheck.meta.services",
    "check": "named",
    "result": "ERROR",
    "uuid": "b5bfa450-77f4-4655-a4e2-fccbf88aa43a",
    "when": "20230316153125Z",
    "duration": "0.111160",
    "kw": {
      "status": false,
      "msg": "named: not running"
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "CRITICAL",
    "uuid": "dcaa538c-a5e2-4247-9210-d6047a0d65f5",
    "when": "20230316153132Z",
    "duration": "0.281251",
    "kw": {
      "key": "DSREPLLE0001",
      "items": [
        "Replication",
        "Agreement"
      ],
      "msg": "The replication agreement (metogsil-ipa02.idm.x.xl) under "dc=idm,dc=x,dc=x" is not in synchronization."
    }
  },
  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "CRITICAL",
    "uuid": "556f572a-0ee9-42fa-8c06-b90e33ed961d",
    "when": "20230316153132Z",
    "duration": "0.281301",
    "kw": {
      "key": "DSREPLLE0001",
      "items": [
        "Replication",
        "Agreement"
      ],
      "msg": "The replication agreement (catogsil-ipa02.idm.x.x) under "o=ipaca" is not in synchronization."
    }
  },
  {
    "source": "ipahealthcheck.ipa.dna",
    "check": "IPADNARangeCheck",
    "result": "CRITICAL",
    "uuid": "7b88f564-dac5-4191-96ec-b9ad922c0f5e",
    "when": "20230316153142Z",
    "duration": "0.027683",
    "kw": {
      "exception": "Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Preauthentication failed)"
    }
  },
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "6b0bc0c1-d505-4f5a-944d-42dd044b2365",
    "when": "20230316153426Z",
    "duration": "164.364540",
    "kw": {
      "msg": "Got {count} ipa-ca A records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  },
  {
    "source": "ipahealthcheck.ipa.files",
    "check": "IPAFileCheck",
    "result": "WARNING",
    "uuid": "ea3fcb5d-a280-4a29-ab5b-60abe15febdb",
    "when": "20230316153426Z",
    "duration": "0.003201",
    "kw": {
      "key": "_var_log_ipaupgrade.log_mode",
      "path": "/var/log/ipaupgrade.log",
      "type": "mode",
      "expected": "0600",
      "got": "0644",
      "msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644 and should be 0600"
    }
  },
  {
    "source": "ipahealthcheck.ipa.host",
    "check": "IPAHostKeytab",
    "result": "ERROR",
    "uuid": "9e43e0d9-7143-40b1-8411-c0aa4b53bb1e",
    "when": "20230316153426Z",
    "duration": "0.027001",
    "kw": {
      "msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638936): Preauthentication failed"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustDomainsCheck",
    "result": "ERROR",
    "uuid": "a0ed3f4b-c409-42e4-b730-d9964ed46f64",
    "when": "20230316153427Z",
    "duration": "0.336395",
    "kw": {
      "key": "domain-list",
      "sssctl": "/usr/sbin/sssctl",
      "sssd_domains": "",
      "trust_domains": "gx.x",
      "msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} trust domains {trust_domains}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "WARNING",
    "uuid": "fd1ff67b-48b3-49dd-a3b4-32631a51672f",
    "when": "20230316153427Z",
    "duration": "0.013619",
    "kw": {
      "key": "S-1-5-21-3568498085-2952124370-1649233135",
      "error": "returned nothing",
      "msg": "Look up of {key} {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.trust",
    "check": "IPATrustCatalogCheck",
    "result": "ERROR",
    "uuid": "c478454c-f94c-4089-ade4-7c3bd73d6b65",
    "when": "20230316153427Z",
    "duration": "0.127239",
    "kw": {
      "key": "domain-status",
      "error": "CalledProcessError(Command ['/usr/sbin/sssctl', 'domain-status', 'gx.x', '--active-server'] returned non-zero exit status 1: 'Unable to get online status\n')",
      "msg": "Execution of {key} failed: {error}"
    }
  }
]
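
An added example, not part of the original message or of FreeIPA: a small triage script for `ipa-healthcheck --failures-only` output of the shape quoted above. It skips the non-JSON notice line, fills the `{placeholder}` fields in `msg` from `kw`, and lists failed service checks first, following the advice to get named running before reading the other failures. The sample input is constructed, and putting `ipahealthcheck.meta.services` first is this example's own ordering choice.

```python
import json

# Result levels reported by ipa-healthcheck, worst first.
SEVERITY = {"CRITICAL": 0, "ERROR": 1, "WARNING": 2, "SUCCESS": 3}

# Constructed sample in the shape of the quoted output, including the
# notice line that is printed ahead of the JSON array.
SAMPLE = '''caSigningCert External CA not found, assuming 3rd party
[
  {"source": "ipahealthcheck.ipa.idns", "check": "IPADNSSystemRecordsCheck",
   "result": "WARNING",
   "kw": {"msg": "Got {count} ipa-ca A records, expected {expected}",
          "count": 1, "expected": 2}},
  {"source": "ipahealthcheck.ipa.host", "check": "IPAHostKeytab",
   "result": "ERROR", "kw": {"msg": "Failed to obtain host TGT"}},
  {"source": "ipahealthcheck.meta.services", "check": "named",
   "result": "ERROR", "kw": {"status": false, "msg": "named: not running"}},
  {"source": "ipahealthcheck.ipa.dna", "check": "IPADNARangeCheck",
   "result": "CRITICAL", "kw": {"exception": "Insufficient access"}}
]
'''

class _Keep(dict):
    # Leave a placeholder untouched when kw has no value for it.
    def __missing__(self, key):
        return "{" + key + "}"

def render(kw):
    # Some results carry only "exception"; others carry a "msg" template.
    msg = kw.get("msg")
    if msg is None:
        return kw.get("exception", "")
    try:
        return msg.format_map(_Keep(kw))
    except (ValueError, IndexError, KeyError):
        return msg  # stray braces in the text: show it unformatted

def triage(text):
    # Drop anything printed before the JSON array starts.
    start = 0 if text.startswith("[") else text.index("\n[") + 1
    results = json.loads(text[start:])
    # Stopped services first, then by severity (unknown levels last).
    results.sort(key=lambda r: (r["source"] != "ipahealthcheck.meta.services",
                                SEVERITY.get(r["result"], 9)))
    return [(r["result"], r["check"], render(r.get("kw", {}))) for r in results]
```
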