Old 08-13-2015, 01:21 PM   #1
jessedalestacey
LQ Newbie
 
Registered: Aug 2015
Posts: 1

Rep: Reputation: Disabled
FreeIPA Centos7 fails after first reboot due to 389dir service crashing


I have reinstalled CentOS 7 and ipa-server with SSSD & BIND etc. several times now and configured everything to work fine with the global forwarders etc. Then after the first reboot, "kinit admin" fails with "Cannot contact any KDC" since the IPA service fails to start, and the IPA service says the 389DIR service didn't start. Then I find in the slapd log this error below. I do the same on CentOS 6 and it does not have this issue! Are my global forwarders maybe inflating the database and crashing 389dir?


[root@tarkin slapd-ANSYS-COM]# systemctl status ipa
ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
Active: failed (Result: exit-code) since Thu 2015-08-13 11:23:57 EDT; 8min ago
Process: 908 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
Main PID: 908 (code=exited, status=1/FAILURE)
CGroup: /system.slice/ipa.service

Aug 13 11:18:51 tarkin.ansys.com systemd[1]: Starting Identity, Policy, Audit...
Aug 13 11:23:57 tarkin.ansys.com ipactl[908]: Failed to start Directory Service:
Aug 13 11:23:57 tarkin.ansys.com ipactl[908]: Starting Directory Service
Aug 13 11:23:57 tarkin.ansys.com systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE
Aug 13 11:23:57 tarkin.ansys.com systemd[1]: Failed to start Identity, Policy, Audit.
Aug 13 11:23:57 tarkin.ansys.com systemd[1]: Unit ipa.service entered failed state.
[root@tarkin slapd-ANSYS-COM]# systemctl start ipa


[13/Aug/2015:11:08:30 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[13/Aug/2015:11:08:30 -0400] - 389-Directory/1.3.3.1 B2015.218.023 starting up
[13/Aug/2015:11:08:30 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=ethers.byaddr
[13/Aug/2015:11:08:30 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=ethers.byname
[13/Aug/2015:11:08:30 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=netgroup
[13/Aug/2015:11:18:56 -0400] - SSL alert: Configured NSS Ciphers

[13/Aug/2015:11:18:56 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[13/Aug/2015:11:18:56 -0400] - 389-Directory/1.3.3.1 B2015.218.023 starting up
[13/Aug/2015:11:18:56 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[13/Aug/2015:11:18:57 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=ethers.byaddr
[13/Aug/2015:11:18:57 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=ethers.byname
[13/Aug/2015:11:18:57 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=netgroup


[12/Aug/2015:11:02:37 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[12/Aug/2015:11:02:37 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[12/Aug/2015:11:02:37 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[12/Aug/2015:11:02:37 -0400] - 389-Directory/1.3.3.1 B2015.064.2159 starting up
[12/Aug/2015:11:02:37 -0400] - WARNING: userRoot: entry cache size 1407372B is less than db size 5914624B; We recommend to increase the entry cache size nsslapd-cachememsize.
[12/Aug/2015:11:02:37 -0400] - WARNING: changelog: entry cache size 858992B is less than db size 29384704B; We recommend to increase the entry cache size nsslapd-cachememsize.
[12/Aug/2015:11:02:37 -0400] - I'm resizing my cache now...cache was 1342176 and is now 1073740
[12/Aug/2015:11:02:38 -0400] nis-plugin - warning: no entries in domain=mon.ansys.com,map=ethers.byaddr
[12/Aug/2015:11:02:38 -0400] nis-plugin - warning: no entries in domain=mon.ansys.com,map=ethers.byname
[12/Aug/2015:11:02:39 -0400] nis-plugin - warning: no entries in domain=mon.ansys.com,map=netgroup
 
Old 08-27-2015, 10:15 AM   #2
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154
Welcome to the forum. What is up with all the IPA stuff? You guys trying the RHEL RHCSA IPA setup from the new Pearson book?

Anyway. I posted quite a bit in this thread

http://www.linuxquestions.org/questi...dc-4175536667/

See if that points you in the correct direction.

Before configuring IPA, make sure to edit the hosts file. Add the actual IP address you want to use with the FQDN.

So ipa.host.domain immediately after that. If you have just the ipa part, the DNS will fail and that will cause the 389 directory to fail, which will cause Kerberos to fail.

Systemctl status ipa will say it runs because it is actually running. Just all parts of it are messed up. The reason it is advised to use integrated DNS is because it makes it easier, but it is not foolproof that it will always work.

Check that hosts file and double check the interface IP is in it and make sure it is not DHCP issued. That solves about 90 of these issues.

Last edited by ericson007; 08-27-2015 at 11:24 PM.
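
The hosts-file check from post #2, written out as an added example (not code from either poster or from FreeIPA). `check_hosts_entry` is a hypothetical helper, `ipa.example.test` and `192.0.2.10` are constructed values, and flagging a loopback address is an assumption drawn from the advice to use the actual interface IP; whether that IP is DHCP-issued cannot be read from the hosts file and is not checked.

```shell
#!/bin/sh
# Added example: classify how a hosts file maps an IPA server's FQDN.
# Prints one of: ok | missing | short-only | loopback | fqdn-not-first
check_hosts_entry() {
    hosts_file=$1
    fqdn=$2
    short=${fqdn%%.*}                 # "ipa" from "ipa.example.test"
    awk -v fqdn="$fqdn" -v short="$short" '
        { sub(/#.*/, "") }            # drop comments
        NF < 2 { next }               # skip blank or address-only lines
        {
            has_fqdn = 0; has_short = 0
            for (i = 2; i <= NF; i++) {
                if (tolower($i) == tolower(fqdn))  has_fqdn = 1
                if (tolower($i) == tolower(short)) has_short = 1
            }
            if (has_fqdn) {
                # First matching line wins, as it does for the resolver.
                if ($1 ~ /^127\./ || $1 == "::1")      verdict = "loopback"
                else if (tolower($2) != tolower(fqdn)) verdict = "fqdn-not-first"
                else                                   verdict = "ok"
                found = 1
                exit
            }
            if (has_short) short_only = 1   # only the "ipa" part is present
        }
        END {
            if (found)           print verdict
            else if (short_only) print "short-only"
            else                 print "missing"
        }
    ' "$hosts_file"
}

# Constructed sample (not from the thread): only the short name is mapped.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' '192.0.2.10 ipa' > "$sample"
echo "ipa.example.test: $(check_hosts_entry "$sample" ipa.example.test)"
rm -f "$sample"
```

On a real server, call it as `check_hosts_entry /etc/hosts "$(hostname -f)"` before running the IPA installer and again after the first reboot.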
 
  

