LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 08-13-2015, 02:21 PM   #1
jessedalestacey
LQ Newbie
 
Registered: Aug 2015
Posts: 1

Rep: Reputation: Disabled
FreeIPA Centos7 fails after first reboot due to 389dir service crashing


I have reinstalled centos7 and ipa-server with SSSD & BIND etc several times now and configure everything to work fine with the global forwarders etc. Then after the first reboot, "kinit admin" fails with"Cannot contact any KDC" since the IPA service fails to start, and the IPA service says the 389DIR service didn't start. Then I find in the slapd log this error below. I do the same on Centos6 and it does not have this issue! Are my global forwarders maybe inflating the database and crashing 389dir?


[root@tarkin slapd-ANSYS-COM]# systemctl status ipa
ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
Active: failed (Result: exit-code) since Thu 2015-08-13 11:23:57 EDT; 8min ago
Process: 908 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
Main PID: 908 (code=exited, status=1/FAILURE)
CGroup: /system.slice/ipa.service

Aug 13 11:18:51 tarkin.ansys.com systemd[1]: Starting Identity, Policy, Audit...
Aug 13 11:23:57 tarkin.ansys.com ipactl[908]: Failed to start Directory Service:
Aug 13 11:23:57 tarkin.ansys.com ipactl[908]: Starting Directory Service
Aug 13 11:23:57 tarkin.ansys.com systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE
Aug 13 11:23:57 tarkin.ansys.com systemd[1]: Failed to start Identity, Policy, Audit.
Aug 13 11:23:57 tarkin.ansys.com systemd[1]: Unit ipa.service entered failed state.
[root@tarkin slapd-ANSYS-COM]# systemctl start ipa


[13/Aug/2015:11:08:30 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[13/Aug/2015:11:08:30 -0400] - 389-Directory/1.3.3.1 B2015.218.023 starting up
[13/Aug/2015:11:08:30 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=ethers.byaddr
[13/Aug/2015:11:08:30 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=ethers.byname
[13/Aug/2015:11:08:30 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=netgroup
[13/Aug/2015:11:18:56 -0400] - SSL alert: Configured NSS Ciphers

[13/Aug/2015:11:18:56 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[13/Aug/2015:11:18:56 -0400] - 389-Directory/1.3.3.1 B2015.218.023 starting up
[13/Aug/2015:11:18:56 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[13/Aug/2015:11:18:57 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=ethers.byaddr
[13/Aug/2015:11:18:57 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=ethers.byname
[13/Aug/2015:11:18:57 -0400] nis-plugin - warning: no entries in domain=ansys.com,map=netgroup


[12/Aug/2015:11:02:37 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[12/Aug/2015:11:02:37 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[12/Aug/2015:11:02:37 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[12/Aug/2015:11:02:37 -0400] - 389-Directory/1.3.3.1 B2015.064.2159 starting up
[12/Aug/2015:11:02:37 -0400] - WARNING: userRoot: entry cache size 1407372B is less than db size 5914624B; We recommend to increase the entry

cache size nsslapd
-cachememsize.
[12/Aug/2015:11:02:37 -0400] - WARNING: changelog: entry cache size 858992B is less than db size 29384704B; We recommend to increase the entry

cache size nsslapd-cachememsize.
[12/Aug/2015:11:02:37 -0400] - I'm resizing my cache now...cache was 1342176 and is now 1073740
[12/Aug/2015:11:02:38 -0400] nis-plugin - warning: no entries in domain=mon.ansys.com,map=ethers.byaddr
[12/Aug/2015:11:02:38 -0400] nis-plugin - warning: no entries in domain=mon.ansys.com,map=ethers.byname
[12/Aug/2015:11:02:39 -0400] nis-plugin - warning: no entries in domain=mon.ansys.com,map=netgroup
 
Old 08-27-2015, 11:15 AM   #2
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154Reputation: 154
Welcome to the forum, what is up with all the IPA stuff. You guys trying the rhel rhcsa ipa setup from the new pearson book?

Anyway. I posted quite a bit in this thread

http://www.linuxquestions.org/questi...dc-4175536667/

See if that points you in the correct direction.

Before configuring IPA make sure to edit the hosts file. Add the actual ip address you want to use with the fqdn.

So ipa.host.domain immediately after that. If you have just the ipa part, the dns will fail and that will xause the 389 directory to fail which will cause kerberos to fail.

Systemctl status ipa will say it runs because it is actually running. Just all parts of it is messed up. The reason it is advised to use integrated dns is because it makes it easier, but not fool proof that it will always work.

Check that host file and double check the interface ip is in it and make sure it is not dhcp issued. That solves about 90 of these issues.

Last edited by ericson007; 08-28-2015 at 12:24 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] CentOS7 fails to boot: "Failed to mount /sysroot" thealmightyos Linux - General 18 10-10-2014 10:07 AM
Freeipa server configuration fails during settingup CA / pki pix9 Linux - Server 2 06-04-2014 01:14 AM
Freeipa vs Samba4 : will Redhat dump freeipa in favor of Samba4? exodius Linux - Enterprise 1 12-16-2013 03:16 AM
Hang on Reboot due to i2c driver saurabhchokshi Linux - Kernel 0 09-27-2010 05:16 PM
reboot broke xwindows (probably due to updates) davidstvz SUSE / openSUSE 10 08-18-2008 09:25 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 01:55 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration