[Freeipa-users] Re: keytab file deleted and sssd not starting

[Rob Crittenden via FreeIPA-users]

Jeremy Tourville via FreeIPA-users wrote:
> UPDATE:
> I did a little more troubleshooting and was able to get dirsrv to start.  Now 
> I need to figure out why named service won't start.  Here's the output from 
> starting services and ipa-healthcheck.  I presume several of the healthcheck 
> failures are due to named service not running.  Can anyone confirm?

It's likely. Kerberos and TLS rely on working name resolution. If your
server has a valid entry in /etc/hosts that may mitigate some issues but
but I'd still focus on getting named to start as a first step.

rob

> 
> [root@gsil-ipa01 ipa]# ipactl status
> Directory Service: STOPPED
> Directory Service must be running in order to obtain status of other services
> [root@gsil-ipa01 ipa]# ipactl start --ignore-service-failures
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Failed to start named Service
> Forced start, ignoring named Service, continuing normal operation
> Starting httpd Service
> Starting ipa-custodia Service
> Starting pki-tomcatd Service
> Starting smb Service
> Starting winbind Service
> Starting ipa-otpd Service
> Starting ipa-dnskeysyncd Service
> ipa: INFO: The ipactl command was successful
> [root@gsil-ipa01 ipa]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: STOPPED
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> 1 service(s) are not running
> [root@gsil-ipa01 ipa]# ipa-healthcheck --failures-only
> caSigningCert External CA not found, assuming 3rd party
> [
>   {
>     "source": "ipahealthcheck.meta.services",
>     "check": "named",
>     "result": "ERROR",
>     "uuid": "b5bfa450-77f4-4655-a4e2-fccbf88aa43a",
>     "when": "20230316153125Z",
>     "duration": "0.111160",
>     "kw": {
>       "status": false,
>       "msg": "named: not running"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "CRITICAL",
>     "uuid": "dcaa538c-a5e2-4247-9210-d6047a0d65f5",
>     "when": "20230316153132Z",
>     "duration": "0.281251",
>     "kw": {
>       "key": "DSREPLLE0001",
>       "items": [
>         "Replication",
>         "Agreement"
>       ],
>       "msg": "The replication agreement (metogsil-ipa02.idm.x.xl) under 
> \"dc=idm,dc=x,dc=x\" is not in synchronization."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "CRITICAL",
>     "uuid": "556f572a-0ee9-42fa-8c06-b90e33ed961d",
>     "when": "20230316153132Z",
>     "duration": "0.281301",
>     "kw": {
>       "key": "DSREPLLE0001",
>       "items": [
>         "Replication",
>         "Agreement"
>       ],
>       "msg": "The replication agreement (catogsil-ipa02.idm.x.x) under 
> \"o=ipaca\" is not in synchronization."
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.dna",
>     "check": "IPADNARangeCheck",
>     "result": "CRITICAL",
>     "uuid": "7b88f564-dac5-4191-96ec-b9ad922c0f5e",
>     "when": "20230316153142Z",
>     "duration": "0.027683",
>     "kw": {
>       "exception": "Insufficient access: SASL(-1): generic failure: GSSAPI 
> Error: Unspecified GSS failure.  Minor code may provide more information 
> (Preauthentication failed)"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.idns",
>     "check": "IPADNSSystemRecordsCheck",
>     "result": "WARNING",
>     "uuid": "6b0bc0c1-d505-4f5a-944d-42dd044b2365",
>     "when": "20230316153426Z",
>     "duration": "164.364540",
>     "kw": {
>       "msg": "Got {count} ipa-ca A records, expected {expected}",
>       "count": 1,
>       "expected": 2
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.files",
>     "check": "IPAFileCheck",
>     "result": "WARNING",
>     "uuid": "ea3fcb5d-a280-4a29-ab5b-60abe15febdb",
>     "when": "20230316153426Z",
>     "duration": "0.003201",
>     "kw": {
>       "key": "_var_log_ipaupgrade.log_mode",
>       "path": "/var/log/ipaupgrade.log",
>       "type": "mode",
>       "expected": "0600",
>       "got": "0644",
>       "msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644 
> and should be 0600"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.host",
>     "check": "IPAHostKeytab",
>     "result": "ERROR",
>     "uuid": "9e43e0d9-7143-40b1-8411-c0aa4b53bb1e",
>     "when": "20230316153426Z",
>     "duration": "0.027001",
>     "kw": {
>       "msg": "Failed to obtain host TGT: Major (851968): Unspecified GSS 
> failure.  Minor code may provide more information, Minor (2529638936): 
> Preauthentication failed"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.trust",
>     "check": "IPATrustDomainsCheck",
>     "result": "ERROR",
>     "uuid": "a0ed3f4b-c409-42e4-b730-d9964ed46f64",
>     "when": "20230316153427Z",
>     "duration": "0.336395",
>     "kw": {
>       "key": "domain-list",
>       "sssctl": "/usr/sbin/sssctl",
>       "sssd_domains": "",
>       "trust_domains": "gx.x",
>       "msg": "{sssctl} {key} reports mismatch: sssd domains {sssd_domains} 
> trust domains {trust_domains}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.trust",
>     "check": "IPATrustCatalogCheck",
>     "result": "WARNING",
>     "uuid": "fd1ff67b-48b3-49dd-a3b4-32631a51672f",
>     "when": "20230316153427Z",
>     "duration": "0.013619",
>     "kw": {
>       "key": "S-1-5-21-3568498085-2952124370-1649233135",
>       "error": "returned nothing",
>       "msg": "Look up of {key} {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.trust",
>     "check": "IPATrustCatalogCheck",
>     "result": "ERROR",
>     "uuid": "c478454c-f94c-4089-ade4-7c3bd73d6b65",
>     "when": "20230316153427Z",
>     "duration": "0.127239",
>     "kw": {
>       "key": "domain-status",
>       "error": "CalledProcessError(Command ['/usr/sbin/sssctl', 
> 'domain-status', 'gx.x', '--active-server'] returned non-zero exit status 1: 
> 'Unable to get online status\\n')",
>       "msg": "Execution of {key} failed: {error}"
>     }
>   }
> ]
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue