[Freeipa-users] krb5kdc service not starting

Gady Notrica gnotrica at candeal.com
Tue Apr 26 13:13:04 UTC 2016


Hello world,

I am having issues this morning with my primary IPA. See the details in the logs and command results below. Basically, the krb5kdc service is not starting - krb5kdc: Server error - while fetching master key.

DNS is functioning. See below dig result. I have a trust with Windows AD.

Please help…!

[root@cd-ipa1 log]# systemctl status krb5kdc.service -l
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:52 EDT; 41min ago
  Process: 3694 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Starting Kerberos 5 KDC...
Apr 26 08:27:52 cd-ipa1.ipa.domain.local krb5kdc[3694]: krb5kdc: cannot initialize realm IPA.DOMAIN.LOCAL - see log file for details
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: Unit krb5kdc.service entered failed state.
Apr 26 08:27:52 cd-ipa1.ipa.domain.local systemd[1]: krb5kdc.service failed.
[root@cd-ipa1 log]#

Errors in /var/log/krb5kdc.log

krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL
krb5kdc: Server error - while fetching master key K/M for realm DOMAIN.LOCAL

[root@cd-ipa1 log]# systemctl status httpd -l
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2016-04-26 08:27:21 EDT; 39min ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 3594 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=1/FAILURE)

Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1579, in __wait_for_connection
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: wait_for_open_socket(lurl.hostport, timeout)
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: raise e
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: error: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local ipa-httpd-kdcproxy[3594]: ipa         : ERROR    Unknown error while retrieving setting from ldapi://%2fvar%2frun%2fslapd-IPA-CANDEAL-CA.socket: [Errno 2] No such file or directory
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Failed to start The Apache HTTP Server.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: Unit httpd.service entered failed state.
Apr 26 08:27:21 cd-ipa1.ipa.domain.local systemd[1]: httpd.service failed.
[root@cd-ipa1 log]#


DNS Result for dig redhat.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> redhat.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5414
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;redhat.com.                    IN      A

;; ANSWER SECTION:
redhat.com.             60      IN      A       209.132.183.105

;; AUTHORITY SECTION:
.                       849     IN      NS      f.root-servers.net.
.                       849     IN      NS      e.root-servers.net.
.                       849     IN      NS      k.root-servers.net.
.                       849     IN      NS      m.root-servers.net.
.                       849     IN      NS      b.root-servers.net.
.                       849     IN      NS      g.root-servers.net.
.                       849     IN      NS      c.root-servers.net.
.                       849     IN      NS      h.root-servers.net.
.                       849     IN      NS      l.root-servers.net.
.                       849     IN      NS      a.root-servers.net.
.                       849     IN      NS      j.root-servers.net.
.                       849     IN      NS      i.root-servers.net.
.                       849     IN      NS      d.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.     3246    IN      A       192.58.128.30

;; Query time: 79 msec
;; SERVER: 10.20.10.41#53(10.20.10.41)
;; WHEN: Tue Apr 26 09:02:43 EDT 2016
;; MSG SIZE  rcvd: 282

Gady Notrica | IT Systems Analyst | 416.814.7800 Ext. 7921 | Cell. 416.818.4797 | gnotrica at candeal.com
CanDeal | 152 King St. E, 4th Floor, Toronto ON M5A 1J4 | www.candeal.com
