Home
Products
Red Hat Enterprise Linux
7
Linux Domain Identity, Authentication, and Policy Guide
A.5. Investigating Why a Service Fails to Start

A.5. Investigating Why a Service Fails to Start

Review the log for the service that fails to start. See Section C.2, “Identity Management Log Files and Directories”.
For example, the log for Directory Server is at /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors.
Make sure that the server on which the service is running has a fully qualified domain name (FQDN). See the section called “Verifying the Server Host Name”.
If the /etc/hosts file contains an entry for the server on which the service is running, make sure the fully qualified domain name is listed first. See also the section called “The /etc/hosts File”.
Make sure you meet the other conditions in Section 2.1.5, “Host Name and DNS Configuration”.
Determine what keys are included in the keytab that is used for authentication of the service. For example, for the dirsrv service ticket:
```
klist -kt /etc/dirsrv/ds.keytab
```
```
# klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
   2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
   [... output truncated ...]
```
Copy to Clipboard Toggle word wrap
1. Make sure that the displayed principals match the system's FQDN.
2. Make sure that the displayed version of the keys (KVNO) in the above-mentioned service keytab match the KVNO in the server keytab. To display the server keytab:
```
kinit admin
kvno ldap/server.example.com@EXAMPLE.COM
```
```
$ kinit admin
$ kvno ldap/server.example.com@EXAMPLE.COM
```
  Copy to Clipboard Toggle word wrap
3. Verify that the forward (A, AAAA, or both) and reverse records on the client match the displayed system name and service principal.
Verify that the forward (A, AAAA, or both) and reverse records on the client are correct.
Make sure that the system time difference on the client and the server is 5 minutes at the most.

Services can fail to start after the IdM administrative server certificates expire. To check if this is the cause in your case:

Use the getcert list command to list all certificates tracked by the certmonger utility.
In the output, find the IdM administrative certificates: the ldap and httpd server certificates.

Examine the fields labeled status and expires.

getcert list

# getcert list
Number of certificates and requests being tracked: 8.
[... output truncated ...]
Request ID '20170421124617':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-EXAMPLE-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
	subject: CN=ipa.example.com,O=IPA.EXAMPLE.COM
	expires: 2019-04-22 12:46:17 UTC
[... output truncated ...]
Request ID '20170421130535':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
	subject: CN=ipa.example.com,O=IPA.EXAMPLE.COM
	expires: 2019-04-22 13:05:35 UTC
[... output truncated ...]

Copy to Clipboard

Toggle word wrap

If you need to start the service even though the certificates are expired, see Section 26.5, “Allowing IdM to Start with Expired Certificates”.

A.5. Investigating Why a Service Fails to Start

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links