A.5. Investigating Why a Service Fails to Start
- Review the log for the service that fails to start. See Section C.2, “Identity Management Log Files and Directories”. For example, the log for Directory Server is at /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors.
- Make sure that the server on which the service is running has a fully qualified domain name (FQDN). See the section called “Verifying the Server Host Name”.
- If the /etc/hosts file contains an entry for the server on which the service is running, make sure the fully qualified domain name is listed first. See also the section called “The /etc/hosts File”.
- Make sure you meet the other conditions in Section 2.1.5, “Host Name and DNS Configuration”.
- Determine what keys are included in the keytab that is used for authentication of the service. For example, for the dirsrv service keytab:

  # klist -kt /etc/dirsrv/ds.keytab
  Keytab name: FILE:/etc/dirsrv/ds.keytab
  KVNO Timestamp           Principal
  ---- ------------------- ------------------------------------------------------
     2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
     2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
  [... output truncated ...]
- Make sure that the displayed principals match the system's FQDN.
- Make sure that the key version number (KVNO) shown for each principal in the service keytab matches the KVNO the KDC currently holds for that principal. A keytab whose keys are older than the KDC's (for example, after the service keytab was regenerated) cannot decrypt the service tickets the KDC issues. To obtain the KDC's current KVNO, request a ticket for the service principal:

  $ kinit admin
  $ kvno ldap/server.example.com@EXAMPLE.COM
- Verify that the forward (A, AAAA, or both) and reverse DNS records for the server resolve correctly from the client and match the displayed system name and the host part of the service principal.
- Make sure that the clock difference between the client and the server is 5 minutes at most (the default Kerberos clock skew tolerance); a larger skew makes Kerberos reject the ticket with a clock skew error.
- Services can fail to start after the IdM administrative server certificates expire. To check if this is the cause in your case:
  - Use the getcert list command to list all certificates tracked by the certmonger utility.
  - In the output, find the IdM administrative certificates: the ldap and httpd server certificates.
  - Examine the fields labeled status and expires.

  # getcert list
  Number of certificates and requests being tracked: 8.
  [... output truncated ...]
  Request ID '20170421124617':
          status: MONITORING
          stuck: no
          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-EXAMPLE-COM/pwdfile.txt'
          certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
          CA: IPA
          issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
          subject: CN=ipa.example.com,O=IPA.EXAMPLE.COM
          expires: 2019-04-22 12:46:17 UTC
  [... output truncated ...]
  Request ID '20170421130535':
          status: MONITORING
          stuck: no
          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
          CA: IPA
          issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
          subject: CN=ipa.example.com,O=IPA.EXAMPLE.COM
          expires: 2019-04-22 13:05:35 UTC
  [... output truncated ...]
If you need to start the service even though the certificates are expired, see Section 26.5, “Allowing IdM to Start with Expired Certificates”.
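The keytab, /etc/hosts and certificate checks in the procedure above can be scripted so that the mismatches they look for are reported mechanically. The following is an added example; it is not part of the Red Hat documentation and not IdM tooling. The helper functions (keytab_principals_match, keytab_kvno_current, hosts_fqdn_first, expired_certs) are my own, and every SAMPLE_* input is constructed to mirror the section's example output rather than captured from a real server.

```shell
#!/bin/sh
# Added example (not Red Hat tooling): helpers for the keytab, /etc/hosts
# and certificate checks in this section. SAMPLE_* inputs are constructed.

SAMPLE_FQDN='server.example.com'

# Constructed output of: klist -kt /etc/dirsrv/ds.keytab
SAMPLE_KLIST='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
   2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM'

# Constructed output of: kvno ldap/server.example.com@EXAMPLE.COM (after kinit admin)
SAMPLE_KVNO='ldap/server.example.com@EXAMPLE.COM: kvno = 2'

# Constructed /etc/hosts with the FQDN listed before the short name, as required.
SAMPLE_HOSTS='127.0.0.1   localhost
192.0.2.10  server.example.com server'

# Constructed, abbreviated output of: getcert list
SAMPLE_GETCERT="Request ID '20170421124617':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2019-04-22 12:46:17 UTC
Request ID '20170421130535':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2019-04-22 13:05:35 UTC"

# stdin: klist -kt output. Return 0 only when the host part of every
# principal (service/host@REALM) equals the FQDN given as $1.
keytab_principals_match() {
    local fqdn="$1" line host rc=0
    while read -r line; do
        case "$line" in [0-9]*) ;; *) continue ;; esac   # skip header lines
        set -- $line                    # KVNO date time principal [enctype]
        host="${4#*/}"; host="${host%@*}"
        if [ "$host" != "$fqdn" ]; then
            echo "keytab principal $4 does not match FQDN $fqdn" >&2
            rc=1
        fi
    done
    return $rc
}

# $1: the line printed by kvno; stdin: klist -kt output. Return 0 only when
# every key in the keytab carries the KVNO the KDC currently reports.
keytab_kvno_current() {
    local want="${1##* }" line found=0
    while read -r line; do
        case "$line" in [0-9]*) ;; *) continue ;; esac
        set -- $line
        found=1
        [ "$1" = "$want" ] || { echo "keytab KVNO $1, KDC KVNO $want" >&2; return 1; }
    done
    [ "$found" = 1 ]
}

# stdin: /etc/hosts. Return 0 when, on every line naming the FQDN in $1,
# the FQDN is the first name after the address.
hosts_fqdn_first() {
    local fqdn="$1" ip first rest
    while read -r ip first rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        rest=$(printf '%s' "$rest" | tr '\t' ' ')
        case " $first $rest " in *" $fqdn "*) ;; *) continue ;; esac
        [ "$first" = "$fqdn" ] || return 1
    done
}

# stdin: getcert list output; $1: "now" as YYYY-MM-DD HH:MM:SS UTC.
# Print each tracked certificate whose expires: field is in the past;
# return 1 if there is at least one. Dates are compared as digit strings.
expired_certs() {
    local now_num line loc='' exp exp_num rc=0
    now_num=$(printf '%s' "$1" | tr -dc '0-9')
    while read -r line; do
        case "$line" in
            "certificate: "*) loc="${line#certificate: }" ;;
            "expires: "*)
                exp="${line#expires: }"
                exp_num=$(printf '%s' "$exp" | tr -dc '0-9')   # e.g. 20190422124617
                if [ "$exp_num" -lt "$now_num" ]; then
                    echo "EXPIRED $exp  $loc"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_KLIST" | keytab_principals_match "$SAMPLE_FQDN" && echo 'keytab principals: OK'
printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno_current "$SAMPLE_KVNO" && echo 'keytab KVNO: OK'
printf '%s\n' "$SAMPLE_HOSTS" | hosts_fqdn_first "$SAMPLE_FQDN" && echo '/etc/hosts order: OK'
printf '%s\n' "$SAMPLE_GETCERT" | expired_certs '2019-05-01 00:00:00 UTC' || echo 'expired certificates found'
```

On a live server, feed the real commands instead of the samples, for example `klist -kt /etc/dirsrv/ds.keytab | keytab_principals_match "$(hostname -f)"`, `klist -kt /etc/dirsrv/ds.keytab | keytab_kvno_current "$(kvno ldap/server.example.com@EXAMPLE.COM)"` after kinit, `hosts_fqdn_first "$(hostname -f)" < /etc/hosts`, and `getcert list | expired_certs "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"`. The KVNO check only compares the keytab against what the KDC reports; a keytab that is newer than the KDC's key is just as broken as a stale one, so any mismatch is a finding.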