Appendix A. Troubleshooting: General Guidelines
This appendix describes general steps for determining the root cause of a problem, for example by querying logs and service statuses.
Note
For lists of specific problems and their solutions, see Appendix B, Troubleshooting: Solutions to Specific Problems.
What were you doing when you encountered the problem?
If you know which specific area of IdM is causing the problem, follow these links:
If this guide does not help you find and fix the problem and you proceed to file a customer case, include any notable error output that you determined using these troubleshooting procedures in the case report. See also Contacting Red Hat Technical Support.
A.1. Investigating Failures when Executing the ipa
Utility
Basic Troubleshooting
- Add the
--verbose
(-v
) option to the command. This displays debug information. - Add the
-vv
option to the command. This displays the JSON response and request.
Advanced Troubleshooting
Figure A.1, “The architecture of executing the ipa cert-show command” shows which components interact when the user uses the IdM command-line utility. Querying these components can help you investigate where the problem occurred and what caused it.
- Use the following utilities:
host
to check the DNS resolution of the IdM server or clientping
to check if the IdM server is availableiptables
to check the current firewall configuration on the IdM serverdate
to check the current timenc
to try to connect to the required ports, as listed in Section 2.1.6, “Port Requirements”
For details on using these utilities, see their man pages. - Set the
KRB5_TRACE
environment variable to the/dev/stdout
file to send trace-logging output to/dev/stdout
:$ KRB5_TRACE=/dev/stdout ipa cert-find
Review the Kerberos key distribution center (KDC) log:/var/log/krb5kdc.log
. - Review the Apache error log:
- Enable debug level on the server: Open the
/etc/ipa/server.conf
file, and add thedebug=True
option to the[global]
section. - Restart the
httpd
service:# systemctl restart httpd.service
- Run the command that failed again.
- Review the
httpd
error log on the server:/var/log/httpd/error_log
.
Run the command with the-vvv
option to display the HTTP request and response. - Review the Apache access log:
/var/log/httpd/access_log
.Review the logs for the Certificate System component:/var/log/pki/pki-ca-spawn.time_of_installation.log
/var/log/pki/pki-tomcat/ca/debug
/var/log/pki/pki-tomcat/ca/system
/var/log/pki/pki-tomcat/ca/selftests.log
- Use the # journalctl -u pki-tomcatd@pki-tomcat.service command to review the
journal
log.
- Review the Directory Server access log:
/var/log/dirsrv/slapd-IPA-EXAMPLE-COM/access
.
Figure A.1. The architecture of executing the ipa cert-show command
Related Information
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.