Appendix B. Troubleshooting: Solutions to Specific Problems
For troubleshooting advice for:
- Servers, see Section B.1, “Identity Management Servers”
- Replicas, see Section B.2, “Identity Management Replicas”
- Clients, see Section B.3, “Identity Management Clients”
- Authentication, see Section B.4, “Logging In and Authentication Problems”
- Vaults, see Section B.5, “Vaults”
B.1. Identity Management Servers
B.1.1. External CA Installation Fails
The ipa-server-install --external-ca command fails with the following error:
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/configuration_file' returned non-zero exit status 1
Configuration of CA failed
The env|grep proxy command displays variables such as the following:
env|grep proxy
http_proxy=http://example.com:8080
ftp_proxy=http://example.com:8080
https_proxy=http://example.com:8080
What this means:
The *_proxy environment variables are preventing the server from being installed.
To fix the problem:
- Use the following shell script to unset the *_proxy environment variables:
# for i in ftp http https; do unset ${i}_proxy; done
- Run the pkidestroy utility to remove the unsuccessful CA subsystem installation:
# pkidestroy -s CA -i pki-tomcat; rm -rf /var/log/pki/pki-tomcat /etc/sysconfig/pki-tomcat /etc/sysconfig/pki/tomcat/pki-tomcat /var/lib/pki/pki-tomcat /etc/pki/pki-tomcat /root/ipa.csr
- Remove the failed IdM server installation:
# ipa-server-install --uninstall
- Retry running ipa-server-install --external-ca.
B.1.2. named Daemon Fails to Start
After installing an IdM server with integrated DNS, the named-pkcs11 service fails to start. The /var/log/messages file includes an error message related to the named-pkcs11 service and the ldap.so library:
ipaserver named[6886]: failed to dynamically load driver 'ldap.so': libldap-2.4.so.2: cannot open shared object file: No such file or directory
What this means:
The bind-chroot package is installed and is preventing the named-pkcs11 service from starting.
To fix the problem:
- Uninstall the bind-chroot package.
# yum remove bind-chroot
- Restart the IdM server.
# ipactl restart
B.1.3. Installing a Server Fails on a System with IPv6 Disabled
When attempting to install an IdM server on a system with IPv6 disabled, the following error occurs during the installation process:
CRITICAL Failed to restart the directory server Command '/bin/systemctl restart dirsrv@EXAMPLE.service' returned non-zero exit status 1
What this means:
Installing and running a server requires IPv6 to be enabled on the network. See Section 2.1.3, “System Requirements”.
To fix the problem:
Enable IPv6 on your system. For details, see “How do I disable or enable the IPv6 protocol in Red Hat Enterprise Linux?” in the Red Hat Knowledgebase.
Note that IPv6 is enabled by default on Red Hat Enterprise Linux 7 systems.
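The three conditions described in B.1.1 to B.1.3 can be checked in one pass before running ipa-server-install. The following script is an added example, not part of the original guide or of IdM; the function names and the PROC_ROOT and RPM_CMD overrides are assumptions made for the example, and it goes beyond B.1.2 by checking for bind-chroot before the installation rather than after it.

```shell
#!/bin/sh
# Added example: pre-install check for the failures in B.1.1 to B.1.3.
# Function names, PROC_ROOT and RPM_CMD are assumptions made for this example.
PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable so the check can run on a test tree
RPM_CMD="${RPM_CMD:-rpm}"         # overridable package query command

# B.1.1: print the names of exported *_proxy variables (the ones a child
# process such as the installer inherits), restricted to the three on the page.
proxy_vars_set() {
    env | grep -E '^(ftp|http|https)_proxy=' | cut -d= -f1
}

# B.1.2: succeeds when the bind-chroot package is installed.
bind_chroot_installed() {
    "$RPM_CMD" -q bind-chroot >/dev/null 2>&1
}

# B.1.3: succeeds when IPv6 is off. A missing sysctl file is treated as
# disabled, because the kernel then exposes no IPv6 stack at all.
# Assumption: only the "all" sysctl is inspected, not per-interface settings.
ipv6_disabled() {
    f="$PROC_ROOT/sys/net/ipv6/conf/all/disable_ipv6"
    [ -r "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# Runs all three checks; returns non-zero if any would break the installation.
preflight() {
    rc=0
    vars=$(proxy_vars_set)
    if [ -n "$vars" ]; then
        echo "B.1.1: unset before installing:" $vars
        rc=1
    fi
    if bind_chroot_installed; then
        echo "B.1.2: bind-chroot is installed; run: yum remove bind-chroot"
        rc=1
    fi
    if ipv6_disabled; then
        echo "B.1.3: IPv6 is disabled; enable it before installing"
        rc=1
    fi
    return "$rc"
}
```

Call preflight in the same root shell that will run ipa-server-install, because the proxy check reads that shell's exported environment.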