A.5. Investigating Why a Service Fails to Start

  1. Review the log for the service that fails to start. See Section C.2, “Identity Management Log Files and Directories”.
    For example, the log for Directory Server is at /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors.
  2. Make sure that the server on which the service is running has a fully qualified domain name (FQDN). See the section called “Verifying the Server Host Name”.
  3. If the /etc/hosts file contains an entry for the server on which the service is running, make sure the fully qualified domain name is listed first, before any short name or alias: the first name on the line is what the system's own address resolves back to. See also the section called “The /etc/hosts File”.
  4. Make sure you meet the other conditions in Section 2.1.5, “Host Name and DNS Configuration”.
  5. Determine what keys are included in the keytab that the service uses to authenticate. For example, for the Directory Server (dirsrv) keytab:
    # klist -kt /etc/dirsrv/ds.keytab
    Keytab name: FILE:/etc/dirsrv/ds.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
       2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
       [... output truncated ...]
    1. Make sure that the displayed principals match the system's FQDN.
    2. Make sure that the key version number (KVNO) shown for the service keytab matches the key version the KDC currently holds for that principal. To query the KDC, obtain a ticket and run kvno against the service principal; the command requests a service ticket and prints the KVNO of the key the KDC used to issue it:
      $ kinit admin
      $ kvno ldap/server.example.com@EXAMPLE.COM
     If the versions differ, the keytab holds a stale key and the service cannot decrypt the tickets the KDC issues for it.
    3. Verify that the forward (A, AAAA, or both) and reverse records on the client match the displayed system name and service principal.
  6. Verify that the forward (A, AAAA, or both) and reverse records for the host are correct and consistent: the FQDN must resolve to the addresses the host actually uses, and the reverse lookup of each of those addresses must return the same FQDN.
  7. Make sure that the clocks of the client and the server differ by no more than 5 minutes (300 seconds), the Kerberos default clock skew tolerance; with a larger difference the KDC rejects authentication requests as out of date.
  8. Services can fail to start after the IdM administrative server certificates expire. To check if this is the cause in your case:
    1. Use the getcert list command to list all certificates tracked by the certmonger utility.
    2. In the output, find the IdM administrative certificates: the ldap and httpd server certificates.
    3. Examine the fields labeled status and expires.
      # getcert list
      Number of certificates and requests being tracked: 8.
      [... output truncated ...]
      Request ID '20170421124617':
      	status: MONITORING
      	stuck: no
      	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-EXAMPLE-COM/pwdfile.txt'
      	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
      	CA: IPA
      	issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
      	subject: CN=ipa.example.com,O=IPA.EXAMPLE.COM
      	expires: 2019-04-22 12:46:17 UTC
      [... output truncated ...]
      Request ID '20170421130535':
      	status: MONITORING
      	stuck: no
      	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
      	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
      	CA: IPA
      	issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
      	subject: CN=ipa.example.com,O=IPA.EXAMPLE.COM
      	expires: 2019-04-22 13:05:35 UTC
      [... output truncated ...]
    If you need to start the service even though the certificates are expired, see Section 26.5, “Allowing IdM to Start with Expired Certificates”.
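
The following script is an added example and not part of the Red Hat guide. It turns the checks in steps 3, 5 and 8 into functions that run over captured command output, so the parsing can be tested offline: the /etc/hosts, klist -kt, kvno and getcert list inputs are constructed samples modeled on the output shown above, and the host name server.example.com, realm EXAMPLE.COM and NSS database paths are assumptions. It needs only POSIX sh, awk, sed and grep. The clock skew check in step 7 is left out because it needs a live peer to compare against.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): offline checks over output
# captured from the commands in steps 3, 5 and 8. Every input below is a
# constructed sample; server.example.com and EXAMPLE.COM are assumptions.
FQDN=server.example.com

# Constructed /etc/hosts contents: good (FQDN first) and bad (short name first).
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
192.0.2.10  server.example.com server'
SAMPLE_HOSTS_BAD='192.0.2.10  server server.example.com'

# Constructed `klist -kt /etc/dirsrv/ds.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
   2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM'

# Constructed `kvno ldap/server.example.com@EXAMPLE.COM` output.
SAMPLE_KVNO='ldap/server.example.com@EXAMPLE.COM: kvno = 2'

# Constructed `getcert list` output, abbreviated to the fields the check uses.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170421124617':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2019-04-22 12:46:17 UTC
Request ID '20170421130535':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2019-04-22 13:05:35 UTC
EOF
)

# Step 3: on every /etc/hosts line that names the host (by FQDN or short
# name), the FQDN must be the first name after the address.
hosts_fqdn_first() {
    printf '%s\n' "$1" | awk -v fqdn="$2" -v short="${2%%.*}" '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }
        { named = 0
          for (i = 2; i <= NF; i++) if ($i == fqdn || $i == short) named = 1
          if (named && $2 != fqdn) bad = 1 }
        END { exit bad }'
}

# Step 5.1: the instance part of every keytab principal must be the FQDN.
keytab_principals_ok() {
    printf '%s\n' "$1" | awk -v fqdn="$2" '
        BEGIN { bad = 0 }
        $1 ~ /^[0-9]+$/ {                       # entry rows start with the KVNO
            princ = $NF; sub(/@.*/, "", princ)  # drop the realm
            n = split(princ, part, "/")         # service/instance
            if (n != 2 || part[2] != fqdn) bad = 1 }
        END { exit bad }'
}

# Step 5.2: distinct KVNOs present in the keytab, one per line.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && !seen[$1]++ { print $1 }'
}

# Step 5.2: the KVNO the KDC reports, parsed from `kvno` output ("princ: kvno = N").
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Step 5.2: the keytab must hold the key version the KDC currently uses,
# otherwise the service cannot decrypt the tickets the KDC issues for it.
kvno_consistent() {
    kdc=$(kdc_kvno "$2")
    [ -n "$kdc" ] && keytab_kvnos "$1" | grep -qx "$kdc"
}

# Step 8: print "location status expiry" for each tracked certificate whose
# expires: field is earlier than $2 ("YYYY-MM-DD HH:MM:SS", UTC as getcert
# prints it). Timestamps in this form compare correctly as plain strings.
expired_certs() {
    printf '%s\n' "$1" | awk -v now="$2" -v q="'" '
        /^Request ID/ { loc = "?"; st = "?" }
        /^[[:space:]]*status:/ { st = $2 }
        /^[[:space:]]*certificate:/ {
            loc = $0; sub(/.*location=/, "", loc); sub(/,.*/, "", loc); gsub(q, "", loc) }
        /^[[:space:]]*expires:/ { when = $2 " " $3; if (when < now) print loc, st, when }'
}

# Run against the samples. On a live IdM server substitute "$(cat /etc/hosts)",
# "$(klist -kt /etc/dirsrv/ds.keytab)" (as root), "$(kvno ldap/$(hostname -f))"
# after kinit, "$(getcert list)" and "$(date -u '+%Y-%m-%d %H:%M:%S')".
hosts_fqdn_first "$SAMPLE_HOSTS" "$FQDN" && echo "hosts: FQDN listed first"
hosts_fqdn_first "$SAMPLE_HOSTS_BAD" "$FQDN" || echo "hosts (bad sample): short name precedes FQDN"
keytab_principals_ok "$SAMPLE_KLIST" "$FQDN" && echo "keytab: all principals name $FQDN"
kvno_consistent "$SAMPLE_KLIST" "$SAMPLE_KVNO" && echo "keytab: holds KVNO $(kdc_kvno "$SAMPLE_KVNO") reported by the KDC"
echo "certificates expired as of 2019-05-01:"
expired_certs "$SAMPLE_GETCERT" '2019-05-01 00:00:00'
```

The certificate check deliberately compares getcert's UTC timestamps as strings rather than converting them with date(1), whose -d and -j options differ between GNU and BSD systems; the reference time must therefore also be produced in UTC. A keytab that holds several KVNOs is normal after a rekey, so the KVNO check only requires that the version the KDC reports is present, not that it is the only one.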