A.5. Investigating Why a Service Fails to Start
- Review the log for the service that fails to start. See Section C.2, “Identity Management Log Files and Directories”. For example, the log for Directory Server is at /var/log/dirsrv/slapd-IPA-EXAMPLE-COM/errors.
- Make sure that the server on which the service is running has a fully qualified domain name (FQDN). See the section called “Verifying the Server Host Name”.
- If the /etc/hosts file contains an entry for the server on which the service is running, make sure the fully qualified domain name is listed first. See also the section called “The /etc/hosts File”.
- Make sure you meet the other conditions in Section 2.1.3, “Host Name and DNS Configuration”.
- Determine what keys are included in the keytab that is used for authentication of the service. For example, for the dirsrv service ticket:

        # klist -kt /etc/dirsrv/ds.keytab
        Keytab name: FILE:/etc/dirsrv/ds.keytab
        KVNO Timestamp           Principal
        ---- ------------------- ------------------------------------------------------
           2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
           2 01/10/2017 14:54:39 ldap/server.example.com@EXAMPLE.COM
        [... output truncated ...]

    - Make sure that the displayed principals match the system's FQDN.
    - Make sure that the displayed version of the keys (KVNO) in the above-mentioned service keytab match the KVNO in the server keytab. To display the server keytab:

            $ kinit admin
            $ kvno ldap/server.example.com@EXAMPLE.COM

- Verify that the forward (A, AAAA, or both) and reverse records on the client match the displayed system name and service principal.
- Verify that the forward (A, AAAA, or both) and reverse records on the client are correct.
- Make sure that the system time difference on the client and the server is 5 minutes at the most.
- Services can fail to start after the IdM administrative server certificates expire. To check if this is the cause in your case:
    - Use the getcert list command to list all certificates tracked by the certmonger utility.
    - In the output, find the IdM administrative certificates: the ldap and httpd server certificates.
    - Examine the fields labeled status and expires.

            # getcert list
            Number of certificates and requests being tracked: 8.
            [... output truncated ...]
            Request ID '20170421124617':
                    status: MONITORING
                    stuck: no
                    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-EXAMPLE-COM/pwdfile.txt'
                    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
                    CA: IPA
                    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
                    subject: CN=ipa.example.com,O=IPA.EXAMPLE.COM
                    expires: 2019-04-22 12:46:17 UTC
            [... output truncated ...]
            Request ID '20170421130535':
                    status: MONITORING
                    stuck: no
                    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
                    CA: IPA
                    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
                    subject: CN=ipa.example.com,O=IPA.EXAMPLE.COM
                    expires: 2019-04-22 13:05:35 UTC
            [... output truncated ...]

    If you need to start the service even though the certificates are expired, see Section 26.5, “Allowing IdM to Start with Expired Certificates”.
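The certificate check above can be automated. The following script is an added example, not part of the Red Hat documentation or the certmonger project: it parses getcert list output (a constructed sample modelled on the output above, with some fields trimmed) and reports whether the Directory Server and httpd server certificates are expired, about to expire, or no longer being monitored. The verdict names and the 30-day warning threshold are this example's own choices.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `getcert list` output above (fields trimmed).
SAMPLE = """\
Request ID '20170421124617':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2019-04-22 12:46:17 UTC
Request ID '20170421130535':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2019-04-22 13:05:35 UTC
"""

def parse_utc(stamp):
    # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    # split `getcert list` output into one dict of fields per tracked request
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    return certs

def check_idm_server_certs(text, now, warn_days=30):
    # return (location, verdict, days_left) for the ldap and httpd server certs;
    # verdict is EXPIRED, EXPIRING, OK or NOT_MONITORING (names chosen for this example)
    results = []
    for c in parse_getcert(text):
        # only the two IdM administrative server certificates named in the procedure
        m = re.search(r"location='(/etc/dirsrv/slapd-[^']*|/etc/httpd/alias)'",
                      c.get("certificate", ""))
        if not m:
            continue
        days_left = (parse_utc(c["expires"]) - parse_utc(now)).days
        verdict = ("NOT_MONITORING" if c.get("status") != "MONITORING"
                   else "EXPIRED" if days_left < 0
                   else "EXPIRING" if days_left <= warn_days else "OK")
        results.append((m.group(1), verdict, days_left))
    return results
```

On a live server, replace SAMPLE with the output of getcert list and pass the current UTC time in the same format; any EXPIRED or NOT_MONITORING row points at the cause described in the step above.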
