IPA service is failing to start. Directory Server logged: Cannot create replay cache file /var/tmp/ldap_xyz: Permission denied

Solution Verified

Issue

  • IPA service is failing to start.

    # ipactl start
    Existing service file detected!
    Assuming stale, cleaning and proceeding
    Starting Directory Service
    Starting krb5kdc Service
    Starting kadmin Service
    Starting named Service
    Failed to start named Service
    Shutting down
    Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
    Aborting ipactl
    
  • The Directory Server logs show "Permission denied"

    [23/Jan/2017:13:47:43.148111676 +0300] conn=22 fd=101 slot=101 connection from local to /var/run/slapd-EXAMPLE-COM.socket
    [23/Jan/2017:13:47:43.160390587 +0300] conn=22 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
    [23/Jan/2017:13:47:43.162374164 +0300] conn=22 op=0 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_991: Permission denied)   <---------
    [23/Jan/2017:13:47:43.163084939 +0300] conn=22 op=1 UNBIND
    

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Identity Management (IdM) / FreeIPA
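
The log line above shows ns-slapd failing to create its Kerberos replay-cache file, /var/tmp/ldap_991 (991 being the uid of the dirsrv service account on that host). The script below is an added diagnostic, not part of the Red Hat article, that reports whether that file exists, who owns it and whether its owner can write it; in practice the "Permission denied" here usually comes from a stale file of the same name owned by another uid, which the sticky bit on /var/tmp then keeps dirsrv from replacing. It assumes a service account named dirsrv and a stat(1) that accepts -c (GNU or BusyBox); the RCACHE_DIR override and the function names are this script's own.

```shell
#!/bin/sh
# Added diagnostic script, not part of the Red Hat article. It inspects the
# Kerberos replay-cache file that the Directory Server's GSSAPI layer creates
# as /var/tmp/ldap_<euid> (ldap_991 in the log above). "Permission denied"
# means ns-slapd could not create or open that file; the usual cause is a
# stale file with the same name owned by a different uid (for example root),
# which the sticky bit on /var/tmp prevents the dirsrv user from replacing.
# Assumptions: GNU/BusyBox stat(1) and a service account named "dirsrv".

RCACHE_DIR="${RCACHE_DIR:-/var/tmp}"

# check_rcache_file FILE EXPECTED_UID
# Returns 0 if FILE is absent (it will be created on the first GSSAPI bind)
# or is owned by EXPECTED_UID with the owner-write bit set; otherwise prints
# the reason and returns 1.
check_rcache_file() {
    file="$1"
    want_uid="$2"
    if [ ! -e "$file" ]; then
        echo "ok: $file does not exist yet"
        return 0
    fi
    owner=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$want_uid" ]; then
        echo "PROBLEM: $file is owned by uid $owner, expected uid $want_uid (stale replay cache?)"
        return 1
    fi
    # The last three octal digits are user/group/other; the first of them is the owner.
    owner_bits=$(printf '%s' "$mode" | tail -c 3 | cut -c1)
    case "$owner_bits" in
        2|3|6|7) ;;
        *)
            echo "PROBLEM: $file has mode $mode, not writable by its owner"
            return 1
            ;;
    esac
    echo "ok: $file is owned by uid $owner with mode $mode"
    return 0
}

# check_dirsrv_rcache: resolve the dirsrv uid on this host and check its
# replay-cache file. Returns 2 if the account does not exist.
check_dirsrv_rcache() {
    uid=$(id -u dirsrv 2>/dev/null) || {
        echo "dirsrv account not found on this host"
        return 2
    }
    check_rcache_file "$RCACHE_DIR/ldap_$uid" "$uid"
}

# Run the live check only when invoked with --check, so the functions can
# also be sourced from another script.
if [ "${1:-}" = "--check" ]; then
    check_dirsrv_rcache
fi
```

Run it as root on the IdM server with `sh rcache_check.sh --check` before retrying `ipactl start`; a "PROBLEM" line pointing at a file owned by a uid other than dirsrv is the condition to investigate first, since ns-slapd cannot recover from it on its own.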
