From Free IPA

Contents 1 General Troubleshooting Tips 1.1 Kerberos 1.2 SSH Connections 1.3 IPA Tools 1.4 Firefox 1.5 Service Principals 1.6 Other Possible Errors 2 Performing a Re-install 3 Troubleshooting DNS and Service Discovery 3.1 Zone Files 3.2 Firewalls 3.3 IPA Server boot problems

General Troubleshooting Tips

Kerberos

1. Run the following command to ensure that Kerberos is working:

$ kinit admin
Password for admin@EXAMPLE.COM

This will retrieve your Kerberos ticket.

2. Now run the following command:

$ ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin

If you get an error message such as:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (No such file or
directory)

It means that you are probably running a version of FDS prior to 1.1. You should upgrade FDS to version 1.1 or later.

SSH Connections

You may find that the system appears to hang if you attempt to use ssh to connect to a host for which you do not have a Kerberos ticket.

This can occur when the host where the KDC is running is down. After three attempts to contact the KDC, ssh will fall back to other authentication methods. This can take several minutes.

To resolve this issue, you need to restart the host where the KDC is running, and ensure that the KDC is restarted.

If the KDC is down, but the actual host is still running, the timeout is relatively quick. In this case, you only need to restart the KDC.

IPA Tools

If the Kerberos check works, but the ipa-* tools fail, ensure that your /etc/hosts file is correctly configured.

Refer to Configuring /etc/hosts

If ipa-* tools still fail, enable debug output in Apache, as follows:

1. Edit the /etc/httpd/conf/httpd.conf file, and set LogLevel to "debug".

2. Restart the httpd service (# service httpd restart)

This will provide more verbose output that might help in isolating the problem.

Firefox

Refer to Configuring Firefox and Common Error Messages for information about troubleshooting Firefox.

Service Principals

If you are trying to install a service principal and keytab on a client, you might see the following error from the ipa-getkeytab command:

SASL/GSSAPI authentication started
SASL Bind failed!

A SASL bind failure indicates either that you do not have a Kerberos ticket or that you have an invalid ticket (an expired ticket or a ticket for the wrong user). Ensure that your ticket is valid and retry the operation.

If this does not solve the problem, check the /var/log/krb5kdc.log file on the IPA server for entries that contain the following (or similar):

admin@EXAMPLE.COM for ldap/192.168.1.1@EXAMPLE.COM, Server not found in Kerberos database

This is indicative of a DNS reverse lookup failure. Service principals must be constructed from hostnames, and the existence of an IP address here indicates that the system was unable to resolve the IP address back to a host name.

To address this problem, ensure that your reverse lookup zone on the DNS is correctly configured, and retry the operation.

Other Possible Errors

1. Could not initialize GSSAPI: Unspecified GSS failure. Minor code may provide more information/Server not found in Kerberos database

You may have multiple entries for the same host created by different KDCs.

2. The ipa command line tools might report "connection refused"

This might be due to the apache server not accepting connections on the SSL port. Verify that the /etc/httpd/conf.d/nss.conf file exists. If not, you may not have installed the mod_nss rpm package. Also verify that all references to 8443 have been changed to 443 in the /etc/httpd/conf.d/nss.conf file. Restart httpd after you have installed mod_nss and edited the /etc/httpd/conf.d/nss.conf file.

Performing a Re-install

If the installation fails, or if you want to re-run the installation script, you need to remove the existing installation first. Run the server installation command using the --uninstall switch, as follows:

# ipa-server-install --uninstall

You also need to remove the Kerberos keytab before you begin the reinstallation process:

# rm -f /var/kerberos/krb5kdc/kpasswd.keytab

Troubleshooting DNS and Service Discovery

As discussed in How IPA and DNS Work Together, to take full advantage of its Service Discovery capabilities, IPA relies on a functional DNS. If the DNS fails or is not fully functional, Service Discovery may also fail to operate correctly, which can cause problems in a high-availability deployment.

The following sections detail some common mistakes that could prevent the DNS from functioning correctly.

Zone Files

• Ensure that you increment the serial number when editing a zone file.

If the serial number is not incremented, the master nameserver will have the latest information, but the slave nameservers will never be notified of the change, and will therefore not attempt to refresh their data for that zone.

After editing a zone file you may need to reload the file (service named reload) or restart the named service (service named restart).

• Ensure that you use ellipses and semi-colons correctly in the /etc/named.conf file.

An omitted semi-colon or unclosed ellipsis can prevent named from starting.

• Remember to place periods (.) in zone files after all FQDNs and omit them on hostnames.

A period at the end of a domain name denotes a fully qualified domain name. If the period is omitted, then named appends the name of the zone or the $ORIGIN value to complete it.

Firewalls

• If a firewall is blocking connections from the named program to other nameservers, edit the firewall's configuration file to allow the connection.

By default, BIND version 9 uses random ports above 1024 to query other nameservers. Some firewalls, however, expect all nameservers to communicate using only port 53. To force named to use port 53, add the following line to the options statement of the /etc/named.conf file:

query-source address * port 53;

See also Required Ports

IPA Server boot problems

• If your newly installed IPA server hangs durring system initialization while "Starting system message bus" is displayed, you have a networking problem. This is likely related to NetworkManager.

You have two choices to fix it.

You can switch from NetworkManager to static networking with:

1. boot into single-user mode
2. run # chkconfig NetworkManager off ; chkconfig network on
3. If you haven't already done so, you'll need to configure static networking.

Or configure NetworkManager to wait for a network connection at boot time:

1. Ensure you have NetworkManager-0.7.0-0.9.4.svn3675.fc9 or higher installed
2. /sbin/chkconfig messagebus resetpriorities
3. /sbin/chkconfig haldaemon resetpriorities
4. /sbin/chkconfig NetworkManager resetpriorities
5. Ensure that there is a /etc/rc3.d/S27NetworkManager file.
6. Add NETWORKWAIT=yes to /etc/sysconfig/network file to block startup for up to 10 seconds while waiting for a network connection to come up.