On Sun, 29 Aug 2021, Jeremy Tourville via FreeIPA-users wrote:
I found this page on troubleshooting - 
https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html

I can manually start named.service but cannot start named when using ipactl.

Section 1
I was able to get a log (this log is prior to changes made in section 4)

#less /var/named/data/named.run

reloading configuration succeeded
reloading zones succeeded
network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
network unreachable resolving './DNSKEY/IN': 2001:500:2d::d#53
network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
all zones loaded
running
managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted

With the changes in section 4 (below) I now see this additional info in the log:
received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
stopping command channel on ::1#953
no longer listening on 127.0.0.1#53
no longer listening on ::1#53
exiting

I was unable to get a log from tmp/named_krb5.log using the rhel/fedora method. Do I need to use the archlinux method?
No.


Section 2
I don't see any evidence of this issue based on logs.
Furthermore, hostname FQDN and /etc/hosts are set properly according to the 
examples shown

Section 3
The values here match

Section 4
I see that my system was running a named.conf file that didn't have any 
credentials.  I looked at my yum history and the timestamps for my named.conf* 
files.  The yum update that most likely affected them was run at 9:52.  The two 
oldest files are marked 9:55 and I presume are the backups as part of the 
update process.
[root@utility etc]# ls -la named.conf*
-rw-r-----. 1 root named 1876 Aug 29 08:01 named.conf
-rw-r-----. 1 root named 1705 May 27 15:49 named.conf.bak
-rw-r--r--. 1 root root  1876 Aug 28 09:55 named.conf.ipa-backup
-rw-r-----. 1 root named 1535 Aug 28 09:55 named.conf.rpmsave

I did attempt to copy the oldest files over the existing named.conf and start 
the named service.  I still didn't have any luck in either case.
#cp named.conf.rpmsave named.conf
#ipactl start
#cp named.conf.ipa-backup named.conf
#ipactl start

Systemctl status when using named.conf.rpmsave version:

[root@utility etc]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
  Loaded: loaded (/usr/lib/systemd/system/named.service; linked; vendor preset: disabled)
  Active: active (running) since Sun 2021-08-29 08:38:05 CDT; 1s ago
 Process: 2294 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
 Process: 2291 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else ec>
Main PID: 2296 (named)
   Tasks: 8 (limit: 37317)
  Memory: 59.5M
  CGroup: /system.slice/named.service
          └─2296 /usr/sbin/named -u named -c /etc/named.conf

Aug 29 08:38:05 utility.idm.nac-issa.org named[2296]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Aug 29 08:38:06 utility.idm.nac-issa.org named[2296]: resolver priming query complete
Aug 29 08:38:06 utility.idm.nac-issa.org named[2296]: LDAP configuration synchronization failed: socket is not connected

^^ this says that bind-dyndb-ldap was unable to connect to LDAP server
using the method configured in named.conf, e.g. LDAPI.

Perhaps, 389-ds did not start at that point yet or it does not have
LDAPI enabled (unlikely)?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
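A small check for the failure mode discussed in this thread (named starting while bind-dyndb-ldap cannot reach 389-ds over LDAPI), added here as an example and not part of the thread or of FreeIPA's own tooling. It assumes the FreeIPA-style named.conf `dyndb` block whose `uri` points at an ldapi:// socket (instance name is a placeholder), and uses constructed log lines modelled on the systemctl output above.

```shell
#!/bin/sh
# Example diagnostic helper (not from the thread). Assumption: named.conf has a
# dyndb "ipa" block with  uri "ldapi://%2fvar%2frun%2fslapd-INSTANCE.socket";

# Constructed sample named.conf fragment; EXAMPLE-TEST is a placeholder instance.
SAMPLE_CONF='dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
    base "cn=dns, dc=example,dc=test";
    auth_method "sasl";
};'

# Constructed sample journal lines modelled on the ones quoted in the thread.
SAMPLE_LOG='Aug 29 08:38:06 utility named[2296]: resolver priming query complete
Aug 29 08:38:06 utility named[2296]: LDAP configuration synchronization failed: socket is not connected'

# Print the filesystem path of the LDAPI socket named in the config body on
# stdin. The path is percent-encoded inside the ldapi:// URI (%2f is "/").
ldapi_socket_path() {
    sed -n 's|.*uri *"ldapi://\([^"]*\)".*|\1|p' | head -n 1 | sed 's|%2[Ff]|/|g'
}

# Return 0 when the log body on stdin carries bind-dyndb-ldap's sync failure.
log_has_ldap_sync_failure() {
    grep -q 'LDAP configuration synchronization failed'
}

# Combine both checks. Return codes:
#   0  no sync failure logged
#   1  sync failure logged but the LDAPI socket exists (389-ds is listening,
#      so the problem is elsewhere in the connection setup)
#   2  sync failure logged and the socket is missing (consistent with 389-ds
#      not started yet, or LDAPI not enabled, as suggested in the thread)
diagnose() {
    conf_body=$1
    log_body=$2
    sock=$(printf '%s\n' "$conf_body" | ldapi_socket_path)
    if ! printf '%s\n' "$log_body" | log_has_ldap_sync_failure; then
        return 0
    fi
    if [ -S "$sock" ]; then
        return 1
    fi
    return 2
}

# Real use on a FreeIPA server would be:
#   diagnose "$(cat /etc/named.conf)" "$(journalctl -u named --no-pager)"
```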
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org