
Portal:FreeIPA/Troubleshoot

From openSUSE

General Information

FreeIPA is a complicated system and requires the cooperation of directory, name resolution, authentication and web services. Please carefully read the Installation Guide before attempting server/replica/client installation.

Troubleshoot Certificate Authority

YaST fails to create CA with error "According to 'basicConstraints', this is not a CA."

There is currently a bug in the YaST CA Management module: when you create a new CA, the default constraints are not configured properly and CA creation fails. To work around it, open "Advanced Options" when prompted for the new CA password and set "CA:true" under "Basic Constraints".

YaST fails to create server certificate with error "Signing certificate failed."

Click "Details" button to learn the error details. Most commonly the valid period of the server certificate is incorrectly set to exceed the valid period of CA; if this is the case, decrease the valid period of the certificate and try again.

Troubleshoot Common CA and LDAP configuration

Command update-ca-certificates does not produce any output

This is normal. The command only produces output when an error is encountered.

File /etc/openldap/ldap.conf does not exist

Please install the OpenLDAP client package:

# zypper install openldap2-client

And try again.

Troubleshoot FreeIPA Server/Replica Installation

Access installation log file

The ipa-server-install command writes logging information into the file /var/log/ipaserver-install.log. To inspect the log file while the IPA server is being installed, run:

# tail -F /var/log/ipaserver-install.log | cat -v

The ipa-replica-install command writes logging information into the file /var/log/ipareplica-install.log. To inspect the log file while the IPA replica is being installed, run:

# tail -F /var/log/ipareplica-install.log | cat -v

Occasionally binary-only content is written into the log files during the installation process (a known issue), therefore it is necessary to use "cat -v" to turn the binary content into readable characters.

Clean up after a failed run of ipa-server-install

If an ipa-server-install run has started but fails to complete, the next installation attempt fails with the message "IPA server is already configured on this system." It is necessary to clean up the incomplete installation by running:

# ipa-server-install --uninstall

before making another installation attempt.

Clean up after a failed run of ipa-replica-install

If an ipa-replica-install run has started but fails to complete, the next installation attempt will fail. It is necessary to clean up the incomplete installation by running, on the replica machine:

# ipa-server-install --uninstall

and then, on the existing IPA server that the replica was being joined to (not on the replica machine itself):

# ipa-replica-manage del <failed_replica_FQDN> --force

Then you may re-try replica installation.

The server certificate is not valid: invalid for server <host name>

Make sure that the certificate file used for FreeIPA service satisfies all of these conditions:

  1. It is in PKCS12 format.
  2. It is a Server certificate (not a Client certificate).
  3. It contains both certificate and key.
  4. It does not contain CA or sub-CA certificate.
  5. The certificate common name matches server fully-qualified-domain-name exactly.
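The five conditions can be checked mechanically before the file is handed to ipa-server-install. The script below is an added example, not code from the openSUSE wiki or the FreeIPA project; it assumes only the openssl command-line tool, and the function name check_ipa_p12 and its message format are the example's own. It decodes the bundle once, treats the certificate paired with the private key as the server certificate, and reports each violated condition by number.

```shell
#!/bin/sh
# Added example, not code from the openSUSE wiki or the FreeIPA project:
# check a PKCS#12 bundle against the five conditions above before passing
# it to ipa-server-install. Assumes only the openssl command-line tool.
#
# Usage:  check_ipa_p12 FILE.p12 SERVER_FQDN [PASSWORD]
# Prints one line per violated condition and returns 0 only when all hold.
check_ipa_p12() {
    p12="$1"; fqdn="$2"; pw="${3:-}"; rc=0

    # Condition 1: the file must be readable as PKCS#12 with the given password.
    if ! certs=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys 2>/dev/null); then
        echo "FAIL(1): '$p12' is not a readable PKCS12 file (format or password)"
        return 1
    fi
    # Count every certificate and every private key (-nodes: keys left unencrypted).
    ncerts=$(printf '%s\n' "$certs" | grep -c 'BEGIN CERTIFICATE' || true)
    nkeys=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
            | grep -c 'BEGIN.*PRIVATE KEY' || true)
    # The server certificate is the one paired with the key (-clcerts); decode it once.
    leaf=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null || true)
    text=$(printf '%s\n' "$leaf" | openssl x509 -noout -text 2>/dev/null || true)
    cn=$(printf '%s\n' "$leaf" | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p' || true)

    # Condition 2: a server certificate carries the serverAuth extended key usage.
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL(2): server certificate lacks extendedKeyUsage serverAuth"; rc=1
    fi
    # Condition 3: both the certificate and its private key must be present.
    if [ -z "$text" ] || [ "$nkeys" -lt 1 ]; then
        echo "FAIL(3): bundle must contain the certificate and its private key"; rc=1
    fi
    # Condition 4: no CA or sub-CA: exactly one certificate, and it is not a CA itself.
    if [ "$ncerts" -ne 1 ] || printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL(4): bundle must hold only the server certificate, no CA chain"; rc=1
    fi
    # Condition 5: the subject CN must equal the server FQDN exactly.
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL(5): certificate CN '$cn' does not match server FQDN '$fqdn'"; rc=1
    fi
    return "$rc"
}
```

Run it as "check_ipa_p12 /path/to/server.p12 ipa.example.test 'bundle password'" on the machine about to be installed; an empty output and a zero exit status mean the bundle meets all five conditions. A bundle exported together with its CA chain fails condition 4 even though it is otherwise valid, which is the case the error message in this section most often hides.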

hostname: Name or service not known

NetworkManager sometimes causes this unknown-host-name problem; disable NetworkManager and use the Wicked service for network setup instead. Consult the YaST Network Settings manual for details.

If NetworkManager is determined not to be the cause, correct the host name and FQDN manually with the "hostnamectl" command, enter the FQDN and short host name into /etc/hosts by hand, then proceed with FreeIPA server/replica installation.
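A quick way to confirm the manual fix took effect before re-running the installer, as an added example that is not code from the openSUSE wiki or the FreeIPA project: the function below takes the static host name (as reported by "hostnamectl --static") and the contents of /etc/hosts, checks that the name is fully qualified, and looks for a single /etc/hosts line that carries both the FQDN and the short name. It assumes only POSIX sh and awk; the function name check_host_names and its return codes are the example's own.

```shell
#!/bin/sh
# Added example, not code from the openSUSE wiki or the FreeIPA project:
# after "hostnamectl set-hostname <fqdn>", confirm the static host name is a
# FQDN and that /etc/hosts maps one address to both the FQDN and the short
# name, as the paragraph above requires. Assumes only POSIX sh and awk.
#
# Usage:  check_host_names "$(hostnamectl --static)" "$(cat /etc/hosts)"
# Returns 0 and prints the /etc/hosts line used, 1 if the name is not a FQDN,
# 2 if /etc/hosts has no line carrying both names.
check_host_names() {
    static="$1"; hosts="$2"
    case "$static" in
        *?.?*) ;;   # has a domain part, e.g. ipa.example.test
        *) echo "NOT_FQDN: static hostname '$static' has no domain part; run: hostnamectl set-hostname <fqdn>"
           return 1 ;;
    esac
    short=${static%%.*}   # first label of the FQDN is the short host name
    line=$(printf '%s\n' "$hosts" | awk -v f="$static" -v s="$short" '
        { sub(/#.*/, "") }                      # drop whole-line and trailing comments
        NF < 2 { next }                         # an address with no names cannot match
        { hf = 0; hs = 0
          for (i = 2; i <= NF; i++) { if ($i == f) hf = 1; if ($i == s) hs = 1 }
          if (hf && hs) { print; exit } }')     # first line naming both wins
    if [ -z "$line" ]; then
        echo "NO_HOSTS_ENTRY: add a line '<address> $static $short' to /etc/hosts"
        return 2
    fi
    echo "OK: /etc/hosts has: $line"
}
```

The check deliberately ignores DNS: it only tells you whether the local configuration is self-consistent, which is the part the paragraph above asks you to fix by hand.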

Troubleshoot FreeIPA Administration Tools

Access web service log files

FreeIPA web application runs on Apache web server.

The Apache web server daemon logs critical and startup errors to the system journal, accessible via:

# journalctl -u apache2.service -f

The web access log and FreeIPA web application errors are written to conventional log files, located by default under "/var/log/apache2".

Command line tool "ipa" gives error "did not receive Kerberos credentials"

Before using the command line tool "ipa", your current system user must have already obtained a Kerberos ticket with IPA administrative privilege. Use command "klist" to determine whether a Kerberos ticket has been obtained, and if not, obtain a new ticket via:

# kinit admin
Password for admin@LINUXDOM.NET: <enter IPA admin password>

and then retry the ipa command.

Troubleshoot FreeIPA Client

Access authentication daemon log

FreeIPA client runs SSSD (System Security Services Daemon), whose logs are accessible via:

# journalctl -u sssd.service -f

SSSD complains "Key table entry not found"

(Or alternatively "Failed to initialize credentials using keytab", "Client ... not found in Kerberos database.")

The error indicates that SSSD looked for your client host's Kerberos key but did not find it in the Kerberos keytab file (/etc/krb5.keytab).

There are several possible causes:

  • Keytab file is empty.
  • Keytab file does not belong to this client machine (incorrect placement).
  • Client machine's FQDN does not match the principal name in keytab file due to name resolution error.
  • Client machine's host name does not reflect the FQDN used by IPA database to identify the host.

In any case, inspect the keytab file content by running command:

# klist -ke

The result should show more than one entry belonging to the principal "host/<client_FQDN>@<REALM>", e.g.:

host/pulautin.linuxdom.net@LINUXDOM.NET (aes256-cts-hmac-sha1-96)
host/pulautin.linuxdom.net@LINUXDOM.NET (des3-cbc-sha1)
... (and more)

If the keytab file appears empty or the principal name does not match the client's fully-qualified domain name, re-retrieve the client's keytab file via the "ipa-getkeytab" command. Refer to the Installation Guide for the detailed procedure.

If the keytab file content looks correct, then a name resolution error on the client side is likely. Re-visit the YaST Authentication Client module, enter the client's expected FQDN (e.g. "pulautin.linuxdom.net") into the domain parameter "ipa_hostname", and see whether the problem is eliminated. If it is, check the private network's domain name and DNS server settings on the DHCP server.
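The decision procedure in this section (empty keytab, wrong keytab, or a name mismatch between the keytab principal and the client's own FQDN) can be scripted. The function below is an added example, not code from the openSUSE wiki or the FreeIPA project; it assumes only POSIX sh and awk, takes the output of "klist -ke" as text so it can also be run on output pasted from another machine, and its name diagnose_keytab and return codes are the example's own.

```shell
#!/bin/sh
# Added example, not code from the openSUSE wiki or the FreeIPA project:
# classify "klist -ke" output against the causes listed in this section.
# Assumes only POSIX sh and awk.
#
# Usage:  diagnose_keytab "$(klist -ke)" "$(hostname -f)"
# Returns 0 when a host/<fqdn>@REALM entry exists, 1 when the keytab holds no
# host/ principal at all (empty or wrong file), 2 when it holds one for a
# different name (host name or name resolution problem).
diagnose_keytab() {
    klist_out="$1"; fqdn="$2"
    # klist -ke prints "KVNO Principal (enctype)" lines after a two-line header;
    # field 2 is the principal. Keep the distinct host/ principals only.
    princs=$(printf '%s\n' "$klist_out" | awk '$2 ~ /^host\// { print $2 }' | sort -u)
    if [ -z "$princs" ]; then
        echo "NO_HOST_KEYS: no host/ principal in the keytab (empty or wrong file); re-run ipa-getkeytab"
        return 1
    fi
    for princ in $princs; do
        name=${princ#host/}; name=${name%@*}     # host/NAME@REALM -> NAME
        if [ "$name" = "$fqdn" ]; then
            # One line per encryption type; the text above expects more than one.
            n=$(printf '%s\n' "$klist_out" | grep -c " $princ " || true)
            echo "OK: $n keytab entries for $princ"
            return 0
        fi
    done
    set -- $princs
    echo "MISMATCH: keytab holds $* but this client calls itself '$fqdn'"
    echo "  -> fix host name resolution (hostnamectl, /etc/hosts, DNS) or set ipa_hostname to the keytab name"
    return 2
}
```

The MISMATCH branch corresponds to the last two causes in the list above and to the ipa_hostname workaround; the NO_HOST_KEYS branch corresponds to the first two and calls for ipa-getkeytab.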

Desktop or remote login using IPA credentials fails on the client

While re-attempting a login, inspect the whole system journal to determine the failure reason:

# journalctl -f

Please note that it is sometimes necessary to reboot the client machine after it is configured as IPA client for the very first time.