IPA Fails to start: Timeout Exceeded and No Route to Host when IPv6 disabled
IPA doesn't start? Running the start under strace shows the following:
# strace -f -s 256 ipactl start
.
.
.
.
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(51027), sin_addr=inet_addr("127.0.0.1")}, [28->16]) = 0
close(4) = 0
socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 EHOSTUNREACH (No route to host)
close(4) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
close(4) = 0
socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 EHOSTUNREACH (No route to host)
close(4) = 0
select(0, NULL, NULL, NULL, {tv_sec=1, tv_usec=0}^C) = ? ERESTARTNOHAND (To be restarted if no handler)
strace: Process 3890 detached
Cancelled.
Running some basic checks reveals the same error, since IPv6 is disabled:
# nc -vz localhost 389
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:389.
Ncat: 0 bytes sent, 0 bytes received in 0.03 seconds.
# nc -vz ::1 389
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: No route to host.
#
And starting or attempting to start IPA resulted in:
# ipactl start
Starting Directory Service
Failed to start Directory Service: Timeout exceeded
More debugging:
# vi /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:86:0d:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.0.44/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.0.46/32 scope global eth0
valid_lft forever preferred_lft forever
Re-enabling IPv6 by commenting out the disable_ipv6 lines:
# cat /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
DO NOT run this on the IPA server. This breaks SAMBA (https://www.freeipa.org/page/Deployment_Recommendations)
# grubby --update-kernel ALL --args 'ipv6.disable=1'
After IPv6 was disabled with the settings below, the above error happened. Re-enabling IPv6:
# cat /etc/sysctl.conf
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
Followed by executing:
# sysctl -p
to apply the above changes, resolved the above error. IPA now starts up successfully:
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
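A pre-flight check for the condition diagnosed above, as an added example that is not part of the original post: it flags uncommented disable_ipv6 = 1 settings for all, default or lo in the sysctl files, and a live value of 1 for all or lo. The function names, CONF_FILES and PROC_ROOT are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. CONF_FILES and PROC_ROOT are
# assumed defaults; override them to point at copies or test fixtures.
CONF_FILES="${CONF_FILES:-/etc/sysctl.conf /etc/sysctl.d/*.conf}"
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv6/conf}"

# Print uncommented "net.ipv6.conf.{all,default,lo}.disable_ipv6 = 1" settings
# as file:line:text. Commented-out lines (the fix used in the post) are skipped.
persistent_ipv6_disable() {
    # $CONF_FILES is left unquoted on purpose so the list splits and the glob expands.
    grep -HnsE '^[[:space:]]*net\.ipv6\.conf\.(all|default|lo)\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        $CONF_FILES || true
}

# Print the interfaces (all, default, lo, eth0, ...) whose live value is 1.
runtime_ipv6_disable() {
    for f in "$PROC_ROOT"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then basename "$(dirname "$f")"; fi
    done
}

# Return 1 if the condition from the post is present, 0 otherwise. Treating
# only "all" and "lo" as fatal at runtime is this example's assumption, based
# on the failing connects to ::1 in the strace output ("default" only affects
# interfaces created later).
check_ipv6_for_ipa() {
    rc=0
    hits=$(persistent_ipv6_disable)
    if [ -n "$hits" ]; then
        printf 'persistent IPv6 disable found:\n%s\n' "$hits"
        rc=1
    fi
    live=$(runtime_ipv6_disable | tr '\n' ' ')
    case " $live" in
        *" all "*|*" lo "*)
            echo "IPv6 disabled at runtime on: $live"
            rc=1 ;;
    esac
    return "$rc"
}
```

Source the file and run check_ipv6_for_ipa before ipactl start; a non-zero status means the settings that made ::1 unreachable in the post are present.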
Other errors seen alongside the one mentioned above:
# pwd
/var/log/dirsrv/slapd-NIX-MDS-XYZ
# tail -f errors access
(Sun Mar 10 10:09:21 2024) [[sssd[ldap_child[2407]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm 'NIX.MDS.XYZ'
Mar 10 11:46:32 idmipa01.nix.mds.xyz ns-slapd[1587]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))
# vi /var/log/krb5kdc.log
Mar 09 23:40:37 idmipa01.nix.mds.xyz krb5kdc[1114](info): Didn't connect to LDAP on startup: 110
krb5kdc: Server error - while fetching master key K/M for realm NIX.MDS.XYZ
VMWare
(Disconnected)
Connection timed out
Cheers,
HTH