

IPA Fails to start: Timeout Exceeded and No Route to Host when IPV6 disabled

IPA doesn’t start and just prints the following when an attempt is made to start it?

# strace -f -s 256 ipactl start
.
.
.
.
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(51027), sin_addr=inet_addr("127.0.0.1")}, [28->16]) = 0
close(4) = 0
socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 EHOSTUNREACH (No route to host)
close(4) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
close(4) = 0
socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 EHOSTUNREACH (No route to host)
close(4) = 0
select(0, NULL, NULL, NULL, {tv_sec=1, tv_usec=0}^C) = ? ERESTARTNOHAND (To be restarted if no handler)
strace: Process 3890 detached
Cancelled.

Running some basic checks reveals the same error, since IPV6 is disabled:

# nc -vz localhost 389
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:389.
Ncat: 0 bytes sent, 0 bytes received in 0.03 seconds.
# nc -vz ::1 389
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: No route to host.
#

And starting or attempting to start IPA resulted in:

# ipactl start
Starting Directory Service
Failed to start Directory Service: Timeout exceeded

More debugging:

# vi /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:86:0d:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.0.44/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.0.46/32 scope global eth0
valid_lft forever preferred_lft forever

Re-enabling IPV6 by commenting out the lines that disable it:

# cat /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1

DO NOT run this on the IPA server. This breaks SAMBA (https://www.freeipa.org/page/Deployment_Recommendations)

# grubby --update-kernel ALL --args 'ipv6.disable=1'

After IPV6 was disabled with the commands below, the above error happened. Re-enabling IPV6:

# cat /etc/sysctl.conf
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1

Followed by executing:

# sysctl -p

to apply the above changes resolved the above error. IPA now starts up successfully:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
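
A pre-flight check for the condition diagnosed above, added here as an example and not part of the original post: it looks for active disable_ipv6 lines, the ipv6.disable=1 boot argument, and a missing ::1 on lo, checking the live interface state because the file and the running kernel can disagree. The function names are hypothetical and the sample input in demo_broken_state is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Live use: ip a show dev lo | ipa_ipv6_preflight /etc/sysctl.conf "$(cat /proc/cmdline)"

# Print active (uncommented) lines in a sysctl file that set disable_ipv6 = 1.
active_ipv6_disables() {            # $1 = sysctl.conf-style file
    grep -E '^[[:space:]]*net\.ipv6\.conf\.[^.]+\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Succeed if a kernel command line carries ipv6.disable=1.
cmdline_disables_ipv6() {           # $1 = contents of /proc/cmdline
    case " $1 " in *" ipv6.disable=1 "*) return 0 ;; esac
    return 1
}

# Succeed if "ip a" text on stdin lists ::1, the address probed on port 389.
has_ipv6_loopback() {
    grep -Eq '^[[:space:]]*inet6[[:space:]]+::1/128([[:space:]]|$)'
}

# Run all three checks; prints findings and returns the number of problems.
ipa_ipv6_preflight() {              # $1 = sysctl file, $2 = cmdline, stdin = ip a
    _problems=0
    if active_ipv6_disables "$1" >/dev/null; then
        echo "FAIL: $1 has an active disable_ipv6 = 1 line"
        _problems=$((_problems + 1))
    fi
    if cmdline_disables_ipv6 "$2"; then
        echo "FAIL: kernel booted with ipv6.disable=1"
        _problems=$((_problems + 1))
    fi
    if ! has_ipv6_loopback; then
        echo "FAIL: ::1 is not configured on lo"
        _problems=$((_problems + 1))
    fi
    if [ "$_problems" -eq 0 ]; then echo "OK: IPv6 loopback is available"; fi
    return "$_problems"
}

# Constructed sample of the broken state: sysctl disables IPv6, lo has no inet6.
demo_broken_state() {
    _f=$(mktemp)
    printf '%s\n' 'net.ipv4.ip_forward = 1' \
        'net.ipv6.conf.all.disable_ipv6 = 1' > "$_f"
    printf '%s\n' '1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536' \
        '    inet 127.0.0.1/8 scope host lo' |
        ipa_ipv6_preflight "$_f" 'ro quiet'
    _rc=$?; rm -f "$_f"; return "$_rc"
}
```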

Other errors seen alongside the one mentioned above:

# pwd
/var/log/dirsrv/slapd-NIX-MDS-XYZ
# tail -f errors access

(Sun Mar 10 10:09:21 2024) [[sssd[ldap_child[2407]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm 'NIX.MDS.XYZ'

Mar 10 11:46:32 idmipa01.nix.mds.xyz ns-slapd[1587]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_993))

# vi /var/log/krb5kdc.log
Mar 09 23:40:37 idmipa01.nix.mds.xyz krb5kdc[1114](info): Didn't connect to LDAP on startup: 110
krb5kdc: Server error - while fetching master key K/M for realm NIX.MDS.XYZ

VMWare
(Disconnected)

Connection timed out

Cheers,
HTH

  Copyright © 2003 - 2025 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License
