Skip to content
Client Panel

Troubleshooting

This page covers the most common FreeIPA deployment issues, backup and recovery, and production hardening advice.

Symptom:

ipa-server-install: ERROR: DNS resolution of ipa-server.example.internal failed

Diagnosis:

Terminal window
cat /etc/hosts | grep ipa-server
getent hosts ipa-server.example.internal
cat /etc/resolv.conf

Fix: Ensure /etc/hosts has the correct entry with FQDN first:

Terminal window
echo "192.168.100.128 ipa-server.example.internal ipa-server" >> /etc/hosts

Symptom:

ipa-server-install: ERROR: NTP synchronization failed

Diagnosis:

Terminal window
systemctl status chronyd
chronyc sources
chronyc makestep
timedatectl status

Fix: If the NTP source is unreachable or blocked by firewall:

Terminal window
systemctl stop chronyd
ntpdate pool.ntp.org
systemctl start chronyd

Root cause: NTP source unreachable or UDP port 123 blocked.

Symptom:

ipa-server-install: ERROR: The Kerberos key table already exists

Fix:

Terminal window
ipa-server-install --uninstall
rm -f /etc/krb5.keytab
# Then re-run ipa-server-install

Symptom:

ipa-server-install: ERROR: Directory Server failed to start

Diagnosis:

Terminal window
journalctl -u dirsrv -n 50
df -h /var
ss -tlnp | grep 389
getenforce

Common causes: Disk full, port 389 already in use, or overly restrictive SELinux policies.

Symptom: ssh testuser@client-1 hangs and eventually times out.

Diagnosis:

Terminal window
systemctl status sssd
journalctl -u sssd -n 100
ping ipa-server.example.internal
dig +short ipa-server.example.internal
cat /etc/krb5.conf
kinit -V testuser

Common fixes:

CauseSolution
Network/DNS unreachableCheck firewall, DNS config
SSSD not runningsystemctl start sssd
SELinux blockinggetenforce, then setenforce 0 to test
Misconfigured KerberosVerify [realm] and [domain_realm] in /etc/krb5.conf

Symptom:

id testuser
# id: 'testuser': no such user

Diagnosis:

Terminal window
# Does the user exist on the server?
ipa user-find testuser
# Clear the SSSD cache
sss_cache -u testuser
# Check NSS configuration
grep sss /etc/nsswitch.conf
# Manual LDAP lookup
ldapsearch -x -h ipa-server.example.internal -b "cn=users,cn=accounts,dc=example,dc=internal" uid=testuser

Common causes: User not created, SSSD not synced, sss missing from /etc/nsswitch.conf, or LDAP connection blocked.

Symptom: After ipa passwd testuser, the new password fails.

Fix:

Terminal window
kdestroy -A # Clear Kerberos tickets
sss_cache -u testuser # Clear SSSD cache
sleep 30 # Wait for SSSD sync
ssh testuser@client-1 # Retry

Root cause: SSSD caches credentials. Changes need cache flush or sync delay to propagate.

Symptom:

kinit testuser
# KDC returned error string: SKEW(Clock skew too great)

Diagnosis:

Terminal window
timedatectl status
date
chronyc sources

Fix:

Terminal window
chronyc makestep # Force NTP sync
ntpdate -s pool.ntp.org # Fallback manual sync
# If the server and client times differ:
ssh ipa-server 'date'
date --set="$(ssh ipa-server date)" # Match server time manually

Root cause: NTP misconfigured or not running. Kerberos requires time difference under 5 minutes.

/var/lib/ipa/backup/ipa-full-YYYY-MM-DD-HH-MM-SS.tar.gz
ipa-backup

What gets backed up: LDAP database, Kerberos keys, PKI certificates, DNS zone data, and configuration files.

Schedule regular backups:

0 2 * * 0 /usr/sbin/ipa-backup
Terminal window
ls -la /var/lib/ipa/backup/
ipa-restore /var/lib/ipa/backup/ipa-full-YYYY-MM-DD-HH-MM-SS.tar.gz
ipactl status
Terminal window
ipa-client-install --uninstall
Terminal window
# WARNING: This destroys all FreeIPA data
ipa-server-install --uninstall
# Remove residual files (only if you are sure)
rm -rf /etc/ipa /var/lib/ipa

FreeIPA supports master-replica architecture for LDAP data replication. Set up a second server as a replica:

  • DNS should resolve to a load-balanced address (e.g., ipa.example.internal pointing to both IPs)
  • Each replica independently runs DNS, Kerberos, and CA services
  • Reference: FreeIPA Replica Setup
  • Use SSH key authentication instead of passwords
  • Store admin and DS passwords in a secure vault
  • Enable DNSSEC validation (remove --no-dnssec-validation)
  • Keep SELinux enabled, adjust policies instead of disabling
  • LDAP cache: SSSD caches by default for 1–2 hours; adjust based on user change frequency
  • DNS cache: Increase TTL (e.g., 3600 seconds) for stable environments
  • Connection pooling: FreeIPA manages this automatically

When troubleshooting, follow this order:

DNS → Network → SSSD → LDAP → Kerberos

Most FreeIPA failures trace back to a broken link somewhere in this chain. Start at the top and work down.


Adapted from Dawn’s Blog : FreeIPA Complete Deployment Guide.