<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 19.12.2016 21:24, Brian J. Murrell wrote: </div> <blockquote cite="mid:1482179085.28211.36.camel@interlinx.bc.ca" type="cite"> <pre wrap="">On Mon, 2016-12-19 at 17:26 +0100, Martin Basti wrote: </pre> <blockquote type="cite"> <pre wrap=""> On 19.12.2016 13:19, Brian J. Murrell wrote: </pre> <blockquote type="cite"> <pre wrap="">On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote: </pre> <blockquote type="cite"> <pre wrap="">Hello, could you recheck with SElinux in permissive mode? </pre> </blockquote> <pre wrap=""> Yeah, still happens even after doing: # setenforce 0 Cheers, b. </pre> </blockquote> <pre wrap=""> could you please kinit as service? kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa- dnskeysyncd/$(hostname) </pre> </blockquote> <pre wrap=""> # kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/server.example.com # klist Ticket cache: KEYRING:persistent:0:0 Default principal: <a class="moz-txt-link-abbreviated" href="mailto:ipa-dnskeysyncd/server.example.com@EXAMPLE.COM">ipa-dnskeysyncd/server.example.com@EXAMPLE.COM</a> Valid starting Expires Service principal 19/12/16 15:20:20 20/12/16 15:20:20 <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.COM@EXAMPLE.COM">krbtgt/EXAMPLE.COM@EXAMPLE.COM</a> Seems to have worked. FWIW, I was not asked for any password. Cheers, b. </pre> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> The password is the keytab file So there are actually no issues with credentials, it needs more debugging, in past we have similar case but we haven't found the root cause why it doesn't have the right credentials after kinit. Are you willing to do more basic level code debugging? BTW this is used only with DNSSEC feature. I you don't use DNSSEC signing you can ignore this failing service (ipactl start --ignore-service-failures) Martin </body> </html>