<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello,<br>
</p>
<p>Could you check this link
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed</a><br>
</p>
<p>kinit prints nothing when it works, so it works in your case. Can
you, after kinit as the DNS service, try to use ldapsearch -Y GSSAPI?</p>
<p>Martin<br>
</p>
<div class="moz-cite-prefix">On 05.01.2017 14:58, Jeff Goddard
wrote:<br>
</div>
<blockquote
cite="mid:CA+No-6GbmSFcduvg=y8m-xciYymE70_SZWcfWsAy66Mk+RQO9Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
<div class="gmail_quote">---------- Forwarded message
----------<br>
From: <b class="gmail_sendername">Jeff Goddard</b> <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a>&gt;</span><br>
Date: Thu, Jan 5, 2017 at 8:57 AM<br>
Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR
Login to LDAP server failed: {'desc': 'Invalid credentials'}<br>
To: Martin Basti &lt;<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;<br>
<br>
<br>
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan 5, 2017 at 3:43 AM,
Martin Basti <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div
class="m_-22724728160857037m_3310156183138934670gmail-m_-6036249115591493486moz-cite-prefix">On
04.01.2017 22:21, Jeff Goddard wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>I don't want to hijack someone
else's thread but I'm having what
appears to be the same problem and
have not seen a solution presented
yet.<br>
<br>
Here is the output of journalctl -xe
after having tried to start named: <br>
<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: loading
configuration from '/etc/named.conf'<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: reading built-in
trusted keys from file
'/etc/named.iscdlv.key'<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: using default
UDP/IPv4 port range: [1024, 65535]<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: using default
UDP/IPv6 port range: [1024, 65535]<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: listening on
IPv6 interfaces, port 53<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: listening on
IPv4 interface lo, 127.0.0.1#53<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: listening on
IPv4 interface ens32,
10.73.100.31#53<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: generating
session key for dynamic DNS<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: sizing zone task
pool based on 6 zones<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: set up managed
keys zone for view _default, file
'/var/named/dynamic/managed-ke<wbr>ys.bind'<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: bind-dyndb-ldap
version 10.0 compiled at 18:06:06
Nov 11 2016, compiler 4.8.5 20150623
(Red Hat 4.8.5-11)<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: option
'serial_autoincrement' is not
supported, ignoring<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: GSSAPI client
step 1<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: GSSAPI client
step 1<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
ns-slapd[2596]: GSSAPI server step 1<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: GSSAPI client
step 1<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
ns-slapd[2596]: GSSAPI server step 2<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: GSSAPI client
step 2<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
ns-slapd[2596]: GSSAPI server step 3<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: LDAP error:
Invalid credentials: bind to LDAP
server failed<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: couldn't
establish connection in LDAP
connection pool: permission denied<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: dynamic database
'ipa' configuration failed:
permission denied<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: loading
configuration: permission denied<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
named-pkcs11[3948]: exiting (due to
fatal error)<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
systemd[1]: named-pkcs11.service:
control process exited, code=exited
status=1<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS) with
native PKCS#11.<br>
-- Subject: Unit
named-pkcs11.service has failed<br>
-- Defined-By: systemd<br>
-- Support: <a
moz-do-not-send="true"
href="http://lists.freedesktop.org/mailman/listinfo/systemd-devel"
target="_blank">http://lists.freedesktop.org/m<wbr>ailman/listinfo/systemd-devel</a><br>
--<br>
-- Unit named-pkcs11.service has
failed.<br>
--<br>
-- The result is failed.<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
systemd[1]: Unit
named-pkcs11.service entered failed
state.<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
systemd[1]: named-pkcs11.service
failed.<br>
Jan 04 15:48:42 <a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>
polkitd[949]: Unregistered
Authentication Agent for
unix-process:3936:380486 (system bus
name :1.59, object path
/org/freedesktop/Policy<br>
<br>
</div>
Here are the last four entries of
/var/log/dirsrv/slapd-*/access |grep
ipa-dnskeysyncdcat:<br>
<br>
[04/Jan/2017:15:28:37.46322473<wbr>9
-0500] conn=5 op=1129 SRCH
base="dc=internal,dc=emerlyn,d<wbr>c=com"
scope=2
filter="(&(|(objectClass=krbpr<wbr>incipalaux)(objectClass=krbpri<wbr>ncipal)(objectClass=ipakrbprin<wbr>cipal))(|(ipaKrbPrincipalAlias<wbr>=ipa-dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management<wbr>-2.internal.emerlyn.com@<wbr>INTERNAL.EMERLYN.COM</a>)(krbPrinc<wbr>ipalName:caseIgnoreIA5Match:=<wbr>ipa-dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@<wbr>INTERNAL.EMERLYN.COM</a>)))"
attrs="krbPrincipalName
krbCanonicalName krbUPEnabled
krbPrincipalKey
krbTicketPolicyReference
krbPrincipalExpiration
krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType
krbPwdHistory krbLastPwdChange
krbPrincipalAliases
krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount
krbPrincipalAuthInd krbExtraData
krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData
ipaUserAuthType
ipatokenRadiusConfigLink objectClass"<br>
[04/Jan/2017:15:28:37.46473966<wbr>1
-0500] conn=5 op=1133 SRCH
base="krbprincipalname=ipa-dns<wbr>keysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.inter<wbr>nal.emerlyn.com@INTERNAL.EMERL<wbr>YN.COM</a>,cn=services,cn=accounts<wbr>,dc=internal,dc=emerlyn,dc=com<wbr>"
scope=0 filter="(objectClass=*)"
attrs="objectClass uid cn fqdn
gidNumber krbPrincipalName
krbCanonicalName
krbTicketPolicyReference
krbPrincipalExpiration
krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType
krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount
krbLastAdminUnlock krbTicketFlags
ipaNTSecurityIdentifier
ipaNTLogonScript ipaNTProfilePath
ipaNTHomeDirectory
ipaNTHomeDirectoryDrive"<br>
[04/Jan/2017:15:28:37.46585137<wbr>2
-0500] conn=5 op=1134 MOD
dn="krbprincipalname=ipa-dnske<wbr>ysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.interna<wbr>l.emerlyn.com@INTERNAL.EMERLYN<wbr>.COM</a>,cn=services,cn=accounts,d<wbr>c=internal,dc=emerlyn,dc=com"<br>
[04/Jan/2017:15:28:37.47497477<wbr>5
-0500] conn=6 op=1372 SRCH
base="dc=internal,dc=emerlyn,d<wbr>c=com"
scope=2
filter="(&(|(objectClass=krbpr<wbr>incipalaux)(objectClass=krbpri<wbr>ncipal))(krbPrincipalName=ipa-<wbr>dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.in<wbr>ternal.emerlyn.com@INTERNAL.EM<wbr>ERLYN.COM</a>))"
attrs="krbPrincipalName
krbCanonicalName krbUPEnabled
krbPrincipalKey
krbTicketPolicyReference
krbPrincipalExpiration
krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType
krbPwdHistory krbLastPwdChange
krbPrincipalAliases
krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount
krbPrincipalAuthInd krbExtraData
krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock
passwordHistory ipaKrbAuthzData
ipaUserAuthType
ipatokenRadiusConfigLink objectClass"<br>
[04/Jan/2017:15:28:37.48243617<wbr>2
-0500] conn=281 op=2 RESULT err=0
tag=97 nentries=0 etime=0
dn="krbprincipalname=ipa-dnske<wbr>ysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@internal.emerlyn.com"
target="_blank">id-management-2.interna<wbr>l.emerlyn.com@internal.emerlyn<wbr>.com</a>,cn=services,cn=accounts,d<wbr>c=internal,dc=emerlyn,dc=com"<br>
<br>
</div>
My environment:<br>
</div>
FreeIPA 4.2.0<br>
</div>
OS is CentOS 7.2<br>
<br>
</div>
<div>This is a secondary replica (master) and
the other replica can be pinged but nslookup
and dig fail to provide results even though
the values are in the /etc/hosts file:<br>
<br>
127.0.0.1 localhost localhost.localdomain
localhost4 localhost4.localdomain4<br>
::1 localhost localhost.localdomain
localhost6 localhost6.localdomain6<br>
10.72.100.16 <a moz-do-not-send="true"
href="http://id-management-1.internal.emerlyn.com"
target="_blank">id-management-1.internal.emerl<wbr>yn.com</a><br>
10.73.100.31 <a moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a><br>
<br>
</div>
<div><br>
</div>
<div>Any assistance in solving this would
be greatly appreciated and thanks for both
the great product and the support already
provided.<br>
<br>
</div>
<div>Jeff<br>
</div>
<div><br>
</div>
</div>
</blockquote>
<br>
<br>
Hello,<br>
<br>
What does the /etc/sysconfig/dirsrv file contain?<br>
<br>
Can you kinit as DNS?<br>
<br>
kinit -kt /etc/named.keytab DNS/$HOSTNAME<br>
<br>
Martin^2<br>
<br>
</div>
</blockquote>
</div>
The kinit -kt /etc/named.keytab DNS/$HOSTNAME command
returns nothing<br>
Here is the requested file output:<br>
<br>
# This file is sourced by dirsrv upon startup to set<br>
# the default environment for all directory server
instances.<br>
# To set instance specific defaults, use the file in the
same<br>
# directory called dirsrv-instance where "instance"<br>
# is the name of your directory server instance e.g.<br>
# dirsrv-localhost for the slapd-localhost instance.<br>
<br>
# This file is in systemd EnvironmentFile format - see
man systemd.exec<br>
<br>
# In order to make more file descriptors available<br>
# to the directory server, first make sure the system<br>
# hard limits are raised, then use ulimit - uncomment<br>
# out the following line and change the value to the<br>
# desired value<br>
# ulimit -n 8192<br>
# note - if using systemd, ulimit won't work - you must
edit<br>
# the systemd unit file for directory server to add the<br>
# LimitNOFILE option - see man systemd.exec for more
info<br>
<br>
# A per instance keytab does not make much sense for
servers.<br>
# Kerberos clients use the machine FQDN to obtain a
ticket like ldap/FQDN, there<br>
# is nothing that can make a client understand how to
get a per-instance ticket.<br>
# Therefore by default a keytab should be considered a
per server option.<br>
<br>
# Also this file is sourced for all instances, so again
all<br>
# instances would ultimately get the same keytab.<br>
<br>
# Finally a keytab is normally named either krb5.keytab
or &lt;service&gt;.keytab<br>
<br>
# In order to use SASL/GSSAPI (Kerberos) the directory<br>
# server needs to know where to find its keytab<br>
# file - uncomment the following line and set<br>
# the path and filename appropriately<br>
# if using systemd, omit the "; export VARNAME" at the
end<br>
<br>
# how many seconds to wait for the startpid file to show<br>
# up before we assume there is a problem and fail to
start<br>
# if using systemd, omit the "; export VARNAME" at the
end<br>
#STARTPID_TIME=10 ; export STARTPID_TIME<br>
# how many seconds to wait for the pid file to show<br>
# up before we assume there is a problem and fail to
start<br>
# if using systemd, omit the "; export VARNAME" at the
end<br>
#PID_TIME=600 ; export PID_TIME<br>
KRB5CCNAME=/tmp/krb5cc_389<br>
KRB5_KTNAME=/etc/dirsrv/ds.key<wbr>tab<br>
<br>
</div>
<div class="gmail_extra">I tried to re-install
(ipa-install-dns) and here is the install log. I
highlighted in red below where I think the problem may
be coming from.<br>
<br>
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:47Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:47Z DEBUG [4/8]: setting up kerberos
principal<br>
2017-01-05T13:13:47Z DEBUG Starting external process<br>
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc
-randkey DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>
-x ipa-setup-override-restriction<wbr>s<br>
2017-01-05T13:13:47Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as
principal admin/<a moz-do-not-send="true"
href="mailto:admin@INTERNAL.EMERLYN.COM"
target="_blank">admin@INTERNAL.EMERLYN.C<wbr>OM</a>
with password.<br>
<br>
2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy
specified for DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>;
defaulting to no policy<br>
add_principal: Principal or policy already exists while
creating "DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.<wbr>emerlyn.com@INTERNAL.EMERLYN.C<wbr>OM</a>".<br>
<br>
2017-01-05T13:13:47Z DEBUG Backing up system
configuration file '/etc/named.keytab'<br>
2017-01-05T13:13:47Z DEBUG Saving Index File to
'/var/lib/ipa/sysrestore/sysre<wbr>store.index'<br>
2017-01-05T13:13:47Z DEBUG Starting external process<br>
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k
/etc/named.keytab DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>
-x ipa-setup-override-restriction<wbr>s<br>
2017-01-05T13:13:47Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as
principal admin/<a moz-do-not-send="true"
href="mailto:admin@INTERNAL.EMERLYN.COM"
target="_blank">admin@INTERNAL.EMERLYN.C<wbr>OM</a>
with password.<br>
Entry for principal DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>
with kvno 7, encryption type aes256-cts-hmac-sha1-96
added to keytab WRFILE:/etc/named.keytab.<br>
Entry for principal DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>
with kvno 7, encryption type aes128-cts-hmac-sha1-96
added to keytab WRFILE:/etc/named.keytab.<br>
Entry for principal DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>
with kvno 7, encryption type des3-cbc-sha1 added to
keytab WRFILE:/etc/named.keytab.<br>
Entry for principal DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>
with kvno 7, encryption type arcfour-hmac added to
keytab WRFILE:/etc/named.keytab.<br>
Entry for principal DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>
with kvno 7, encryption type camellia128-cts-cmac added
to keytab WRFILE:/etc/named.keytab.<br>
Entry for principal DNS/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-2.internal.e<wbr>merlyn.com@INTERNAL.EMERLYN.CO<wbr>M</a>
with kvno 7, encryption type camellia256-cts-cmac added
to keytab WRFILE:/etc/named.keytab.<br>
<br>
2017-01-05T13:13:47Z DEBUG stderr=<br>
2017-01-05T13:13:47Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:47Z DEBUG [5/8]: setting up
named.conf<br>
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysup<wbr>grade.state'<br>
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysup<wbr>grade.state'<br>
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysupgrade/sysup<wbr>grade.state'<br>
2017-01-05T13:13:47Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:47Z DEBUG [6/8]: setting up server
configuration<br>
2017-01-05T13:13:47Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-I<wbr>NTERNAL-EMERLYN-COM.socket
from SchemaCache<br>
2017-01-05T13:13:47Z DEBUG retrieving schema for
SchemaCache url=ldapi://%2fvar%2frun%2fsla<wbr>pd-INTERNAL-EMERLYN-COM.socket
conn=&lt;ldap.ldapobject.SimpleLD<wbr>APObject instance
at 0x4c48440&gt;<br>
2017-01-05T13:13:48Z DEBUG raw: dnsserver_add(u'<a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-<wbr>2.internal.emerlyn.com</a>',
idnssoamname=&lt;DNS name <a moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>.&gt;,
version=u'2.213')<br>
2017-01-05T13:13:48Z DEBUG dnsserver_add(u'<a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-<wbr>2.internal.emerlyn.com</a>',
idnssoamname=&lt;DNS name <a moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-2.internal.emerl<wbr>yn.com</a>.&gt;,
all=False, raw=False, version=u'2.213')<br>
2017-01-05T13:13:48Z DEBUG raw: dnsserver_mod(u'<a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-<wbr>2.internal.emerlyn.com</a>',
idnsforwarders=[u'10.72.100.16<wbr>'],
idnsforwardpolicy=u'only', version=u'2.213')<br>
2017-01-05T13:13:48Z DEBUG dnsserver_mod(u'<a
moz-do-not-send="true"
href="http://id-management-2.internal.emerlyn.com"
target="_blank">id-management-<wbr>2.internal.emerlyn.com</a>',
idnsforwarders=(u'10.72.100.16<wbr>',),
idnsforwardpolicy=u'only', rights=False, all=False,
raw=False, version=u'2.213')<br>
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysup<wbr>grade.state'<br>
2017-01-05T13:13:48Z DEBUG Saving StateFile to
'/var/lib/ipa/sysupgrade/sysup<wbr>grade.state'<br>
2017-01-05T13:13:48Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:48Z DEBUG [7/8]: configuring named to
start on boot<br>
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:48Z DEBUG Starting external process<br>
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable
named-pkcs11.service<br>
2017-01-05T13:13:48Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:48Z DEBUG stdout=<br>
2017-01-05T13:13:48Z DEBUG stderr=<br>
2017-01-05T13:13:48Z DEBUG service DNS startup entry
already enabled<br>
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:48Z DEBUG Starting external process<br>
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop
named.service<br>
2017-01-05T13:13:48Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:48Z DEBUG stdout=<br>
2017-01-05T13:13:48Z DEBUG stderr=<br>
2017-01-05T13:13:48Z DEBUG Starting external process<br>
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask
named.service<br>
2017-01-05T13:13:48Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:48Z DEBUG stdout=<br>
2017-01-05T13:13:48Z DEBUG stderr=Created symlink from
/etc/systemd/system/named.serv<wbr>ice to /dev/null.<br>
<br>
2017-01-05T13:13:48Z DEBUG duration: 0 seconds<br>
<span style="color:rgb(255,0,0)">2017-01-05T13:13:48Z
DEBUG [8/8]: changing resolv.conf to point to
ourselves</span><br>
2017-01-05T13:13:48Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:48Z DEBUG Done configuring DNS (named).<br>
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:48Z DEBUG Starting external process<br>
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop
ipa-dnskeysyncd.service<br>
2017-01-05T13:13:48Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:48Z DEBUG stdout=<br>
2017-01-05T13:13:48Z DEBUG stderr=<br>
2017-01-05T13:13:48Z DEBUG Configuring DNS key
synchronization service (ipa-dnskeysyncd)<br>
2017-01-05T13:13:48Z DEBUG [1/7]: checking status<br>
2017-01-05T13:13:48Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-I<wbr>NTERNAL-EMERLYN-COM.socket
from SchemaCache<br>
2017-01-05T13:13:48Z DEBUG retrieving schema for
SchemaCache url=ldapi://%2fvar%2frun%2fsla<wbr>pd-INTERNAL-EMERLYN-COM.socket
conn=&lt;ldap.ldapobject.SimpleLD<wbr>APObject instance
at 0x4eb2c20&gt;<br>
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:48Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:48Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:48Z DEBUG [2/7]: setting up
bind-dyndb-ldap working directory<br>
2017-01-05T13:13:48Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:48Z DEBUG [3/7]: setting up kerberos
principal<br>
2017-01-05T13:13:48Z DEBUG Removing service keytab:
/etc/ipa/dnssec/ipa-dnskeysync<wbr>d.keytab<br>
2017-01-05T13:13:48Z DEBUG Starting external process<br>
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc
-randkey ipa-dnskeysyncd/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>
-x ipa-setup-override-restriction<wbr>s<br>
2017-01-05T13:13:48Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:48Z DEBUG stdout=Authenticating as
principal admin/<a moz-do-not-send="true"
href="mailto:admin@INTERNAL.EMERLYN.COM"
target="_blank">admin@INTERNAL.EMERLYN.C<wbr>OM</a>
with password.<br>
<br>
2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy
specified for ipa-dnskeysyncd/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>;
defaulting to no policy<br>
add_principal: Principal or policy already exists while
creating "ipa-dnskeysyncd/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management<wbr>-2.internal.emerlyn.com@<wbr>INTERNAL.EMERLYN.COM</a>".<br>
<br>
2017-01-05T13:13:48Z DEBUG Starting external process<br>
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k
/etc/ipa/dnssec/ipa-dnskeysync<wbr>d.keytab
ipa-dnskeysyncd/<a moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>
-x ipa-setup-override-restriction<wbr>s<br>
2017-01-05T13:13:49Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:49Z DEBUG stdout=Authenticating as
principal admin/<a moz-do-not-send="true"
href="mailto:admin@INTERNAL.EMERLYN.COM"
target="_blank">admin@INTERNAL.EMERLYN.C<wbr>OM</a>
with password.<br>
Entry for principal ipa-dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>
with kvno 7, encryption type aes256-cts-hmac-sha1-96
added to keytab WRFILE:/etc/ipa/dnssec/ipa-dns<wbr>keysyncd.keytab.<br>
Entry for principal ipa-dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>
with kvno 7, encryption type aes128-cts-hmac-sha1-96
added to keytab WRFILE:/etc/ipa/dnssec/ipa-dns<wbr>keysyncd.keytab.<br>
Entry for principal ipa-dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>
with kvno 7, encryption type des3-cbc-sha1 added to
keytab WRFILE:/etc/ipa/dnssec/ipa-dns<wbr>keysyncd.keytab.<br>
Entry for principal ipa-dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>
with kvno 7, encryption type arcfour-hmac added to
keytab WRFILE:/etc/ipa/dnssec/ipa-dns<wbr>keysyncd.keytab.<br>
Entry for principal ipa-dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>
with kvno 7, encryption type camellia128-cts-cmac added
to keytab WRFILE:/etc/ipa/dnssec/ipa-dns<wbr>keysyncd.keytab.<br>
Entry for principal ipa-dnskeysyncd/<a
moz-do-not-send="true"
href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM"
target="_blank">id-management-<wbr>2.internal.emerlyn.com@INTERNA<wbr>L.EMERLYN.COM</a>
with kvno 7, encryption type camellia256-cts-cmac added
to keytab WRFILE:/etc/ipa/dnssec/ipa-dns<wbr>keysyncd.keytab.<br>
<br>
2017-01-05T13:13:49Z DEBUG stderr=<br>
2017-01-05T13:13:49Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:49Z DEBUG [4/7]: setting up SoftHSM<br>
2017-01-05T13:13:49Z DEBUG Creating new softhsm config
file<br>
2017-01-05T13:13:49Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:49Z DEBUG [5/7]: adding DNSSEC
containers<br>
2017-01-05T13:13:49Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-I<wbr>NTERNAL-EMERLYN-COM.socket
from SchemaCache<br>
2017-01-05T13:13:49Z DEBUG retrieving schema for
SchemaCache url=ldapi://%2fvar%2frun%2fsla<wbr>pd-INTERNAL-EMERLYN-COM.socket
conn=&lt;ldap.ldapobject.SimpleLD<wbr>APObject instance
at 0x4ec9998&gt;<br>
2017-01-05T13:13:49Z INFO DNSSEC container exists (step
skipped)<br>
2017-01-05T13:13:49Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:49Z DEBUG [6/7]: creating replica
keys<br>
2017-01-05T13:13:49Z DEBUG Creating replica's key pair<br>
2017-01-05T13:13:49Z DEBUG Storing replica public key to
LDAP, ipk11UniqueId=autogenerate,cn=<wbr>keys,cn=sec,cn=dns,dc=internal<wbr>,dc=emerlyn,dc=com<br>
2017-01-05T13:13:49Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-I<wbr>NTERNAL-EMERLYN-COM.socket
from SchemaCache<br>
2017-01-05T13:13:49Z DEBUG retrieving schema for
SchemaCache url=ldapi://%2fvar%2frun%2fsla<wbr>pd-INTERNAL-EMERLYN-COM.socket
conn=&lt;ldap.ldapobject.SimpleLD<wbr>APObject instance
at 0x4eb2830&gt;<br>
2017-01-05T13:13:50Z DEBUG Replica public key stored<br>
2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for
old replica keys<br>
2017-01-05T13:13:50Z DEBUG Changing ownership of token
files<br>
2017-01-05T13:13:50Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:50Z DEBUG [7/7]: configuring
ipa-dnskeysyncd to start on boot<br>
2017-01-05T13:13:50Z DEBUG Starting external process<br>
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable
ipa-dnskeysyncd.service<br>
2017-01-05T13:13:50Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:50Z DEBUG stdout=<br>
2017-01-05T13:13:50Z DEBUG stderr=<br>
2017-01-05T13:13:50Z DEBUG service DNSKeySync startup
entry already enabled<br>
2017-01-05T13:13:50Z DEBUG duration: 0 seconds<br>
2017-01-05T13:13:50Z DEBUG Done configuring DNS key
synchronization service (ipa-dnskeysyncd).<br>
2017-01-05T13:13:50Z DEBUG Starting external process<br>
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart
ipa-dnskeysyncd.service<br>
2017-01-05T13:13:50Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:50Z DEBUG stdout=<br>
2017-01-05T13:13:50Z DEBUG stderr=<br>
2017-01-05T13:13:50Z DEBUG Starting external process<br>
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active
ipa-dnskeysyncd.service<br>
2017-01-05T13:13:50Z DEBUG Process finished, return
code=0<br>
2017-01-05T13:13:50Z DEBUG stdout=active<br>
<br>
2017-01-05T13:13:50Z DEBUG stderr=<br>
2017-01-05T13:13:50Z DEBUG Restarting named<br>
2017-01-05T13:13:50Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysre<wbr>store.state'<br>
2017-01-05T13:13:50Z DEBUG Starting external process<br>
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart
named-pkcs11.service<br>
2017-01-05T13:13:50Z DEBUG Process finished, return
code=1<br>
2017-01-05T13:13:50Z DEBUG stdout=<br>
2017-01-05T13:13:50Z DEBUG stderr=Job for
named-pkcs11.service failed because the control process
exited with error code. See "systemctl status
named-pkcs11.service" and "journalctl -xe" for details.<br>
<br>
</div>
<div class="gmail_extra">Thank you for assisting.<span
class="m_-22724728160857037HOEnZb"><font
color="#888888"><br clear="all">
</font></span></div>
<span class="m_-22724728160857037HOEnZb"><font
color="#888888">
<div class="gmail_extra"><br>
-- <br>
<div
class="m_-22724728160857037m_3310156183138934670gmail_signature">
<div>Jeff<br>
</div>
</div>
</div>
</font></span></div>
</div>
<br>
</div>
Looping in the rest of the previous recipients<br clear="all">
<div><br>
-- <br>
<div class="m_-22724728160857037gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div>
<div>Jeff Goddard<br>
</div>
<br>
</div>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
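<p>The check suggested at the top of this message (kinit as the DNS service, then ldapsearch -Y GSSAPI), written out as a staged script. This is an added example, not part of the original messages or of FreeIPA; the function name, the return codes, the LDAP URI argument and the root DSE search are assumptions made for illustration. Stage 3 is the step at which named-pkcs11 logs "Invalid credentials: bind to LDAP server failed" in the journal above.</p>
<pre>
```shell
#!/bin/sh
# Added example, not from the thread: run the two suggested checks in order
# and report which stage fails.
# Return codes (chosen for this example):
#   0 bind succeeded, 1 keytab unreadable, 2 kinit failed, 3 GSSAPI bind failed

# The body is a subshell "( ... )" so KRB5CCNAME and the other variables
# do not leak into the calling shell.
check_dns_ldap_bind() (
    keytab=$1      # /etc/named.keytab in the thread
    principal=$2   # DNS/$HOSTNAME in the thread
    ldap_uri=$3    # assumption: URI of the directory server to bind to

    # Stage 1: the account running the check must be able to read the keytab.
    if [ ! -r "$keytab" ]; then
        echo "stage 1 FAILED: $(id -un) cannot read $keytab"
        exit 1
    fi

    # Use a private credential cache so existing tickets are left alone.
    ccdir=$(mktemp -d) || exit 1
    KRB5CCNAME="FILE:$ccdir/cc"
    export KRB5CCNAME

    rc=0
    # Stage 2: get a TGT from the keytab (kinit is silent on success).
    if ! kinit -kt "$keytab" "$principal"; then
        echo "stage 2 FAILED: no ticket for $principal from $keytab"
        rc=2
    # Stage 3: SASL/GSSAPI bind with that ticket; read only the root DSE.
    elif ! ldapsearch -Q -LLL -Y GSSAPI -H "$ldap_uri" \
            -b "" -s base "(objectClass=*)" namingContexts; then
        echo "stage 3 FAILED: ticket obtained, but the directory server rejected the GSSAPI bind"
        rc=3
    else
        echo "OK: $principal can bind to $ldap_uri with GSSAPI"
    fi

    rm -rf "$ccdir"
    exit "$rc"
)

# Run only when called with the three arguments, for example
# (the ldap:// URI is an assumption, not a value from the thread):
#   sh check.sh /etc/named.keytab "DNS/$HOSTNAME" "ldap://$HOSTNAME"
if [ "$#" -eq 3 ]; then
    check_dns_ldap_bind "$@"
fi
```
</pre>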
</body>
</html>