[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing
Sigbjorn Lie
sigbjorn at nixtra.com
Wed Sep 19 20:37:27 UTC 2012
Hi,
I noticed an updated krb5-server package today advertising that it's
fixing the issue with slow GSSAPI binds discussed earlier, so I
installed it in my test environment, set SELinux back to enforcing in
/etc/sysconfig/selinux and rebooted.
The named daemon does not start now. The error below was logged in
/var/log/messages:
Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (KDC returned error
string: PROCESS_TGS)
I am able to start named after setting SELinux to permissive mode
(setenforce 0).
Then, to verify, I stopped all IPA services (ipactl stop), re-enabled SELinux
(setenforce 1), and started the IPA services (ipactl start). A new error
was logged in /var/log/messages:
Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
From the /var/log/krb5kdc.log:
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client>
for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client>
for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0:
File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM,
Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
{rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for
krbtgt/IX.TEST.COM at IX.TEST.COM
/var/named/data/named.run logged nothing.
Any suggestions for how to troubleshoot this issue?
Regards,
Siggi
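As an added triage aid (not part of the thread), the script below correlates the two symptoms quoted above by syslog timestamp: the KDC's "Cannot create replay cache file" failure in krb5kdc.log and named's GSSAPI / LDAP bind / permission-denied failures in /var/log/messages. The sample lines are constructed to mirror the ones in the post; the regexes and the `triage()` helper are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ones quoted in the post above.
KDC_LOG = """\
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0: File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com@IX.TEST.COM for krbtgt/IX.TEST.COM@IX.TEST.COM
"""
MESSAGES = """\
Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS)
Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
"""

# Syslog timestamp prefix shared by both log formats ("Sep 19 21:54:46 ").
TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
# KDC side: a TGS request that failed because the replay cache file could not be created.
KDC_RCACHE = re.compile(
    TS + r".*krb5kdc\[\d+\].*PROCESS_TGS.*Cannot create replay cache file (?P<path>\S+): (?P<reason>.*)$")
# named side: the three failure messages seen in the post.
NAMED_FAIL = re.compile(
    TS + r".*named\[\d+\]: (?P<msg>GSSAPI Error.*PROCESS_TGS.*|bind to LDAP server failed.*|loading configuration: permission denied)$")


def triage(kdc_log, messages):
    """Return {timestamp: [symptom, ...]} so KDC and named failures at the same second line up."""
    findings = defaultdict(list)
    for line in kdc_log.splitlines():
        m = KDC_RCACHE.search(line)
        if m:
            findings[m["ts"]].append(f"kdc: replay cache {m['path']} unusable ({m['reason']})")
    for line in messages.splitlines():
        m = NAMED_FAIL.search(line)
        if m:
            findings[m["ts"]].append(f"named: {m['msg']}")
    return dict(findings)


if __name__ == "__main__":
    for ts, items in sorted(triage(KDC_LOG, MESSAGES).items()):
        print(ts)
        for item in items:
            print("   ", item)
```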