[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

Sigbjorn Lie sigbjorn at nixtra.com
Wed Sep 19 21:30:00 UTC 2012


Ok. I'm fairly new to selinux but I will give it a go tomorrow.

Thanks.

Rgds
S.

Rob Crittenden <rcritten at redhat.com> wrote:

>Sigbjorn Lie wrote:
>> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I noticed an updated krb5-server package today advertising that it's
>>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>>> installed it in my test environment, set SElinux back to enforcing in
>>>> /etc/sysconfig/selinux and rebooted.
>>>>
>>>> The named daemon does not start now. The error below was logged in
>>>> /var/log/messages:
>>>>
>>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>>> failure.  Minor code may provide more information (KDC returned error
>>>> string: PROCESS_TGS)
>>>>
>>>> I am able to start named after setting SElinux in permissive mode
>>>> (setenforce 0).
>>>>
>>>> Then to verify: I stop all IPA services (ipactl stop), reenabled selinux
>>>> (setenforce 1), and start the IPA services (ipactl start). A new error
>>>> is logged in /var/log/messages:
>>>>
>>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
>>>> credentials
>>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>>> denied
>>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>>
>>>>
>>>> From the /var/log/krb5kdc.log:
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client>
>>>> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0:
>>>> File exists
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client>
>>>> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0:
>>>> File exists
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>>> DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM,
>>>> Additional pre-authentication required
>>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for
>>>> krbtgt/IX.TEST.COM at IX.TEST.COM
>>>>
>>>> /var/named/data/named.run logged nothing.
>>>>
>>>>
>>>>
>>>> Any suggestions for how to troubleshoot this issue?
>>>
>>> Pure guess, but:
>>>
>>> restorecon /var/tmp/krbtgt_0
>>>
>>> rob
>> Sorry, that did not help. There seems to be a new error in the messages
>> file every time I attempt a named restart though. See below for the
>> latest:
>>
>> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
>> (IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
>> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
>> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
>> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)
>
>I'd continue to check /var/log/audit/audit.log for AVCs.
>
>rob

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
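Rob's pointer to /var/log/audit/audit.log is the practical next step. As an added example, not code from the thread, this POSIX shell helper pulls the AVC denials for a given process out of an audit log and tallies source-domain/target-type pairs, so a named_t denial on a mislabelled replay cache such as /var/tmp/krbtgt_0 stands out. The audit lines embedded below are constructed sample data; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials from an
# audit log, as Rob suggests checking /var/log/audit/audit.log for AVCs.
# SAMPLE_AUDIT_LOG is constructed; on a real host feed the audit log itself.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1348088487.123:4021): avc:  denied  { write } for  pid=12638 comm="named" name="krbtgt_0" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348088487.123:4021): arch=c000003e syscall=2 success=no exit=-13 comm="named"
type=AVC msg=audit(1348088487.900:4022): avc:  denied  { unlink } for  pid=12638 comm="named" name="krbtgt_0" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348088488.456:4023): avc:  denied  { read write } for  pid=3681 comm="krb5kdc" name="krbtgt_0" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348088490.789:4024): avc:  denied  { read } for  pid=999 comm="sshd" name="foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Read the audit log named in $1, or stdin when no file is given.
_avc_input() {
    if [ -n "$1" ]; then cat -- "$1"; else cat; fi
}

# avc_denials_for COMM [FILE]
# One line per AVC denial whose comm= matches: "comm perms scontext tcontext tclass".
# The SYSCALL records that accompany each AVC carry no contexts and are skipped.
avc_denials_for() {
    _avc_input "$2" | grep '^type=AVC ' | grep "comm=\"$1\"" |
    sed -n 's/.*denied *{ *\([^}]*[^} ]\) *} *for .*comm="\([^"]*\)".*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \1 \3 \4 \5/p'
}

# avc_target_types [FILE]
# Count denials per "source domain -> target type", most frequent first; a
# named_t -> user_tmp_t entry for krbtgt_0 points at a mislabelled replay cache.
avc_target_types() {
    _avc_input "$1" | grep '^type=AVC ' |
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 -> \2/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone run: use the audit log given on the command line, else the sample.
if [ -n "$1" ]; then
    avc_denials_for named "$1"
    avc_target_types "$1"
else
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials_for named
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_target_types
fi
```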