[Freeipa-users] ipa replica install fails

Simo Sorce simo@redhat.com
Tue Feb 5 16:01:36 UTC 2013


On Tue, 2013-02-05 at 16:59 +0100, Petr Spacek wrote:
> On 5.2.2013 15:45, Rajnesh Kumar Siwal wrote:
> > Finally , I installed it with "--skip-conncheck":-
> > Now DNS fails to start.
> > I tried ipa-dns-install too:-
> >
> > [root@ipa2 log]# ipa-dns-install
> > The log file for this installation can be found in
> > /var/log/ipaserver-install.log
> > ==============================================================================
> > This program will setup DNS for the IPA Server.
> >
> > This includes:
> >    * Configure DNS (bind)
> >
> > To accept the default shown in brackets, press the Enter key.
> > Existing BIND configuration detected, overwrite? [no]: yes
> > DNS is already configured in this IPA server.
> > [root@ipa2 log]# /etc/init.d/ipa status
> > Directory Service: RUNNING
> > KDC Service: RUNNING
> > KPASSWD Service: RUNNING
> > DNS Service: STOPPED
> > MEMCACHE Service: RUNNING
> > HTTP Service: RUNNING
> > CA Service: RUNNING
> > [root@ipa2 log]# /etc/init.d/named restart
> > Stopping named:                                            [  OK  ]
> > Starting named:                                            [FAILED]
> >
> > ---------------------------------------------------------------------------------------------
> > DNS logs :-
> > Feb  5 09:40:19 ipa2 named[19873]:
> > ----------------------------------------------------
> > Feb  5 09:40:19 ipa2 named[19873]: BIND 9 is maintained by Internet
> > Systems Consortium,
> > Feb  5 09:40:19 ipa2 named[19873]: Inc. (ISC), a non-profit 501(c)(3)
> > public-benefit
> > Feb  5 09:40:19 ipa2 named[19873]: corporation.  Support and training
> > for BIND 9 are
> > Feb  5 09:40:19 ipa2 named[19873]: available at https://www.isc.org/support
> > Feb  5 09:40:19 ipa2 named[19873]:
> > ----------------------------------------------------
> > Feb  5 09:40:19 ipa2 named[19873]: adjusted limit on open files from
> > 102400 to 1048576
> > Feb  5 09:40:19 ipa2 named[19873]: found 2 CPUs, using 2 worker threads
> > Feb  5 09:40:19 ipa2 named[19873]: using up to 4096 sockets
> > Feb  5 09:40:19 ipa2 named[19873]: loading configuration from '/etc/named.conf'
> > Feb  5 09:40:19 ipa2 named[19873]: using default UDP/IPv4 port range:
> > [1024, 65535]
> > Feb  5 09:40:19 ipa2 named[19873]: using default UDP/IPv6 port range:
> > [1024, 65535]
> > Feb  5 09:40:19 ipa2 named[19873]: listening on IPv6 interfaces, port 53
> > Feb  5 09:40:19 ipa2 named[19873]: listening on IPv4 interface lo, 127.0.0.1#53
> > Feb  5 09:40:19 ipa2 named[19873]: listening on IPv4 interface eth0,
> > 172.31.254.205#53
> > Feb  5 09:40:19 ipa2 named[19873]: generating session key for dynamic DNS
> > Feb  5 09:40:19 ipa2 named[19873]: sizing zone task pool based on 6 zones
> > Feb  5 09:40:19 ipa2 named[19873]: set up managed keys zone for view
> > _default, file 'dynamic/managed-keys.bind'
> > Feb  5 09:40:19 ipa2 named[19873]: GSSAPI Error: Unspecified GSS
> > failure.  Minor code may provide more information (Mutual
> > authentication failed)
> > Feb  5 09:40:19 ipa2 named[19873]: bind to LDAP server failed: Local error
> > Feb  5 09:40:19 ipa2 named[19873]: loading configuration: failure
> > Feb  5 09:40:19 ipa2 named[19873]: exiting (due to fatal error)
> > Feb  5 09:40:28 ipa2 kernel: IN=eth0 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:00:22:6b:12:99:bc:08:00 SRC=0.0.0.0
> > DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=60 ID=0 PROTO=UDP
> > SPT=68 DPT=67 LEN=308
> > [root@ipa2 log]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin@XYZ.DMZ
> > Valid starting     Expires            Service principal
> > 02/05/13 14:32:56  02/06/13 14:32:24  krbtgt/XYZ.DMZ@XYZ.DMZ
> > 02/05/13 14:33:16  02/06/13 14:31:34  ldap/ipa2.xyz.dmz@XYZ.DMZ
> 
> The important line is:
>  > Feb  5 09:40:19 ipa2 named[19873]: GSSAPI Error: Unspecified GSS
>  > failure.  Minor code may provide more information (Mutual
>  > authentication failed)
> 
> Did you poke at /etc/named.keytab in any way? Is this server the first 
> installation with this host name? (I.e. was there a host with the same DNS 
> name in the past?)
> 
> I don't understand what went wrong.
> 
> Please provide output from the following commands (in this order):
> $ klist -ket /etc/named.keytab
> $ kinit -kt DNS/ipa2.xyz.dmz@XYZ.DMZ
> $ klist
> 
> Simo, is it possible to do something like "kadmin -p admin" and "getprinc 
> DNS/ipa2.xyz.dmz@XYZ.DMZ"?

You could use kadmin.local on the KDC.

> It fails:
> 
> kadmin:  getprinc DNS/host.redhat.com@E.TEST
> get_principal: Operation requires ``get'' privilege while retrieving 
> "DNS/host.redhat.com@E.TEST".

Interesting, this shouldn't happen. Can you open a bug?
(only if on 3.x)

> How is it possible to retrieve the kvno and other details for IPA principals?

Use kvno command for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
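The checks Petr and Simo ask for in this thread (klist -ket on named's keytab, a kinit from that keytab, and the kvno command to read the key version the KDC holds) can be scripted so the three answers line up. The helper below is an added example, not code from the thread or from FreeIPA; the principal and keytab path default to the values in the thread and are assumptions, and the SAMPLE_* strings are constructed to show what a keytab that lags behind the KDC's key version looks like.

```shell
#!/bin/sh
# Added diagnostic helper (not code from the thread or FreeIPA). It scripts the
# checks the thread asks for: list the DNS key in named's keytab (klist -ket),
# confirm the KDC accepts that key (kinit -kt) and compare the keytab kvno with
# the kvno the KDC serves (kvno). PRINC and KEYTAB defaults are taken from the
# thread and are assumptions; the SAMPLE_* strings are constructed test data.
PRINC="${PRINC:-DNS/ipa2.xyz.dmz@XYZ.DMZ}"
KEYTAB="${KEYTAB:-/etc/named.keytab}"
# Highest kvno recorded for principal $1 in 'klist -ket' output read on stdin;
# entry lines begin with the kvno and carry the principal as one field.
keytab_kvno() {
  awk -v p="$1" '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++)
      if ($i == p && $1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}
# kvno the KDC currently issues for principal $1, parsed from 'kvno' output on
# stdin ("PRINC: kvno = N"); prints 0 when no such line is present.
kdc_kvno() {
  awk -v p="$1" '$1 == p ":" && $2 == "kvno" { print $4 + 0; found = 1 }
                 END { if (!found) print 0 }'
}
# Verdict for keytab kvno $1 against KDC kvno $2; returns 0 only on a match.
kvno_verdict() {
  if [ "$1" -eq 0 ]; then echo "missing-from-keytab"; return 1; fi
  if [ "$2" -eq 0 ]; then echo "unknown-to-kdc"; return 1; fi
  if [ "$1" -ne "$2" ]; then echo "kvno-mismatch"; return 1; fi
  echo "ok"
}
# Live check: needs a TGT (e.g. admin) for 'kvno'; the keytab kinit uses a
# scratch cache so the existing ticket cache is left untouched.
check_named_keytab() {
  klist -ket "$KEYTAB"
  KRB5CCNAME=FILE:/tmp/named-keytab-check.cc kinit -kt "$KEYTAB" "$PRINC" \
    || echo "kinit from $KEYTAB failed: the KDC does not accept the keytab key"
  kt=$(klist -ket "$KEYTAB" | keytab_kvno "$PRINC")
  kdc=$(kvno "$PRINC" 2>/dev/null | kdc_kvno "$PRINC")
  echo "keytab kvno=$kt kdc kvno=$kdc -> $(kvno_verdict "$kt" "$kdc")"
}
# Constructed sample: keytab still holds kvno 2, KDC already serves kvno 3.
SAMPLE_PRINC='DNS/ipa2.xyz.dmz@XYZ.DMZ'
SAMPLE_KLIST='KVNO Timestamp           Principal
   2 02/05/2013 14:33:16 DNS/ipa2.xyz.dmz@XYZ.DMZ (aes256-cts-hmac-sha1-96)
   2 02/05/2013 14:33:16 DNS/ipa2.xyz.dmz@XYZ.DMZ (aes128-cts-hmac-sha1-96)'
SAMPLE_KVNO='DNS/ipa2.xyz.dmz@XYZ.DMZ: kvno = 3'
demo() {   # prints the verdict for the constructed sample (kvno-mismatch)
  kvno_verdict "$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$SAMPLE_PRINC")" \
               "$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno "$SAMPLE_PRINC")"
}
if [ "${1:-}" = "--run" ]; then check_named_keytab; else demo || :; fi
```

Run it with --run on the replica as root to exercise the real keytab and KDC; without arguments it only evaluates the constructed sample.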