[Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

Brian J. Murrell brian at interlinx.bc.ca
Tue Dec 20 11:41:05 UTC 2016


On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote:
> 
> So there are actually no issues with credentials; it needs more
> debugging. In the past we had a similar case, but we haven't found the
> root cause why it doesn't have the right credentials after kinit.

So, to be clear, all I did was kinit.  I didn't do anything after that
once the credentials were acquired. Should I have, or did you just want
me to test that the credential file was usable?  I did that as root.
Here's the permissions on that keytab just in case there is a problem
there:

# ls -lZ /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
-r--r-----. root ods unconfined_u:object_r:etc_t:s0   /etc/ipa/dnssec/ipa-dnskeysyncd.keytab

restorecon says that the SELinux labels are ok.  The file is not in the
RPM (i.e. as a config file) so I have no reference for the permissions
of it.

> Are you 
> willing to do more basic level code debugging?

Absolutely.

> BTW this is used only with the DNSSEC feature. If you don't use DNSSEC
> signing you can ignore this failing service (ipactl start
> --ignore-service-failures)

Let's also not lose sight of the other problem that occurred at the
same upgrade, and that is having to fall back to simple
authentication of bind with:

        arg "auth_method simple";
        arg "bind_dn uid=admin,cn=users,cn=accounts,dc=example.com";
        arg "password my_password";

in /etc/named.conf due to:

21:12:19 LDAP error: Invalid credentials: bind to LDAP server failed

trying to start bind via systemctl start ipa.

Is it most likely that these two problems are in fact not related?

Cheers,
b.