[Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

Petr Spacek pspacek at redhat.com
Wed Dec 21 07:24:19 UTC 2016


On 20.12.2016 12:41, Brian J. Murrell wrote:
> On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote:
>>
>> So there are actually no issues with credentials, it needs more 
>> debugging, in the past we had a similar case but we haven't found the
>> root 
>> cause why it doesn't have the right credentials after kinit.
> 
> So, to be clear, all I did was kinit.  I didn't do anything after that
> once the credentials were acquired. Should I have or did you just want
> me to test that credential file was usable?  I did that as root. 
> Here's the permissions on that keytab just in case there is a problem
> there:
> 
> # ls -lZ /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> -r--r-----. root ods unconfined_u:object_r:etc_t:s0   /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> 
> restorecon says that the selinux labels are ok.  The file is not in the
> RPM (i.e. as a config file) so I have no reference for the permissions
> of it.
> 
>> Are you 
>> willing to do more basic level code debugging?
> 
> Absolutely.
> 
>> BTW this is used only with DNSSEC feature. If you don't use DNSSEC 
>> signing you can ignore this failing service (ipactl start 
>> --ignore-service-failures)
> 
> Let's also not lose sight of the other problem that occurred at the
> same upgrade and that's the having to fall back to simple
> authentication of bind with:
> 
>         arg "auth_method simple";
>         arg "bind_dn uid=admin,cn=users,cn=accounts,dc=example.com";
>         arg "password my_password";
> 
> in /etc/named.conf due to:
> 
> 21:12:19 LDAP error: Invalid credentials: bind to LDAP server failed
> 
> trying to start bind via systemctl start ipa.
> 
> Is it most likely that these two problems are in fact not related?

I guess that they are related because it is basically the very same problem.
The keytab does not work when used from the server application.

The question is: Why is that?

You can try to add line
KRB5_TRACE=/dev/stdout
to
/etc/sysconfig/ipa-dnskeysyncd

and see if there will be some additional information in the journal.

Maybe you will have to use a path like /var/lib/ipa/dnssec/debug.log instead of
/dev/stderr and then look into the new file.

-- 
Petr^2 Spacek
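An added diagnostic script, not from this thread or from FreeIPA itself, that checks the keytab permissions shown in the quoted listing and then repeats the service's Kerberos login outside systemd with KRB5_TRACE written to the debug.log path suggested in the reply. It assumes the service runs as user and group `ods` (an assumption here, matching the keytab's group), that `klist`, `kinit` and `runuser` are installed, and that it is run as root with `--run`.

```sh
#!/bin/sh
# Added diagnostic (not from the thread). Checks the keytab the way the
# ls -lZ listing above suggests, then repeats the service's Kerberos login
# outside systemd with KRB5_TRACE written to the file path from the reply.
# Assumptions: the service runs as user/group 'ods' (assumed here), and
# klist/kinit/runuser are available; run as root with --run to do the login.
KEYTAB=/etc/ipa/dnssec/ipa-dnskeysyncd.keytab
TRACE=/var/lib/ipa/dnssec/debug.log
SVC_USER=ods

# keytab_perms_ok FILE GROUP: 0 if FILE is owned by GROUP, group-readable
# and not accessible by others (the 0440 root:ods seen in the listing above).
keytab_perms_ok() {
  f=$1; want=$2
  mode=$(stat -c '%a' "$f") || return 1
  grp=$(stat -c '%G' "$f") || return 1
  [ "$grp" = "$want" ] || { echo "group $grp, expected $want" >&2; return 1; }
  other=${mode#"${mode%?}"}          # last octal digit (others)
  rest=${mode%?}
  group=${rest#"${rest%?}"}          # second-to-last octal digit (group)
  [ "$other" = 0 ] || { echo "world-accessible (mode $mode)" >&2; return 1; }
  case $group in
    4|5|6|7) return 0 ;;
    *) echo "group $want cannot read keytab (mode $mode)" >&2; return 1 ;;
  esac
}

# Repeat what ipa-dnskeysyncd does at startup: obtain a TGT from the keytab
# as the service user, with the trace enabled, into a private ccache so the
# root user's own credentials are never involved.
trace_keytab_login() {
  princ=$(klist -k "$KEYTAB" | awk 'NR>3 { print $2; exit }')
  [ -n "$princ" ] || { echo "no principal found in $KEYTAB" >&2; return 1; }
  : > "$TRACE" && chown "$SVC_USER" "$TRACE"
  runuser -u "$SVC_USER" -- env KRB5_TRACE="$TRACE" \
    KRB5CCNAME=FILE:/tmp/krb5cc_dnskeysync_test \
    kinit -kt "$KEYTAB" "$princ"
  rc=$?
  echo "kinit as $SVC_USER exited $rc; trace written to $TRACE"
  return $rc
}

if [ "${1:-}" = "--run" ]; then
  keytab_perms_ok "$KEYTAB" "$SVC_USER" && trace_keytab_login
fi
```

A non-zero kinit exit with the trace file showing the KDC exchange narrows the problem to the keytab contents (wrong KVNO or enctype) rather than to file access.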
