[Freeipa-users] DNS service named in one of our IPA server cannot start

lm gnid lmgnid at hotmail.com
Sat Jul 9 00:47:12 UTC 2016


Hello,

On one of our IPA servers, the named service suddenly cannot start, so I followed the link below:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart

Found some errors like below:

==> messages <==

Jul  8 23:30:30 eupreprd-ops-ipa-01 named-pkcs11[5002]: LDAP error: Invalid credentials: SASL(-14): authorization failure: : bind to LDAP server failed

It should be an "Invalid credentials: bind to LDAP server failed" error; however, the commands below show no issues to me:

[root@eupreprd-ops-ipa-01 ~]# kvno DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM: kvno = 2

[root@eupreprd-ops-ipa-01 ~]# klist -kt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM

[root@eupreprd-ops-ipa-01 ~]# kinit -kt /etc/named.keytab DNS/eupreprd-ops-ipa-01.internal.com
[root@eupreprd-ops-ipa-01 ~]

[root@eupreprd-ops-ipa-01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket"' -Y GSSAPI -b 'cn=dns, dc=internal,dc=com'
...<Lots of results, will not put here>...



For now, I have used the "(Workaround) Use simple LDAP BIND instead of Kerberos" to make it work, but I still want to know how to recover to "sasl".



Thanks in advance!
