[Freeipa-users] DNS service named in one of our IPA server cannot start
lm gnid
lmgnid at hotmail.com
Sat Jul 9 00:47:12 UTC 2016
Hello,
On one of our IPA servers, the named service suddenly cannot start, so I followed the link below:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
I found some errors like the one below:
==> messages <==
Jul 8 23:30:30 eupreprd-ops-ipa-01 named-pkcs11[5002]: LDAP error: Invalid credentials: SASL(-14): authorization failure: : bind to LDAP server failed
It should be an "Invalid credentials: bind to LDAP server failed" error; however, the commands below show no issues to me:
[root@eupreprd-ops-ipa-01 ~]# kvno DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM: kvno = 2
[root@eupreprd-ops-ipa-01 ~]# klist -kt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
[root@eupreprd-ops-ipa-01 ~]# kinit -kt /etc/named.keytab DNS/eupreprd-ops-ipa-01.internal.com
[root@eupreprd-ops-ipa-01 ~]
[root@eupreprd-ops-ipa-01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket"' -Y GSSAPI -b 'cn=dns, dc=internal,dc=com'
...<Lots of results, will not put here>...
For now, I have used the "(Workaround) Use simple LDAP BIND instead of Kerberos" to make it work, but I still want to know how to recover to "sasl"?
Thanks in advance!