[Freeipa-users] DNS service named in one of our IPA server cannot start

Petr Spacek pspacek at redhat.com
Tue Jul 12 11:07:20 UTC 2016


On 9.7.2016 02:47, lm gnid wrote:
> Hello,
> 
> On one of our IPA servers, the named service suddenly cannot start, so I followed the link below:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> 
> Found some errors like below:
> 
> ==> messages <==
> Jul  8 23:30:30 eupreprd-ops-ipa-01 named-pkcs11[5002]: LDAP error: Invalid credentials: SASL(-14): authorization failure: : bind to LDAP server failed
> 
> It should be an "Invalid credentials: bind to LDAP server failed" error; however, the commands below show no issues to me:
> 
> [root@eupreprd-ops-ipa-01 ~]# kvno DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
> DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM: kvno = 2
> 
> [root@eupreprd-ops-ipa-01 ~]# klist -kt /etc/named.keytab
> Keytab name: FILE:/etc/named.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
> 
> [root@eupreprd-ops-ipa-01 ~]# kinit -kt /etc/named.keytab DNS/eupreprd-ops-ipa-01.internal.com
> [root@eupreprd-ops-ipa-01 ~]#
> 
> [root@eupreprd-ops-ipa-01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket' -Y GSSAPI -b 'cn=dns,dc=internal,dc=com'
> ...<Lots of results, will not put here>...
> 
> For now, I have used the "(Workaround) Use simple LDAP BIND instead of Kerberos" to make it work, but I still want to know how to recover to "sasl".


Huh, this is really weird. The only idea I have is that there is some
replication issue between the IPA servers, so server1 has a different key for
the DNS service principal than server2.

In theory, the servers to contact can be chosen randomly, so named might have
been unlucky and attempted to contact the 'wrong' server while kinit might have
been lucky and contacted the 'right' one.

Please check things mentioned in
http://www.freeipa.org/page/Troubleshooting#Replication_issues

I hope it helps!

-- 
Petr^2 Spacek
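The hypothesis above can be tested directly by forcing kinit/kvno to talk to one KDC at a time instead of whichever replica the client happens to pick. The script below is an added example, not code from the thread or from FreeIPA: realm, principal and keytab path are taken from the output above, while the server list is a constructed placeholder to be replaced with every IPA master of the realm.

```shell
#!/bin/sh
# Added example: test /etc/named.keytab against each IPA replica's KDC individually.
# A keytab that works against one KDC but not another indicates the replicas hold
# different keys for the DNS principal (the replication issue suspected above).
REALM="INTERNAL.COM"
PRINC="DNS/eupreprd-ops-ipa-01.internal.com@${REALM}"
KEYTAB="/etc/named.keytab"
# Server list is a constructed placeholder: list every IPA master of the realm here.
SERVERS="eupreprd-ops-ipa-01.internal.com ipa-02.internal.com"

# Minimal krb5.conf that pins kdc/admin_server to one host and disables DNS SRV
# lookup, so kinit cannot silently fall back to a different replica.
make_krb5_conf() {
    realm="$1"; server="$2"
    printf '[libdefaults]\n  default_realm = %s\n  dns_lookup_kdc = false\n' "$realm"
    printf '[realms]\n  %s = {\n    kdc = %s\n    admin_server = %s\n  }\n' \
        "$realm" "$server" "$server"
}

# Authenticate with the keytab against exactly one KDC and report the kvno that
# KDC uses for the principal. Differing kvnos across servers mean replication lag.
check_server() {
    server="$1"
    conf=$(mktemp); cc=$(mktemp)
    make_krb5_conf "$REALM" "$server" > "$conf"
    export KRB5_CONFIG="$conf" KRB5CCNAME="FILE:$cc"
    if err=$(kinit -kt "$KEYTAB" "$PRINC" 2>&1); then
        kv=$(kvno "$PRINC" 2>/dev/null | sed 's/.*kvno = //')
        echo "OK   $server: KDC kvno = ${kv:-?}"
    else
        echo "FAIL $server: $err"
    fi
    unset KRB5_CONFIG KRB5CCNAME
    rm -f "$conf" "$cc"
}

main() {
    # klist -kt columns: KVNO, date, time, principal.
    echo "kvno(s) in $KEYTAB for $PRINC:"
    klist -kt "$KEYTAB" | awk -v p="$PRINC" '$4 == p {print "  " $1}' | sort -u
    for s in $SERVERS; do check_server "$s"; done
}

# Only run the live checks when invoked as: sh check-named-keytab.sh run
case "${1:-}" in run) main ;; esac
```

A FAIL on one replica alongside OK on the others confirms the keys diverged; comparing the reported KDC kvno with the keytab kvno shows which side is stale.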
