[Freeipa-users] DNS service named in one of our IPA server cannot start
Petr Spacek
pspacek at redhat.com
Tue Jul 12 11:07:20 UTC 2016
On 9.7.2016 02:47, lm gnid wrote:
> Hello,
>
> In one of our IPA servers, named service suddenly cannot start, so I followed the link below:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
>
> Found some errors like below:
>
> ==> messages <==
> Jul 8 23:30:30 eupreprd-ops-ipa-01 named-pkcs11[5002]: LDAP error: Invalid credentials: SASL(-14): authorization failure: : bind to LDAP server failed
>
> It should be an "Invalid credentials: bind to LDAP server failed" error, however, the commands below show no issues to me:
>
> [root@eupreprd-ops-ipa-01 ~]# kvno DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
> DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM: kvno = 2
>
> [root@eupreprd-ops-ipa-01 ~]# klist -kt /etc/named.keytab
> Keytab name: FILE:/etc/named.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal.com@INTERNAL.COM
>
> [root@eupreprd-ops-ipa-01 ~]# kinit -kt /etc/named.keytab DNS/eupreprd-ops-ipa-01.internal.com
> [root@eupreprd-ops-ipa-01 ~]#
>
> [root@eupreprd-ops-ipa-01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket' -Y GSSAPI -b 'cn=dns,dc=internal,dc=com'
> ...<Lots of results, will not put here>...
>
> For now, I have used the "(Workaround) Use simple LDAP BIND instead of Kerberos" to make it work, but still want to know how to recover to "sasl"?
Huh, this is really weird. The only idea I have is that there is some
replication issue between the IPA servers, so server1 has a different key for the
DNS service principal than server2.
In theory, the servers to contact can be chosen randomly, so named might
have been unlucky and attempted to contact the 'wrong' server while kinit might
have been lucky and contacted the 'right' one.
Please check things mentioned in
http://www.freeipa.org/page/Troubleshooting#Replication_issues
I hope it helps!
--
Petr^2 Spacek
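As an added illustration of the check Petr suggests (comparing the key version held in the named keytab with the key version each replica's KDC reports for the DNS principal), here is a small Python script. It is not from the thread or from FreeIPA or bind-dyndb-ldap. The hostnames, realm and the `klist -kt` / `kvno` outputs below are constructed samples modelled on the formats shown in the thread; the assumption that the per-replica `kvno` output is collected by running `kvno` on each IPA server is mine, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample output of `klist -kt /etc/named.keytab` (modelled on the
# thread; hostnames and realm are placeholders, not the poster's).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/10/2016 17:57:38 DNS/ipa-01.example.test@EXAMPLE.TEST
   2 06/10/2016 17:57:38 DNS/ipa-01.example.test@EXAMPLE.TEST
"""

# Constructed sample `kvno` output as each replica's KDC would report it.
# Assumption: each entry was gathered by running `kvno <principal>` on that
# replica. ipa-02 reports a newer key version than the keytab holds, which is
# the replication-divergence situation described in the reply.
SAMPLE_KVNO_BY_SERVER = {
    "ipa-01.example.test": "DNS/ipa-01.example.test@EXAMPLE.TEST: kvno = 2\n",
    "ipa-02.example.test": "DNS/ipa-01.example.test@EXAMPLE.TEST: kvno = 3\n",
}

# klist -kt rows: "<kvno> <date> <time> <principal>"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)\s*$")
# kvno output: "<principal>: kvno = <n>"
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_klist_keytab(text):
    """Return {principal: set of kvnos} from `klist -kt` output.

    A keytab normally holds one row per encryption type, so the same
    principal/kvno pair repeats; collecting into a set handles that."""
    result = defaultdict(set)
    for line in text.splitlines():
        if line.startswith(("Keytab name:", "KVNO", "----")):
            continue
        m = KLIST_LINE.match(line)
        if m:
            result[m.group(2)].add(int(m.group(1)))
    return dict(result)


def parse_kvno(text):
    """Return {principal: kvno} from `kvno` output."""
    result = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def find_mismatches(keytab, per_server):
    """Return (server, principal, keytab_kvnos, server_kvno) tuples for every
    replica whose current key version for a principal is absent from the
    keytab. A GSSAPI bind against such a replica cannot succeed with this
    keytab, even though kinit against another replica works."""
    problems = []
    for server, output in sorted(per_server.items()):
        for principal, server_kvno in parse_kvno(output).items():
            have = keytab.get(principal, set())
            if server_kvno not in have:
                problems.append((server, principal, sorted(have), server_kvno))
    return problems


if __name__ == "__main__":
    keytab = parse_klist_keytab(SAMPLE_KLIST)
    for server, principal, have, want in find_mismatches(keytab, SAMPLE_KVNO_BY_SERVER):
        print(f"{server}: {principal} kvno {want} not in keytab (keytab has {have})")
```

Run against real output, the script only confirms or rules out the key-version divergence; if a replica's kvno differs from the keytab, the replication checks in the troubleshooting page linked above are the next step, and the keytab on the affected server has to be brought back in sync with the KDCs before switching named back from simple bind to GSSAPI.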