[Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

Matt Wells matt.wells at mosaic451.com
Fri Oct 7 20:03:27 UTC 2016


That's correct. Apparently it's unable to use the Kerberos credential to
utilize that service associated with the server.
Have you examined the keytab itself? Read it in and see what's inside of
it.

On Fri, Oct 7, 2016, 12:20 Fil Di Noto <fdinoto at gmail.com> wrote:

> I'm trying to interpret these log messages. It seems like server ipa03
> has no principal for the DNS service and is not able to replicate LDAP
> to the other 3 IPA servers. If that is correct:
>
> 1. Is "DNS" the service principal it should be using?
> 2. How do I correct this?
>         (what concerns me is that ipa03 is the server I designated as
> the server where administrative changes are made in case manual
> replication is needed)
>
>
> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to
> the LDAP server was lost
> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get
> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
> DNS/ipa03.example.com at EXAMPLE.COM)
> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl
> will reconnect in 60 seconds
> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to
> the LDAP server was lost
> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get
> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
> DNS/ipa03.example.com at EXAMPLE.COM)
> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl
> will reconnect in 60 seconds
> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to
> the LDAP server was lost
> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get
> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
> DNS/ipa03.example.com at EXAMPLE.COM)
> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl
> will reconnect in 60 seconds
>
>
-- 
Matt Wells
Chief Systems Architect
RHCA II, RHCVA - #110-000-353
(702) 808-0424
matt.wells at mosaic451.com
 Las Vegas | Phoenix | Portland Mosaic451.com
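As an added example (not code from either poster or from the FreeIPA project), here is how "read the keytab in and see what's inside of it" can be done without trusting anything but the file bytes. It assumes the MIT keytab file format, version 0x0502 (the big-endian layout that FreeIPA's /etc/named.keytab uses), and builds a constructed sample keytab in memory so it runs offline; the principal names, kvno 3, enctype 18 and the 0x11 key bytes are all made-up test data, not values from the thread.

```python
"""Parse a Kerberos keytab and report which required principals are missing.

Assumed: MIT keytab format version 0x0502 (big-endian). Sample data below is
constructed; on a real server pass the bytes from open("/etc/named.keytab", "rb").
"""
import struct
from dataclasses import dataclass
from typing import List

NT_PRINCIPAL = 1  # KRB5_NT_PRINCIPAL name type


@dataclass
class KeytabEntry:
    principal: str   # e.g. DNS/ipa03.example.com@EXAMPLE.COM
    kvno: int        # key version; must match the kvno the KDC holds for the principal
    enctype: int     # e.g. 18 = aes256-cts-hmac-sha1-96
    timestamp: int
    key_len: int     # the key material itself is skipped, only its length is kept


def _read_counted(data: bytes, off: int):
    """Read a 16-bit length-prefixed byte string at offset; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:             # negative size marks a deleted slot; skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen          # do not copy key material out of the file
        kvno = vno8
        if end - off >= 4:       # optional 32-bit kvno; MIT uses it when it is nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, ts, klen))
        off = end
    return entries


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialize one keytab entry; used here only to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", NT_PRINCIPAL, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def missing_principals(data: bytes, required: List[str]) -> List[str]:
    """Principals in `required` with no keytab entry: each would fail a keytab
    kinit with 'Keytab contains no suitable keys for <principal>'."""
    present = {e.principal for e in parse_keytab(data)}
    return [p for p in required if p not in present]


# Constructed sample: a named.keytab carrying only ipa02's DNS principal,
# preceded by one deleted slot (5 bytes) as ktutil leaves behind after "delkey".
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + struct.pack(">i", -5) + b"\x00" * 5
    + build_entry("DNS/ipa02.example.com@EXAMPLE.COM", kvno=3, enctype=18,
                  key=b"\x11" * 32, ts=1475865527)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}  kvno={e.kvno}  enctype={e.enctype}  keylen={e.key_len}")
    print("missing:", missing_principals(SAMPLE_KEYTAB, ["DNS/ipa03.example.com@EXAMPLE.COM"]))
```

On a live server `klist -kt /etc/named.keytab` prints the same principal, kvno and timestamp columns this parser extracts, so the script is mainly useful when you want to check a copied keytab from a machine without Kerberos tooling or compare several servers' keytabs in one pass. A principal that is present but carries a stale kvno, or only enctypes the KDC no longer issues, also fails the TGT fetch, so compare kvno and enctype against the KDC as well as the name.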