[Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

Fil Di Noto fdinoto at gmail.com
Fri Oct 7 20:24:40 UTC 2016


klist /etc/named.keytab
klist: Bad format in credentials cache

It's actually like this on all the servers, and I assume it is only
showing up in the logs for the 1 server because that is the server
where we make changes and it is trying to push changes out to the
rest.

If it were any other server than an IPA server I would just manually
ipa-getkeytab, but since it's also a KDC I'm having doubts about how
to proceed. What do you think Matt?

On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells <matt.wells at mosaic451.com> wrote:
> That's correct. Apparently it's unable to use the Kerberos credential to
> utilize that service associated with the server.
> Have you examined the keytab itself? Read it in and see what's inside of
> it.
>
>
> On Fri, Oct 7, 2016, 12:20 Fil Di Noto <fdinoto at gmail.com> wrote:
>>
>> I'm trying to interpret these log messages. It seems like server ipa03
>> has no principal for the DNS service and is not able to replicate LDAP
>> to the other 3 IPA servers. If that is correct:
>>
>> 1. Is "DNS" the service principal it should be using?
>> 2. How do I correct this?
>>         (what concerns me is that ipa03 is the server I designated as
>> the server where administrative changes are made in case manual
>> replication is needed)
>>
>>
>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to
>> the LDAP server was lost
>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get
>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>> DNS/ipa03.example.com at EXAMPLE.COM)
>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl
>> will reconnect in 60 seconds
>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to
>> the LDAP server was lost
>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get
>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>> DNS/ipa03.example.com at EXAMPLE.COM)
>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl
>> will reconnect in 60 seconds
>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to
>> the LDAP server was lost
>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get
>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>> DNS/ipa03.example.com at EXAMPLE.COM)
>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl
>> will reconnect in 60 seconds
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
> Matt Wells
> Chief Systems Architect
> RHCA II, RHCVA - #110-000-353
> (702) 808-0424
> matt.wells at mosaic451.com
>  Las Vegas | Phoenix | Portland Mosaic451.com
> CONFIDENTIALITY NOTICE: This transmittal is a confidential communication or
> may otherwise be privileged. If you are not the intended recipient, you are
> hereby notified that you have received this transmittal in error and that
> any review, dissemination, distribution or copying of this transmittal is
> strictly prohibited. If you have received this communication in error,
> please notify this office, and immediately delete this message and all its
> attachments, if any.
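The suggestion above to read the keytab in and see what is inside it, as an added example that is not part of the original thread and not FreeIPA or MIT Kerberos code. On a real server the check is `klist -ket /etc/named.keytab`; `klist` given a path without `-k` treats it as a credential cache, which is what produced "Bad format in credentials cache" in the message above. The parser below reads the MIT/Heimdal version-2 keytab format directly, so the same check can be done on a copy of the file without Kerberos tools. Host names, the realm, kvno values, timestamps and key bytes are all constructed for the example.

```python
"""Parse a Kerberos v2 keytab and check it for a principal's keys.

Added example for the keytab discussion above; not FreeIPA or MIT code.
Host names, realm, kvno values, timestamps and key bytes are constructed.
"""
import struct
from dataclasses import dataclass

# RFC 3961 enctype numbers that commonly appear in FreeIPA keytabs.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key: bytes


def _counted(buf, off):
    """Read a uint16 length-prefixed octet string at `off`."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + n]), off + n


def parse_keytab(data):
    """Return the entries of a version-2 keytab (the file klist -k reads)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:            # negative size marks a deleted slot: skip it
            off += -size
            continue
        rec, off = data[off:off + size], off + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", rec, p)
        p += 2
        realm, p = _counted(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", rec, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", rec, p)
        p += 4
        key, p = bytes(rec[p:p + klen]), p + klen
        kvno = vno8
        if len(rec) - p >= 4:   # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", rec, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, ts, key))
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples to a v2 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        rec = bytearray(struct.pack(">H", len(comps)))
        rec += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            rec += struct.pack(">H", len(c)) + c.encode()
        rec += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        rec += struct.pack(">HH", enctype, len(key)) + key
        rec += struct.pack(">I", kvno)
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def suitable_keys(entries, principal, enctypes=None):
    """Entries usable to obtain a TGT as `principal`; an empty list is the
    condition named reports as 'Keytab contains no suitable keys'."""
    return [e for e in entries
            if e.principal == principal and (enctypes is None or e.enctype in enctypes)]


def describe(entries):
    """Lines in the spirit of klist -ket: kvno, principal, enctype name."""
    return [f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            for e in entries]


# Constructed sample data: dummy key bytes, not real keys.
DNS_IPA03 = "DNS/ipa03.example.com@EXAMPLE.COM"
DNS_IPA02 = "DNS/ipa02.example.com@EXAMPLE.COM"
GOOD_KEYTAB = build_keytab([
    (DNS_IPA03, 2, 18, bytes(range(32)), 1475864327),
    (DNS_IPA03, 2, 17, bytes(range(16)), 1475864327),
])
# A keytab holding only DNS/ipa02 keys: asking it for DNS/ipa03 fails the
# same way as the log lines quoted above.
BROKEN_KEYTAB = build_keytab([
    (DNS_IPA02, 2, 18, bytes(range(32, 64)), 1475864327),
])

if __name__ == "__main__":
    for label, blob in (("ipa03", GOOD_KEYTAB), ("ipa02", BROKEN_KEYTAB)):
        entries = parse_keytab(blob)
        print(label, describe(entries))
        print("  keys suitable for", DNS_IPA03, ":", len(suitable_keys(entries, DNS_IPA03)))
```

The `suitable_keys` check is the one to run on each server's `/etc/named.keytab` against the `krb5_principal` that its named is configured with: if it returns nothing, the keytab and the configured principal do not match, which is what the quoted log lines report. Confirming that the key in the keytab is also the one the KDC currently holds needs a live test (`kinit -kt /etc/named.keytab DNS/ipa03.example.com`), since the file alone only shows the kvno.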




More information about the Freeipa-users mailing list