[Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

Fil Di Noto fdinoto at gmail.com
Fri Oct 7 21:05:59 UTC 2016


I forgot to add the -k in the klist command. Actually the keytab looks
correct. I noticed the file permissions were 0400 named:named but all
other service keytabs I see are 0600. I thought that might be an issue
so I tried changing the permissions to 0600 on all the servers but it
hasn't changed the result.

Any clue on whether those permissions (0400) are correct? I know folks
like to do named like that with chroots and such but that seems wrong
to me.

On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto <fdinoto at gmail.com> wrote:
> klist /etc/named.keytab
> klist: Bad format in credentials cache
>
> It's actually like this on all the servers, and I assume it is only
> showing up in the logs for the 1 server because that is the server
> where we make changes and it is trying to push changes out to the
> rest.
>
> If it were any other server than an IPA server I would just manually
> ipa-getkeytab, but since it's also a KDC I'm having doubts about how
> to proceed. What do you think Matt?
>
> On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells <matt.wells at mosaic451.com> wrote:
>> That's correct. Apparently it's unable to use the Kerberos credential to
>> utilize that service associated with the server.
>> Have you examined the keytab itself? Read it in and see what's inside of
>> it.
>>
>>
>> On Fri, Oct 7, 2016, 12:20 Fil Di Noto <fdinoto at gmail.com> wrote:
>>>
>>> I'm trying to interpret these log messages. It seems like server ipa03
>>> has no principal for the DNS service and is not able to replicate LDAP
>>> to the other 3 IPA servers. If that is correct:
>>>
>>> 1. Is "DNS" the service principal it should be using?
>>> 2. How do I correct this?
>>>         (what concerns me is that ipa03 is the server I designated as
>>> the server where administrative changes are made in case manual
>>> replication is needed)
>>>
>>>
>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to
>>> the LDAP server was lost
>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get
>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>> DNS/ipa03.example.com at EXAMPLE.COM)
>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl
>>> will reconnect in 60 seconds
>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to
>>> the LDAP server was lost
>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get
>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>> DNS/ipa03.example.com at EXAMPLE.COM)
>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl
>>> will reconnect in 60 seconds
>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to
>>> the LDAP server was lost
>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get
>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>> DNS/ipa03.example.com at EXAMPLE.COM)
>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl
>>> will reconnect in 60 seconds
>>>
>>
>> --
>> Matt Wells
>> Chief Systems Architect
>> RHCA II, RHCVA - #110-000-353
>> (702) 808-0424
>> matt.wells at mosaic451.com
>>  Las Vegas | Phoenix | Portland Mosaic451.com