[Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

Fil Di Noto fdinoto at gmail.com
Fri Oct 7 21:45:44 UTC 2016


Found it. Nothing to do with keytabs or their permissions. It was
settings in named.conf (sasl_user) which had the wrong server name.

On Fri, Oct 7, 2016 at 2:05 PM, Fil Di Noto <fdinoto at gmail.com> wrote:
> I forgot to add the -k in the klist command. Actually the keytab looks
> correct. I noticed the file permissions were 0400 named:named but all
> other service keytabs I see are 0600. I thought that might be an issue
> so I tried changing the permissions to 0600 on all the servers but it
> hasn't changed the result.
>
> Any clue on whether those permissions (0400) are correct? I know folks
> like to do named like that with chroots and such but that seems wrong
> to me.
>
> On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto <fdinoto at gmail.com> wrote:
>> klist /etc/named.keytab
>> klist: Bad format in credentials cache
>>
>> It's actually like this on all the servers, and I assume it is only
>> showing up in the logs for the 1 server because that is the server
>> where we make changes and it is trying to push changes out to the
>> rest.
>>
>> If it were any other server than an IPA server I would just manually
>> ipa-getkeytab, but since it's also a KDC I'm having doubts about how
>> to proceed. What do you think Matt?
>>
>> On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells <matt.wells at mosaic451.com> wrote:
>>> That's correct. Apparently it's unable to use the Kerberos credential to
>>> utilize that service associated with the server.
>>> Have you examined the key tab itself? Read it in and see what's inside of
>>> it.
>>>
>>>
>>> On Fri, Oct 7, 2016, 12:20 Fil Di Noto <fdinoto at gmail.com> wrote:
>>>>
>>>> I'm trying to interpret these log messages. It seems like server ipa03
>>>> has no principal for the DNS service and is not able to replicate LDAP
>>>> to the other 3 IPA servers. If that is correct:
>>>>
>>>> 1. Is "DNS" the service principal it should be using?
>>>> 2. How do I correct this?
>>>>         (what concerns me is that ipa03 is the server I designated as
>>>> the server where administrative changes are made in case manual
>>>> replication is needed)
>>>>
>>>>
>>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to
>>>> the LDAP server was lost
>>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get
>>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>>> DNS/ipa03.example.com at EXAMPLE.COM)
>>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl
>>>> will reconnect in 60 seconds
>>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to
>>>> the LDAP server was lost
>>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get
>>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>>> DNS/ipa03.example.com at EXAMPLE.COM)
>>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl
>>>> will reconnect in 60 seconds
>>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to
>>>> the LDAP server was lost
>>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get
>>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>>> DNS/ipa03.example.com at EXAMPLE.COM)
>>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl
>>>> will reconnect in 60 seconds
>>>>
>>>
>>> --
>>> Matt Wells
>>> Chief Systems Architect
>>> RHCA II, RHCVA - #110-000-353
>>> (702) 808-0424
>>> matt.wells at mosaic451.com
>>>  Las Vegas | Phoenix | Portland Mosaic451.com
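The root cause reported at the top of this thread (a `sasl_user` in named.conf that named another server, so named on ipa02 asked for a TGT as `DNS/ipa03.example.com` with a keytab that only holds ipa02's key) is cheap to check automatically. The following is an added example, not code from the thread or from FreeIPA: it parses a constructed named.conf fragment in the bind-dyndb-ldap `arg "sasl_user ..."` layout (assumed) and constructed `klist -k` output, verifies that the principal named will use is `DNS/<local fqdn>` with a key present in the keytab, and flags `named-pkcs11` syslog lines where the principal names a different host than the one logging.

```python
import re
# Constructed inputs (not from the thread) reproducing the mismatch it describes:
# ipa02's named.conf names ipa03's DNS principal; ipa02's keytab only holds its own key.
NAMED_CONF = """\
dynamic-db "ipa" {
        arg "server_id ipa02.example.com";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/ipa03.example.com";
};
"""
KLIST_K = """\
Keytab name: FILE:/etc/named.keytab
KVNO Principal
---- ---------------------------------------------
   2 DNS/ipa02.example.com@EXAMPLE.COM
"""
# Accepts both the `arg "sasl_user X"` and the newer `sasl_user "X"` layouts (assumed).
SASL_USER_RE = re.compile(r'sasl_user\s+"?([^"\s;]+)')
KEYTAB_LINE_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$", re.M)
# syslog: "Mon  D HH:MM:SS <host> named-pkcs11[pid]: ... using principal '<princ>' ..."
LOG_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s+named\S*\[\d+\]: .*using principal '([^']+)'")

def configured_principal(conf):
    """Principal named will authenticate as, taken from the sasl_user setting."""
    m = SASL_USER_RE.search(conf)
    return m.group(1) if m else None

def keytab_principals(klist_output):
    """Principals listed by `klist -k` (one 'KVNO principal' row per key)."""
    return set(KEYTAB_LINE_RE.findall(klist_output))

def check_named_identity(conf, klist_output, local_fqdn, realm):
    """Return a list of problems; an empty list means named's identity is consistent."""
    princ = configured_principal(conf)
    if princ is None:
        return ["no sasl_user setting found in named.conf"]
    problems = []
    if princ.split("@")[0] != f"DNS/{local_fqdn}":
        problems.append(f"sasl_user {princ} does not match this host (expected DNS/{local_fqdn})")
    full = princ if "@" in princ else f"{princ}@{realm}"
    if full not in keytab_principals(klist_output):
        problems.append(f"{full} has no key in the keytab")
    return problems

def log_principal_mismatches(lines):
    """(logging host, principal) pairs where named tried a principal naming another host."""
    hits = [LOG_RE.match(line) for line in lines]
    return [(m.group(1), m.group(2)) for m in hits
            if m and m.group(2).split("/", 1)[-1].split("@")[0] != m.group(1)]
```

On a real replica, feed `check_named_identity` the contents of /etc/named.conf, the output of `klist -k /etc/named.keytab`, the host's FQDN and realm; a non-empty result is the condition the thread's log lines were reporting.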