[Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

Jeff Goddard jgoddard at emerlyn.com
Wed Jan 4 21:21:09 UTC 2017


I don't want to hijack someone else's thread but I'm having what appears to
be the same problem and have not seen a solution presented yet.

Here is the output of journalctl -xe after having tried to start named:

Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
loading configuration from '/etc/named.conf'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
using default UDP/IPv4 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
using default UDP/IPv6 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
listening on IPv6 interfaces, port 53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
listening on IPv4 interface lo, 127.0.0.1#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
listening on IPv4 interface ens32, 10.73.100.31#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
generating session key for dynamic DNS
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
sizing zone task pool based on 6 zones
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
set up managed keys zone for view _default, file
'/var/named/dynamic/managed-keys.bind'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler
4.8.5 20150623 (Red Hat 4.8.5-11)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
option 'serial_autoincrement' is not supported, ignoring
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI
server step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI
server step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
GSSAPI client step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI
server step 3
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
LDAP error: Invalid credentials: bind to LDAP server failed
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
couldn't establish connection in LDAP connection pool: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
dynamic database 'ipa' configuration failed: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
loading configuration: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
exiting (due to fatal error)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
named-pkcs11.service: control process exited, code=exited status=1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to
start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit named-pkcs11.service has failed.
--
-- The result is failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit
named-pkcs11.service entered failed state.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
named-pkcs11.service failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]:
Unregistered Authentication Agent for unix-process:3936:380486 (system bus
name :1.59, object path /org/freedesktop/Policy

Here are the last four entries of /var/log/dirsrv/slapd-*/access | grep
ipa-dnskeysyncd:

[04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH
base="dc=internal,dc=emerlyn,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM
)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH
base="krbprincipalname=ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber
krbPrincipalName krbCanonicalName krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags
ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath
ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD
dn="krbprincipalname=ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM
,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
[04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH
base="dc=internal,dc=emerlyn,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97
nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at internal.emerlyn.com
,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"

My environment:
Freeipa 4.2.0
OS is Centos 7.2

This is a secondary replica (master) and the other replica can be pinged
but nslookup and dig fail to provide results even though the values are in
the /etc/hosts file:

127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4
::1         localhost localhost.localdomain localhost6
localhost6.localdomain6
10.72.100.16 id-management-1.internal.emerlyn.com
10.73.100.31 id-management-2.internal.emerlyn.com


Any assistance in solving this would be greatly appreciated, and thanks
for both the great product and the support already provided.

Jeff
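An added triage script, not from the post or from FreeIPA, that parses journalctl lines and 389-ds access log records of the kind shown above, re-joins the mail-wrapped DN, and reports for each failed LDAP bind the last GSSAPI client step logged and which service-principal entries the access log shows being modified beforehand. The hostnames, DNs and realm in the samples are constructed placeholders, and the year is an assumption because the journal omits it.

```python
import re
from datetime import datetime
# Constructed samples modelled on the post's journalctl / 389-ds access log output (placeholder hosts, DNs, realm).
JOURNAL = """Jan 04 15:48:42 idm2.example.test named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 idm2.example.test named-pkcs11[3948]: GSSAPI client step 2
Jan 04 15:48:42 idm2.example.test named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed"""
ACCESS = """[04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/
idm2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0"""

ACCESS_RE = re.compile(r'^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)\.\d+ [+-]\d{4}\] conn=(\d+) op=(\d+) (\w+)(.*)$')
JOURNAL_RE = re.compile(r'^(\w{3} \d\d \d\d:\d\d:\d\d) \S+ ([\w.-]+)\[\d+\]: (.*)$')
PRINC_RE = re.compile(r'krbprincipalname=([^,]+),cn=services', re.I)

def parse_access(text):
    """Parse access log records; mail-wrapped continuation lines (no leading '[') are re-joined."""
    recs = [r.replace("\n", "") for r in re.split(r"\n(?=\[)", text)]
    out = []
    for m in filter(None, map(ACCESS_RE.match, recs)):
        ts, conn, op, kind, rest = m.groups()
        dn = re.search(r'dn="([^"]*)"', rest)
        out.append({"time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), "conn": int(conn),
                    "op": int(op), "kind": kind, "dn": dn.group(1) if dn else ""})
    return out

def parse_journal(text, year):
    """Parse journalctl lines; the journal omits the year, so the caller supplies it (assumed)."""
    out = []
    for m in filter(None, map(JOURNAL_RE.match, text.splitlines())):
        ts, unit, msg = m.groups()
        out.append({"time": datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year),
                    "unit": unit, "msg": msg})
    return out

def correlate(journal_text, access_text, year):
    """Per 'bind to LDAP server failed' message: the unit, the last GSSAPI client step it logged,
    and service principals (entries under cn=services) modified before the failure. Times are
    compared naively; the journal is local time while the access log carries its own offset."""
    mods = [(r["time"], PRINC_RE.search(r["dn"])) for r in parse_access(access_text) if r["kind"] == "MOD"]
    mods = [(t, m.group(1)) for t, m in mods if m]
    findings, last_step = [], {}
    for e in parse_journal(journal_text, year):
        step = re.search(r"GSSAPI client step (\d+)", e["msg"])
        if step:
            last_step[e["unit"]] = int(step.group(1))
        elif "bind to LDAP server failed" in e["msg"]:
            findings.append({"unit": e["unit"], "failed_at": e["time"],
                             "last_gssapi_step": last_step.get(e["unit"]),
                             "modified_principals": sorted({p for t, p in mods if t <= e["time"]})})
    return findings
```

Running `correlate(JOURNAL, ACCESS, 2017)` on the samples reports the named-pkcs11 failure after client step 2 with the ipa-dnskeysyncd service entry among those modified earlier; on real logs, feed it the full journal and access log text.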