[Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}
Martin Basti
mbasti at redhat.com
Thu Jan 5 08:43:05 UTC 2017
On 04.01.2017 22:21, Jeff Goddard wrote:
> I don't want to hijack someone else's thread but I'm having what
> appears to be the same problem and have not seen a solution presented yet.
>
> Here is the output of journalctl -xe after having tried to start named:
>
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
> -- Subject: Unit named-pkcs11.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit named-pkcs11.service has failed.
> --
> -- The result is failed.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit named-pkcs11.service entered failed state.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service failed.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy
>
> Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep
> ipa-dnskeysyncdcat:
>
> [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
> [04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
> [04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
>
> My environment:
> Freeipa 4.2.0
> OS is Centos 7.2
>
> This is a secondary replica (master) and the other replica can be
> pinged but nslookup and dig fail to provide results even though the
> values are in the /etc/hosts file:
>
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> 10.72.100.16 id-management-1.internal.emerlyn.com
> 10.73.100.31 id-management-2.internal.emerlyn.com
>
>
> Any assistance in solving this would be greatly appreciated, and
> thanks for both the great product and the support already provided.
>
> Jeff
>
>
>
Hello,
what does the /etc/sysconfig/dirsrv file contain?
Can you kinit as DNS?
kinit -kt /etc/named.keytab DNS/$HOSTNAME
Martin^2
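The two checks suggested in the reply, scripted as an added example (this is not code from the thread or from FreeIPA). It assumes the default FreeIPA paths named in the reply (/etc/named.keytab, /etc/sysconfig/dirsrv), takes the host name from $HOSTNAME as the reply's kinit line does, and carries a constructed `klist -kt` listing so the keytab parser can be tried without a real keytab.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: script the two
# checks suggested in the reply. Paths default to the FreeIPA locations the
# reply names; the host name follows the reply's DNS/$HOSTNAME convention.
set -u

KEYTAB="${KEYTAB:-/etc/named.keytab}"
DIRSRV_SYSCONFIG="${DIRSRV_SYSCONFIG:-/etc/sysconfig/dirsrv}"
HOST_FQDN="${HOSTNAME:-$(hostname -f 2>/dev/null || echo localhost)}"

# Constructed sample of `klist -kt` output (assumption: two DNS entries with the
# same KVNO plus one host principal), so the parser can be exercised offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/04/2017 15:28:37 DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM
   2 01/04/2017 15:28:37 DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM
   1 01/04/2017 15:28:37 host/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM'

# Print the distinct principals in `klist -kt` output read from stdin.
# Entries follow the dashed header line; the principal is the last field,
# after the KVNO and the two-field timestamp.
principals_from_klist() {
    awk 'p && NF { print $NF } /^----/ { p = 1 }' | sort -u
}

# Exit 0 if the klist output on stdin holds a DNS/<host> principal for the
# host given as $1 (in any realm), 1 otherwise.
has_dns_principal() {
    principals_from_klist | grep -q "^DNS/$1@"
}

# Parse the constructed sample; checks the parser without touching a keytab.
demo_parse() {
    printf '%s\n' "$SAMPLE_KLIST" | principals_from_klist
}

# Check 1: what does /etc/sysconfig/dirsrv contain? On an IPA server it points
# the directory server at its own keytab through KRB5_KTNAME, so a missing or
# wrong value there breaks every GSSAPI bind, not only named's.
check_dirsrv_sysconfig() {
    [ -r "$DIRSRV_SYSCONFIG" ] || { echo "missing or unreadable: $DIRSRV_SYSCONFIG"; return 1; }
    grep -n 'KRB5_KTNAME' "$DIRSRV_SYSCONFIG" \
        || { echo "no KRB5_KTNAME line in $DIRSRV_SYSCONFIG"; return 1; }
}

# Check 2: can DNS/$HOST_FQDN get a ticket from the named keytab? A private
# in-memory credential cache keeps the test away from the services' own caches.
check_dns_kinit() {
    [ -r "$KEYTAB" ] || { echo "cannot read $KEYTAB (run as root?)"; return 1; }
    klist -kt "$KEYTAB" | has_dns_principal "$HOST_FQDN" \
        || { echo "no DNS/$HOST_FQDN entry in $KEYTAB; principals present:"
             klist -kt "$KEYTAB" | principals_from_klist; return 1; }
    KRB5CCNAME="MEMORY:named-keytab-check" kinit -kt "$KEYTAB" "DNS/$HOST_FQDN" \
        && echo "kinit as DNS/$HOST_FQDN succeeded: keytab and KDC agree on the key"
}

# Live checks run only when asked for, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    check_dirsrv_sysconfig
    check_dns_kinit
fi
```

Run it as root with `--run` on the replica. If the second check fails with the same "invalid credentials" style error, the key in /etc/named.keytab no longer matches what the KDC holds for the DNS principal; if the first check finds no KRB5_KTNAME, the directory server itself cannot accept any GSSAPI bind, which would explain the failure on the LDAP side of the GSSAPI exchange shown in the journal.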