[Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

Jeff Goddard jgoddard at emerlyn.com
Thu Jan 5 13:48:08 UTC 2017


Running the command displays no output.

Here is the config file output:

# This file is sourced by dirsrv upon startup to set
# the default environment for all directory server instances.
# To set instance specific defaults, use the file in the same
# directory called dirsrv-instance where "instance"
# is the name of your directory server instance e.g.
# dirsrv-localhost for the slapd-localhost instance.

# This file is in systemd EnvironmentFile format - see man systemd.exec

# In order to make more file descriptors available
# to the directory server, first make sure the system
# hard limits are raised, then use ulimit - uncomment
# out the following line and change the value to the
# desired value
# ulimit -n 8192
# note - if using systemd, ulimit won't work -  you must edit
# the systemd unit file for directory server to add the
# LimitNOFILE option - see man systemd.exec for more info

# A per instance keytab does not make much sense for servers.
# Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there
# is nothing that can make a client understand how to get a per-instance ticket.
# Therefore by default a keytab should be considered a per server option.

# Also this file is sourced for all instances, so again all
# instances would ultimately get the same keytab.

# Finally a keytab is normally named either krb5.keytab or <service>.keytab

# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
# if using systemd, omit the "; export VARNAME" at the end

# how many seconds to wait for the startpid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#STARTPID_TIME=10 ; export STARTPID_TIME
# how many seconds to wait for the pid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#PID_TIME=600 ; export PID_TIME
KRB5CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab

I tried reinstalling with ipa-dns-install and it failed with errors. From
the logs it looks like it sets resolv.conf to 127.0.0.1 and then tries to
do lookups and fails. Here are selections from the logs:

2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
2017-01-05T13:13:47Z DEBUG   [4/8]: setting up kerberos principal
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM -x
ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/
admin at INTERNAL.EMERLYN.COM with password.

2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM; defaulting to no
policy
add_principal: Principal or policy already exists while creating "DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM".

2017-01-05T13:13:47Z DEBUG Backing up system configuration file
'/etc/named.keytab'
2017-01-05T13:13:47Z DEBUG Saving Index File to
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab
DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM -x
ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/
admin at INTERNAL.EMERLYN.COM with password.
Entry for principal DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type aes256-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type aes128-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type arcfour-hmac added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type camellia128-cts-cmac added to keytab
WRFILE:/etc/named.keytab.
Entry for principal DNS/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type camellia256-cts-cmac added to keytab
WRFILE:/etc/named.keytab.

2017-01-05T13:13:47Z DEBUG stderr=
2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
2017-01-05T13:13:47Z DEBUG   [5/8]: setting up named.conf
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
2017-01-05T13:13:47Z DEBUG   [6/8]: setting up server configuration
2017-01-05T13:13:47Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:47Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c48440>
2017-01-05T13:13:48Z DEBUG raw: dnsserver_add(u'
id-management-2.internal.emerlyn.com', idnssoamname=<DNS name
id-management-2.internal.emerlyn.com.>, version=u'2.213')
2017-01-05T13:13:48Z DEBUG dnsserver_add(u'
id-management-2.internal.emerlyn.com', idnssoamname=<DNS name
id-management-2.internal.emerlyn.com.>, all=False, raw=False,
version=u'2.213')
2017-01-05T13:13:48Z DEBUG raw: dnsserver_mod(u'
id-management-2.internal.emerlyn.com', idnsforwarders=[u'10.72.100.16'],
idnsforwardpolicy=u'only', version=u'2.213')
2017-01-05T13:13:48Z DEBUG dnsserver_mod(u'
id-management-2.internal.emerlyn.com', idnsforwarders=(u'10.72.100.16',),
idnsforwardpolicy=u'only', rights=False, all=False, raw=False,
version=u'2.213')
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:48Z DEBUG Saving StateFile to
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG   [7/8]: configuring named to start on boot
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable named-pkcs11.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG service DNS startup entry already enabled
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop named.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask named.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=Created symlink from
/etc/systemd/system/named.service to /dev/null.

2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG   [8/8]: changing resolv.conf to point to
ourselves
2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG Done configuring DNS (named).
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop ipa-dnskeysyncd.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG Configuring DNS key synchronization service
(ipa-dnskeysyncd)
2017-01-05T13:13:48Z DEBUG   [1/7]: checking status
2017-01-05T13:13:48Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:48Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2c20>
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG   [2/7]: setting up bind-dyndb-ldap working
directory
2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG   [3/7]: setting up kerberos principal
2017-01-05T13:13:48Z DEBUG Removing service keytab:
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc -randkey
ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM
-x ipa-setup-override-restrictions
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=Authenticating as principal admin/
admin at INTERNAL.EMERLYN.COM with password.

2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy specified for
ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM;
defaulting to no policy
add_principal: Principal or policy already exists while creating
"ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM".

2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM -x
ipa-setup-override-restrictions
2017-01-05T13:13:49Z DEBUG Process finished, return code=0
2017-01-05T13:13:49Z DEBUG stdout=Authenticating as principal admin/
admin at INTERNAL.EMERLYN.COM with password.
Entry for principal ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type aes256-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type aes128-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type des3-cbc-sha1 added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type arcfour-hmac added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type camellia128-cts-cmac added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/
id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM with kvno 7,
encryption type camellia256-cts-cmac added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.

2017-01-05T13:13:49Z DEBUG stderr=
2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
2017-01-05T13:13:49Z DEBUG   [4/7]: setting up SoftHSM
2017-01-05T13:13:49Z DEBUG Creating new softhsm config file
2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
2017-01-05T13:13:49Z DEBUG   [5/7]: adding DNSSEC containers
2017-01-05T13:13:49Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ec9998>
2017-01-05T13:13:49Z INFO DNSSEC container exists (step skipped)
2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
2017-01-05T13:13:49Z DEBUG   [6/7]: creating replica keys
2017-01-05T13:13:49Z DEBUG Creating replica's key pair
2017-01-05T13:13:49Z DEBUG Storing replica public key to LDAP,
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=internal,dc=emerlyn,dc=com
2017-01-05T13:13:49Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2830>
2017-01-05T13:13:50Z DEBUG Replica public key stored
2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for old replica keys
2017-01-05T13:13:50Z DEBUG Changing ownership of token files
2017-01-05T13:13:50Z DEBUG   duration: 0 seconds
2017-01-05T13:13:50Z DEBUG   [7/7]: configuring ipa-dnskeysyncd to start on
boot
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable
ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG service DNSKeySync startup entry already enabled
2017-01-05T13:13:50Z DEBUG   duration: 0 seconds
2017-01-05T13:13:50Z DEBUG Done configuring DNS key synchronization service
(ipa-dnskeysyncd).
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart
ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active
ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=active

2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG Restarting named
2017-01-05T13:13:50Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart named-pkcs11.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=1
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=Job for named-pkcs11.service failed
because the control process exited with error code. See "systemctl status
named-pkcs11.service" and "journalctl -xe" for details.

It looks to me like the change in resolv.conf is causing all subsequent
lookups to fail.

Jeff

On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti <mbasti at redhat.com> wrote:

>
>
> On 04.01.2017 22:21, Jeff Goddard wrote:
>
> I don't want to hijack someone else's thread but I'm having what appears
> to be the same problem and have not seen a solution presented yet.
>
> Here is the output of journalctl -xe after having tried to start named:
>
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> loading configuration from '/etc/named.conf'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> reading built-in trusted keys from file '/etc/named.iscdlv.key'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> using default UDP/IPv4 port range: [1024, 65535]
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> using default UDP/IPv6 port range: [1024, 65535]
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> listening on IPv6 interfaces, port 53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> listening on IPv4 interface lo, 127.0.0.1#53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> listening on IPv4 interface ens32, 10.73.100.31#53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> generating session key for dynamic DNS
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> sizing zone task pool based on 6 zones
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> set up managed keys zone for view _default, file
> '/var/named/dynamic/managed-keys.bind'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler
> 4.8.5 20150623 (Red Hat 4.8.5-11)
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> option 'serial_autoincrement' is not supported, ignoring
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
> GSSAPI server step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
> GSSAPI server step 2
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> GSSAPI client step 2
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
> GSSAPI server step 3
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> LDAP error: Invalid credentials: bind to LDAP server failed
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> couldn't establish connection in LDAP connection pool: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> dynamic database 'ipa' configuration failed: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> loading configuration: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
> exiting (due to fatal error)
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
> named-pkcs11.service: control process exited, code=exited status=1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed
> to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
> -- Subject: Unit named-pkcs11.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit named-pkcs11.service has failed.
> --
> -- The result is failed.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit
> named-pkcs11.service entered failed state.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
> named-pkcs11.service failed.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]:
> Unregistered Authentication Agent for unix-process:3936:380486 (system bus
> name :1.59, object path /org/freedesktop/Policy
>
> Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep
> ipa-dnskeysyncdcat:
>
> [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH
> base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=
> krbprincipalaux)(objectClass=krbprincipal)(objectClass=
> ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.
> internal.emerlyn.com at INTERNAL.EMERLYN.COM)(krbPrincipalName:
> caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.
> internal.emerlyn.com at INTERNAL.EMERLYN.COM)))" attrs="krbPrincipalName
> krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> [04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH
> base="krbprincipalname=ipa-dnskeysyncd/id-management-2.
> internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=
> accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)"
> attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript
> ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
> [04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD
> dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.
> internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=
> accounts,dc=internal,dc=emerlyn,dc=com"
> [04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH
> base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=
> krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-
> dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink objectClass"
> [04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97
> nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.
> internal.emerlyn.com at internal.emerlyn.com,cn=services,cn=
> accounts,dc=internal,dc=emerlyn,dc=com"
>
> My environment:
> Freeipa 4.2.0
> OS is Centos 7.2
>
> This is a secondary replica (master) and the other replica can be pinged
> but nslookup and dig fail to provide results even though the values are in
> the /etc/hosts file:
>
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 10.72.100.16 id-management-1.internal.emerlyn.com
> 10.73.100.31 id-management-2.internal.emerlyn.com
>
>
> Any assistance in solving this would be greatly appreciated and thanks
> for both the great product and the support already provided.
>
> Jeff
>
> Hello,
>
> what does the /etc/sysconfig/dirsrv file contain?
>
> can you kinit as DNS?
>
> kinit -kt /etc/named.keytab DNS/$HOSTNAME
>
> Martin^2
>
>


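An added example, not code from FreeIPA or 389-ds, showing how to pull bind outcomes out of the dirsrv access log Jeff grepped above: a SASL/GSSAPI bind spans several ops whose intermediate bindResponses (tag=97) carry err=14, and the final RESULT carries either the dn the server mapped the principal to (as in the quoted conn=281 line) or an error such as err=49, which is what named-pkcs11 surfaces as "Invalid credentials". The sample lines are constructed, modelled on the quoted log; nothing else is assumed.

```python
import re
from collections import namedtuple

# LDAP result codes seen on bindResponse (tag=97) lines.
SASL_BIND_IN_PROGRESS = 14   # intermediate GSSAPI step, not a failure
INVALID_CREDENTIALS = 49     # the code behind "Invalid credentials"

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"(?:.*? mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)(?:.* dn="(?P<dn>[^"]*)")?')

BindOutcome = namedtuple("BindOutcome", "ts conn mech err mapped_dn")


def bind_outcomes(lines):
    """Pair each BIND with the bindResponse of the same conn/op and return
    the final outcome of every bind, skipping err=14 intermediate steps."""
    pending = {}           # (conn, op) -> (timestamp, mechanism)
    outcomes = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue       # connection open/close lines, unrelated ops
        key = (int(m['conn']), int(m['op']))
        b = BIND_RE.match(m['rest'])
        if b:
            pending[key] = (m['ts'], b['mech'] or 'simple')
            continue
        r = RESULT_RE.match(m['rest'])
        if not (r and r['tag'] == '97' and key in pending):
            continue
        ts, mech = pending.pop(key)
        err = int(r['err'])
        if err == SASL_BIND_IN_PROGRESS:
            continue       # more GSSAPI steps follow on this connection
        outcomes.append(BindOutcome(ts, key[0], mech, err, r['dn'] or ''))
    return outcomes


def failed_binds(lines):
    """Only the binds that ended in an error (what to look at first)."""
    return [o for o in bind_outcomes(lines) if o.err != 0]


# Constructed sample: one GSSAPI bind that succeeds and maps to the
# ipa-dnskeysyncd service entry, one that fails with err=49.
SAMPLE_LOG = """\
[04/Jan/2017:15:28:37.470000000 -0500] conn=281 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:28:37.471000000 -0500] conn=281 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jan/2017:15:28:37.475000000 -0500] conn=281 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:28:37.476000000 -0500] conn=281 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jan/2017:15:28:37.480000000 -0500] conn=281 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
[04/Jan/2017:15:48:42.100000000 -0500] conn=290 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:48:42.101000000 -0500] conn=290 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jan/2017:15:48:42.105000000 -0500] conn=290 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:48:42.106000000 -0500] conn=290 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""

if __name__ == "__main__":
    for o in bind_outcomes(SAMPLE_LOG.splitlines()):
        print(o.ts, "conn=%d" % o.conn, o.mech, "err=%d" % o.err, o.mapped_dn)
```

On a live server feed it the real file, e.g. `bind_outcomes(open('/var/log/dirsrv/slapd-INTERNAL-EMERLYN-COM/access'))`, and read the mapped dn of the successful binds against the principal the failing service actually uses.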