[Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

Martin Basti mbasti at redhat.com
Thu Jan 5 14:08:26 UTC 2017


Hello,

Could you check this link:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed

kinit prints nothing when it works, so it works in your case. After 
kinit as the DNS service, can you try to use ldapsearch -Y GSSAPI?


Martin



On 05.01.2017 14:58, Jeff Goddard wrote:
>
> ---------- Forwarded message ----------
> From: Jeff Goddard <jgoddard at emerlyn.com>
> Date: Thu, Jan 5, 2017 at 8:57 AM
> Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP 
> server failed: {'desc': 'Invalid credentials'}
> To: Martin Basti <mbasti at redhat.com>
>
>
>
>
> On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti <mbasti at redhat.com> wrote:
>
>
>
>     On 04.01.2017 22:21, Jeff Goddard wrote:
>>     I don't want to hijack someone else's thread but I'm having what
>>     appears to be the same problem and have not seen a solution
>>     presented yet.
>>
>>     Here is the output of journalctl -xe after having tried to start
>>     named:
>>
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>     -- Subject: Unit named-pkcs11.service has failed
>>     -- Defined-By: systemd
>>     -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>     --
>>     -- Unit named-pkcs11.service has failed.
>>     --
>>     -- The result is failed.
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit named-pkcs11.service entered failed state.
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service failed.
>>     Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy
>>
>>     Here are the last four entries of /var/log/dirsrv/slapd-*/access
>>     |grep ipa-dnskeysyncdcat:
>>
>>     [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH
>>     base="dc=internal,dc=emerlyn,dc=com" scope=2
>>     filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM)))"
>>     attrs="krbPrincipalName krbCanonicalName krbUPEnabled
>>     krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration
>>     krbPasswordExpiration krbPwdPolicyReference krbPrincipalType
>>     krbPwdHistory krbLastPwdChange krbPrincipalAliases
>>     krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>>     krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
>>     krbObjectReferences krbTicketFlags krbMaxTicketLife
>>     krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>>     ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>     [04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH
>>     base="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
>>     scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
>>     gidNumber krbPrincipalName krbCanonicalName
>>     krbTicketPolicyReference krbPrincipalExpiration
>>     krbPasswordExpiration krbPwdPolicyReference krbPrincipalType
>>     krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
>>     krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock
>>     krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript
>>     ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
>>     [04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD
>>     dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
>>     [04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH
>>     base="dc=internal,dc=emerlyn,dc=com" scope=2
>>     filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM))"
>>     attrs="krbPrincipalName krbCanonicalName krbUPEnabled
>>     krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration
>>     krbPasswordExpiration krbPwdPolicyReference krbPrincipalType
>>     krbPwdHistory krbLastPwdChange krbPrincipalAliases
>>     krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>>     krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
>>     krbObjectReferences krbTicketFlags krbMaxTicketLife
>>     krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
>>     ipaUserAuthType ipatokenRadiusConfigLink objectClass"
>>     [04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0
>>     tag=97 nentries=0 etime=0
>>     dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
>>
>>     My environment:
>>     Freeipa 4.2.0
>>     OS is Centos 7.2
>>
>>     This is a secondary replica (master) and the other replica can be
>>     pinged but nslookup and dig fail to provide results even though
>>     the values are in the /etc/hosts file:
>>
>>     127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
>>     ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
>>     10.72.100.16 id-management-1.internal.emerlyn.com
>>     10.73.100.31 id-management-2.internal.emerlyn.com
>>
>>
>>     Any assistance in solving this would be greatly appreciated,
>>     and thanks for both the great product and the support already
>>     provided.
>>
>>     Jeff
>>
>>
>>
>
>
>     Hello,
>
>     What does the /etc/sysconfig/dirsrv file contain?
>
>     Can you kinit as DNS?
>
>     kinit -kt /etc/named.keytab DNS/$HOSTNAME
>
>     Martin^2
>
> The kinit -kt /etc/named.keytab DNS/$HOSTNAME command returns nothing.
> Here is the requested file output:
>
> # This file is sourced by dirsrv upon startup to set
> # the default environment for all directory server instances.
> # To set instance specific defaults, use the file in the same
> # directory called dirsrv-instance where "instance"
> # is the name of your directory server instance e.g.
> # dirsrv-localhost for the slapd-localhost instance.
>
> # This file is in systemd EnvironmentFile format - see man systemd.exec
>
> # In order to make more file descriptors available
> # to the directory server, first make sure the system
> # hard limits are raised, then use ulimit - uncomment
> # out the following line and change the value to the
> # desired value
> # ulimit -n 8192
> # note - if using systemd, ulimit won't work -  you must edit
> # the systemd unit file for directory server to add the
> # LimitNOFILE option - see man systemd.exec for more info
>
> # A per instance keytab does not make much sense for servers.
> # Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there
> # is nothing that can make a client understand how to get a per-instance ticket.
> # Therefore by default a keytab should be considered a per server option.
>
> # Also this file is sourced for all instances, so again all
> # instances would ultimately get the same keytab.
>
> # Finally a keytab is normally named either krb5.keytab or <service>.keytab
>
> # In order to use SASL/GSSAPI (Kerberos) the directory
> # server needs to know where to find its keytab
> # file - uncomment the following line and set
> # the path and filename appropriately
> # if using systemd, omit the "; export VARNAME" at the end
>
> # how many seconds to wait for the startpid file to show
> # up before we assume there is a problem and fail to start
> # if using systemd, omit the "; export VARNAME" at the end
> #STARTPID_TIME=10 ; export STARTPID_TIME
> # how many seconds to wait for the pid file to show
> # up before we assume there is a problem and fail to start
> # if using systemd, omit the "; export VARNAME" at the end
> #PID_TIME=600 ; export PID_TIME
> KRB5CCNAME=/tmp/krb5cc_389
> KRB5_KTNAME=/etc/dirsrv/ds.keytab
>
> I tried to re-install (ipa-install-dns) and here is the install log. I 
> highlighted in red below where I think the problem may be coming from.
>
> 2017-01-05T13:13:47Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:47Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:47Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:47Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:47Z DEBUG   [4/8]: setting up kerberos principal
> 2017-01-05T13:13:47Z DEBUG Starting external process
> 2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM -x 
> ipa-setup-override-restrictions
> 2017-01-05T13:13:47Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal 
> admin/admin at INTERNAL.EMERLYN.COM with password.
>
> 2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM; 
> defaulting to no policy
> add_principal: Principal or policy already exists while creating 
> "DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM".
>
> 2017-01-05T13:13:47Z DEBUG Backing up system configuration file 
> '/etc/named.keytab'
> 2017-01-05T13:13:47Z DEBUG Saving Index File to 
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-01-05T13:13:47Z DEBUG Starting external process
> 2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k 
> /etc/named.keytab 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM -x 
> ipa-setup-override-restrictions
> 2017-01-05T13:13:47Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal 
> admin/admin at INTERNAL.EMERLYN.COM with password.
> Entry for principal 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab 
> WRFILE:/etc/named.keytab.
> Entry for principal 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab 
> WRFILE:/etc/named.keytab.
> Entry for principal 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type des3-cbc-sha1 added to keytab 
> WRFILE:/etc/named.keytab.
> Entry for principal 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type arcfour-hmac added to keytab 
> WRFILE:/etc/named.keytab.
> Entry for principal 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type camellia128-cts-cmac added to keytab 
> WRFILE:/etc/named.keytab.
> Entry for principal 
> DNS/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type camellia256-cts-cmac added to keytab 
> WRFILE:/etc/named.keytab.
>
> 2017-01-05T13:13:47Z DEBUG stderr=
> 2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:47Z DEBUG   [5/8]: setting up named.conf
> 2017-01-05T13:13:47Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:47Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:47Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:47Z DEBUG   [6/8]: setting up server configuration
> 2017-01-05T13:13:47Z DEBUG flushing 
> ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
> 2017-01-05T13:13:47Z DEBUG retrieving schema for SchemaCache 
> url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket 
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c48440>
> 2017-01-05T13:13:48Z DEBUG raw: 
> dnsserver_add(u'id-management-2.internal.emerlyn.com', idnssoamname=<DNS name 
> id-management-2.internal.emerlyn.com.>, version=u'2.213')
> 2017-01-05T13:13:48Z DEBUG 
> dnsserver_add(u'id-management-2.internal.emerlyn.com', idnssoamname=<DNS name 
> id-management-2.internal.emerlyn.com.>, all=False, raw=False, 
> version=u'2.213')
> 2017-01-05T13:13:48Z DEBUG raw: 
> dnsserver_mod(u'id-management-2.internal.emerlyn.com', 
> idnsforwarders=[u'10.72.100.16'], idnsforwardpolicy=u'only', 
> version=u'2.213')
> 2017-01-05T13:13:48Z DEBUG 
> dnsserver_mod(u'id-management-2.internal.emerlyn.com', 
> idnsforwarders=(u'10.72.100.16',), idnsforwardpolicy=u'only', 
> rights=False, all=False, raw=False, version=u'2.213')
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:48Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG   [7/8]: configuring named to start on boot
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable 
> named-pkcs11.service
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=
> 2017-01-05T13:13:48Z DEBUG stderr=
> 2017-01-05T13:13:48Z DEBUG service DNS startup entry already enabled
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop named.service
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=
> 2017-01-05T13:13:48Z DEBUG stderr=
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask named.service
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=
> 2017-01-05T13:13:48Z DEBUG stderr=Created symlink from 
> /etc/systemd/system/named.service to /dev/null.
>
> 2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG   [8/8]: changing resolv.conf to point to 
> ourselves
> 2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG Done configuring DNS (named).
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop 
> ipa-dnskeysyncd.service
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=
> 2017-01-05T13:13:48Z DEBUG stderr=
> 2017-01-05T13:13:48Z DEBUG Configuring DNS key synchronization service 
> (ipa-dnskeysyncd)
> 2017-01-05T13:13:48Z DEBUG   [1/7]: checking status
> 2017-01-05T13:13:48Z DEBUG flushing 
> ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
> 2017-01-05T13:13:48Z DEBUG retrieving schema for SchemaCache 
> url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket 
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2c20>
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG   [2/7]: setting up bind-dyndb-ldap working 
> directory
> 2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG   [3/7]: setting up kerberos principal
> 2017-01-05T13:13:48Z DEBUG Removing service keytab: 
> /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc -randkey 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM -x 
> ipa-setup-override-restrictions
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=Authenticating as principal 
> admin/admin at INTERNAL.EMERLYN.COM with password.
>
> 2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy specified for 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM; 
> defaulting to no policy
> add_principal: Principal or policy already exists while creating 
> "ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM".
>
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k 
> /etc/ipa/dnssec/ipa-dnskeysyncd.keytab 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM -x 
> ipa-setup-override-restrictions
> 2017-01-05T13:13:49Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:49Z DEBUG stdout=Authenticating as principal 
> admin/admin at INTERNAL.EMERLYN.COM with password.
> Entry for principal 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab 
> WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
> Entry for principal 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab 
> WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
> Entry for principal 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type des3-cbc-sha1 added to keytab 
> WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
> Entry for principal 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type arcfour-hmac added to keytab 
> WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
> Entry for principal 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type camellia128-cts-cmac added to keytab 
> WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
> Entry for principal 
> ipa-dnskeysyncd/id-management-2.internal.emerlyn.com at INTERNAL.EMERLYN.COM 
> with kvno 7, encryption type camellia256-cts-cmac added to keytab 
> WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
>
> 2017-01-05T13:13:49Z DEBUG stderr=
> 2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:49Z DEBUG   [4/7]: setting up SoftHSM
> 2017-01-05T13:13:49Z DEBUG Creating new softhsm config file
> 2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:49Z DEBUG   [5/7]: adding DNSSEC containers
> 2017-01-05T13:13:49Z DEBUG flushing 
> ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
> 2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache 
> url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket 
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ec9998>
> 2017-01-05T13:13:49Z INFO DNSSEC container exists (step skipped)
> 2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:49Z DEBUG   [6/7]: creating replica keys
> 2017-01-05T13:13:49Z DEBUG Creating replica's key pair
> 2017-01-05T13:13:49Z DEBUG Storing replica public key to LDAP, 
> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=internal,dc=emerlyn,dc=com
> 2017-01-05T13:13:49Z DEBUG flushing 
> ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
> 2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache 
> url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket 
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2830>
> 2017-01-05T13:13:50Z DEBUG Replica public key stored
> 2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for old replica keys
> 2017-01-05T13:13:50Z DEBUG Changing ownership of token files
> 2017-01-05T13:13:50Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:50Z DEBUG   [7/7]: configuring ipa-dnskeysyncd to 
> start on boot
> 2017-01-05T13:13:50Z DEBUG Starting external process
> 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable 
> ipa-dnskeysyncd.service
> 2017-01-05T13:13:50Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:50Z DEBUG stdout=
> 2017-01-05T13:13:50Z DEBUG stderr=
> 2017-01-05T13:13:50Z DEBUG service DNSKeySync startup entry already 
> enabled
> 2017-01-05T13:13:50Z DEBUG   duration: 0 seconds
> 2017-01-05T13:13:50Z DEBUG Done configuring DNS key synchronization 
> service (ipa-dnskeysyncd).
> 2017-01-05T13:13:50Z DEBUG Starting external process
> 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart 
> ipa-dnskeysyncd.service
> 2017-01-05T13:13:50Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:50Z DEBUG stdout=
> 2017-01-05T13:13:50Z DEBUG stderr=
> 2017-01-05T13:13:50Z DEBUG Starting external process
> 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active 
> ipa-dnskeysyncd.service
> 2017-01-05T13:13:50Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:50Z DEBUG stdout=active
>
> 2017-01-05T13:13:50Z DEBUG stderr=
> 2017-01-05T13:13:50Z DEBUG Restarting named
> 2017-01-05T13:13:50Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:50Z DEBUG Starting external process
> 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart 
> named-pkcs11.service
> 2017-01-05T13:13:50Z DEBUG Process finished, return code=1
> 2017-01-05T13:13:50Z DEBUG stdout=
> 2017-01-05T13:13:50Z DEBUG stderr=Job for named-pkcs11.service failed 
> because the control process exited with error code. See "systemctl 
> status named-pkcs11.service" and "journalctl -xe" for details.
>
> Thank you for assisting.
>
> -- 
> Jeff
>
> Looping in the rest of the previous recipients
>
> -- 
> Jeff Goddard
>
>
>
>
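
The two-stage check suggested at the top of this message (kinit from the service keytab, then an LDAP bind with -Y GSSAPI), written out as an added example that is not part of the original thread. The function name, its return-code convention and the ldap:// URI form are assumptions made for the example.

```shell
#!/bin/sh
# Added example: staged check of a service keytab against LDAP over GSSAPI.
#
# Return codes (this example's own convention, not an IPA one):
#   0 = ticket obtained and the GSSAPI bind was accepted
#   1 = kinit from the keytab failed (Kerberos-side problem: keytab, kvno, KDC)
#   2 = ticket obtained but the LDAP GSSAPI bind was rejected
#
# The body runs in a subshell so KRB5CCNAME does not leak into the caller.
check_gssapi_bind() (
    keytab=$1      # e.g. /etc/named.keytab
    principal=$2   # e.g. DNS/$HOSTNAME
    ldap_uri=$3    # e.g. ldap://$HOSTNAME (assumed URI form)

    # Private credential cache, so tickets already held by root or by the
    # running service are neither used nor overwritten by this test.
    ccdir=$(mktemp -d) || exit 1
    KRB5CCNAME="FILE:$ccdir/cc"
    export KRB5CCNAME

    rc=0
    if ! kinit -k -t "$keytab" "$principal"; then
        # Stage 1 failed: the KDC did not accept the key in the keytab.
        rc=1
    elif ! ldapsearch -Q -Y GSSAPI -H "$ldap_uri" -b "" -s base \
            "(objectClass=*)" 1.1 >/dev/null; then
        # Stage 2 failed: Kerberos issued a ticket, but the directory
        # server refused the SASL/GSSAPI bind made with it.
        rc=2
    fi

    # Removing the directory also discards the temporary ticket cache.
    rm -rf "$ccdir"
    exit "$rc"
)

# Typical call on the affected replica (not executed here):
#   check_gssapi_bind /etc/named.keytab "DNS/$HOSTNAME" "ldap://$HOSTNAME"
#   echo "result: $?"
```

A result of 2 corresponds to what this thread shows: kinit succeeds silently while named's bind is refused with "Invalid credentials", which places the fault on the directory side rather than in the keytab.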
