[Freeipa-users] DNS service fails to start on replica master

Tomas Krizek tkrizek at redhat.com
Thu Jan 5 16:50:09 UTC 2017


On 01/05/2017 04:11 PM, Jeff Goddard wrote:
> I'm starting a new thread rather than continuing to submit under:
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.
>
> My problem is that I cannot get the DNS service to start on one of my
> replica masters. From the previous message thread:
>
> Hello,
>
> could you check this link
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
> Martin
>
> Reading the article and following the steps I get this as a result of:
>
> ipa privilege-show 'DNS Servers' --all --raw
>
>   dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   cn: DNS Servers
>   description: DNS Servers
>   member: krbprincipalname=DNS/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: nestedgroup
>
From the previous thread's logs, it seems there is an issue when
bind-dyndb-ldap attempts to connect to the LDAP server. The link Martin
posted has some good advice on how to troubleshoot this.

I don't understand whether you went through the steps and identified any
issue.

Does your setup use simple authentication or Kerberos?
When you try to manually set named.conf to use the other option, does it
work?
Are you able to authenticate to LDAP using these methods in commands
like ldapsearch?
>
> Jeff

-- 
Tomas Krizek
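As an added example (not from this thread or from FreeIPA itself): a small Python check that parses raw `ipa privilege-show 'DNS Servers' --all --raw` output of the kind quoted above, reports whether both the `DNS/` and `ipa-dnskeysyncd/` principals of a given replica are members of the privilege, and flags member DNs carrying `+nsuniqueid=`, the suffix 389-ds puts on replication-conflict entries (one such member appears in Jeff's output). The hostnames, realm and nsuniqueid in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ipa privilege-show 'DNS Servers' --all --raw`.
# Hostnames, realm and the nsuniqueid are placeholders, not values from the thread.
SAMPLE_RAW = """\
  dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
  cn: DNS Servers
  member: krbprincipalname=DNS/replica1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  member: krbprincipalname=ipa-dnskeysyncd/replica1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  member: krbprincipalname=ipa-dnskeysyncd/replica2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  member: krbprincipalname=DNS/replica2.example.test@EXAMPLE.TEST+nsuniqueid=00000000-00000000-00000000-00000000,cn=services,cn=accounts,dc=example,dc=test
  member: krbprincipalname=DNS/replica2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  member: krbprincipalname=ipa-dnskeysyncd/replica3.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=test
"""

# Service principals a DNS-enabled IPA master needs in the 'DNS Servers' privilege.
REQUIRED_SERVICES = {"DNS", "ipa-dnskeysyncd"}

# First RDN of a service entry. The optional "+nsuniqueid=..." part is what
# 389-ds appends to the DN of a replication-conflict entry.
MEMBER_RE = re.compile(
    r"^krbprincipalname=(?P<svc>[^/]+)/(?P<host>[^@+,]+)@(?P<realm>[^+,]+)"
    r"(?P<conflict>\+nsuniqueid=[^,]+)?,",
    re.IGNORECASE,
)

def parse_raw(text):
    """Turn the raw attribute listing into {attribute: [values]}."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.*)$", line)
        if m:
            attrs[m.group(1).lower()].append(m.group(2).strip())
    return attrs

def audit_dns_servers(text, host):
    """Report principals missing for `host` and any conflict-entry members."""
    services, conflicts = defaultdict(set), []
    for dn in parse_raw(text).get("member", []):
        m = MEMBER_RE.match(dn)
        if not m:
            continue  # not a service principal; ignore
        if m.group("conflict"):
            conflicts.append(dn)  # duplicate DN left by a replication conflict
            continue
        services[m.group("host").lower()].add(m.group("svc"))
    missing = sorted(REQUIRED_SERVICES - services.get(host.lower(), set()))
    return {"missing": missing, "conflicts": conflicts}
```

Run it against the real output by piping `ipa privilege-show 'DNS Servers' --all --raw` into `audit_dns_servers` with the FQDN of the replica whose named fails to start; a non-empty `missing` list or any `conflicts` entry is worth fixing before digging further into named's LDAP bind.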


