<div dir="ltr"><div>I don't want to hijack someone else's thread, but I'm having what appears to be the same problem and have not seen a solution presented yet.<br><br>Here is the output of journalctl -xe after having tried to start named:<br><br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.<br>
-- Subject: Unit named-pkcs11.service has failed<br>
-- Defined-By: systemd<br>
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel<br>
--<br>
-- Unit named-pkcs11.service has failed.<br>
--<br>
-- The result is failed.<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit named-pkcs11.service entered failed state.<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service failed.<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy<br><br></div>
<div>Here are the last four entries of cat /var/log/dirsrv/slapd-*/access | grep ipa-dnskeysyncd:<br><br>
[04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"<br>
[04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"<br>
[04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"<br>
[04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"<br>
[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"<br><br></div>
<div>My environment:<br>FreeIPA 4.2.0<br>OS is CentOS 7.2<br><br></div>
<div>This is a secondary replica (master) and the other replica can be pinged, but nslookup and dig fail to provide results even though the values are in the /etc/hosts file:<br><br>
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4<br>
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6<br>
10.72.100.16 id-management-1.internal.emerlyn.com<br>
10.73.100.31 id-management-2.internal.emerlyn.com<br><br></div>
<div>Any assistance in solving this would be greatly appreciated, and thanks for both the great product and the support already provided.<br><br></div>
<div>Jeff</div></div>
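Added example, not part of the post above and not FreeIPA project code: a small triage script for exactly the two artifacts the post quotes, the journalctl output of a named-pkcs11 start and the 389-ds access log. It parses both formats, picks out the first error-looking message from named-pkcs11 (the later "permission denied" lines are consequences of it), lists the GSSAPI client/server steps between named-pkcs11 and ns-slapd, finds MOD operations against a service principal's entry, and reports how long before the failing bind the last such modification happened. The sample lines are constructed to match the shape of the post's output, with a placeholder host (ipa-replica.example.test) and realm; the year is passed in by hand because journal lines do not carry one.

```python
"""Triage a named-pkcs11 start failure from journalctl and 389-ds access-log lines.

Added example (not from the mailing-list post). Sample input below is
constructed, with a placeholder hostname and realm.
"""
import re
from datetime import datetime

JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[A-Za-z0-9_.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$"
)
GSSAPI_RE = re.compile(r"^GSSAPI (client|server) step (\d+)$")
# Substrings that mark a message as an error rather than routine startup chatter.
FATAL_HINTS = ("error", "failed", "permission denied", "fatal")


def parse_journal(lines):
    """One dict per journal entry; systemd's '-- ...' annotation lines are skipped."""
    entries = []
    for line in lines:
        m = JOURNAL_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def first_failure(entries, proc="named-pkcs11"):
    """First error-looking entry from `proc`, or None. In a cascade like
    'Invalid credentials' -> 'permission denied' -> 'exiting', this is the root."""
    for e in entries:
        if e["proc"] == proc and any(h in e["msg"].lower() for h in FATAL_HINTS):
            return e
    return None


def gssapi_steps(entries):
    """(process, role, step) tuples in log order for the SASL/GSSAPI bind."""
    steps = []
    for e in entries:
        m = GSSAPI_RE.match(e["msg"])
        if m:
            steps.append((e["proc"], m.group(1), int(m.group(2))))
    return steps


def principal_mods(access_lines, principal):
    """(timestamp, conn, op, dn) for MOD operations on the principal's own entry."""
    want = f"krbprincipalname={principal}".lower()
    mods = []
    for line in access_lines:
        m = ACCESS_RE.match(line.strip())
        if not m or m.group("kind") != "MOD":
            continue
        dn = re.search(r'dn="([^"]*)"', m.group("rest"))
        if dn and dn.group(1).lower().startswith(want):
            mods.append((m.group("ts"), int(m.group("conn")), int(m.group("op")), dn.group(1)))
    return mods


def seconds_between(access_ts, journal_ts, year):
    """Seconds from an access-log stamp ('04/Jan/2017:15:28:37.46 -0500') to a
    journal stamp ('Jan 04 15:48:42'); both are taken as the same local time."""
    a = datetime.strptime(access_ts.split(" ")[0].split(".")[0], "%d/%b/%Y:%H:%M:%S")
    j = datetime.strptime(f"{journal_ts} {year}", "%b %d %H:%M:%S %Y")
    return (j - a).total_seconds()


def triage(journal_lines, access_lines, principal, year):
    """Summarise the failure and correlate it with changes to the principal entry."""
    entries = parse_journal(journal_lines)
    failure = first_failure(entries)
    mods = principal_mods(access_lines, principal)
    gap = seconds_between(mods[-1][0], failure["ts"], year) if mods and failure else None
    return {
        "root_cause": failure["msg"] if failure else None,
        "gssapi_steps": gssapi_steps(entries),
        "principal_mod_ops": [op for _, _, op, _ in mods],
        "seconds_from_last_mod_to_failure": gap,
    }


# Constructed sample input modelled on the post's output (placeholder host and realm).
HOST = "ipa-replica.example.test"
PRINCIPAL = f"ipa-dnskeysyncd/{HOST}@EXAMPLE.TEST"
BASE = f"krbprincipalname={PRINCIPAL},cn=services,cn=accounts,dc=example,dc=test"
JOURNAL_SAMPLE = f"""\
Jan 04 15:48:42 {HOST} named-pkcs11[3948]: loading configuration from '/etc/named.conf'
Jan 04 15:48:42 {HOST} named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 {HOST} ns-slapd[2596]: GSSAPI server step 1
Jan 04 15:48:42 {HOST} named-pkcs11[3948]: GSSAPI client step 2
Jan 04 15:48:42 {HOST} ns-slapd[2596]: GSSAPI server step 2
Jan 04 15:48:42 {HOST} named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
Jan 04 15:48:42 {HOST} named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
Jan 04 15:48:42 {HOST} named-pkcs11[3948]: exiting (due to fatal error)
Jan 04 15:48:42 {HOST} systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
-- Subject: Unit named-pkcs11.service has failed
""".splitlines()
ACCESS_SAMPLE = [
    f'[04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="{BASE}" scope=0 filter="(objectClass=*)" attrs="objectClass krbPrincipalName"',
    f'[04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="{BASE}"',
    '[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0',
]

if __name__ == "__main__":
    for key, value in triage(JOURNAL_SAMPLE, ACCESS_SAMPLE, PRINCIPAL, 2017).items():
        print(f"{key}: {value}")
```

On real input, feed `journalctl -u named-pkcs11 -o short` output to `parse_journal` and the `access` file to `principal_mods`, passing the principal whose keytab named actually binds with; the script only reports what the logs show, and a short gap between a MOD on the principal entry and an "Invalid credentials" bind is a lead to check the keytab against the directory, not a diagnosis.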