<div dir="ltr"><div> <div class="gmail_quote">---------- Forwarded message ---------- From: Jeff Goddard <<a href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a>> Date: Thu, Jan 5, 2017 at 8:57 AM Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'} To: Martin Basti <<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>> <div dir="ltr"> <div class="gmail_extra"> <div class="gmail_quote">On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti <<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div bgcolor="#FFFFFF"> <div class="m_-22724728160857037m_3310156183138934670gmail-m_-6036249115591493486moz-cite-prefix">On 04.01.2017 22:21, Jeff Goddard wrote: </div> <blockquote type="cite"> <div dir="ltr"> <div> <div> <div> <div> <div>I don't want to hijack someone else's thread but I'm having what appears to be the same problem and have not seen a solution presented yet. Here is the output of journalctl -xe after having tried to start named: Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: loading configuration from '/etc/named.conf' Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key' Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535] Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535] Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: listening on IPv6 interfaces, port 53 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: generating session key for dynamic DNS Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: sizing zone task pool based on 6 zones Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind' Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11) Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: GSSAPI client step 1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: GSSAPI client step 1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> ns-slapd[2596]: GSSAPI server step 1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: GSSAPI client step 1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> ns-slapd[2596]: GSSAPI server step 2 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: GSSAPI client step 2 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> ns-slapd[2596]: GSSAPI server step 3 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: loading configuration: permission denied Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: exiting (due to fatal error) Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> systemd[1]: named-pkcs11.service: control process exited, code=exited status=1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11. -- Subject: Unit named-pkcs11.service has failed -- Defined-By: systemd -- Support: <a href="http://lists.freedesktop.org/mailman/listinfo/systemd-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/systemd-devel</a> -- -- Unit named-pkcs11.service has failed. -- -- The result is failed. Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> systemd[1]: Unit named-pkcs11.service entered failed state. Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> systemd[1]: named-pkcs11.service failed. Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy </div> Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep ipa-dnskeysyncdcat: [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="krbprincipalname=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive" [04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" [04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com@internal.emerlyn.com</a>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" </div> My environment: </div> Freeipa 4.2.0 </div> OS is Centos 7.2 </div> <div>This is a secondary replica (master) and the other replica can be pinged but nslookup and dig fail to provide results even though the values are in the /etc/hosts file: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.72.100.16 <a href="http://id-management-1.internal.emerlyn.com" target="_blank">id-management-1.internal.emerlyn.com</a> 10.73.100.31 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> </div> <div> </div> <div>Any assistance is in solving this would be greatly appreciated and thanks for both the great product and the support already provided. </div> <div>Jeff </div> <div> </div> </div> <fieldset class="m_-22724728160857037m_3310156183138934670gmail-m_-6036249115591493486mimeAttachmentHeader"></fieldset> </blockquote> Hello, what contains the /etc/sysconfig/dirsrv file can you kinit as DNS? kinit -kt /etc/named.keytab DNS/$HOSTNAME Martin^2 </div> </blockquote></div>The kinit -kt /etc/named.keytab DNS/$HOSTNAME command returns nothing Here is the requested file output: # This file is sourced by dirsrv upon startup to set # the default environment for all directory server instances. # To set instance specific defaults, use the file in the same # directory called dirsrv-instance where "instance" # is the name of your directory server instance e.g. # dirsrv-localhost for the slapd-localhost instance. # This file is in systemd EnvironmentFile format - see man systemd.exec # In order to make more file descriptors available # to the directory server, first make sure the system # hard limits are raised, then use ulimit - uncomment # out the following line and change the value to the # desired value # ulimit -n 8192 # note - if using systemd, ulimit won't work - you must edit # the systemd unit file for directory server to add the # LimitNOFILE option - see man systemd.exec for more info # A per instance keytab does not make much sense for servers. # Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there # is nothing that can make a client understand how to get a per-instance ticket. # Therefore by default a keytab should be considered a per server option. # Also this file is sourced for all instances, so again all # instances would ultimately get the same keytab. # Finally a keytab is normally named either krb5.keytab or <service>.keytab # In order to use SASL/GSSAPI (Kerberos) the directory # server needs to know where to find its keytab # file - uncomment the following line and set # the path and filename appropriately # if using systemd, omit the "; export VARNAME" at the end # how many seconds to wait for the startpid file to show # up before we assume there is a problem and fail to start # if using systemd, omit the "; export VARNAME" at the end #STARTPID_TIME=10 ; export STARTPID_TIME # how many seconds to wait for the pid file to show # up before we assume there is a problem and fail to start # if using systemd, omit the "; export VARNAME" at the end #PID_TIME=600 ; export PID_TIME KRB5CCNAME=/tmp/krb5cc_389 KRB5_KTNAME=/etc/dirsrv/ds.keytab </div><div class="gmail_extra">I tried to re-install (ipa-install-dns) and here is the install log. I highlighted in red below where I think the problem may be coming from. 2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:47Z DEBUG duration: 0 seconds 2017-01-05T13:13:47Z DEBUG [4/8]: setting up kerberos principal 2017-01-05T13:13:47Z DEBUG Starting external process 2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> -x ipa-setup-override-restrictions 2017-01-05T13:13:47Z DEBUG Process finished, return code=0 2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/<a href="mailto:admin@INTERNAL.EMERLYN.COM" target="_blank">admin@INTERNAL.EMERLYN.COM</a> with password. 2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>; defaulting to no policy add_principal: Principal or policy already exists while creating "DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>". 2017-01-05T13:13:47Z DEBUG Backing up system configuration file '/etc/named.keytab' 2017-01-05T13:13:47Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2017-01-05T13:13:47Z DEBUG Starting external process 2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> -x ipa-setup-override-restrictions 2017-01-05T13:13:47Z DEBUG Process finished, return code=0 2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/<a href="mailto:admin@INTERNAL.EMERLYN.COM" target="_blank">admin@INTERNAL.EMERLYN.COM</a> with password. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/named.keytab. 2017-01-05T13:13:47Z DEBUG stderr= 2017-01-05T13:13:47Z DEBUG duration: 0 seconds 2017-01-05T13:13:47Z DEBUG [5/8]: setting up named.conf 2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:47Z DEBUG duration: 0 seconds 2017-01-05T13:13:47Z DEBUG [6/8]: setting up server configuration 2017-01-05T13:13:47Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache 2017-01-05T13:13:47Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c48440> 2017-01-05T13:13:48Z DEBUG raw: dnsserver_add(u'<a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a>', idnssoamname=<DNS name <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a>.>, version=u'2.213') 2017-01-05T13:13:48Z DEBUG dnsserver_add(u'<a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a>', idnssoamname=<DNS name <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a>.>, all=False, raw=False, version=u'2.213') 2017-01-05T13:13:48Z DEBUG raw: dnsserver_mod(u'<a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a>', idnsforwarders=[u'10.72.100.16'], idnsforwardpolicy=u'only', version=u'2.213') 2017-01-05T13:13:48Z DEBUG dnsserver_mod(u'<a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a>', idnsforwarders=(u'10.72.100.16',), idnsforwardpolicy=u'only', rights=False, all=False, raw=False, version=u'2.213') 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:48Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG [7/8]: configuring named to start on boot 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable named-pkcs11.service 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout= 2017-01-05T13:13:48Z DEBUG stderr= 2017-01-05T13:13:48Z DEBUG service DNS startup entry already enabled 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop named.service 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout= 2017-01-05T13:13:48Z DEBUG stderr= 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask named.service 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout= 2017-01-05T13:13:48Z DEBUG stderr=Created symlink from /etc/systemd/system/named.service to /dev/null. 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG [8/8]: changing resolv.conf to point to ourselves 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG Done configuring DNS (named). 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop ipa-dnskeysyncd.service 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout= 2017-01-05T13:13:48Z DEBUG stderr= 2017-01-05T13:13:48Z DEBUG Configuring DNS key synchronization service (ipa-dnskeysyncd) 2017-01-05T13:13:48Z DEBUG [1/7]: checking status 2017-01-05T13:13:48Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache 2017-01-05T13:13:48Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2c20> 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG [2/7]: setting up bind-dyndb-ldap working directory 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG [3/7]: setting up kerberos principal 2017-01-05T13:13:48Z DEBUG Removing service keytab: /etc/ipa/dnssec/ipa-dnskeysyncd.keytab 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc -randkey ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> -x ipa-setup-override-restrictions 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout=Authenticating as principal admin/<a href="mailto:admin@INTERNAL.EMERLYN.COM" target="_blank">admin@INTERNAL.EMERLYN.COM</a> with password. 2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy specified for ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>; defaulting to no policy add_principal: Principal or policy already exists while creating "ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>". 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> -x ipa-setup-override-restrictions 2017-01-05T13:13:49Z DEBUG Process finished, return code=0 2017-01-05T13:13:49Z DEBUG stdout=Authenticating as principal admin/<a href="mailto:admin@INTERNAL.EMERLYN.COM" target="_blank">admin@INTERNAL.EMERLYN.COM</a> with password. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. 2017-01-05T13:13:49Z DEBUG stderr= 2017-01-05T13:13:49Z DEBUG duration: 0 seconds 2017-01-05T13:13:49Z DEBUG [4/7]: setting up SoftHSM 2017-01-05T13:13:49Z DEBUG Creating new softhsm config file 2017-01-05T13:13:49Z DEBUG duration: 0 seconds 2017-01-05T13:13:49Z DEBUG [5/7]: adding DNSSEC containers 2017-01-05T13:13:49Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache 2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ec9998> 2017-01-05T13:13:49Z INFO DNSSEC container exists (step skipped) 2017-01-05T13:13:49Z DEBUG duration: 0 seconds 2017-01-05T13:13:49Z DEBUG [6/7]: creating replica keys 2017-01-05T13:13:49Z DEBUG Creating replica's key pair 2017-01-05T13:13:49Z DEBUG Storing replica public key to LDAP, ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=internal,dc=emerlyn,dc=com 2017-01-05T13:13:49Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache 2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2830> 2017-01-05T13:13:50Z DEBUG Replica public key stored 2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for old replica keys 2017-01-05T13:13:50Z DEBUG Changing ownership of token files 2017-01-05T13:13:50Z DEBUG duration: 0 seconds 2017-01-05T13:13:50Z DEBUG [7/7]: configuring ipa-dnskeysyncd to start on boot 2017-01-05T13:13:50Z DEBUG Starting external process 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable ipa-dnskeysyncd.service 2017-01-05T13:13:50Z DEBUG Process finished, return code=0 2017-01-05T13:13:50Z DEBUG stdout= 2017-01-05T13:13:50Z DEBUG stderr= 2017-01-05T13:13:50Z DEBUG service DNSKeySync startup entry already enabled 2017-01-05T13:13:50Z DEBUG duration: 0 seconds 2017-01-05T13:13:50Z DEBUG Done configuring DNS key synchronization service (ipa-dnskeysyncd). 2017-01-05T13:13:50Z DEBUG Starting external process 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart ipa-dnskeysyncd.service 2017-01-05T13:13:50Z DEBUG Process finished, return code=0 2017-01-05T13:13:50Z DEBUG stdout= 2017-01-05T13:13:50Z DEBUG stderr= 2017-01-05T13:13:50Z DEBUG Starting external process 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active ipa-dnskeysyncd.service 2017-01-05T13:13:50Z DEBUG Process finished, return code=0 2017-01-05T13:13:50Z DEBUG stdout=active 2017-01-05T13:13:50Z DEBUG stderr= 2017-01-05T13:13:50Z DEBUG Restarting named 2017-01-05T13:13:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:50Z DEBUG Starting external process 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart named-pkcs11.service 2017-01-05T13:13:50Z DEBUG Process finished, return code=1 2017-01-05T13:13:50Z DEBUG stdout= 2017-01-05T13:13:50Z DEBUG stderr=Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details. </div><div class="gmail_extra">Thank you for assisting. </div><div class="gmail_extra"> -- <div class="m_-22724728160857037m_3310156183138934670gmail_signature"><div>Jeff </div></div> </div></div> </div> </div>Looping in the rest of the previous recipients <div> -- <div class="m_-22724728160857037gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div><div>Jeff Goddard </div> </div></div> </div></div> </div></div>