<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04.01.2017 22:21, Jeff Goddard
wrote:<br>
</div>
<blockquote
cite="mid:CA+No-6G9eriuj+sU8S24zqddNaFZLsuWrG5whCO169GkLb6kww@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>I don't want to hijack someone else's thread but
I'm having what appears to be the same problem and
have not seen a solution presented yet.<br>
<br>
Here is the output of journalctl -xe after having
tried to start named: <br>
<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.<br>
-- Subject: Unit named-pkcs11.service has failed<br>
-- Defined-By: systemd<br>
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel<br>
--<br>
-- Unit named-pkcs11.service has failed.<br>
--<br>
-- The result is failed.<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit named-pkcs11.service entered failed state.<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service failed.<br>
Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy<br>
<br>
</div>
Here are the last four entries of
/var/log/dirsrv/slapd-*/access |grep ipa-dnskeysyncdcat:<br>
<br>
[04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"<br>
[04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"<br>
[04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"<br>
[04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"<br>
[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"<br>
<br>
</div>
My environment:<br>
</div>
Freeipa 4.2.0<br>
</div>
OS is Centos 7.2<br>
<br>
</div>
<div>This is a secondary replica (master) and the other replica
can be pinged but nslookup and dig fail to provide results
even though the values are in the /etc/hosts file:<br>
<br>
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4<br>
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6<br>
10.72.100.16 id-management-1.internal.emerlyn.com<br>
10.73.100.31 id-management-2.internal.emerlyn.com<br>
<br>
</div>
<div><br>
</div>
<div>Any assistance in solving this would be greatly
appreciated, and thanks for both the great product and the
support already provided.<br>
<br>
</div>
<div>Jeff<br>
</div>
<div><br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
Hello,<br>
<br>
What does the /etc/sysconfig/dirsrv file contain?<br>
<br>
Can you kinit as DNS?<br>
<br>
kinit -kt /etc/named.keytab DNS/$HOSTNAME<br>
<br>
Martin^2<br>
<br>
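Added example, not from this thread: a small Python helper for reading the 389-ds access log the way the report above greps it. It pairs each request line with its RESULT line by (conn, op), because a grep for the principal name never shows the RESULT (and its err=) of a SRCH or MOD, and it flags SASL/GSSAPI binds that ended in an error such as err=49 (invalidCredentials), which is what "bind to LDAP server failed" in the named-pkcs11 journal looks like on the directory-server side. The sample log lines, the hostname idm2.example.test and the DNs are constructed.

```python
import re
from collections import defaultdict

# Constructed 389-ds access-log sample (hostname and DN changed; not the post's own lines).
# err=14 (saslBindInProgress) is a normal GSSAPI step; err=49 is invalidCredentials.
SAMPLE = """\
[04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/idm2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
[04/Jan/2017:15:28:37.466000000 -0500] conn=5 op=1134 RESULT err=0 tag=103 nentries=0 etime=0
[04/Jan/2017:15:28:37.480000000 -0500] conn=281 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:28:37.480500000 -0500] conn=281 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jan/2017:15:28:37.481000000 -0500] conn=281 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/idm2.example.test@example.test,cn=services,cn=accounts,dc=example,dc=test"
[04/Jan/2017:15:48:42.100000000 -0500] conn=290 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jan/2017:15:48:42.101000000 -0500] conn=290 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')

def correlate(text):
    """Pair each request line with its RESULT line by (conn, op). Grepping for the
    principal alone never shows a SRCH/MOD's RESULT (and its err=), which carries only conn/op."""
    ops = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, rest = (int(m['conn']), int(m['op'])), m['rest']
        if rest.startswith('RESULT'):
            e = re.search(r'\berr=(\d+)', rest)
            ops[key].update(err=int(e.group(1)) if e else None, result=rest)
        else:
            ops[key].update(ts=m['ts'], kind=rest.split(' ', 1)[0], request=rest)
    return dict(ops)

def failed_binds(text):
    """(conn, op, err) for BIND operations that ended in an error; err=14 is not one."""
    return sorted((c, o, v['err']) for (c, o), v in correlate(text).items()
                  if v.get('kind') == 'BIND' and v.get('err') not in (None, 0, 14))

def principal_ops(text, principal):
    """(conn, op, kind, err) for every operation naming the principal in request or result."""
    needle = principal.lower()
    return [(c, o, v.get('kind'), v.get('err')) for (c, o), v in sorted(correlate(text).items())
            if needle in (v.get('request', '') + v.get('result', '')).lower()]

if __name__ == '__main__':
    for row in principal_ops(SAMPLE, 'ipa-dnskeysyncd/idm2.example.test'):
        print('principal op: conn=%d op=%d %s err=%s' % row)
    for row in failed_binds(SAMPLE):
        print('failed bind:  conn=%d op=%d err=%d' % row)
```

On a real replica, feed it the whole access log rather than a grep: the RESULT line for a failing GSSAPI bind from named-pkcs11 carries no dn, so it only turns up once ops are paired by (conn, op).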
</body>
</html>