<div dir="ltr"><div><div><div><div>I re-read and walked through the troubleshooting steps. I have a mismatch in Key Version Numbers in the keytab file:<br><br><br></div>Trying to renew the keytab file results in this error:<br><br>Failed to parse result: PrincipalName not found.<br><br>Retrying with pre-4.0 keytab retrieval method...<br>Failed to parse result: PrincipalName not found.<br><br>Failed to get keytab!<br>Failed to get keytab<br><br></div>Using simple authentication does work but I would prefer to find a solution to the Kerberos problem. Do you have any further suggestions?<br><br></div>Thanks,<br><br></div>Jeff<br><div><div><div><br><div><br><div><div><br><br><br><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 5, 2017 at 11:50 AM, Tomas Krizek <span dir="ltr"><<a href="mailto:tkrizek@redhat.com" target="_blank">tkrizek@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF">
    <tt>On 01/05/2017 04:11 PM, Jeff Goddard wrote:</tt><tt><br>
    </tt>
    <blockquote type="cite">
      <div dir="ltr">
        <div><tt>I'm starting a new thread rather than continuing to
            submit under: </tt><tt><a href="https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html</a></tt><tt>.</tt><tt><br>
          </tt><tt><br>
          </tt></div>
        <tt>My problem is that I cannot get the DNS service to start on
          one of my replica masters. From the previous message thread: </tt><tt><br>
        </tt>
        <p><tt>Hello,</tt><tt><br>
          </tt> </p>
        <p><tt>could you check this link
          </tt><tt><a class="gmail-m_6898014303089533638gmail-m_3423967822105621510moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed" target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed</a></tt><tt><br>
          </tt> </p>
        <p><tt>kinit prints nothing when it works, so it works in your
            case, can you after kinit as DNS service try to use
            ldapsearch -Y GSSAPI?</tt></p>
        <p><tt>Martin</tt><tt><br>
          </tt> </p>
        <p><tt>Reading the article and following the steps I get this as
            a result of:</tt></p>
        <p><tt> ipa privilege-show 'DNS Servers' --all --raw</tt></p>
        <p><tt>  dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  cn: DNS Servers</tt><br>
          <tt>  description: DNS Servers</tt><br>
          <tt>  member: krbprincipalname=DNS/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  member: krbprincipalname=ipa-dnskeysyncd/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  member: krbprincipalname=DNS/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  member: krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com</tt><br>
          <tt>  objectClass: top</tt><br>
          <tt>  objectClass: groupofnames</tt><br>
          <tt>  objectClass: nestedgroup</tt></p>
      </div>
    </blockquote>
    <tt>From the previous thread's logs, it seems there is an issue when
      bind-dyndb-ldap attempts to connect to the LDAP server. The link
      Martin posted has some good advice on how to troubleshoot this. <br>
      <br>
      I don't understand whether you went through the steps and
      identified any issue.<br>
      <br>
      Does your setup use simple authentication or Kerberos?<br>
      When you try to manually set named.conf to use the other option,
      does it work?<br>
      Are you able to authenticate to LDAP using these methods in
      commands like ldapsearch?<br>
    </tt>
    <blockquote type="cite">
      <div dir="ltr">
        <p><tt>Jeff</tt><tt><br>
          </tt></p>
      </div>
      <tt><br>
      </tt>
      <tt><br><span class="gmail-HOEnZb"><font color="#888888">
      </font></span></tt><span class="gmail-HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="gmail-HOEnZb"><font color="#888888">
    <tt><br>
    </tt>
    <pre class="gmail-m_6898014303089533638moz-signature" cols="72">-- 
Tomas Krizek</pre>
  </font></span></div>

</blockquote></div>
</div></div></div></div></div></div></div></div></div></div></div></div>
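The reply above reports a Key Version Number (KVNO) mismatch in the keytab. The script below is an added example, not code from this thread or from FreeIPA, of how to check for that condition: it reads every principal in a keytab, compares the highest KVNO stored in the file with the KVNO the KDC currently issues tickets for, and flags each principal as OK, MISMATCH or UNKNOWN. On an IPA host the two functions that emit sample text would be replaced by the real MIT Kerberos commands `klist -kt <keytab>` and `kvno <principal>` (the latter needs a valid ticket, e.g. after kinit); the hostnames, realm, timestamps and version numbers in the embedded sample are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): report KVNO mismatches between the keys
# stored in a keytab and the key version the KDC currently uses.
# Real commands on an IPA host:  klist -kt /etc/named.keytab   and   kvno "$principal"
# The two *_output functions below are constructed stand-ins for those commands;
# hostnames, realm and version numbers are hypothetical.

# Constructed stand-in for: klist -kt /etc/named.keytab
# (klist prints one line per key/enctype, so a principal usually appears more than once)
keytab_output() {
cat <<'EOF'
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/05/2017 10:00:00 DNS/ns1.example.test@EXAMPLE.TEST
   2 01/05/2017 10:00:00 DNS/ns1.example.test@EXAMPLE.TEST
   3 01/05/2017 10:00:00 ipa-dnskeysyncd/ns1.example.test@EXAMPLE.TEST
EOF
}

# Constructed stand-in for: kvno "$1"   (prints "<principal>: kvno = N" on success)
kdc_kvno_output() {
  case "$1" in
    DNS/ns1.example.test@EXAMPLE.TEST)             echo "$1: kvno = 4" ;;
    ipa-dnskeysyncd/ns1.example.test@EXAMPLE.TEST) echo "$1: kvno = 3" ;;
    *) echo "kvno: Server not found in Kerberos database while getting credentials for $1" >&2
       return 1 ;;
  esac
}

# Highest KVNO the keytab holds for a principal; prints 0 if the principal is absent.
keytab_kvno() {
  keytab_output | awk -v p="$1" '
    $1 ~ /^[0-9]+$/ && $NF == p && ($1 + 0) > max { max = $1 + 0 }
    END { print max + 0 }'
}

# KVNO the KDC reports for a principal; prints nothing if the lookup fails.
kdc_kvno() {
  kdc_kvno_output "$1" 2>/dev/null | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# One of OK, MISMATCH or UNKNOWN (UNKNOWN: the KDC could not resolve the principal).
check_principal() {
  kt=$(keytab_kvno "$1")
  kdc=$(kdc_kvno "$1")
  if [ -z "$kdc" ]; then
    echo UNKNOWN
  elif [ "$kt" -eq "$kdc" ]; then
    echo OK
  else
    echo MISMATCH
  fi
}

# Check every distinct principal in the keytab; exit status 1 if any is not OK.
check_keytab() {
  rc=0
  for p in $(keytab_output | awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u); do
    status=$(check_principal "$p")
    printf '%-50s keytab=%s kdc=%s %s\n' "$p" "$(keytab_kvno "$p")" "$(kdc_kvno "$p")" "$status"
    [ "$status" = OK ] || rc=1
  done
  return $rc
}

if check_keytab; then
  echo "all keytab entries match the KDC"
else
  echo "re-fetch the keytab (ipa-getkeytab) for the principals marked MISMATCH"
fi
```

A MISMATCH means the KDC has moved to a newer key than the one in the file, so a GSSAPI bind with that keytab fails until it is re-fetched; UNKNOWN means the KDC could not resolve the principal at all, which is the case to look into before re-fetching anything.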