<div dir="ltr">Running the command displays no output. <div> Here is the config file output: # This file is sourced by dirsrv upon startup to set # the default environment for all directory server instances. # To set instance specific defaults, use the file in the same # directory called dirsrv-instance where "instance" # is the name of your directory server instance e.g. # dirsrv-localhost for the slapd-localhost instance. # This file is in systemd EnvironmentFile format - see man systemd.exec # In order to make more file descriptors available # to the directory server, first make sure the system # hard limits are raised, then use ulimit - uncomment # out the following line and change the value to the # desired value # ulimit -n 8192 # note - if using systemd, ulimit won't work - you must edit # the systemd unit file for directory server to add the # LimitNOFILE option - see man systemd.exec for more info # A per instance keytab does not make much sense for servers. # Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there # is nothing that can make a client understand how to get a per-instance ticket. # Therefore by default a keytab should be considered a per server option. # Also this file is sourced for all instances, so again all # instances would ultimately get the same keytab. # Finally a keytab is normally named either krb5.keytab or <service>.keytab # In order to use SASL/GSSAPI (Kerberos) the directory # server needs to know where to find its keytab # file - uncomment the following line and set # the path and filename appropriately # if using systemd, omit the "; export VARNAME" at the end # how many seconds to wait for the startpid file to show # up before we assume there is a problem and fail to start # if using systemd, omit the "; export VARNAME" at the end #STARTPID_TIME=10 ; export STARTPID_TIME # how many seconds to wait for the pid file to show # up before we assume there is a problem and fail to start # if using systemd, omit the "; export VARNAME" at the end #PID_TIME=600 ; export PID_TIME KRB5CCNAME=/tmp/krb5cc_389 KRB5_KTNAME=/etc/dirsrv/ds.keytab </div><div>I tried reinstalling with ipa-dns-install and it failed with errors. From the logs it looks like it sets resolve.conf to 127.0.0.1 and then tries to do lookups and fails. Here are selections from the logs: 2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:47Z DEBUG duration: 0 seconds 2017-01-05T13:13:47Z DEBUG [4/8]: setting up kerberos principal 2017-01-05T13:13:47Z DEBUG Starting external process 2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> -x ipa-setup-override-restrictions 2017-01-05T13:13:47Z DEBUG Process finished, return code=0 2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/<a href="mailto:admin@INTERNAL.EMERLYN.COM">admin@INTERNAL.EMERLYN.COM</a> with password. 2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>; defaulting to no policy add_principal: Principal or policy already exists while creating "DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>". 2017-01-05T13:13:47Z DEBUG Backing up system configuration file '/etc/named.keytab' 2017-01-05T13:13:47Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index' 2017-01-05T13:13:47Z DEBUG Starting external process 2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> -x ipa-setup-override-restrictions 2017-01-05T13:13:47Z DEBUG Process finished, return code=0 2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/<a href="mailto:admin@INTERNAL.EMERLYN.COM">admin@INTERNAL.EMERLYN.COM</a> with password. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/named.keytab. Entry for principal DNS/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/named.keytab. 2017-01-05T13:13:47Z DEBUG stderr= 2017-01-05T13:13:47Z DEBUG duration: 0 seconds 2017-01-05T13:13:47Z DEBUG [5/8]: setting up named.conf 2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:47Z DEBUG duration: 0 seconds 2017-01-05T13:13:47Z DEBUG [6/8]: setting up server configuration 2017-01-05T13:13:47Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache 2017-01-05T13:13:47Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c48440> 2017-01-05T13:13:48Z DEBUG raw: dnsserver_add(u'<a href="http://id-management-2.internal.emerlyn.com">id-management-2.internal.emerlyn.com</a>', idnssoamname=<DNS name <a href="http://id-management-2.internal.emerlyn.com">id-management-2.internal.emerlyn.com</a>.>, version=u'2.213') 2017-01-05T13:13:48Z DEBUG dnsserver_add(u'<a href="http://id-management-2.internal.emerlyn.com">id-management-2.internal.emerlyn.com</a>', idnssoamname=<DNS name <a href="http://id-management-2.internal.emerlyn.com">id-management-2.internal.emerlyn.com</a>.>, all=False, raw=False, version=u'2.213') 2017-01-05T13:13:48Z DEBUG raw: dnsserver_mod(u'<a href="http://id-management-2.internal.emerlyn.com">id-management-2.internal.emerlyn.com</a>', idnsforwarders=[u'10.72.100.16'], idnsforwardpolicy=u'only', version=u'2.213') 2017-01-05T13:13:48Z DEBUG dnsserver_mod(u'<a href="http://id-management-2.internal.emerlyn.com">id-management-2.internal.emerlyn.com</a>', idnsforwarders=(u'10.72.100.16',), idnsforwardpolicy=u'only', rights=False, all=False, raw=False, version=u'2.213') 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:48Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG [7/8]: configuring named to start on boot 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable named-pkcs11.service 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout= 2017-01-05T13:13:48Z DEBUG stderr= 2017-01-05T13:13:48Z DEBUG service DNS startup entry already enabled 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop named.service 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout= 2017-01-05T13:13:48Z DEBUG stderr= 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask named.service 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout= 2017-01-05T13:13:48Z DEBUG stderr=Created symlink from /etc/systemd/system/named.service to /dev/null. 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG [8/8]: changing resolv.conf to point to ourselves 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG Done configuring DNS (named). 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop ipa-dnskeysyncd.service 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout= 2017-01-05T13:13:48Z DEBUG stderr= 2017-01-05T13:13:48Z DEBUG Configuring DNS key synchronization service (ipa-dnskeysyncd) 2017-01-05T13:13:48Z DEBUG [1/7]: checking status 2017-01-05T13:13:48Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache 2017-01-05T13:13:48Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2c20> 2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG [2/7]: setting up bind-dyndb-ldap working directory 2017-01-05T13:13:48Z DEBUG duration: 0 seconds 2017-01-05T13:13:48Z DEBUG [3/7]: setting up kerberos principal 2017-01-05T13:13:48Z DEBUG Removing service keytab: /etc/ipa/dnssec/ipa-dnskeysyncd.keytab 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc -randkey ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> -x ipa-setup-override-restrictions 2017-01-05T13:13:48Z DEBUG Process finished, return code=0 2017-01-05T13:13:48Z DEBUG stdout=Authenticating as principal admin/<a href="mailto:admin@INTERNAL.EMERLYN.COM">admin@INTERNAL.EMERLYN.COM</a> with password. 2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy specified for ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>; defaulting to no policy add_principal: Principal or policy already exists while creating "ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>". 2017-01-05T13:13:48Z DEBUG Starting external process 2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> -x ipa-setup-override-restrictions 2017-01-05T13:13:49Z DEBUG Process finished, return code=0 2017-01-05T13:13:49Z DEBUG stdout=Authenticating as principal admin/<a href="mailto:admin@INTERNAL.EMERLYN.COM">admin@INTERNAL.EMERLYN.COM</a> with password. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. Entry for principal ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a> with kvno 7, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab. 2017-01-05T13:13:49Z DEBUG stderr= 2017-01-05T13:13:49Z DEBUG duration: 0 seconds 2017-01-05T13:13:49Z DEBUG [4/7]: setting up SoftHSM 2017-01-05T13:13:49Z DEBUG Creating new softhsm config file 2017-01-05T13:13:49Z DEBUG duration: 0 seconds 2017-01-05T13:13:49Z DEBUG [5/7]: adding DNSSEC containers 2017-01-05T13:13:49Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache 2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ec9998> 2017-01-05T13:13:49Z INFO DNSSEC container exists (step skipped) 2017-01-05T13:13:49Z DEBUG duration: 0 seconds 2017-01-05T13:13:49Z DEBUG [6/7]: creating replica keys 2017-01-05T13:13:49Z DEBUG Creating replica's key pair 2017-01-05T13:13:49Z DEBUG Storing replica public key to LDAP, ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=internal,dc=emerlyn,dc=com 2017-01-05T13:13:49Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache 2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2830> 2017-01-05T13:13:50Z DEBUG Replica public key stored 2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for old replica keys 2017-01-05T13:13:50Z DEBUG Changing ownership of token files 2017-01-05T13:13:50Z DEBUG duration: 0 seconds 2017-01-05T13:13:50Z DEBUG [7/7]: configuring ipa-dnskeysyncd to start on boot 2017-01-05T13:13:50Z DEBUG Starting external process 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable ipa-dnskeysyncd.service 2017-01-05T13:13:50Z DEBUG Process finished, return code=0 2017-01-05T13:13:50Z DEBUG stdout= 2017-01-05T13:13:50Z DEBUG stderr= 2017-01-05T13:13:50Z DEBUG service DNSKeySync startup entry already enabled 2017-01-05T13:13:50Z DEBUG duration: 0 seconds 2017-01-05T13:13:50Z DEBUG Done configuring DNS key synchronization service (ipa-dnskeysyncd). 2017-01-05T13:13:50Z DEBUG Starting external process 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart ipa-dnskeysyncd.service 2017-01-05T13:13:50Z DEBUG Process finished, return code=0 2017-01-05T13:13:50Z DEBUG stdout= 2017-01-05T13:13:50Z DEBUG stderr= 2017-01-05T13:13:50Z DEBUG Starting external process 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active ipa-dnskeysyncd.service 2017-01-05T13:13:50Z DEBUG Process finished, return code=0 2017-01-05T13:13:50Z DEBUG stdout=active 2017-01-05T13:13:50Z DEBUG stderr= 2017-01-05T13:13:50Z DEBUG Restarting named 2017-01-05T13:13:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-01-05T13:13:50Z DEBUG Starting external process 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart named-pkcs11.service 2017-01-05T13:13:50Z DEBUG Process finished, return code=1 2017-01-05T13:13:50Z DEBUG stdout= 2017-01-05T13:13:50Z DEBUG stderr=Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details. </div><div>It looks to me like the change in resolve.conf is causing all subsequent lookups to fail. </div><div>Jeff </div><div> </div><div> </div><div> </div><div> <div class="gmail_extra"> <div class="gmail_quote">On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti <<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div bgcolor="#FFFFFF"> <div class="gmail-m_-7480147556481762824moz-cite-prefix">On 04.01.2017 22:21, Jeff Goddard wrote: </div> <blockquote type="cite"> <div dir="ltr"> <div> <div> <div> <div> <div>I don't want to hijack someone else's thread but I'm having what appears to be the same problem and have not seen a solution presented yet. Here is the output of journalctl -xe after having tried to start named: Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: loading configuration from '/etc/named.conf' Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key' Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535] Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535] Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: listening on IPv6 interfaces, port 53 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: generating session key for dynamic DNS Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: sizing zone task pool based on 6 zones Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind' Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11) Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: GSSAPI client step 1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: GSSAPI client step 1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> ns-slapd[2596]: GSSAPI server step 1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: GSSAPI client step 1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> ns-slapd[2596]: GSSAPI server step 2 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: GSSAPI client step 2 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> ns-slapd[2596]: GSSAPI server step 3 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: loading configuration: permission denied Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> named-pkcs11[3948]: exiting (due to fatal error) Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> systemd[1]: named-pkcs11.service: control process exited, code=exited status=1 Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11. -- Subject: Unit named-pkcs11.service has failed -- Defined-By: systemd -- Support: <a href="http://lists.freedesktop.org/mailman/listinfo/systemd-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/systemd-devel</a> -- -- Unit named-pkcs11.service has failed. -- -- The result is failed. Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> systemd[1]: Unit named-pkcs11.service entered failed state. Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> systemd[1]: named-pkcs11.service failed. Jan 04 15:48:42 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy </div> Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep ipa-dnskeysyncdcat: [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="krbprincipalname=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive" [04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" [04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM" target="_blank">id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM</a>))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass" [04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/<a href="mailto:id-management-2.internal.emerlyn.com@internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com@internal.emerlyn.com</a>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" </div> My environment: </div> Freeipa 4.2.0 </div> OS is Centos 7.2 </div> <div>This is a secondary replica (master) and the other replica can be pinged but nslookup and dig fail to provide results even though the values are in the /etc/hosts file: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.72.100.16 <a href="http://id-management-1.internal.emerlyn.com" target="_blank">id-management-1.internal.emerlyn.com</a> 10.73.100.31 <a href="http://id-management-2.internal.emerlyn.com" target="_blank">id-management-2.internal.emerlyn.com</a> </div> <div> </div> <div>Any assistance is in solving this would be greatly appreciated and thanks for both the great product and the support already provided. </div> <div>Jeff </div> <div> </div> </div> <fieldset class="gmail-m_-7480147556481762824mimeAttachmentHeader"></fieldset> </blockquote> Hello, what contains the /etc/sysconfig/dirsrv file can you kinit as DNS? kinit -kt /etc/named.keytab DNS/$HOSTNAME Martin^2 </div> </blockquote></div> -- <div class="gmail_signature"><div dir="ltr"><div> </div> </div></div> </div></div></div>