<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>On 01/05/2017 04:11 PM, Jeff Goddard wrote:</tt><tt><br>
</tt>
<blockquote
cite="mid:CA+No-6H8NS5A7UuF2sSjiR9_Z6BC_O+VF16RN6yhv83Wvma+4w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><tt>I'm starting a new thread rather than continuing to
submit under: </tt><tt><a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html">https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html</a></tt><tt>.</tt><tt><br>
</tt><tt><br>
</tt></div>
<tt>My problem is that I cannot get the DNS service to start on
one of my replica masters. From the previous message thread: </tt><tt><br>
</tt>
<p><tt>Hello,</tt><tt><br>
</tt> </p>
<p><tt>could you check this link
</tt><tt><a href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed</a></tt><tt><br>
</tt> </p>
<p><tt>kinit prints nothing when it works, so it works in your
case. Can you, after kinit as the DNS service, try to use
ldapsearch -Y GSSAPI?</tt></p>
<p><tt>Martin</tt><tt><br>
</tt> </p>
<p><tt>Reading the article and following the steps I get this as
a result of:</tt></p>
<p><tt> ipa privilege-show 'DNS Servers' --all --raw</tt></p>
<pre>dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
cn: DNS Servers
description: DNS Servers
member: krbprincipalname=DNS/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
member: krbprincipalname=ipa-dnskeysyncd/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
member: krbprincipalname=DNS/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
member: krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup</pre>
</div>
</blockquote>
<tt>From the previous thread's logs, it seems there is an issue when
bind-dyndb-ldap attempts to connect to the LDAP server. The link
Martin posted has some good advice on how to troubleshoot this. <br>
<br>
I don't understand whether you went through the steps and
identified any issue.<br>
<br>
Does your setup use simple authentication or Kerberos?<br>
When you try to manually set named.conf to use the other option,
does it work?<br>
Are you able to authenticate to LDAP using these methods in
commands like ldapsearch?<br>
</tt>
<blockquote
cite="mid:CA+No-6H8NS5A7UuF2sSjiR9_Z6BC_O+VF16RN6yhv83Wvma+4w@mail.gmail.com"
type="cite">
<div dir="ltr">
<p><tt>Jeff</tt><tt><br>
</tt></p>
</div>
</blockquote>
<tt><br>
</tt>
<pre class="moz-signature" cols="72">--
Tomas Krizek</pre>
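<p><tt>Added example, not part of the thread: a Python check over the raw output of the <code>ipa privilege-show 'DNS Servers' --all --raw</code> command quoted above. It reports, per DNS master, whether both service principals that named (via bind-dyndb-ldap) and ipa-dnskeysyncd bind with are members of the privilege, and flags member DNs whose RDN carries an <code>nsuniqueid=</code> component, which is how 389 Directory Server names a replication conflict entry. The sample output below is constructed (hosts <code>ipa1..3.example.test</code>, realm <code>EXAMPLE.TEST</code>), not the output from the thread.</tt></p>

```python
"""Audit the membership of the FreeIPA 'DNS Servers' privilege.

bind-dyndb-ldap binds to LDAP as DNS/<host>@REALM and ipa-dnskeysyncd as
ipa-dnskeysyncd/<host>@REALM; both must be members of the privilege for the
DNS service on that master to read and write DNS data. This script parses the
raw output of `ipa privilege-show 'DNS Servers' --all --raw` and reports, per
master, the missing service principals and any member DN whose RDN carries
nsuniqueid= (how 389 Directory Server renames a replication conflict entry).
"""
import re
from collections import defaultdict

# Constructed sample modelled on the output quoted in the thread: the third
# master lacks its DNS/ principal and the second has a conflict copy of it.
SAMPLE = """\
dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
cn: DNS Servers
member: krbprincipalname=DNS/ipa1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
member: krbprincipalname=ipa-dnskeysyncd/ipa1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
member: krbprincipalname=ipa-dnskeysyncd/ipa2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
member: krbprincipalname=DNS/ipa2.example.test@EXAMPLE.TEST+nsuniqueid=00000000-00000000-00000000-00000000,cn=services,cn=accounts,dc=example,dc=test
member: krbprincipalname=DNS/ipa2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
member: krbprincipalname=ipa-dnskeysyncd/ipa3.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: groupofnames
"""

# One 'member:' line; an nsuniqueid= component may precede or follow the principal RDN.
MEMBER_RE = re.compile(
    r"^member:\s*(?:nsuniqueid=[^+,]+\+)?krbprincipalname=([^/]+)/([^@]+)@([^,+]+)"
    r"(?:\+nsuniqueid=[^,]+)?,", re.M)
REQUIRED = {"DNS", "ipa-dnskeysyncd"}

def audit_dns_servers(raw):
    """Return {host: {"missing": set of service names, "conflicts": [principals]}}."""
    live = defaultdict(set)
    conflicts = defaultdict(list)
    for m in MEMBER_RE.finditer(raw):
        service, host, realm = m.groups()
        if "nsuniqueid=" in m.group(0):
            # Replication conflict copy of the entry; record it for cleanup, do not count it.
            conflicts[host].append(f"{service}/{host}@{realm}")
            continue
        live[host].add(service)
    return {h: {"missing": REQUIRED - live[h], "conflicts": conflicts[h]}
            for h in sorted(set(live) | set(conflicts))}

if __name__ == "__main__":
    for host, r in audit_dns_servers(SAMPLE).items():
        status = "OK" if not r["missing"] and not r["conflicts"] else "CHECK"
        print(f"{status:5} {host}: missing={sorted(r['missing'])} conflicts={r['conflicts']}")
```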
</body>
</html>