<div dir="ltr"><div>I'm starting a new thread rather than continuing to submit under: <a href="https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html">https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html</a>.<br><br></div>My problem is that I cannot get the DNS service to start on one of my replica masters. From the previous message thread: <br><p>Hello,<br>
</p>
<p>could you check this link
<a class="gmail-m_3423967822105621510moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed" target="_blank">https://fedorahosted.org/bind-<wbr>dyndb-ldap/wiki/BIND9/<wbr>NamedCannotStart#a4.<wbr>Invalidcredentials:<wbr>bindtoLDAPserverfailed</a><br>
</p>
<p>kinit prints nothing when it works, so it works in your case. Can
you, after kinit as the DNS service, try to use ldapsearch -Y GSSAPI?</p>
<p><br>
</p>
<p>Martin<br>
</p>
<p>Reading the article and following the steps I get this as a result of:</p><p> ipa privilege-show 'DNS Servers' --all --raw</p><p> dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 cn: DNS Servers<br>
 description: DNS Servers<br>
 member: krbprincipalname=DNS/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com<br>
 member: krbprincipalname=ipa-dnskeysyncd/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com<br>
 member: krbprincipalname=DNS/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com<br>
 member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com<br>
 member: krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com<br>
 member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com<br>
 member: krbprincipalname=DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com<br>
 memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com<br>
 objectClass: top<br>
 objectClass: groupofnames<br>
 objectClass: nestedgroup<br></p><p><br></p><p>Jeff<br></p></div>