Hi,

I noticed an updated krb5-server package today advertising that it fixes the issue with slow GSSAPI binds discussed earlier, so I installed it in my test environment, set SELinux back to enforcing in /etc/sysconfig/selinux and rebooted.


The named daemon does not start now. The error below was logged in /var/log/messages:

Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: PROCESS_TGS)

I am able to start named after setting SELinux to permissive mode (setenforce 0).

Then, to verify: I stopped all IPA services (ipactl stop), re-enabled SELinux (setenforce 1), and started the IPA services (ipactl start). A new error is logged in /var/log/messages:

Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid credentials
Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission denied
Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)


From /var/log/krb5kdc.log:

Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0: File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0: File exists
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH: DNS/ipa01.ix.test....@ix.test.com for krbtgt/ix.test....@ix.test.com, Additional pre-authentication required
Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test....@ix.test.com for krbtgt/ix.test....@ix.test.com

/var/named/data/named.run logged nothing.
Any suggestions for how to troubleshoot this issue?
Regards,
Siggi


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
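One way to start the troubleshooting asked for above, as an added example that is not part of the original post or of FreeIPA itself: when a service works with setenforce 0 and fails with setenforce 1, the first thing to read is the AVC denial records in the audit log (ausearch -m avc -ts recent, or grep '^type=AVC' /var/log/audit/audit.log). The helper below pulls the fields that matter out of such records: the confined domain that was refused (scontext type), the label of the object it touched (tcontext type), the object class, the permission, the process name and the file name. The three records in SAMPLE_AVC are constructed for this example; the PIDs, inodes and the labels shown (krb5kdc_t, user_tmp_t, named_t, etc_t) are assumptions chosen to look like what one would expect for the /var/tmp/krbtgt_0 and named failures, not output from the poster's host.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA.
# Summarise SELinux AVC denial records: which confined domain was refused
# which permission on which object. Feed it real records with
#   ausearch -m avc -ts recent | summarize_avc
# The records below are CONSTRUCTED; pids, inodes and labels are made up.

SAMPLE_AVC='type=AVC msg=audit(1348084486.101:201): avc:  denied  { write } for  pid=3681 comm="krb5kdc" name="krbtgt_0" dev=dm-0 ino=131 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348084486.102:202): avc:  denied  { unlink } for  pid=3681 comm="krb5kdc" name="krbtgt_0" dev=dm-0 ino=131 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348084849.550:310): avc:  denied  { read } for  pid=5918 comm="named" name="named.conf" dev=dm-0 ino=777 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# field RECORD KEY -> value of KEY=value or KEY="value" in an audit record
field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# ctx_type CONTEXT -> the type component (user:role:TYPE:level)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD -> the permissions inside "denied { ... }", space separated
avc_perms() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p')
    set -- $p          # normalise whitespace
    printf '%s\n' "$*"
}

# parse_avc RECORD -> "sdomain ttype tclass perms comm name"
parse_avc() {
    printf '%s %s %s %s %s %s\n' \
        "$(ctx_type "$(field "$1" scontext)")" \
        "$(ctx_type "$(field "$1" tcontext)")" \
        "$(field "$1" tclass)" \
        "$(avc_perms "$1")" \
        "$(field "$1" comm)" \
        "$(field "$1" name)"
}

# summarize_avc: read audit records on stdin, print one counted line per
# distinct (domain, object label, class, permission, comm, name) tuple
summarize_avc() {
    while IFS= read -r rec; do
        case $rec in
            *avc:*denied*) parse_avc "$rec" ;;
        esac
    done | sort | uniq -c | sed 's/^ *//'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Each summary line tells you what to look at next: for a denial of krb5kdc_t on a file labelled user_tmp_t, compare the file's actual label (ls -Z /var/tmp/krbtgt_0) with what the loaded policy says it should carry (matchpathcon /var/tmp/krbtgt_0); a file created while the box was permissive can end up with a label the enforcing policy does not allow the daemon to touch, and restorecon -v on the path corrects the label. A denial whose tcontext already matches matchpathcon points instead at a missing policy rule, which is a bug to report with the AVC record attached rather than something to relabel around.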