On 29.5.2013 15:50, John Moyer wrote:
        I changed both the host file (actually did that before emailing) and 
now I have changed the DNS manually in LDAP.  I restart ipa and it still fails 
on DNS startup.   It says the following (after I manually start everything else)

May 29 13:16:15 ip- named[9076]: set up managed keys zone for view _default, 
file 'dynamic/managed-keys.bind'
May 29 13:16:15 ip- named[9076]: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Server krbtgt/ec2.inter...@example.com not 
found in Kerberos database)
May 29 13:16:15 ip- named[9076]: bind to LDAP server failed: Local error
May 29 13:16:15 ip- named[9076]: loading configuration: failure
May 29 13:16:15 ip- named[9076]: exiting (due to fatal error)

The important piece is:
> Server krbtgt/ec2.inter...@example.com not found in Kerberos database

Some very basic instructions are at
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart

IMHO Kerberos libraries are confused by the crazy network setup inside EC2.

Does your /etc/krb5.conf point to internal or external name?

Does your /etc/hosts point to internal or external name?

I would try to include *internal* IPs in /etc/hosts, because internal IPs are what libraries see on local interfaces.

Please do the experiments described above and let us know. Also, you can join the #freeipa channel on FreeNode; I will be around for the next hour (at least).

Petr^2 Spacek
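The three questions above (what /etc/hosts maps the name to, whether that address is one the libraries actually see on a local interface, and which realm krb5.conf resolves the host's domain to) can be checked mechanically. The script below is an added example for this thread, not code from FreeIPA, bind-dyndb-ldap or either poster. The /etc/hosts contents, interface addresses and krb5.conf fragments are constructed sample data; the realm lookup is a simplified version of libkrb5's [domain_realm] walk (exact host, then each parent domain with a leading dot, then the uppercased parent domain when nothing matches, ignoring DNS-based realm lookup); and the `.ec2.internal = EXAMPLE.COM` line in the "good" config is an assumption about one way to make an EC2-internal hostname map to the IPA realm, not advice from the thread. A mismatch between the derived realm and default_realm is what makes the client ask its KDC for a cross-realm ticket, which is the shape of the `krbtgt/...` "not found in Kerberos database" error quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Checks the things asked about
# above: does /etc/hosts map the host's FQDN to an address that is actually bound on a local
# interface, and does krb5.conf map the host's domain to the IPA realm?

# --- constructed sample data (not taken from the thread) --------------------------------
# /etc/hosts pinned to the EC2 *external* address, which no local interface carries.
HOSTS_BAD='127.0.0.1      localhost
203.0.113.10   ipa.example.com ipa'
# /etc/hosts pointing at the internal address, with the EC2-internal name as an alias.
HOSTS_GOOD='127.0.0.1      localhost
10.1.3.5       ipa.example.com ipa ip-10-1-3-5.ec2.internal'
# Addresses bound on local interfaces (what the Kerberos libraries see).
LOCAL_IPS='127.0.0.1 10.1.3.5'
# krb5.conf with no [domain_realm] mapping: the realm is derived from the host's domain.
KRB5_BAD='[libdefaults]
 default_realm = EXAMPLE.COM
'
# krb5.conf mapping the IPA domain and (assumption) the EC2-internal domain to the realm.
KRB5_GOOD='[libdefaults]
 default_realm = EXAMPLE.COM
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .ec2.internal = EXAMPLE.COM
'

# Print the address the first matching /etc/hosts line maps hostname $2 to (comments skipped).
hosts_ip_for() {
    printf '%s\n' "$1" | awk -v host="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == host) { print $1; exit } }'
}

# Succeed if address $1 is in the space-separated list of locally bound addresses $2.
ip_is_local() {
    for bound in $2; do
        [ "$bound" = "$1" ] && return 0
    done
    return 1
}

# Print the value of default_realm from krb5.conf text $1.
krb5_default_realm() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*default_realm[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Print the realm krb5.conf text $2 maps host $1 to. Simplified libkrb5 behaviour: try the
# exact host in [domain_realm], then each parent domain with a leading dot; with no match,
# fall back to the uppercased parent domain (DNS-based realm lookup is ignored here).
realm_for_host() {
    host=$1; conf=$2; name=$host
    while :; do
        match=$(printf '%s\n' "$conf" | awk -v key="$name" -F'=' '
            /^[[:space:]]*\[/ { section = $0; next }
            section ~ /domain_realm/ && NF == 2 {
                k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
                if (k == key) { print v; exit }
            }')
        [ -n "$match" ] && { printf '%s\n' "$match"; return 0; }
        case $name in .*) name=${name#.} ;; esac                  # ".a.b.c" -> "a.b.c"
        case $name in *.*) name=.${name#*.} ;; *) break ;; esac   # "a.b.c"  -> ".b.c"
    done
    printf '%s\n' "${host#*.}" | tr '[:lower:]' '[:upper:]'
}

# Run all checks for FQDN $1 against hosts text $2, local address list $3 and krb5.conf
# text $4. Prints one line per finding; the return value is the number of problems found.
check_host_setup() {
    fqdn=$1; problems=0
    addr=$(hosts_ip_for "$2" "$fqdn")
    if [ -z "$addr" ]; then
        echo "PROBLEM: no /etc/hosts entry for $fqdn"
        problems=$((problems + 1))
    elif ! ip_is_local "$addr" "$3"; then
        echo "PROBLEM: /etc/hosts maps $fqdn to $addr, which is not bound locally ($3)"
        problems=$((problems + 1))
    fi
    realm=$(krb5_default_realm "$4")
    derived=$(realm_for_host "$fqdn" "$4")
    if [ "$derived" != "$realm" ]; then
        echo "PROBLEM: $fqdn maps to realm $derived, not default_realm $realm (a cross-realm krbtgt/$derived@$realm would be requested); add a [domain_realm] entry"
        problems=$((problems + 1))
    fi
    return $problems
}

# Stand-alone demonstration on the constructed data (guarded so a non-zero problem count is
# reported rather than treated as a script failure).
check_host_setup ipa.example.com "$HOSTS_GOOD" "$LOCAL_IPS" "$KRB5_GOOD" || echo "problems: $?"
check_host_setup ipa.example.com "$HOSTS_BAD"  "$LOCAL_IPS" "$KRB5_GOOD" || echo "problems: $?"
check_host_setup ip-10-1-3-5.ec2.internal "$HOSTS_GOOD" "$LOCAL_IPS" "$KRB5_BAD" || echo "problems: $?"
```

On a real box the same functions can be fed `"$(cat /etc/hosts)"`, `"$(hostname -f)"`, the addresses from `ip -o addr` and `"$(cat /etc/krb5.conf)"`; the point of the constructed inputs is only to show the two failure modes side by side with the working configuration.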

On May 29, 2013, at 4:11 AM, Petr Spacek <pspa...@redhat.com> wrote:

On 29.5.2013 07:42, John Moyer wrote:
Yeah, I replaced both certs; however, in my troubleshooting I've found more, I'll 
say, symptoms or potential problems, which may stem from this or be independent 
from it.

1. Showing this error message on restarting the service:
     EXAMPLE-COM...[29/May/2013:05:30:58 +0000] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)

2. This is on an AWS machine, and when I rebooted the internal IP of the 
machine changed.  I'm not sure if there are values in the Directory Server that 
would have that internal IP in there which would cause a problem.  The external 
IP and DNS have stayed the same and I've tried to have all install values match 
the external IP or external name for this exact reason.

3. The named service will no longer start; here are the errors being put in 
/var/log/messages:
May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 zones
May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders 
seen; disabling forwarding
May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view 
_default, file 'dynamic/managed-keys.bind'
May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials (Cannot 
contact any KDC for realm 'EXAMPLE.COM')
May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure
May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)

Any help in a right direction or theory to a right direction would be much 
appreciated!

Problems 2 and 3 might be caused by incorrect IP address in /etc/hosts and IPA 
DNS. Please correct content of /etc/hosts, start IPA and then correct IP 
addresses in IPA DNS.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
