On 29.5.2013 15:50, John Moyer wrote:
I changed both the host file (actually did that before emailing) and
now I have changed the DNS manually in LDAP. I restart ipa and it still fails
on DNS startup. It says the following (after I manually start everything else)
May 29 13:16:15 ip- named: set up managed keys zone for view _default,
May 29 13:16:15 ip- named: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Server krbtgt/ec2.inter...@example.com not
found in Kerberos database)
May 29 13:16:15 ip- named: bind to LDAP server failed: Local error
May 29 13:16:15 ip- named: loading configuration: failure
May 29 13:16:15 ip- named: exiting (due to fatal error)
The important piece is:
> Server krbtgt/ec2.inter...@example.com not found in Kerberos database
Some very basic instructions are at
IMHO Kerberos libraries are confused by the crazy network setup inside EC2.
Does your /etc/krb5.conf point to internal or external name?
Does your /etc/hosts point to internal or external name?
I would try to include *internal* IPs in /etc/hosts, because internal IPs are
what libraries see on local interfaces.
Please do the experiments described above and let us know. Also, you can join
#freeipa channel on FreeNode, I will be around for the next hour (at least).
On May 29, 2013, at 4:11 AM, Petr Spacek <pspa...@redhat.com> wrote:
On 29.5.2013 07:42, John Moyer wrote:
Yeah, I replaced both certs; however, in my troubleshooting I've found more, I'll
say, symptoms or potential problems, which may stem from this or be independent
1. Showing this error message on restarting the service:
EXAMPLE-COM...[29/May/2013:05:30:58 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's
certificate issuer has been marked as not trusted by the user.)
2. This is on an AWS machine, and when I rebooted the internal IP of the
machine changed. I'm not sure if there are values in the Directory Server that
would have that internal IP in there which would cause a problem. The external
IP and DNS have stayed the same and I've tried to have all install values match
the external IP or external name for this exact reason.
3. The named service will no longer start, here are the errors getting put in
May 29 05:31:01 ip-10-1-3-5 named: sizing zone task pool based on 6 zones
May 29 05:31:01 ip-10-1-3-5 named: /etc/named.conf:12: no forwarders
seen; disabling forwarding
May 29 05:31:01 ip-10-1-3-5 named: set up managed keys zone for view
_default, file 'dynamic/managed-keys.bind'
May 29 05:31:19 ip-10-1-3-5 named: Failed to init credentials (Cannot
contact any KDC for realm 'EXAMPLE.COM')
May 29 05:31:19 ip-10-1-3-5 named: loading configuration: failure
May 29 05:31:19 ip-10-1-3-5 named: exiting (due to fatal error)
Any help in a right direction or theory to a right direction would be much
Problems 2 and 3 might be caused by an incorrect IP address in /etc/hosts and IPA
DNS. Please correct the content of /etc/hosts, start IPA and then correct the IP
addresses in IPA DNS.
Freeipa-users mailing list
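A small check along the lines of Petr's advice (does the IP that /etc/hosts assigns to the host's FQDN actually sit on a local interface, as the Kerberos and LDAP libraries will see it?), written as an added example that is not from the thread or the FreeIPA project. It assumes the standard hosts-file format and, for the `--live` mode, Linux `hostname -f` / `hostname -I`; the embedded sample data is constructed to reproduce the EC2 external-IP mistake discussed above.

```shell
#!/bin/sh
# Added example: verify that the /etc/hosts entry for this host resolves to an
# IP that is really configured on a local interface (internal EC2 IP), not the
# external/elastic one. Assumptions: standard hosts-file syntax; Linux hostname(1).

# Print the IPv4 address a hosts-file text maps to a hostname (first match),
# ignoring comment lines and trailing comments. $1 = hosts text, $2 = name.
hosts_ip_for() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        { sub(/#.*/, "")
          for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# Return 0 if address $1 appears in the whitespace-separated local-IP list $2.
ip_is_local() {
    for a in $2; do [ "$a" = "$1" ] && return 0; done
    return 1
}

# Classify the hosts entry for name $2: "ok" (maps to a local IP), "external"
# (maps to an IP that is on no local interface) or "missing" (no entry at all).
check_hosts_entry() {
    addr=$(hosts_ip_for "$1" "$2")
    [ -n "$addr" ] || { echo missing; return 0; }
    if ip_is_local "$addr" "$3"; then echo ok; else echo external; fi
}

# Constructed sample: an EC2-style host whose /etc/hosts points at the public
# IP shown in the console, while the instance only has the 10.x address locally.
SAMPLE_HOSTS='127.0.0.1 localhost
# public IP copied from the EC2 console - the mistake the thread warns about
203.0.113.10 ipa.example.com ipa'
SAMPLE_LOCAL_IPS='127.0.0.1 10.1.3.5'

if [ "${1:-}" = "--live" ]; then
    # Real system check (Linux): hostname -f gives the FQDN, hostname -I the local IPs.
    result=$(check_hosts_entry "$(cat /etc/hosts)" "$(hostname -f)" "$(hostname -I)")
else
    result=$(check_hosts_entry "$SAMPLE_HOSTS" ipa.example.com "$SAMPLE_LOCAL_IPS")
fi
echo "/etc/hosts entry for this host: $result"   # sample data prints "external"
```

Run with `--live` on the IPA server itself; anything other than `ok` means named and the Kerberos libraries will be handed an address that is not on a local interface.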