Petr, 

Oh, thanks for that webpage!  So now named starts; it was because my 
hostname was ip-10.x.x.x. I then tried to change it to ip-10.x.x.x.ec2.internal 
(the standard FQDN for AWS).   Then I remembered that during setup I had to change 
it to ipa.example.com.   Once I did that it started!  Now I just have the cert 
issue; I'll email back after I gather more of the details around the remaining 
issues I'm having.   Thanks for your help! 

Thanks, 
_____________________________________________________
John Moyer
Director, IT Operations


On May 29, 2013, at 10:24 AM, Petr Spacek <pspa...@redhat.com> wrote:

> On 29.5.2013 15:50, John Moyer wrote:
>>      I changed both the host file (actually did that before emailing) and 
>> now I have changed the DNS manually in LDAP.  I restart ipa and it still 
>> fails on DNS startup.   It says the following (after I manually start 
>> everything else)
>> 
>> May 29 13:16:15 ip- named[9076]: set up managed keys zone for view _default, 
>> file 'dynamic/managed-keys.bind'
>> May 29 13:16:15 ip- named[9076]: GSSAPI Error: Unspecified GSS failure.  
>> Minor code may provide more information (Server 
>> krbtgt/ec2.inter...@example.com not found in Kerberos database)
>> May 29 13:16:15 ip- named[9076]: bind to LDAP server failed: Local error
>> May 29 13:16:15 ip- named[9076]: loading configuration: failure
>> May 29 13:16:15 ip- named[9076]: exiting (due to fatal error)
> 
> The important piece is:
> > Server krbtgt/ec2.inter...@example.com not found in Kerberos database
> 
> Some very basic instructions are at:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> 
> IMHO Kerberos libraries are confused by the crazy network setup inside EC2.
> 
> Does your /etc/krb5.conf point to internal or external name?
> 
> Does your /etc/hosts point to internal or external name?
> 
> I would try to include *internal* IPs in /etc/hosts, because internal IPs are 
> what libraries see on local interfaces.
> 
> Please do the experiments described above and let us know. Also, you can join 
> the #freeipa channel on FreeNode, I will be around for the next hour (at least).
> 
> Petr^2 Spacek
> 
>> On May 29, 2013, at 4:11 AM, Petr Spacek <pspa...@redhat.com> wrote:
>> 
>>> On 29.5.2013 07:42, John Moyer wrote:
>>>> Yea I replaced both certs, however, in my troubleshooting I've found more 
>>>> I'll say symptoms or potential problems, which may stem from this or be 
>>>> independent from it.
>>>> 
>>>> 1. Showing this error message on restarting the service:
>>>>     EXAMPLE-COM...[29/May/2013:05:30:58 +0000] - SSL alert: 
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
>>>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error 
>>>> -8172 - Peer's certificate issuer has been marked as not trusted by the 
>>>> user.)
>>>> 
>>>> 2. This is on an AWS machine, and when I rebooted the internal IP of the 
>>>> machine changed.  I'm not sure if there are values in the Directory Server 
>>>> that would have that internal IP in there which would cause a problem.  
>>>> The external IP and DNS have stayed the same and I've tried to have all 
>>>> install values match the external IP or external name for this exact 
>>>> reason.
>>>> 
>>>> 3. The named service will no longer start, here are the errors getting put 
>>>> in the /var/log/messages
>>>> May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 
>>>> zones
>>>> May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders 
>>>> seen; disabling forwarding
>>>> May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view 
>>>> _default, file 'dynamic/managed-keys.bind'
>>>>  May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials 
>>>> (Cannot contact any KDC for realm 'EXAMPLE.COM')
>>>>  May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure 
>>>> May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)
>>>> 
>>>> Any help in a right direction or theory to a right direction would be much 
>>>> appreciated!
>>> Problems 2 and 3 might be caused by incorrect IP address in /etc/hosts and 
>>> IPA DNS. Please correct content of /etc/hosts, start IPA and then correct 
>>> IP addresses in IPA DNS.
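
The three failure signatures quoted in this thread (the cross-realm krbtgt principal that does not exist, the unreachable KDC, and the LDAP bind failure that follows from either) can be told apart mechanically. The script below is an added example, not code from the thread, from FreeIPA or from bind-dyndb-ldap; its function names, sample log lines, hostname and /etc/hosts content are all constructed, and the principal krbtgt/BAD.SUFFIX@EXAMPLE.COM stands in for whatever principal the library actually requested. It classifies named log lines, pulls the realm out of the missing krbtgt principal (a request for krbtgt/OTHER@LOCAL means the host's domain was mapped to realm OTHER rather than the IPA realm), and checks that the hostname and /etc/hosts agree with the FQDN IPA was installed with, which is what fixed things here.

```shell
#!/bin/sh
# Added example, not code from the thread: offline checks for the failure
# signatures quoted above. Every input is passed in as a string so the
# functions run against constructed data; on a live host you would feed them
# the output of `hostname -f`, /etc/hosts and /var/log/messages instead.

# classify_named_log LOGTEXT
# Prints one keyword per recognised named/bind-dyndb-ldap failure line, in log order.
classify_named_log() {
    printf '%s\n' "$1" | awk '
        /not found in Kerberos database/ { print "principal-missing" }
        /Cannot contact any KDC/         { print "kdc-unreachable" }
        /bind to LDAP server failed/     { print "ldap-bind-failed" }
        /loading configuration: failure/ { print "config-load-failed" }
    '
}

# extract_missing_principal LOGTEXT
# Prints the principal named in a "Server X not found in Kerberos database" line.
extract_missing_principal() {
    printf '%s\n' "$1" |
        sed -n 's/.*(Server \([^ ]*\) not found in Kerberos database).*/\1/p' | head -n 1
}

# realm_from_krbtgt PRINCIPAL
# For a cross-realm request krbtgt/OTHER@LOCAL, prints OTHER: the realm the
# Kerberos library mapped the host's DNS suffix to. When that is not the IPA
# realm, the hostname (or domain_realm in /etc/krb5.conf) is what needs fixing.
realm_from_krbtgt() {
    printf '%s\n' "$1" | sed -n 's|^krbtgt/\([^@]*\)@.*|\1|p'
}

# hostname_ok ACTUAL EXPECTED_FQDN
# 0 only when the kernel hostname is the FQDN IPA was installed with and is
# not one of the EC2 default "ip-..." names.
hostname_ok() {
    case "$1" in
        ip-*) return 1 ;;
    esac
    [ "$1" = "$2" ]
}

# hosts_has_fqdn HOSTSTEXT FQDN IP
# 0 when /etc/hosts maps FQDN to IP, the address the libraries see on a local interface.
hosts_has_fqdn() {
    printf '%s\n' "$1" | awk -v fqdn="$2" -v ip="$3" '
        $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# diagnose LOGTEXT IPA_REALM
# Prints each signature found plus the first thing to check for it.
diagnose() {
    classify_named_log "$1" | while read -r sig; do
        case "$sig" in
            principal-missing)
                p=$(extract_missing_principal "$1")
                printf '%s: host mapped to realm %s, IPA realm is %s; check hostname and /etc/krb5.conf\n' \
                    "$sig" "$(realm_from_krbtgt "$p")" "$2" ;;
            kdc-unreachable)
                printf '%s: KDC not resolvable or reachable; check /etc/hosts and IPA DNS after an IP change\n' "$sig" ;;
            ldap-bind-failed|config-load-failed)
                printf '%s: consequence of the Kerberos failure above\n' "$sig" ;;
        esac
    done
}

# Constructed sample data, modelled on (not copied from) the lines in the thread.
SAMPLE_LOG_PRINCIPAL='May 29 13:16:15 ip- named[9076]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/BAD.SUFFIX@EXAMPLE.COM not found in Kerberos database)
May 29 13:16:15 ip- named[9076]: bind to LDAP server failed: Local error
May 29 13:16:15 ip- named[9076]: loading configuration: failure
May 29 13:16:15 ip- named[9076]: exiting (due to fatal error)'

SAMPLE_LOG_KDC="May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials (Cannot contact any KDC for realm 'EXAMPLE.COM')
May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure
May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)"

# Constructed /etc/hosts: the internal interface address mapped to the IPA FQDN.
SAMPLE_HOSTS='127.0.0.1   localhost
10.1.3.5    ipa.example.com ipa'

diagnose "$SAMPLE_LOG_PRINCIPAL" EXAMPLE.COM
diagnose "$SAMPLE_LOG_KDC" EXAMPLE.COM
hostname_ok ip-10-1-3-5 ipa.example.com || echo "hostname is still the EC2 default"
hosts_has_fqdn "$SAMPLE_HOSTS" ipa.example.com 10.1.3.5 && echo "/etc/hosts maps ipa.example.com to 10.1.3.5"
```

On a real server the same functions would be called as `diagnose "$(grep named /var/log/messages)" EXAMPLE.COM`, `hostname_ok "$(hostname -f)" ipa.example.com` and `hosts_has_fqdn "$(cat /etc/hosts)" ipa.example.com <interface address>`; the point of keeping the inputs as arguments is that the checks can be rerun after every hostname or IP change without touching the host.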


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
