Hi Petr,

Thanks for your help the other day.

Something is bringing down my master instance.

I am seeing a mismatch on master:

[root@master init.d]# kvno DNS/master.domain....@domain.com
DNS/master.domain....@domain.com: kvno = 8
[root@master init.d]# klist -kt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  33 08/20/14 16:41:42 DNS/master.domain....@domain.com
  33 08/20/14 16:41:42 DNS/master.domain....@domain.com
  33 08/20/14 16:41:42 DNS/master.domain....@domain.com
  33 08/20/14 16:41:42 DNS/master.domain....@domain.com
  34 08/20/14 16:53:29 DNS/master.domain....@domain.com
  34 08/20/14 16:53:29 DNS/master.domain....@domain.com
  34 08/20/14 16:53:29 DNS/master.domain....@domain.com
  34 08/20/14 16:53:29 DNS/master.domain....@domain.com
  35 08/20/14 16:59:37 DNS/master.domain....@domain.com
  35 08/20/14 16:59:37 DNS/master.domain....@domain.com
  35 08/20/14 16:59:37 DNS/master.domain....@domain.com
  35 08/20/14 16:59:37 DNS/master.domain....@domain.com
  38 08/20/14 17:02:30 DNS/master.domain....@domain.com
  38 08/20/14 17:02:30 DNS/master.domain....@domain.com
  38 08/20/14 17:02:30 DNS/master.domain....@domain.com
  38 08/20/14 17:02:30 DNS/master.domain....@domain.com
  41 08/20/14 17:07:45 DNS/master.domain....@domain.com
  41 08/20/14 17:07:45 DNS/master.domain....@domain.com
  41 08/20/14 17:07:45 DNS/master.domain....@domain.com
  41 08/20/14 17:07:45 DNS/master.domain....@domain.com
  42 08/20/14 17:13:17 DNS/master.domain....@domain.com
  42 08/20/14 17:13:17 DNS/master.domain....@domain.com
  42 08/20/14 17:13:17 DNS/master.domain....@domain.com
  42 08/20/14 17:13:17 DNS/master.domain....@domain.com
  45 08/20/14 17:20:34 DNS/master.domain....@domain.com
  45 08/20/14 17:20:34 DNS/master.domain....@domain.com
  45 08/20/14 17:20:34 DNS/master.domain....@domain.com
  45 08/20/14 17:20:34 DNS/master.domain....@domain.com
  46 08/20/14 17:35:00 DNS/master.domain....@domain.com
  46 08/20/14 17:35:00 DNS/master.domain....@domain.com
  46 08/20/14 17:35:00 DNS/master.domain....@domain.com
  46 08/20/14 17:35:00 DNS/master.domain....@domain.com
  47 08/20/14 17:37:43 DNS/master.domain....@domain.com
  47 08/20/14 17:37:43 DNS/master.domain....@domain.com
  47 08/20/14 17:37:43 DNS/master.domain....@domain.com
  47 08/20/14 17:37:43 DNS/master.domain....@domain.com
  48 08/20/14 17:41:42 DNS/master.domain....@domain.com
  48 08/20/14 17:41:42 DNS/master.domain....@domain.com
  48 08/20/14 17:41:42 DNS/master.domain....@domain.com
  48 08/20/14 17:41:42 DNS/master.domain....@domain.com
  49 08/20/14 17:43:43 DNS/master.domain....@domain.com
  49 08/20/14 17:43:44 DNS/master.domain....@domain.com
  49 08/20/14 17:43:44 DNS/master.domain....@domain.com
  49 08/20/14 17:43:44 DNS/master.domain....@domain.com
[root@master init.d]# 


Also, here is the output from /var/log/messages whilst trying to ipactl start:



[root@master init.d]# sudo ipactl start
Starting Directory Service
Starting dirsrv: 
    domain-COM...                                   [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting DNS Service
Starting named: 2014-08-20T18:00:22.098747+10:00 master named[20827]: starting 
BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 -u named
2014-08-20T18:00:22.099552+10:00 master named[20827]: built with 
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' 
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' 
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' 
'--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' 
'--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' 
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' 
'--with-gssapi=yes' '--disable-isc-spnego' 
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= 
-DDIG_SIGCHASE'
2014-08-20T18:00:22.099633+10:00 master named[20827]: 
----------------------------------------------------
2014-08-20T18:00:22.099688+10:00 master named[20827]: BIND 9 is maintained by 
Internet Systems Consortium,
2014-08-20T18:00:22.099750+10:00 master named[20827]: Inc. (ISC), a non-profit 
501(c)(3) public-benefit 
2014-08-20T18:00:22.099803+10:00 master named[20827]: corporation.  Support and 
training for BIND 9 are 
2014-08-20T18:00:22.099864+10:00 master named[20827]: available at 
https://www.isc.org/support
2014-08-20T18:00:22.099925+10:00 master named[20827]: 
----------------------------------------------------
2014-08-20T18:00:22.099998+10:00 master named[20827]: adjusted limit on open 
files from 62000 to 1048576
2014-08-20T18:00:22.100207+10:00 master named[20827]: found 1 CPU, using 1 
worker thread
2014-08-20T18:00:22.100484+10:00 master named[20827]: using up to 4096 sockets
2014-08-20T18:00:22.103796+10:00 master named[20827]: loading configuration 
from '/etc/named.conf'
2014-08-20T18:00:22.104495+10:00 master named[20827]: using default UDP/IPv4 
port range: [1024, 65535]
2014-08-20T18:00:22.104728+10:00 master named[20827]: using default UDP/IPv6 
port range: [1024, 65535]
2014-08-20T18:00:22.106090+10:00 master named[20827]: listening on IPv6 
interfaces, port 53
2014-08-20T18:00:22.108167+10:00 master named[20827]: listening on IPv4 
interface lo, 127.0.0.1#53
2014-08-20T18:00:22.108571+10:00 master named[20827]: listening on IPv4 
interface eth0, 10.3.11.16#53
2014-08-20T18:00:22.109760+10:00 master named[20827]: generating session key 
for dynamic DNS
2014-08-20T18:00:22.109997+10:00 master named[20827]: sizing zone task pool 
based on 5 zones
2014-08-20T18:00:22.112660+10:00 master named[20827]: set up managed keys zone 
for view _default, file 'dynamic/managed-keys.bind'
2014-08-20T18:00:22.129607+10:00 master named[20827]: Failed to init 
credentials (Generic preauthentication failure)
2014-08-20T18:00:22.130031+10:00 master named[20827]: loading configuration: 
failure
2014-08-20T18:00:22.130285+10:00 master named[20827]: exiting (due to fatal 
error)
                                                           [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server: 2014-08-20T18:00:23.833115+10:00 master 
ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (Server krbtgt/localdom...@domain.com not found in Kerberos 
database)
                                                           [  OK  ]
Stopping named:                                            [  OK  ]
Stopping httpd:                                            [FAILED]
Stopping pki-ca:                                           [  OK  ]
Shutting down dirsrv: 
    domain-COM...                                   [  OK  ]
    PKI-IPA...                                             [  OK  ]
Aborting ipactl
[root@master init.d]# 

However, there is still a mismatch when I try to get the keytab from the secondary using the command
ipa-getkeytab -s secondary.domain.com -p DNS/master.domain....@domain.com -k /etc/named.keytab

I am unable to regenerate the keytab on the master as LDAP is not running.


Any ideas?


Thank you,

Peter.


> On 15 Aug 2014, at 5:10 pm, Petr Spacek <pspa...@redhat.com> wrote:
> 
> Hello,
> 
> On 15.8.2014 03:52, Peter Grant wrote:
>> 2014-08-15T11:43:46.434383+10:00 host named[6470]: Failed to init 
>> credentials (Decrypt integrity check failed)
>> 
>> 2014-08-15T11:43:46.434884+10:00 host named[6470]: loading configuration: 
>> failure
>> 
>> 2014-08-15T11:43:46.434991+10:00 host named[6470]: exiting (due to fatal 
>> error)
>> 
>> 2014-08-15T11:43:47.435187+10:00 host ns-slapd: GSSAPI Error: Unspecified 
>> GSS failure.  Minor code may provide more information (Cannot contact any 
>> KDC for realm ‘DOMAIN.COM')
> 
> For named issue please follow instructions on
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked
> 
> It seems that /etc/named.keytab is somehow corrupted or obsolete.
> 
> Also, KDC logs in /var/log/krb5kdc.log can tell you more.
> 
> I hope that others will add ideas about other errors.
> 
> -- 
> Petr^2 Spacek
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
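
A check for the mismatch described in the message above, as an added example that is not part of the original post: it compares the KVNO reported by `kvno` with the KVNOs listed by `klist -kt` for the same principal. The function names, the placeholder principal and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): does the keytab hold the key version
# (KVNO) that the KDC currently reports for a principal?

# Extract N from `kvno <principal>` output of the form "<principal>: kvno = N".
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# List the distinct KVNOs held for principal $1 in `klist -kt` output (stdin).
keytab_kvnos() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ && !seen[$1]++ { print $1 }'
}

# check_kvno PRINCIPAL KVNO_OUTPUT KLIST_OUTPUT
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 on unparsable input.
check_kvno() {
    princ=$1
    kdc=$(printf '%s\n' "$2" | kdc_kvno)
    held=$(printf '%s\n' "$3" | keytab_kvnos "$princ" | tr '\n' ' ')
    held=${held% }
    if [ -z "$kdc" ] || [ -z "$held" ]; then
        echo "unknown: could not parse input for $princ"; return 2
    fi
    case " $held " in
        *" $kdc "*) echo "match: keytab holds KDC kvno $kdc"; return 0 ;;
    esac
    echo "mismatch: KDC kvno=$kdc, keytab kvnos=$held"; return 1
}

# Constructed sample input, shaped like the output quoted in the message;
# the principal is a placeholder, not a value from the thread.
SAMPLE_PRINC='DNS/host.example.test@EXAMPLE.TEST'
SAMPLE_KVNO="$SAMPLE_PRINC: kvno = 8"
SAMPLE_KLIST='Keytab name: FILE:/etc/named.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------
  48 08/20/14 17:41:42 DNS/host.example.test@EXAMPLE.TEST
  48 08/20/14 17:41:42 DNS/host.example.test@EXAMPLE.TEST
  49 08/20/14 17:43:43 DNS/host.example.test@EXAMPLE.TEST'

check_kvno "$SAMPLE_PRINC" "$SAMPLE_KVNO" "$SAMPLE_KLIST" || true
# Live use: check_kvno "$p" "$(kvno "$p")" "$(klist -kt /etc/named.keytab)"
```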

