Hi Petr,

Thanks for your help the other day.

Something is bringing down my master instance. I am seeing a mismatch on master:

[root@master init.d]# kvno DNS/master.domain....@domain.com
DNS/master.domain....@domain.com: kvno = 8
[root@master init.d]# klist -kt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  33 08/20/14 16:41:42 DNS/master.domain....@domain.com
  33 08/20/14 16:41:42 DNS/master.domain....@domain.com
  33 08/20/14 16:41:42 DNS/master.domain....@domain.com
  33 08/20/14 16:41:42 DNS/master.domain....@domain.com
  34 08/20/14 16:53:29 DNS/master.domain....@domain.com
  34 08/20/14 16:53:29 DNS/master.domain....@domain.com
  34 08/20/14 16:53:29 DNS/master.domain....@domain.com
  34 08/20/14 16:53:29 DNS/master.domain....@domain.com
  35 08/20/14 16:59:37 DNS/master.domain....@domain.com
  35 08/20/14 16:59:37 DNS/master.domain....@domain.com
  35 08/20/14 16:59:37 DNS/master.domain....@domain.com
  35 08/20/14 16:59:37 DNS/master.domain....@domain.com
  38 08/20/14 17:02:30 DNS/master.domain....@domain.com
  38 08/20/14 17:02:30 DNS/master.domain....@domain.com
  38 08/20/14 17:02:30 DNS/master.domain....@domain.com
  38 08/20/14 17:02:30 DNS/master.domain....@domain.com
  41 08/20/14 17:07:45 DNS/master.domain....@domain.com
  41 08/20/14 17:07:45 DNS/master.domain....@domain.com
  41 08/20/14 17:07:45 DNS/master.domain....@domain.com
  41 08/20/14 17:07:45 DNS/master.domain....@domain.com
  42 08/20/14 17:13:17 DNS/master.domain....@domain.com
  42 08/20/14 17:13:17 DNS/master.domain....@domain.com
  42 08/20/14 17:13:17 DNS/master.domain....@domain.com
  42 08/20/14 17:13:17 DNS/master.domain....@domain.com
  45 08/20/14 17:20:34 DNS/master.domain....@domain.com
  45 08/20/14 17:20:34 DNS/master.domain....@domain.com
  45 08/20/14 17:20:34 DNS/master.domain....@domain.com
  45 08/20/14 17:20:34 DNS/master.domain....@domain.com
  46 08/20/14 17:35:00 DNS/master.domain....@domain.com
  46 08/20/14 17:35:00 DNS/master.domain....@domain.com
  46 08/20/14 17:35:00 DNS/master.domain....@domain.com
  46 08/20/14 17:35:00 DNS/master.domain....@domain.com
  47 08/20/14 17:37:43 DNS/master.domain....@domain.com
  47 08/20/14 17:37:43 DNS/master.domain....@domain.com
  47 08/20/14 17:37:43 DNS/master.domain....@domain.com
  47 08/20/14 17:37:43 DNS/master.domain....@domain.com
  48 08/20/14 17:41:42 DNS/master.domain....@domain.com
  48 08/20/14 17:41:42 DNS/master.domain....@domain.com
  48 08/20/14 17:41:42 DNS/master.domain....@domain.com
  48 08/20/14 17:41:42 DNS/master.domain....@domain.com
  49 08/20/14 17:43:43 DNS/master.domain....@domain.com
  49 08/20/14 17:43:44 DNS/master.domain....@domain.com
  49 08/20/14 17:43:44 DNS/master.domain....@domain.com
  49 08/20/14 17:43:44 DNS/master.domain....@domain.com
[root@master init.d]#

Also, here is the output from /var/log/messages whilst trying to ipactl start:

[root@master init.d]# sudo ipactl start
Starting Directory Service
Starting dirsrv:
    domain-COM... [ OK ]
    PKI-IPA... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting DNS Service
Starting named:
2014-08-20T18:00:22.098747+10:00 master named[20827]: starting BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 -u named
2014-08-20T18:00:22.099552+10:00 master named[20827]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
2014-08-20T18:00:22.099633+10:00 master named[20827]: ----------------------------------------------------
2014-08-20T18:00:22.099688+10:00 master named[20827]: BIND 9 is maintained by Internet Systems Consortium,
2014-08-20T18:00:22.099750+10:00 master named[20827]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
2014-08-20T18:00:22.099803+10:00 master named[20827]: corporation. Support and training for BIND 9 are
2014-08-20T18:00:22.099864+10:00 master named[20827]: available at https://www.isc.org/support
2014-08-20T18:00:22.099925+10:00 master named[20827]: ----------------------------------------------------
2014-08-20T18:00:22.099998+10:00 master named[20827]: adjusted limit on open files from 62000 to 1048576
2014-08-20T18:00:22.100207+10:00 master named[20827]: found 1 CPU, using 1 worker thread
2014-08-20T18:00:22.100484+10:00 master named[20827]: using up to 4096 sockets
2014-08-20T18:00:22.103796+10:00 master named[20827]: loading configuration from '/etc/named.conf'
2014-08-20T18:00:22.104495+10:00 master named[20827]: using default UDP/IPv4 port range: [1024, 65535]
2014-08-20T18:00:22.104728+10:00 master named[20827]: using default UDP/IPv6 port range: [1024, 65535]
2014-08-20T18:00:22.106090+10:00 master named[20827]: listening on IPv6 interfaces, port 53
2014-08-20T18:00:22.108167+10:00 master named[20827]: listening on IPv4 interface lo, 127.0.0.1#53
2014-08-20T18:00:22.108571+10:00 master named[20827]: listening on IPv4 interface eth0, 10.3.11.16#53
2014-08-20T18:00:22.109760+10:00 master named[20827]: generating session key for dynamic DNS
2014-08-20T18:00:22.109997+10:00 master named[20827]: sizing zone task pool based on 5 zones
2014-08-20T18:00:22.112660+10:00 master named[20827]: set up managed keys zone for view _default, file 'dynamic/managed-keys.bind'
2014-08-20T18:00:22.129607+10:00 master named[20827]: Failed to init credentials (Generic preauthentication failure)
2014-08-20T18:00:22.130031+10:00 master named[20827]: loading configuration: failure
2014-08-20T18:00:22.130285+10:00 master named[20827]: exiting (due to fatal error)
[FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server:
2014-08-20T18:00:23.833115+10:00 master ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/localdom...@domain.com not found in Kerberos database)
[ OK ]
Stopping named: [ OK ]
Stopping httpd: [FAILED]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
    domain-COM... [ OK ]
    PKI-IPA... [ OK ]
Aborting ipactl
[root@master init.d]#

However, there is still a mismatch when I try to get the keytab from the secondary using the command

ipa-getkeytab -s secondary.domain.com -p DNS/master.domain....@domain.com -k /etc/named.keytab

I am unable to regenerate the keytab on the master as LDAP is not running.

Any ideas?

Thank you,
Peter.

> On 15 Aug 2014, at 5:10 pm, Petr Spacek <pspa...@redhat.com> wrote:
>
> Hello,
>
> On 15.8.2014 03:52, Peter Grant wrote:
>> 2014-08-15T11:43:46.434383+10:00 host named[6470]: Failed to init
>> credentials (Decrypt integrity check failed)
>>
>> 2014-08-15T11:43:46.434884+10:00 host named[6470]: loading configuration:
>> failure
>>
>> 2014-08-15T11:43:46.434991+10:00 host named[6470]: exiting (due to fatal
>> error)
>>
>> 2014-08-15T11:43:47.435187+10:00 host ns-slapd: GSSAPI Error: Unspecified
>> GSS failure. Minor code may provide more information (Cannot contact any
>> KDC for realm ‘DOMAIN.COM')
>
> For named issue please follow instructions on
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked
>
> It seems that /etc/named.keytab is somehow corrupted or obsolete.
>
> Also, KDC logs in /var/log/krb5kdc.log can tell you more.
>
> I hope that others will add ideas about other errors.
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
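
A check for the key version mismatch reported in the message above, as an added example that is not part of the original thread: it parses `kvno` and `klist -kt` output and reports whether the newest keytab entry for a principal matches the version the KDC reports. The principal and sample output are constructed, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Sample output is constructed; the
# principal is a placeholder and the function names are hypothetical.
PRINC='DNS/host.example.test@EXAMPLE.TEST'
SAMPLE_KVNO="$PRINC: kvno = 8"
SAMPLE_KLIST="Keytab name: FILE:/etc/named.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------
  48 08/20/14 17:41:42 $PRINC
  48 08/20/14 17:41:42 $PRINC
  49 08/20/14 17:43:44 $PRINC
  60 08/20/14 17:50:00 host/other.example.test@EXAMPLE.TEST"

# KDC side: extract N from "<principal>: kvno = N" (output of `kvno <principal>`).
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Keytab side: distinct kvnos stored for principal $1 in `klist -kt` output,
# sorted ascending (a kvno normally appears once per encryption type).
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' | sort -n -u
}

# Compare the KDC kvno ($1) with the newest keytab kvno (last line of $2).
# Prints one of: match | keytab-behind | keytab-ahead | missing
compare_kvno() (
    kdc=$1
    newest=$(printf '%s\n' "$2" | tail -n 1)
    if [ -z "$kdc" ] || [ -z "$newest" ]; then echo missing
    elif [ "$newest" -eq "$kdc" ]; then echo match
    elif [ "$newest" -lt "$kdc" ]; then echo keytab-behind
    else echo keytab-ahead
    fi
)

# On a live host, pipe the real commands in place of the samples:
#   kvno "$PRINC" | kdc_kvno
#   klist -kt /etc/named.keytab | keytab_kvnos "$PRINC"
kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$PRINC")
echo "KDC kvno=$kdc keytab kvnos=$(echo $kt) verdict=$(compare_kvno "$kdc" "$kt")"
```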