On 20.8.2014 10:02, Peter Grant wrote:
Hi Petr,
Thanks for your help the other day.
Something is bringing down my master instance.
I am seeing a mismatch on master:
[root@master init.d]# kvno DNS/[email protected]
DNS/[email protected]: kvno = 8
[root@master init.d]# klist -kt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
33 08/20/14 16:41:42 DNS/[email protected]
33 08/20/14 16:41:42 DNS/[email protected]
33 08/20/14 16:41:42 DNS/[email protected]
33 08/20/14 16:41:42 DNS/[email protected]
34 08/20/14 16:53:29 DNS/[email protected]
34 08/20/14 16:53:29 DNS/[email protected]
34 08/20/14 16:53:29 DNS/[email protected]
34 08/20/14 16:53:29 DNS/[email protected]
35 08/20/14 16:59:37 DNS/[email protected]
35 08/20/14 16:59:37 DNS/[email protected]
35 08/20/14 16:59:37 DNS/[email protected]
35 08/20/14 16:59:37 DNS/[email protected]
38 08/20/14 17:02:30 DNS/[email protected]
38 08/20/14 17:02:30 DNS/[email protected]
38 08/20/14 17:02:30 DNS/[email protected]
38 08/20/14 17:02:30 DNS/[email protected]
41 08/20/14 17:07:45 DNS/[email protected]
41 08/20/14 17:07:45 DNS/[email protected]
41 08/20/14 17:07:45 DNS/[email protected]
41 08/20/14 17:07:45 DNS/[email protected]
42 08/20/14 17:13:17 DNS/[email protected]
42 08/20/14 17:13:17 DNS/[email protected]
42 08/20/14 17:13:17 DNS/[email protected]
42 08/20/14 17:13:17 DNS/[email protected]
45 08/20/14 17:20:34 DNS/[email protected]
45 08/20/14 17:20:34 DNS/[email protected]
45 08/20/14 17:20:34 DNS/[email protected]
45 08/20/14 17:20:34 DNS/[email protected]
46 08/20/14 17:35:00 DNS/[email protected]
46 08/20/14 17:35:00 DNS/[email protected]
46 08/20/14 17:35:00 DNS/[email protected]
46 08/20/14 17:35:00 DNS/[email protected]
47 08/20/14 17:37:43 DNS/[email protected]
47 08/20/14 17:37:43 DNS/[email protected]
47 08/20/14 17:37:43 DNS/[email protected]
47 08/20/14 17:37:43 DNS/[email protected]
48 08/20/14 17:41:42 DNS/[email protected]
48 08/20/14 17:41:42 DNS/[email protected]
48 08/20/14 17:41:42 DNS/[email protected]
48 08/20/14 17:41:42 DNS/[email protected]
49 08/20/14 17:43:43 DNS/[email protected]
49 08/20/14 17:43:44 DNS/[email protected]
49 08/20/14 17:43:44 DNS/[email protected]
49 08/20/14 17:43:44 DNS/[email protected]
[root@master init.d]#
Also, here is the output from /var/log/messages whilst trying to ipactl start:
[root@master init.d]# sudo ipactl start
Starting Directory Service
Starting dirsrv:
domain-COM... [ OK ]
PKI-IPA... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting DNS Service
Starting named: 2014-08-20T18:00:22.098747+10:00 master named[20827]: starting
BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 -u named
2014-08-20T18:00:22.099552+10:00 master named[20827]: built with
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic'
'--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes'
'--with-gssapi=yes' '--disable-isc-spnego'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64
-mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
2014-08-20T18:00:22.099633+10:00 master named[20827]:
----------------------------------------------------
2014-08-20T18:00:22.099688+10:00 master named[20827]: BIND 9 is maintained by
Internet Systems Consortium,
2014-08-20T18:00:22.099750+10:00 master named[20827]: Inc. (ISC), a non-profit
501(c)(3) public-benefit
2014-08-20T18:00:22.099803+10:00 master named[20827]: corporation. Support and
training for BIND 9 are
2014-08-20T18:00:22.099864+10:00 master named[20827]: available at
https://www.isc.org/support
2014-08-20T18:00:22.099925+10:00 master named[20827]:
----------------------------------------------------
2014-08-20T18:00:22.099998+10:00 master named[20827]: adjusted limit on open
files from 62000 to 1048576
2014-08-20T18:00:22.100207+10:00 master named[20827]: found 1 CPU, using 1
worker thread
2014-08-20T18:00:22.100484+10:00 master named[20827]: using up to 4096 sockets
2014-08-20T18:00:22.103796+10:00 master named[20827]: loading configuration
from '/etc/named.conf'
2014-08-20T18:00:22.104495+10:00 master named[20827]: using default UDP/IPv4
port range: [1024, 65535]
2014-08-20T18:00:22.104728+10:00 master named[20827]: using default UDP/IPv6
port range: [1024, 65535]
2014-08-20T18:00:22.106090+10:00 master named[20827]: listening on IPv6
interfaces, port 53
2014-08-20T18:00:22.108167+10:00 master named[20827]: listening on IPv4
interface lo, 127.0.0.1#53
2014-08-20T18:00:22.108571+10:00 master named[20827]: listening on IPv4
interface eth0, 10.3.11.16#53
2014-08-20T18:00:22.109760+10:00 master named[20827]: generating session key
for dynamic DNS
2014-08-20T18:00:22.109997+10:00 master named[20827]: sizing zone task pool
based on 5 zones
2014-08-20T18:00:22.112660+10:00 master named[20827]: set up managed keys zone
for view _default, file 'dynamic/managed-keys.bind'
2014-08-20T18:00:22.129607+10:00 master named[20827]: Failed to init
credentials (Generic preauthentication failure)
2014-08-20T18:00:22.130031+10:00 master named[20827]: loading configuration:
failure
2014-08-20T18:00:22.130285+10:00 master named[20827]: exiting (due to fatal
error)
[FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: 2014-08-20T18:00:23.833115+10:00 master
ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server krbtgt/[email protected] not found in Kerberos
database)
This seems to be more serious - I suspect that replication between replicas
doesn't work because replica is not able to authenticate.
The error message is suspicious but I'm not sure that it is not result of
obfuscation. Please try to apply this article to ns-slapd on your broken master:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a2.Serverldapsrv01EXAMPLE.COMnotfoundinKerberosdatabase
Maybe /etc/hosts is somehow misconfigured.
[ OK ]
Stopping named: [ OK ]
Stopping httpd: [FAILED]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
domain-COM... [ OK ]
PKI-IPA... [ OK ]
Aborting ipactl
[root@master init.d]#
However, there is still a mismatch when I try to get the keytab from the secondary using the command
ipa-getkeytab -s secondary.domain.com -p DNS/[email protected] -k /etc/named.keytab
Maybe it is caused by broken replication (one KDC has different keys than the
other KDC). I would start with replication problems and focus on named later.
Petr^2 Spacek
I am unable to regenerate the keytab on the master as LDAP is not running.
Any ideas?
Thank you,
Peter.
On 15 Aug 2014, at 5:10 pm, Petr Spacek <[email protected]> wrote:
Hello,
On 15.8.2014 03:52, Peter Grant wrote:
2014-08-15T11:43:46.434383+10:00 host named[6470]: Failed to init credentials
(Decrypt integrity check failed)
2014-08-15T11:43:46.434884+10:00 host named[6470]: loading configuration:
failure
2014-08-15T11:43:46.434991+10:00 host named[6470]: exiting (due to fatal error)
2014-08-15T11:43:47.435187+10:00 host ns-slapd: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Cannot contact any KDC for
realm 'DOMAIN.COM')
For named issue please follow instructions on
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a3.FailedtoinitcredentialsorFailedtogetinitialcredentialsDecryptintegritycheckfailedorClientscredentialshavebeenrevoked
It seems that /etc/named.keytab is somehow corrupted or obsolete.
Also, KDC logs in /var/log/krb5kdc.log can tell you more.
I hope that others will add ideas about other errors.
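As an added example (not code from the thread or from FreeIPA), a small POSIX shell check for the kvno mismatch discussed above: it parses `kvno` and `klist -kt` output and reports whether the key version the KDC currently holds for a principal is present in the keytab at all. The principal, realm and listings below are constructed placeholders modelled on the posted output.

```shell
#!/bin/sh
# Constructed sample output (not the poster's real data), shaped like the
# `kvno` and `klist -kt` listings in the thread; names are placeholders.
PRINCIPAL='DNS/master.example.test@EXAMPLE.TEST'
KVNO_OUT='DNS/master.example.test@EXAMPLE.TEST: kvno = 8'
KLIST_OUT='Keytab name: FILE:/etc/named.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  33 08/20/14 16:41:42 DNS/master.example.test@EXAMPLE.TEST
  49 08/20/14 17:43:43 DNS/master.example.test@EXAMPLE.TEST
  49 08/20/14 17:43:44 DNS/master.example.test@EXAMPLE.TEST'

# Key version the KDC currently holds for $1, taken from kvno(1) output in $2.
# kvno prints "principal: kvno = N", so the number is the fourth field.
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# Distinct key versions stored in the keytab for $1, from `klist -kt` output in $2.
# Data rows start with a numeric KVNO and end with the principal name.
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' \
        | sort -un | xargs
}

# 0 = keytab holds the KDC's current kvno, 1 = mismatch, 2 = principal not in kvno output.
keytab_matches_kdc() {
    k=$(kdc_kvno "$1" "$2")
    [ -n "$k" ] || return 2
    for v in $(keytab_kvnos "$1" "$3"); do
        [ "$v" = "$k" ] && return 0
    done
    return 1
}

# Stand-alone run on the constructed data: the KDC is at kvno 8 while the keytab
# only carries 33 and 49, which is the situation named's "Failed to init
# credentials" points at (keys issued by a KDC that is not the one being asked).
if keytab_matches_kdc "$PRINCIPAL" "$KVNO_OUT" "$KLIST_OUT"; then
    echo "OK: keytab holds the KDC's current kvno"
else
    echo "MISMATCH: KDC kvno $(kdc_kvno "$PRINCIPAL" "$KVNO_OUT") not in keytab" \
         "(keytab has: $(keytab_kvnos "$PRINCIPAL" "$KLIST_OUT"))"
fi
```

On a real host replace the two sample strings with `$(kvno "$PRINCIPAL")` and `$(klist -kt /etc/named.keytab)`; a mismatch against the master but not against a replica is the replication symptom Petr describes.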