Hmm, this is really weird.

It should log message "Initial LDAP dump is done, synchronizing with ODS and
BIND" which is apparently not there. Maybe LDAP server is doing something
weird ...

Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to
ones in the attached file, please?

It should start with log message like
"connection from local to /var/run/slapd-*".
This line will have identifier like "conn=84". We are looking for conn number
(e.g. "conn=84") which is related to BIND DN
"dn="krbprincipalname=ipa-dnskeysyncd/*".

If you find the right conn number, look for other lines containing the same
conn number and operation "SRCH base="cn=dns,*". This SRCH line will have
specific identifier like "conn=84 op=3".

Now you have identifier for particular operation. Look for RESULT line with
the same ID.

How does it look?

Can you copy & paste all the complete lines with the identifier conn=??? you found?

Thanks!
Petr^2 Spacek

On 3.5.2016 13:37, Gary T. Giesen wrote:
> See attached.
> 
> GTG
> 
> -----Original Message-----
> From: Petr Spacek [mailto:pspa...@redhat.com] 
> Sent: May-03-16 7:33 AM
> To: Gary T. Giesen <ggiesen+freeipa-us...@giesen.me>;
> freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> On 3.5.2016 13:28, Gary T. Giesen wrote:
>> 1. Confirmed, it was already set to ISMASTER=1
>>
>> 2. Logs:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Current cookie is: None
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG    LDAP zones: {'203dbe2d-8d9c-1
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: 
>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    New cookie is: host.exa
> 
> The log seems to be truncated. Please attach it as a file to avoid
> truncation and line wrapping problems.
> 
> Thanks
> Petr^2 Spacek
> 
>>
>>
>> 3. # rpm -q ipa-server
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>
>> -----Original Message-----
>> From: freeipa-users-boun...@redhat.com 
>> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
>> Sent: May-03-16 7:08 AM
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> Okay, this is a problem. It should list your zone example.com because 
>> it has DNSSEC signing enabled.
>>
>> Make sure you are working on host.example.com (the host listed by the 
>> ldapsearch above).
>>
>> I would check two things:
>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If 
>> it does not, re-run ipa-dns-install with --dnssec-master option to fix
>> that.
>>
>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and 
>> make sure that it contains line "debug=True" and restart 
>> ipa-dnskeysyncd when you are done with it.
>>
>> The log should be much longer after this change.
>>
>> I hope it will help to identify the root cause.
>>
>> What IPA version do you use?
>> $ rpm -q freeipa-server
>>
>> Petr^2 Spacek
>>
>>
>>
>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had 
>>> no effect. The only log entries I see are:
>>>
>>> # journalctl -u ipa-dnskeysyncd
>>>
>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa         : INFO Signal 15 received: Shutting down!
>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
>>> session memcached servers not running
>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO LDAP bind...
>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 
>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1 
>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1 
>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO Commencing sync process
>>>
>>>
>>>
>>> Can anyone advise on next steps? I've been banging my head against a 
>>> wall for a couple days now and would really appreciate some help.


-- 
Petr^2 Spacek

conn=84 fd=112 slot=112 connection from local to /var/run/slapd-DOM-033-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=84 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=84 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=84 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=84 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=84 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=84 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/vm-033.abc.idm.lab.eng.brq.redhat....@dom-033.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=dom-033,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
conn=84 op=3 SRCH base="cn=dns,dc=dom-033,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
conn=84 op=3 RESULT err=441 tag=121 nentries=0 etime=0
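The three-step access_log walk described in the message above (find the conn whose GSSAPI bind resolved to the ipa-dnskeysyncd principal, find its SRCH on cn=dns, then pair "conn=N op=M" with the RESULT line carrying the same ids), written out as a small Python script. This is an added example, not code from the thread or from FreeIPA; the embedded sample lines are constructed to mirror the attached excerpt (placeholder DNs and socket name, plus an unrelated admin bind on conn=85 for contrast), and the 389-ds line layout it assumes is "optional [timestamp] conn=N op=M ...".

```python
import re
import sys

# Minimal 389-ds access_log parser for the three-step procedure in the thread:
# (1) find the conn whose SASL/GSSAPI bind resolved to the ipa-dnskeysyncd
# service principal, (2) find SRCH operations on that conn with base cn=dns,...,
# (3) pair each SRCH "conn=N op=M" with the RESULT line carrying the same ids.
# Added example for this thread, not FreeIPA's own code.

# Constructed sample lines modelled on the excerpt attached above. DNs and the
# socket name are placeholders; conn=85 is an unrelated simple bind for contrast.
SAMPLE_LOG = """\
conn=84 fd=112 slot=112 connection from local to /var/run/slapd-EXAMPLE-TEST.socket
conn=84 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=84 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=84 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=84 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=84 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=84 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/vm-033.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test"
conn=84 op=3 SRCH base="cn=dns,dc=example,dc=test" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
conn=84 op=3 RESULT err=441 tag=121 nentries=0 etime=0
conn=85 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
conn=85 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
conn=85 op=1 SRCH base="cn=dns,dc=example,dc=test" scope=2 filter="(objectClass=idnsZone)" attrs=ALL
conn=85 op=1 RESULT err=0 tag=101 nentries=3 etime=0
"""

# Optional "[dd/Mon/yyyy:HH:MM:SS +zzzz]" prefix, then conn=N and an optional op=M.
LINE_RE = re.compile(r'^(?:\[[^\]]+\]\s+)?conn=(\d+)\s+(?:op=(\d+)\s+)?(.*)$')


def parse_access_log(text):
    """Yield (conn, op, rest) per log line; op is None for connection-level lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            op = int(m.group(2)) if m.group(2) is not None else None
            yield int(m.group(1)), op, m.group(3)


def find_bound_connections(text, dn_prefix='krbprincipalname=ipa-dnskeysyncd/'):
    """Step 1: conn numbers whose successful BIND RESULT (err=0) reports a dn
    starting with dn_prefix. The intermediate 'SASL bind in progress' RESULT
    lines carry err=14 and no dn, so they are skipped automatically."""
    conns = set()
    for conn, op, rest in parse_access_log(text):
        if op is None or not rest.startswith('RESULT '):
            continue
        m = re.search(r'\berr=(\d+)\b.*\bdn="([^"]*)"', rest)
        if m and m.group(1) == '0' and m.group(2).startswith(dn_prefix):
            conns.add(conn)
    return conns


def dns_searches(text, conns, base_prefix='cn=dns,'):
    """Steps 2 and 3: for the given connections, every SRCH whose base starts
    with base_prefix, paired with the err= code of the RESULT line that has the
    same conn and op. Returns a sorted list of (conn, op, base, err); err is
    None when no RESULT line exists for that operation (e.g. still running)."""
    searches, results = {}, {}
    for conn, op, rest in parse_access_log(text):
        if conn not in conns or op is None:
            continue
        if rest.startswith('SRCH '):
            m = re.search(r'base="([^"]*)"', rest)
            if m and m.group(1).startswith(base_prefix):
                searches[(conn, op)] = m.group(1)
        elif rest.startswith('RESULT '):
            m = re.search(r'\berr=(\d+)', rest)
            if m:
                results[(conn, op)] = int(m.group(1))
    return [(conn, op, base, results.get((conn, op)))
            for (conn, op), base in sorted(searches.items())]


def keysyncd_dns_search_status(text):
    """Run all three steps over one access_log text."""
    return dns_searches(text, find_bound_connections(text))


if __name__ == '__main__':
    # Usage: python3 this_script.py /var/log/dirsrv/*/access*  (defaults to the sample)
    paths = sys.argv[1:]
    text = ''.join(open(p).read() for p in paths) if paths else SAMPLE_LOG
    for conn, op, base, err in keysyncd_dns_search_status(text):
        print('conn=%d op=%d base=%s err=%s' % (conn, op, base, err))
```

Run against the sample, it reports only conn=84 op=3 with err=441, which is exactly the line the message asks for; the admin search on conn=85 is ignored because its bind DN does not match the ipa-dnskeysyncd principal. Pass the real access logs on the command line (the shell expands the glob) and the same pairing is done over rotated files as well.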