On 04.01.2017 22:21, Jeff Goddard wrote:
I don't want to hijack someone else's thread but I'm having what appears to be the same problem and have not seen a solution presented yet.

Here is the output of journalctl -xe after having tried to start named:

Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit named-pkcs11.service has failed.
--
-- The result is failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit named-pkcs11.service entered failed state.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy

Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep ipa-dnskeysyncdcat:

[04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
[04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"

My environment:
Freeipa 4.2.0
OS is Centos 7.2

This is a secondary replica (master) and the other replica can be pinged but nslookup and dig fail to provide results even though the values are in the /etc/hosts file:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.72.100.16 id-management-1.internal.emerlyn.com
10.73.100.31 id-management-2.internal.emerlyn.com


Any assistance in solving this would be greatly appreciated, and thanks for both the great product and the support already provided.

Jeff

Hello,

What does the /etc/sysconfig/dirsrv file contain?

Can you kinit as DNS?

kinit -kt /etc/named.keytab DNS/$HOSTNAME

Martin^2
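The check Martin asks for, written out as a script. This is an added example and not part of the thread or of FreeIPA itself. It assumes (my assumptions, not stated on the page) that named-pkcs11 takes its keytab from KRB5_KTNAME in /etc/sysconfig/named with /etc/named.keytab as the default, that the service principal is DNS/<fqdn>@REALM where <fqdn> is what `hostname -f` returns, and that the local 389-ds answers plain LDAP on the host name; the `SAMPLE_LISTING` is constructed `klist -kt` output so the parsing helpers can be exercised without a real keytab.

```shell
#!/bin/sh
# Added example (not from the thread): verify the keytab that named-pkcs11
# uses for its SASL/GSSAPI bind to 389-ds, then reproduce the bind by hand.
# Assumptions: KRB5_KTNAME in /etc/sysconfig/named (default /etc/named.keytab),
# principal DNS/$(hostname -f)@REALM, 389-ds reachable as ldap://$(hostname -f).
# Usage: . ./named-gssapi-check.sh && check_named_gssapi

# keytab_from_sysconfig FILE
# Print the KRB5_KTNAME value set in FILE (quotes stripped), or the default.
keytab_from_sysconfig() {
    kt=$(sed -n 's/^[[:space:]]*KRB5_KTNAME=//p' "$1" 2>/dev/null | tr -d '"\047' | tail -n 1)
    printf '%s\n' "${kt:-/etc/named.keytab}"
}

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text of `klist -kt KEYTAB`; PRINCIPAL may omit the @REALM.
# Returns 0 if some entry's principal matches, 1 otherwise.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF == p || index($NF, p "@") == 1 { found = 1 }
        END { exit !found }'
}

# keytab_kvno LISTING PRINCIPAL
# Print the highest key version number stored for PRINCIPAL (0 if absent).
# Compare it with `kvno PRINCIPAL` against the KDC: if the keytab is behind,
# the stored key is stale and every GSSAPI bind fails with bad credentials.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        ($NF == p || index($NF, p "@") == 1) && ($1 + 0) > max { max = $1 + 0 }
        END { print max + 0 }'
}

# Constructed sample of `klist -kt` output (not taken from the thread).
SAMPLE_LISTING='Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/04/2017 15:00:00 DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM'

# check_named_gssapi [SYSCONFIG]
# Live diagnostic: locate the keytab, confirm the DNS principal is in it,
# kinit into a throwaway cache, then do the same GSSAPI bind bind-dyndb-ldap
# does. Needs krb5-workstation and openldap-clients; run as root.
check_named_gssapi() {
    kt=$(keytab_from_sysconfig "${1:-/etc/sysconfig/named}")
    princ="DNS/$(hostname -f)"
    [ -r "$kt" ] || { echo "keytab $kt is missing or unreadable" >&2; return 2; }
    ls -l "$kt"                       # must be readable by the named user
    listing=$(klist -kt "$kt") || return 2
    if ! keytab_has_principal "$listing" "$princ"; then
        echo "$princ is not in $kt" >&2
        return 3
    fi
    echo "keytab kvno for $princ: $(keytab_kvno "$listing" "$princ")"
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    kinit -kt "$kt" "$princ" || { rm -f "${KRB5CCNAME#FILE:}"; return 4; }
    # "Invalid credentials" here reproduces the journal failure above without
    # restarting named-pkcs11; adjust -H to the uri from the dynamic-db stanza
    # in /etc/named.conf if it uses an ldapi:// socket instead.
    ldapsearch -Y GSSAPI -H "ldap://$(hostname -f)" -b "" -s base "(objectClass=*)" namingContexts
    rc=$?
    kdestroy; rm -f "${KRB5CCNAME#FILE:}"
    return $rc
}
```

The parsing helpers are kept separate from the live commands so the principal and kvno checks can be run against saved `klist -kt` output from another host; the live function is what you run on the failing replica, and its return code tells you which step broke (keytab missing, principal absent, kinit refused, or the LDAP bind itself rejected).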

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project