Hello,

could you check this link https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed

kinit prints nothing when it works, so it works in your case. Can you, after kinit as the DNS service, try to use ldapsearch -Y GSSAPI?


Martin



On 05.01.2017 14:58, Jeff Goddard wrote:

---------- Forwarded message ----------
From: Jeff Goddard <jgodd...@emerlyn.com>
Date: Thu, Jan 5, 2017 at 8:57 AM
Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}
To: Martin Basti <mba...@redhat.com>




On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti <mba...@redhat.com> wrote:



    On 04.01.2017 22:21, Jeff Goddard wrote:
    I don't want to hijack someone else's thread but I'm having what
    appears to be the same problem and have not seen a solution
    presented yet.

    Here is the output of journalctl -xe after having tried to start
    named:

    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
    -- Subject: Unit named-pkcs11.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit named-pkcs11.service has failed.
    --
    -- The result is failed.
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit named-pkcs11.service entered failed state.
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service failed.
    Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy

    Here are the last four entries of /var/log/dirsrv/slapd-*/access
    |grep ipa-dnskeysyncdcat:

    [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
    [04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
    [04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
    [04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
    [04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"

    My environment:
    Freeipa 4.2.0
    OS is Centos 7.2

    This is a secondary replica (master) and the other replica can be
    pinged but nslookup and dig fail to provide results even though
    the values are in the /etc/hosts file:

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    10.72.100.16 id-management-1.internal.emerlyn.com
    10.73.100.31 id-management-2.internal.emerlyn.com


    Any assistance in solving this would be greatly appreciated,
    and thanks for both the great product and the support already
    provided.

    Jeff





    Hello,

    What does the /etc/sysconfig/dirsrv file contain?

    Can you kinit as DNS?

    kinit -kt /etc/named.keytab DNS/$HOSTNAME

    Martin^2

The kinit -kt /etc/named.keytab DNS/$HOSTNAME command returns nothing.
Here is the requested file output:

# This file is sourced by dirsrv upon startup to set
# the default environment for all directory server instances.
# To set instance specific defaults, use the file in the same
# directory called dirsrv-instance where "instance"
# is the name of your directory server instance e.g.
# dirsrv-localhost for the slapd-localhost instance.

# This file is in systemd EnvironmentFile format - see man systemd.exec

# In order to make more file descriptors available
# to the directory server, first make sure the system
# hard limits are raised, then use ulimit - uncomment
# out the following line and change the value to the
# desired value
# ulimit -n 8192
# note - if using systemd, ulimit won't work -  you must edit
# the systemd unit file for directory server to add the
# LimitNOFILE option - see man systemd.exec for more info

# A per instance keytab does not make much sense for servers.
# Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there
# is nothing that can make a client understand how to get a per-instance ticket.
# Therefore by default a keytab should be considered a per server option.

# Also this file is sourced for all instances, so again all
# instances would ultimately get the same keytab.

# Finally a keytab is normally named either krb5.keytab or <service>.keytab

# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
# if using systemd, omit the "; export VARNAME" at the end

# how many seconds to wait for the startpid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#STARTPID_TIME=10 ; export STARTPID_TIME
# how many seconds to wait for the pid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#PID_TIME=600 ; export PID_TIME
KRB5CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab

I tried to re-install (ipa-dns-install) and here is the install log. I highlighted in red below where I think the problem may be coming from.

2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
2017-01-05T13:13:47Z DEBUG   [4/8]: setting up kerberos principal
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.

2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com; defaulting to no policy
add_principal: Principal or policy already exists while creating "DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com".

2017-01-05T13:13:47Z DEBUG Backing up system configuration file '/etc/named.keytab'
2017-01-05T13:13:47Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/named.keytab.

2017-01-05T13:13:47Z DEBUG stderr=
2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
2017-01-05T13:13:47Z DEBUG   [5/8]: setting up named.conf
2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG   duration: 0 seconds
2017-01-05T13:13:47Z DEBUG   [6/8]: setting up server configuration
2017-01-05T13:13:47Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:47Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c48440>
2017-01-05T13:13:48Z DEBUG raw: dnsserver_add(u'id-management-2.internal.emerlyn.com', idnssoamname=<DNS name id-management-2.internal.emerlyn.com.>, version=u'2.213')
2017-01-05T13:13:48Z DEBUG dnsserver_add(u'id-management-2.internal.emerlyn.com', idnssoamname=<DNS name id-management-2.internal.emerlyn.com.>, all=False, raw=False, version=u'2.213')
2017-01-05T13:13:48Z DEBUG raw: dnsserver_mod(u'id-management-2.internal.emerlyn.com', idnsforwarders=[u'10.72.100.16'], idnsforwardpolicy=u'only', version=u'2.213')
2017-01-05T13:13:48Z DEBUG dnsserver_mod(u'id-management-2.internal.emerlyn.com', idnsforwarders=(u'10.72.100.16',), idnsforwardpolicy=u'only', rights=False, all=False, raw=False, version=u'2.213')
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:48Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG   [7/8]: configuring named to start on boot
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable named-pkcs11.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG service DNS startup entry already enabled
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop named.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask named.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=Created symlink from /etc/systemd/system/named.service to /dev/null.

2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [8/8]: changing resolv.conf to point to ourselves
2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG Done configuring DNS (named).
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop ipa-dnskeysyncd.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG Configuring DNS key synchronization service (ipa-dnskeysyncd)
2017-01-05T13:13:48Z DEBUG   [1/7]: checking status
2017-01-05T13:13:48Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:48Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2c20>
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [2/7]: setting up bind-dyndb-ldap working directory
2017-01-05T13:13:48Z DEBUG   duration: 0 seconds
2017-01-05T13:13:48Z DEBUG   [3/7]: setting up kerberos principal
2017-01-05T13:13:48Z DEBUG Removing service keytab: /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc -randkey ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.

2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy specified for ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com; defaulting to no policy
add_principal: Principal or policy already exists while creating "ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com".

2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:49Z DEBUG Process finished, return code=0
2017-01-05T13:13:49Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.

2017-01-05T13:13:49Z DEBUG stderr=
2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
2017-01-05T13:13:49Z DEBUG   [4/7]: setting up SoftHSM
2017-01-05T13:13:49Z DEBUG Creating new softhsm config file
2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
2017-01-05T13:13:49Z DEBUG   [5/7]: adding DNSSEC containers
2017-01-05T13:13:49Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ec9998>
2017-01-05T13:13:49Z INFO DNSSEC container exists (step skipped)
2017-01-05T13:13:49Z DEBUG   duration: 0 seconds
2017-01-05T13:13:49Z DEBUG   [6/7]: creating replica keys
2017-01-05T13:13:49Z DEBUG Creating replica's key pair
2017-01-05T13:13:49Z DEBUG Storing replica public key to LDAP, ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=internal,dc=emerlyn,dc=com
2017-01-05T13:13:49Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2830>
2017-01-05T13:13:50Z DEBUG Replica public key stored
2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for old replica keys
2017-01-05T13:13:50Z DEBUG Changing ownership of token files
2017-01-05T13:13:50Z DEBUG   duration: 0 seconds
2017-01-05T13:13:50Z DEBUG [7/7]: configuring ipa-dnskeysyncd to start on boot
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG service DNSKeySync startup entry already enabled
2017-01-05T13:13:50Z DEBUG   duration: 0 seconds
2017-01-05T13:13:50Z DEBUG Done configuring DNS key synchronization service (ipa-dnskeysyncd).
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=active

2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG Restarting named
2017-01-05T13:13:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart named-pkcs11.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=1
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details.

Thank you for assisting.

--
Jeff

Looping in the rest of the previous recipients

--
Jeff Goddard
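The checks Martin asks for in this thread (kinit as DNS/$HOSTNAME from /etc/named.keytab, then ldapsearch -Y GSSAPI), collected into one script as an added example; this is not code from the thread or from FreeIPA. It assumes the paths and principal names shown above, a scratch credential cache name of my choosing, and adds one check the thread does not mention: that the kvno of the ldap/ principal in the directory server's keytab (KRB5_KTNAME in /etc/sysconfig/dirsrv) matches what the KDC currently uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the checks Martin
# asks for (kinit as DNS/$HOSTNAME from /etc/named.keytab, then
# ldapsearch -Y GSSAPI), plus one the thread does not state: the key version
# (kvno) of the ldap/ principal in the directory server's keytab must equal
# the KDC's, otherwise ns-slapd cannot decrypt the service ticket named
# presents and the SASL/GSSAPI bind is refused. Text helpers are exercised
# on constructed samples below; run_live_checks is only called by hand.

# sysconfig_keytab TEXT: path from the KRB5_KTNAME= line of
# /etc/sysconfig/dirsrv (systemd EnvironmentFile format, '#' comments).
sysconfig_keytab() {
    printf '%s\n' "$1" | awk -F= '$1 == "KRB5_KTNAME" { print $2; exit }'
}

# keytab_kvno LISTING PRINCIPAL: kvno for PRINCIPAL in `klist -k` output
# (columns: KVNO Principal); prints nothing when the principal is absent.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1; exit }'
}

# kdc_kvno OUTPUT: number from `kvno principal` output ("principal: kvno = 7").
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF == 2 { print $2; exit }'
}

# failed_stage JOURNAL -> ok | gssapi | bind. "bind" is the thread's case:
# GSSAPI client steps were logged and LDAP still answered Invalid credentials.
failed_stage() {
    printf '%s\n' "$1" | awk '
        /GSSAPI client step/ { steps++ }
        /Invalid credentials: bind to LDAP server failed/ { err = 1 }
        END { if (!err) print "ok"; else if (steps == 0) print "gssapi"; else print "bind" }'
}

# run_live_checks HOST REALM BASE_DN: the three stages, in order, on the replica.
run_live_checks() {
    host=$1; realm=$2; base=$3
    dns_princ="DNS/$host@$realm"; ldap_princ="ldap/$host@$realm"
    export KRB5CCNAME=/tmp/krb5cc_named_check   # scratch cache (my choice)

    # 1. kinit prints nothing on success, as the thread notes; test the exit code.
    kinit -kt /etc/named.keytab "$dns_princ" || { echo "kinit as $dns_princ failed"; return 1; }
    echo "stage 1 ok: TGT for $dns_princ"

    # 2. kvno of ldap/ in the DS keytab versus the key the KDC encrypts with now.
    ds_keytab=$(sysconfig_keytab "$(cat /etc/sysconfig/dirsrv)")
    kt=$(keytab_kvno "$(klist -k "${ds_keytab:-/etc/dirsrv/ds.keytab}")" "$ldap_princ")
    kdc=$(kdc_kvno "$(kvno "$ldap_princ")")
    if [ -z "$kt" ] || [ "$kt" != "$kdc" ]; then
        echo "stage 2 FAILED: $ldap_princ keytab kvno=${kt:-missing}, KDC kvno=$kdc"; return 1
    fi
    echo "stage 2 ok: $ldap_princ kvno $kdc in both keytab and KDC"

    # 3. The SASL/GSSAPI bind bind-dyndb-ldap performs, done from the shell.
    ldapsearch -Y GSSAPI -H "ldap://$host" -b "$base" -s base '(objectClass=*)' dn >/dev/null \
        || { echo "stage 3 FAILED: SASL/GSSAPI bind to ldap://$host refused"; return 1; }
    echo "stage 3 ok: SASL/GSSAPI bind accepted"
    kdestroy
}

# Constructed samples, mirroring the values the thread shows.
SAMPLE_SYSCONFIG='# This file is sourced by dirsrv upon startup
KRB5CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab'
SAMPLE_KLIST='Keytab name: FILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------
   7 DNS/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM'
SAMPLE_KVNO='ldap/id-management-2.internal.emerlyn.com@INTERNAL.EMERLYN.COM: kvno = 7'
SAMPLE_JOURNAL='named-pkcs11[3948]: GSSAPI client step 1
ns-slapd[2596]: GSSAPI server step 1
named-pkcs11[3948]: GSSAPI client step 2
named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed'
```

On the affected replica, source the file and call `run_live_checks id-management-2.internal.emerlyn.com INTERNAL.EMERLYN.COM dc=internal,dc=emerlyn,dc=com`; the stage that reports FAILED is the one to investigate.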




