---------- Forwarded message ----------
From: *Jeff Goddard* <jgodd...@emerlyn.com <mailto:jgodd...@emerlyn.com>>
Date: Thu, Jan 5, 2017 at 8:57 AM
Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP
server failed: {'desc': 'Invalid credentials'}
To: Martin Basti <mba...@redhat.com <mailto:mba...@redhat.com>>
On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti <mba...@redhat.com
<mailto:mba...@redhat.com>> wrote:
On 04.01.2017 22:21, Jeff Goddard wrote:
I don't want to hijack someone else's thread but I'm having what
appears to be the same problem and have not seen a solution
presented yet.
Here is the output of journalctl -xe after having tried to start
named:
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
loading configuration from '/etc/named.conf'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
reading built-in trusted keys from file '/etc/named.iscdlv.key'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
using default UDP/IPv4 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
using default UDP/IPv6 port range: [1024, 65535]
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
listening on IPv6 interfaces, port 53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
listening on IPv4 interface lo, 127.0.0.1#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
listening on IPv4 interface ens32, 10.73.100.31#53
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
generating session key for dynamic DNS
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
sizing zone task pool based on 6 zones
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
set up managed keys zone for view _default, file
'/var/named/dynamic/managed-keys.bind'
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016,
compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
option 'serial_autoincrement' is not supported, ignoring
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> ns-slapd[2596]:
GSSAPI server step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
GSSAPI client step 1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> ns-slapd[2596]:
GSSAPI server step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
GSSAPI client step 2
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> ns-slapd[2596]:
GSSAPI server step 3
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
LDAP error: Invalid credentials: bind to LDAP server failed
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
couldn't establish connection in LDAP connection pool: permission
denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
dynamic database 'ipa' configuration failed: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
loading configuration: permission denied
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> named-pkcs11[3948]:
exiting (due to fatal error)
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> systemd[1]:
named-pkcs11.service: control process exited, code=exited status=1
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> systemd[1]: Failed
to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support:
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
<http://lists.freedesktop.org/mailman/listinfo/systemd-devel>
--
-- Unit named-pkcs11.service has failed.
--
-- The result is failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> systemd[1]: Unit
named-pkcs11.service entered failed state.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> systemd[1]:
named-pkcs11.service failed.
Jan 04 15:48:42 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com> polkitd[949]:
Unregistered Authentication Agent for unix-process:3936:380486
(system bus name :1.59, object path /org/freedesktop/Policy
Here are the last four entries of /var/log/dirsrv/slapd-*/access
|grep ipa-dnskeysyncdcat:
[04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH
base="dc=internal,dc=emerlyn,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>)))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType
krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH
base="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn
gidNumber krbPrincipalName krbCanonicalName
krbTicketPolicyReference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock
krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript
ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD
dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
[04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH
base="dc=internal,dc=emerlyn,dc=com" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>))"
attrs="krbPrincipalName krbCanonicalName krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType
krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0
tag=97 nentries=0 etime=0
dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
My environment:
Freeipa 4.2.0
OS is Centos 7.2
This is a secondary replica (master) and the other replica can be
pinged but nslookup and dig fail to provide results even though
the values are in the /etc/hosts file:
127.0.0.1 localhost localhost.localdomain localhost4
localhost4.localdomain4
::1 localhost localhost.localdomain localhost6
localhost6.localdomain6
10.72.100.16 id-management-1.internal.emerlyn.com
<http://id-management-1.internal.emerlyn.com>
10.73.100.31 id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com>
Any assistance is in solving this would be greatly appreciated
and thanks for both the great product and the support already
provided.
Jeff
Hello,
what contains the /etc/sysconfig/dirsrv file
can you kinit as DNS?
kinit -kt /etc/named.keytab DNS/$HOSTNAME
Martin^2
The kinit -kt /etc/named.keytab DNS/$HOSTNAME command returns nothing
Here is the requested file output:
# This file is sourced by dirsrv upon startup to set
# the default environment for all directory server instances.
# To set instance specific defaults, use the file in the same
# directory called dirsrv-instance where "instance"
# is the name of your directory server instance e.g.
# dirsrv-localhost for the slapd-localhost instance.
# This file is in systemd EnvironmentFile format - see man systemd.exec
# In order to make more file descriptors available
# to the directory server, first make sure the system
# hard limits are raised, then use ulimit - uncomment
# out the following line and change the value to the
# desired value
# ulimit -n 8192
# note - if using systemd, ulimit won't work - you must edit
# the systemd unit file for directory server to add the
# LimitNOFILE option - see man systemd.exec for more info
# A per instance keytab does not make much sense for servers.
# Kerberos clients use the machine FQDN to obtain a ticket like
ldap/FQDN, there
# is nothing that can make a client understand how to get a
per-instance ticket.
# Therefore by default a keytab should be considered a per server option.
# Also this file is sourced for all instances, so again all
# instances would ultimately get the same keytab.
# Finally a keytab is normally named either krb5.keytab or
<service>.keytab
# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
# if using systemd, omit the "; export VARNAME" at the end
# how many seconds to wait for the startpid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#STARTPID_TIME=10 ; export STARTPID_TIME
# how many seconds to wait for the pid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#PID_TIME=600 ; export PID_TIME
KRB5CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab
I tried to re-install (ipa-install-dns) and here is the install log. I
highlighted in red below where I think the problem may be coming from.
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG duration: 0 seconds
2017-01-05T13:13:47Z DEBUG [4/8]: setting up kerberos principal
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com> -x
ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal
admin/ad...@internal.emerlyn.com <mailto:ad...@internal.emerlyn.com>
with password.
2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>;
defaulting to no policy
add_principal: Principal or policy already exists while creating
"DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>".
2017-01-05T13:13:47Z DEBUG Backing up system configuration file
'/etc/named.keytab'
2017-01-05T13:13:47Z DEBUG Saving Index File to
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k
/etc/named.keytab
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com> -x
ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal
admin/ad...@internal.emerlyn.com <mailto:ad...@internal.emerlyn.com>
with password.
Entry for principal
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/named.keytab.
Entry for principal
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/named.keytab.
Entry for principal
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type des3-cbc-sha1 added to keytab
WRFILE:/etc/named.keytab.
Entry for principal
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type arcfour-hmac added to keytab
WRFILE:/etc/named.keytab.
Entry for principal
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type camellia128-cts-cmac added to keytab
WRFILE:/etc/named.keytab.
Entry for principal
DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type camellia256-cts-cmac added to keytab
WRFILE:/etc/named.keytab.
2017-01-05T13:13:47Z DEBUG stderr=
2017-01-05T13:13:47Z DEBUG duration: 0 seconds
2017-01-05T13:13:47Z DEBUG [5/8]: setting up named.conf
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG duration: 0 seconds
2017-01-05T13:13:47Z DEBUG [6/8]: setting up server configuration
2017-01-05T13:13:47Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:47Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c48440>
2017-01-05T13:13:48Z DEBUG raw:
dnsserver_add(u'id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com>', idnssoamname=<DNS name
id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com>.>, version=u'2.213')
2017-01-05T13:13:48Z DEBUG
dnsserver_add(u'id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com>', idnssoamname=<DNS name
id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com>.>, all=False, raw=False,
version=u'2.213')
2017-01-05T13:13:48Z DEBUG raw:
dnsserver_mod(u'id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com>',
idnsforwarders=[u'10.72.100.16'], idnsforwardpolicy=u'only',
version=u'2.213')
2017-01-05T13:13:48Z DEBUG
dnsserver_mod(u'id-management-2.internal.emerlyn.com
<http://id-management-2.internal.emerlyn.com>',
idnsforwarders=(u'10.72.100.16',), idnsforwardpolicy=u'only',
rights=False, all=False, raw=False, version=u'2.213')
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:48Z DEBUG Saving StateFile to
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [7/8]: configuring named to start on boot
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable
named-pkcs11.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG service DNS startup entry already enabled
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop named.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask named.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=Created symlink from
/etc/systemd/system/named.service to /dev/null.
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [8/8]: changing resolv.conf to point to
ourselves
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG Done configuring DNS (named).
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop
ipa-dnskeysyncd.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG Configuring DNS key synchronization service
(ipa-dnskeysyncd)
2017-01-05T13:13:48Z DEBUG [1/7]: checking status
2017-01-05T13:13:48Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:48Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2c20>
2017-01-05T13:13:48Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [2/7]: setting up bind-dyndb-ldap working
directory
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [3/7]: setting up kerberos principal
2017-01-05T13:13:48Z DEBUG Removing service keytab:
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc -randkey
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com> -x
ipa-setup-override-restrictions
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=Authenticating as principal
admin/ad...@internal.emerlyn.com <mailto:ad...@internal.emerlyn.com>
with password.
2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy specified for
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>;
defaulting to no policy
add_principal: Principal or policy already exists while creating
"ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>".
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com> -x
ipa-setup-override-restrictions
2017-01-05T13:13:49Z DEBUG Process finished, return code=0
2017-01-05T13:13:49Z DEBUG stdout=Authenticating as principal
admin/ad...@internal.emerlyn.com <mailto:ad...@internal.emerlyn.com>
with password.
Entry for principal
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type des3-cbc-sha1 added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type arcfour-hmac added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type camellia128-cts-cmac added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal
ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com
<mailto:id-management-2.internal.emerlyn....@internal.emerlyn.com>
with kvno 7, encryption type camellia256-cts-cmac added to keytab
WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
2017-01-05T13:13:49Z DEBUG stderr=
2017-01-05T13:13:49Z DEBUG duration: 0 seconds
2017-01-05T13:13:49Z DEBUG [4/7]: setting up SoftHSM
2017-01-05T13:13:49Z DEBUG Creating new softhsm config file
2017-01-05T13:13:49Z DEBUG duration: 0 seconds
2017-01-05T13:13:49Z DEBUG [5/7]: adding DNSSEC containers
2017-01-05T13:13:49Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ec9998>
2017-01-05T13:13:49Z INFO DNSSEC container exists (step skipped)
2017-01-05T13:13:49Z DEBUG duration: 0 seconds
2017-01-05T13:13:49Z DEBUG [6/7]: creating replica keys
2017-01-05T13:13:49Z DEBUG Creating replica's key pair
2017-01-05T13:13:49Z DEBUG Storing replica public key to LDAP,
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=internal,dc=emerlyn,dc=com
2017-01-05T13:13:49Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2830>
2017-01-05T13:13:50Z DEBUG Replica public key stored
2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for old replica keys
2017-01-05T13:13:50Z DEBUG Changing ownership of token files
2017-01-05T13:13:50Z DEBUG duration: 0 seconds
2017-01-05T13:13:50Z DEBUG [7/7]: configuring ipa-dnskeysyncd to
start on boot
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable
ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG service DNSKeySync startup entry already
enabled
2017-01-05T13:13:50Z DEBUG duration: 0 seconds
2017-01-05T13:13:50Z DEBUG Done configuring DNS key synchronization
service (ipa-dnskeysyncd).
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart
ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active
ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=active
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG Restarting named
2017-01-05T13:13:50Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart
named-pkcs11.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=1
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=Job for named-pkcs11.service failed
because the control process exited with error code. See "systemctl
status named-pkcs11.service" and "journalctl -xe" for details.
Thank you for assisting.
--
Jeff
Looping in the rest of the previous recipients
--
Jeff Goddard