I cannot. I get: dap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

On Thu, Jan 5, 2017 at 9:08 AM, Martin Basti <[email protected]> wrote:

> Hello,
>
> could you check this link
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
> Martin
>
> On 05.01.2017 14:58, Jeff Goddard wrote:
>
> ---------- Forwarded message ----------
> From: Jeff Goddard <[email protected]>
> Date: Thu, Jan 5, 2017 at 8:57 AM
> Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP
> server failed: {'desc': 'Invalid credentials'}
> To: Martin Basti <[email protected]>
>
> On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti <[email protected]> wrote:
>
>> On 04.01.2017 22:21, Jeff Goddard wrote:
>>
>> I don't want to hijack someone else's thread but I'm having what appears
>> to be the same problem and have not seen a solution presented yet.
>>
>> Here is the output of journalctl -xe after having tried to start named:
>>
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> loading configuration from '/etc/named.conf'
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> reading built-in trusted keys from file '/etc/named.iscdlv.key'
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> using default UDP/IPv4 port range: [1024, 65535]
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> using default UDP/IPv6 port range: [1024, 65535]
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> listening on IPv6 interfaces, port 53
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> listening on IPv4 interface lo, 127.0.0.1#53
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> listening on IPv4 interface ens32, 10.73.100.31#53
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> generating session key for dynamic DNS
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> sizing zone task pool based on 6 zones
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> set up managed keys zone for view _default, file
>> '/var/named/dynamic/managed-keys.bind'
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler
>> 4.8.5 20150623 (Red Hat 4.8.5-11)
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> option 'serial_autoincrement' is not supported, ignoring
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> GSSAPI client step 1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> GSSAPI client step 1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
>> GSSAPI server step 1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> GSSAPI client step 1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
>> GSSAPI server step 2
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> GSSAPI client step 2
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]:
>> GSSAPI server step 3
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> LDAP error: Invalid credentials: bind to LDAP server failed
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> couldn't establish connection in LDAP connection pool: permission denied
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> dynamic database 'ipa' configuration failed: permission denied
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> loading configuration: permission denied
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]:
>> exiting (due to fatal error)
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
>> named-pkcs11.service: control process exited, code=exited status=1
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed
>> to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> -- Subject: Unit named-pkcs11.service has failed
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit named-pkcs11.service has failed.
>> --
>> -- The result is failed.
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit
>> named-pkcs11.service entered failed state.
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]:
>> named-pkcs11.service failed.
>> Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]:
>> Unregistered Authentication Agent for unix-process:3936:380486 (system bus
>> name :1.59, object path /org/freedesktop/Policy
>>
>> Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep
>> ipa-dnskeysyncdcat:
>>
>> [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH
>> base="dc=internal,dc=emerlyn,dc=com" scope=2
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbpri
>> ncipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias
>> =ipa-dnskeysyncd/id-management-2.internal.emerlyn.com@INTERN
>> AL.EMERLYN.COM)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/
>> [email protected])))"
>> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
>> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
>> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
>> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
>> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
>> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
>> ipatokenRadiusConfigLink objectClass"
>> [04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH
>> base="krbprincipalname=ipa-dnskeysyncd/id-management-2.inter
>> [email protected],cn=services,cn=accounts
>> ,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)"
>> attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName
>> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
>> krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>> krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript
>> ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
>> [04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD
>> dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.interna
>> [email protected],cn=services,cn=accounts,d
>> c=internal,dc=emerlyn,dc=com"
>> [04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH
>> base="dc=internal,dc=emerlyn,dc=com" scope=2
>> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbpri
>> ncipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.in
>> [email protected]))" attrs="krbPrincipalName
>> krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference
>> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
>> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
>> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
>> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
>> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
>> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
>> objectClass"
>> [04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97
>> nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/
>> [email protected]
>> ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
>>
>> My environment:
>> Freeipa 4.2.0
>> OS is Centos 7.2
>>
>> This is a secondary replica (master) and the other replica can be pinged
>> but nslookup and dig fail to provide results even though the values are in
>> the /etc/hosts file:
>>
>> 127.0.0.1 localhost localhost.localdomain localhost4
>> localhost4.localdomain4
>> ::1 localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>> 10.72.100.16 id-management-1.internal.emerlyn.com
>> 10.73.100.31 id-management-2.internal.emerlyn.com
>>
>> Any assistance is in solving this would be greatly appreciated and thanks
>> for both the great product and the support already provided.
>>
>> Jeff
>>
>> Hello,
>>
>> what contains the /etc/sysconfig/dirsrv file
>>
>> can you kinit as DNS?
>>
>> kinit -kt /etc/named.keytab DNS/$HOSTNAME
>>
>> Martin^2
>>
>> The kinit -kt /etc/named.keytab DNS/$HOSTNAME command returns nothing
> Here is the requested file output:
>
> # This file is sourced by dirsrv upon startup to set
> # the default environment for all directory server instances.
> # To set instance specific defaults, use the file in the same
> # directory called dirsrv-instance where "instance"
> # is the name of your directory server instance e.g.
> # dirsrv-localhost for the slapd-localhost instance.
>
> # This file is in systemd EnvironmentFile format - see man systemd.exec
>
> # In order to make more file descriptors available
> # to the directory server, first make sure the system
> # hard limits are raised, then use ulimit - uncomment
> # out the following line and change the value to the
> # desired value
> # ulimit -n 8192
> # note - if using systemd, ulimit won't work - you must edit
> # the systemd unit file for directory server to add the
> # LimitNOFILE option - see man systemd.exec for more info
>
> # A per instance keytab does not make much sense for servers.
> # Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN,
> there
> # is nothing that can make a client understand how to get a per-instance
> ticket.
> # Therefore by default a keytab should be considered a per server option.
>
> # Also this file is sourced for all instances, so again all
> # instances would ultimately get the same keytab.
>
> # Finally a keytab is normally named either krb5.keytab or <service>.keytab
>
> # In order to use SASL/GSSAPI (Kerberos) the directory
> # server needs to know where to find its keytab
> # file - uncomment the following line and set
> # the path and filename appropriately
> # if using systemd, omit the "; export VARNAME" at the end
>
> # how many seconds to wait for the startpid file to show
> # up before we assume there is a problem and fail to start
> # if using systemd, omit the "; export VARNAME" at the end
> #STARTPID_TIME=10 ; export STARTPID_TIME
> # how many seconds to wait for the pid file to show
> # up before we assume there is a problem and fail to start
> # if using systemd, omit the "; export VARNAME" at the end
> #PID_TIME=600 ; export PID_TIME
> KRB5CCNAME=/tmp/krb5cc_389
> KRB5_KTNAME=/etc/dirsrv/ds.keytab
>
> I tried to re-install (ipa-install-dns) and here is the install log. I
> highlighted in red below where I think the problem may be coming from.
>
> 2017-01-05T13:13:47Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:47Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:47Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:47Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:47Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:47Z DEBUG [4/8]: setting up kerberos principal
> 2017-01-05T13:13:47Z DEBUG Starting external process
> 2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey DNS/
> [email protected] -x
> ipa-setup-override-restrictions
> 2017-01-05T13:13:47Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/
> [email protected] with password.
>
> 2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for DNS/
> [email protected]; defaulting to
> no policy
> add_principal: Principal or policy already exists while creating "DNS/
> [email protected]".
>
> 2017-01-05T13:13:47Z DEBUG Backing up system configuration file
> '/etc/named.keytab'
> 2017-01-05T13:13:47Z DEBUG Saving Index File to
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-01-05T13:13:47Z DEBUG Starting external process
> 2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab
> DNS/[email protected] -x
> ipa-setup-override-restrictions
> 2017-01-05T13:13:47Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/
> [email protected] with password.
> Entry for principal DNS/id-management-2.internal.e
> [email protected] with kvno 7, encryption type
> aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab.
> Entry for principal DNS/id-management-2.internal.e
> [email protected] with kvno 7, encryption type
> aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab.
> Entry for principal DNS/id-management-2.internal.e
> [email protected] with kvno 7, encryption type
> des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab.
> Entry for principal DNS/id-management-2.internal.e
> [email protected] with kvno 7, encryption type arcfour-hmac
> added to keytab WRFILE:/etc/named.keytab.
> Entry for principal DNS/id-management-2.internal.e
> [email protected] with kvno 7, encryption type
> camellia128-cts-cmac added to keytab WRFILE:/etc/named.keytab.
> Entry for principal DNS/id-management-2.internal.e
> [email protected] with kvno 7, encryption type
> camellia256-cts-cmac added to keytab WRFILE:/etc/named.keytab.
>
> 2017-01-05T13:13:47Z DEBUG stderr=
> 2017-01-05T13:13:47Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:47Z DEBUG [5/8]: setting up named.conf
> 2017-01-05T13:13:47Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:47Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:47Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:47Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:47Z DEBUG [6/8]: setting up server configuration
> 2017-01-05T13:13:47Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
> from SchemaCache
> 2017-01-05T13:13:47Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c48440>
> 2017-01-05T13:13:48Z DEBUG raw: dnsserver_add(u'id-management-
> 2.internal.emerlyn.com', idnssoamname=<DNS name
> id-management-2.internal.emerlyn.com.>, version=u'2.213')
> 2017-01-05T13:13:48Z DEBUG dnsserver_add(u'id-management-
> 2.internal.emerlyn.com', idnssoamname=<DNS name
> id-management-2.internal.emerlyn.com.>, all=False, raw=False,
> version=u'2.213')
> 2017-01-05T13:13:48Z DEBUG raw: dnsserver_mod(u'id-management-
> 2.internal.emerlyn.com', idnsforwarders=[u'10.72.100.16'],
> idnsforwardpolicy=u'only', version=u'2.213')
> 2017-01-05T13:13:48Z DEBUG dnsserver_mod(u'id-management-
> 2.internal.emerlyn.com', idnsforwarders=(u'10.72.100.16',),
> idnsforwardpolicy=u'only', rights=False, all=False, raw=False,
> version=u'2.213')
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:48Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2017-01-05T13:13:48Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG [7/8]: configuring named to start on boot
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable named-pkcs11.service
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=
> 2017-01-05T13:13:48Z DEBUG stderr=
> 2017-01-05T13:13:48Z DEBUG service DNS startup entry already enabled
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop named.service
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=
> 2017-01-05T13:13:48Z DEBUG stderr=
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask named.service
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=
> 2017-01-05T13:13:48Z DEBUG stderr=Created symlink from
> /etc/systemd/system/named.service to /dev/null.
>
> 2017-01-05T13:13:48Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG [8/8]: changing resolv.conf to point to
> ourselves
> 2017-01-05T13:13:48Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG Done configuring DNS (named).
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop ipa-dnskeysyncd.service
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=
> 2017-01-05T13:13:48Z DEBUG stderr=
> 2017-01-05T13:13:48Z DEBUG Configuring DNS key synchronization service
> (ipa-dnskeysyncd)
> 2017-01-05T13:13:48Z DEBUG [1/7]: checking status
> 2017-01-05T13:13:48Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
> from SchemaCache
> 2017-01-05T13:13:48Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2c20>
> 2017-01-05T13:13:48Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:48Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG [2/7]: setting up bind-dyndb-ldap working
> directory
> 2017-01-05T13:13:48Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:48Z DEBUG [3/7]: setting up kerberos principal
> 2017-01-05T13:13:48Z DEBUG Removing service keytab:
> /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc -randkey
> ipa-dnskeysyncd/[email protected]
> -x ipa-setup-override-restrictions
> 2017-01-05T13:13:48Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:48Z DEBUG stdout=Authenticating as principal admin/
> [email protected] with password.
>
> 2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy specified for
> ipa-dnskeysyncd/[email protected];
> defaulting to no policy
> add_principal: Principal or policy already exists while creating
> "ipa-dnskeysyncd/[email protected]
> ".
>
> 2017-01-05T13:13:48Z DEBUG Starting external process
> 2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k
> /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/id-management-
> [email protected] -x
> ipa-setup-override-restrictions
> 2017-01-05T13:13:49Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:49Z DEBUG stdout=Authenticating as principal admin/
> [email protected] with password.
> Entry for principal ipa-dnskeysyncd/id-management-
> [email protected] with kvno 7, encryption type
> aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dns
> keysyncd.keytab.
> Entry for principal ipa-dnskeysyncd/id-management-
> [email protected] with kvno 7, encryption type
> aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dns
> keysyncd.keytab.
> Entry for principal ipa-dnskeysyncd/id-management-
> [email protected] with kvno 7, encryption type
> des3-cbc-sha1 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dns
> keysyncd.keytab.
> Entry for principal ipa-dnskeysyncd/id-management-
> [email protected] with kvno 7, encryption type
> arcfour-hmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dns
> keysyncd.keytab.
> Entry for principal ipa-dnskeysyncd/id-management-
> [email protected] with kvno 7, encryption type
> camellia128-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dns
> keysyncd.keytab.
> Entry for principal ipa-dnskeysyncd/id-management-
> [email protected] with kvno 7, encryption type
> camellia256-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dns
> keysyncd.keytab.
>
> 2017-01-05T13:13:49Z DEBUG stderr=
> 2017-01-05T13:13:49Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:49Z DEBUG [4/7]: setting up SoftHSM
> 2017-01-05T13:13:49Z DEBUG Creating new softhsm config file
> 2017-01-05T13:13:49Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:49Z DEBUG [5/7]: adding DNSSEC containers
> 2017-01-05T13:13:49Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
> from SchemaCache
> 2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ec9998>
> 2017-01-05T13:13:49Z INFO DNSSEC container exists (step skipped)
> 2017-01-05T13:13:49Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:49Z DEBUG [6/7]: creating replica keys
> 2017-01-05T13:13:49Z DEBUG Creating replica's key pair
> 2017-01-05T13:13:49Z DEBUG Storing replica public key to LDAP,
> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=internal
> ,dc=emerlyn,dc=com
> 2017-01-05T13:13:49Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
> from SchemaCache
> 2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2830>
> 2017-01-05T13:13:50Z DEBUG Replica public key stored
> 2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for old replica keys
> 2017-01-05T13:13:50Z DEBUG Changing ownership of token files
> 2017-01-05T13:13:50Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:50Z DEBUG [7/7]: configuring ipa-dnskeysyncd to start
> on boot
> 2017-01-05T13:13:50Z DEBUG Starting external process
> 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable
> ipa-dnskeysyncd.service
> 2017-01-05T13:13:50Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:50Z DEBUG stdout=
> 2017-01-05T13:13:50Z DEBUG stderr=
> 2017-01-05T13:13:50Z DEBUG service DNSKeySync startup entry already enabled
> 2017-01-05T13:13:50Z DEBUG duration: 0 seconds
> 2017-01-05T13:13:50Z DEBUG Done configuring DNS key synchronization
> service (ipa-dnskeysyncd).
> 2017-01-05T13:13:50Z DEBUG Starting external process
> 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart
> ipa-dnskeysyncd.service
> 2017-01-05T13:13:50Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:50Z DEBUG stdout=
> 2017-01-05T13:13:50Z DEBUG stderr=
> 2017-01-05T13:13:50Z DEBUG Starting external process
> 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active
> ipa-dnskeysyncd.service
> 2017-01-05T13:13:50Z DEBUG Process finished, return code=0
> 2017-01-05T13:13:50Z DEBUG stdout=active
>
> 2017-01-05T13:13:50Z DEBUG stderr=
> 2017-01-05T13:13:50Z DEBUG Restarting named
> 2017-01-05T13:13:50Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2017-01-05T13:13:50Z DEBUG Starting external process
> 2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart named-pkcs11.service
> 2017-01-05T13:13:50Z DEBUG Process finished, return code=1
> 2017-01-05T13:13:50Z DEBUG stdout=
> 2017-01-05T13:13:50Z DEBUG stderr=Job for named-pkcs11.service failed
> because the control process exited with error code. See "systemctl status
> named-pkcs11.service" and "journalctl -xe" for details.
>
> Thank you for assisting.
>
> --
> Jeff
>
> Looping in the rest of the previous recipients
>
> --
> Jeff Goddard
>

--
Jeff
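
The two checks suggested in the thread (kinit from the named keytab, then a GSSAPI ldapsearch), wrapped in a script as an added example that is not from the thread or from FreeIPA. The function names, the throwaway credential cache and the default `ldap://` URI are assumptions; the classifier keys on the OpenLDAP client error strings, which separate a connection that never reached the server from a bind the server refused.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): run the two checks
# suggested in the thread and label the result. Function names, the private
# credential cache and the default URI are assumptions.

KEYTAB="${KEYTAB:-/etc/named.keytab}"   # keytab path quoted in the thread

# classify_bind_result STATUS STDERR_TEXT
# Turn an ldapsearch exit status plus its stderr into a failure class.
classify_bind_result() {
    if [ "$1" -eq 0 ]; then
        echo ok
        return 0
    fi
    case "$2" in
        *"Can't contact LDAP server"*) echo transport ;;    # never reached the server
        *"Invalid credentials"*)       echo rejected ;;     # server refused the bind
        *"Local error"*)               echo client_side ;;  # SASL/GSSAPI failed locally
        *)                             echo other ;;
    esac
    return 0
}

# check_dns_bind [HOST]
# kinit as DNS/HOST from the keytab into a throwaway cache, then attempt a
# SASL/GSSAPI bind against the directory server with that ticket.
check_dns_bind() {
    host="${1:-$(hostname -f)}"
    uri="${LDAP_URI:-ldap://$host}"       # assumption: override for ldapi://
    dir="$(mktemp -d)" || return 2
    cc="FILE:$dir/cc"

    if ! KRB5CCNAME="$cc" kinit -kt "$KEYTAB" "DNS/$host"; then
        rm -rf "$dir"
        echo keytab_unusable
        return 1
    fi

    # Key version numbers held in the keytab, to compare with the install log.
    klist -kt "$KEYTAB" >&2

    # Keep only stderr: that is where the bind error text is printed.
    err="$(KRB5CCNAME="$cc" ldapsearch -Y GSSAPI -H "$uri" -s base -b "" \
           "(objectClass=*)" namingContexts 2>&1 >/dev/null)"
    rc=$?
    rm -rf "$dir"

    class="$(classify_bind_result "$rc" "$err")"
    echo "$class"
    if [ "$class" != ok ]; then
        printf '%s\n' "$err" >&2
        return 1
    fi
}

# Nothing runs unless asked to: sh check.sh --run [HOST]
if [ "${1:-}" = "--run" ]; then
    check_dns_bind "${2:-}"
fi
```

Run it as root with `--run`; setting `LDAP_URI` to the `ldapi://` socket URL shown in the install log tests that path instead of TCP.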
