I'm starting a new thread rather than continuing to submit under: https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.
My problem is that I cannot get the DNS service to start on one of my replica masters.

From the previous message thread:

Hello,
could you check this link https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed

kinit prints nothing when it works, so it works in your case, can you after kinit as DNS service try to use ldapsearch -Y GSSAPI ?

Martin

Reading the article and following the steps I get this as a result of:

ipa privilege-show 'DNS Servers' --all --raw

  dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
  cn: DNS Servers
  description: DNS Servers
  member: krbprincipalname=DNS/ [email protected] ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/ [email protected] ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/ [email protected] ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/ [email protected] ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/ [email protected] ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/ [email protected] +nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/ [email protected] ,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup

Jeff
