I'm starting a new thread rather than continuing to submit under:
https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.

My problem is that I cannot get the DNS service to start on one of my
replica masters. From the previous message thread:

Hello,

could you check this link
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed

kinit prints nothing when it works, so it works in your case. Can you, after
kinit as DNS service, try to use ldapsearch -Y GSSAPI?


Martin

Reading the article and following the steps I get this as a result of:

ipa privilege-show 'DNS Servers' --all --raw

  dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
  cn: DNS Servers
  description: DNS Servers
  member: krbprincipalname=DNS/id-management-1.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/id-management-1.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/idmfs-01.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  member: krbprincipalname=DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup


Jeff