On 01/05/2017 04:11 PM, Jeff Goddard wrote:
> I'm starting a new thread rather than continuing to submit under:
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.
>
> My problem is that I cannot get the DNS service to start on one of my
> replica masters. From the previous message thread:
>
> Hello,
>
> could you check this link
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
> Martin
>
> Reading the article and following the steps I get this as a result of:
>
> ipa privilege-show 'DNS Servers' --all --raw
>
>   dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   cn: DNS Servers
>   description: DNS Servers
>   member:
> krbprincipalname=DNS/id-management-1.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=ipa-dnskeysyncd/id-management-1.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=DNS/idmfs-01.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member:
> krbprincipalname=DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS
> Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Write DNS
> Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Add DNS
> Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC
> keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC
> metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS
> Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Remove DNS
> Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Update DNS
> Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: nestedgroup
>
From the previous thread's logs, it seems there is an issue when
bind-dyndb-ldap attempts to connect to the LDAP server. The link Martin
posted has some good advice on how to troubleshoot this.

I don't understand whether you went through the steps and identified any
issue.

Does your setup use simple authentication or Kerberos?
When you try to manually set named.conf to use the other option, does it
work?
Are you able to authenticate to LDAP using these methods in commands
like ldapsearch?
>
> Jeff
>

-- 
Tomas Krizek
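An added example, not code from this thread or from the FreeIPA project, that turns the `ipa privilege-show 'DNS Servers' --all --raw` check quoted above into a script a replica owner can run against saved output: it parses the raw attribute list (including DNs that a mail client has wrapped onto a following line), confirms that both the `DNS/<host>` and `ipa-dnskeysyncd/<host>` service principals of a given replica are members of the privilege, and separately lists member DNs whose RDN carries a `+nsuniqueid=` component, which is how 389 Directory Server names replication-conflict entries and therefore worth reviewing before trusting the membership. The sample output, the `example.test` domain/realm, the hostnames and the nsuniqueid value are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `ipa privilege-show 'DNS Servers' --all --raw` output.
# Domain, hostnames and the nsuniqueid value are invented; the wrapping of
# long DNs onto a following line mimics what a mail client does.
SAMPLE_OUTPUT = """\
  dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test
  cn: DNS Servers
  description: DNS Servers
  member: krbprincipalname=DNS/ipa1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  member: krbprincipalname=ipa-dnskeysyncd/ipa1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  member:
krbprincipalname=DNS/ipa2.example.test@EXAMPLE.TEST+nsuniqueid=11111111-22222222-33333333-44444444,cn=services,cn=accounts,dc=example,dc=test
  member:
krbprincipalname=DNS/ipa2.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
  memberof: cn=System: Read DNS
Configuration,cn=permissions,cn=pbac,dc=example,dc=test
  memberof: cn=System: Write DNS
Configuration,cn=permissions,cn=pbac,dc=example,dc=test
  objectClass: top
  objectClass: groupofnames
"""

# A line that starts a new attribute: optional indent, attribute name, colon.
ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_-]*):\s?(.*)$")
# RDN of a service entry: krbprincipalname=<principal>[+nsuniqueid=<id>],...
PRINCIPAL_RDN_RE = re.compile(
    r"^krbprincipalname=([^,+]+)(\+nsuniqueid=[^,]+)?,", re.IGNORECASE
)


def parse_privilege_show(text: str) -> Dict[str, List[str]]:
    """Parse raw `ipa privilege-show` output into attribute -> list of values.

    Any line that does not start a new attribute is treated as a wrapped
    continuation of the previous value (attribute names are lower-cased).
    """
    entry: Dict[str, List[str]] = {}
    current: Optional[Tuple[str, int]] = None  # (attribute, index of value)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ATTR_RE.match(line)
        if m:
            attr, value = m.group(1).lower(), m.group(2).strip()
            entry.setdefault(attr, []).append(value)
            current = (attr, len(entry[attr]) - 1)
        elif current is not None:
            attr, idx = current
            prev = entry[attr][idx]
            # An empty value followed by a bare line is a DN pushed to the
            # next line; a non-empty one was split mid-value at a space.
            entry[attr][idx] = line.strip() if not prev else prev + " " + line.strip()
    return entry


def check_dns_server_membership(entry: Dict[str, List[str]], hostname: str, realm: str) -> Dict[str, List[str]]:
    """Report which of the replica's DNS-related service principals are members
    of the privilege, which are missing, and which member DNs are 389 DS
    replication-conflict entries (extra +nsuniqueid= RDN component)."""
    wanted = [f"DNS/{hostname}@{realm}", f"ipa-dnskeysyncd/{hostname}@{realm}"]
    wanted_lc = [w.lower() for w in wanted]
    present: List[str] = []
    conflicts: List[str] = []
    for dn in entry.get("member", []):
        m = PRINCIPAL_RDN_RE.match(dn)
        if not m or m.group(1).lower() not in wanted_lc:
            continue  # not a service entry, or belongs to another host
        if m.group(2):
            conflicts.append(dn)  # conflict entry: do not count it as membership
        else:
            present.append(m.group(1))
    present_lc = [p.lower() for p in present]
    missing = [w for w, w_lc in zip(wanted, wanted_lc) if w_lc not in present_lc]
    return {"present": present, "missing": missing, "conflicts": conflicts}


if __name__ == "__main__":
    parsed = parse_privilege_show(SAMPLE_OUTPUT)
    for host in ("ipa1.example.test", "ipa2.example.test"):
        print(host, check_dns_server_membership(parsed, host, "EXAMPLE.TEST"))
```

To run it against a real replica, replace `SAMPLE_OUTPUT` with the saved output of the `ipa privilege-show` command and pass the replica's FQDN and Kerberos realm; a non-empty `missing` list means the principal named in the replica's keytab has no path to the DNS permissions, and a non-empty `conflicts` list means the directory holds more than one entry for that principal and the membership should be rechecked after the conflict is resolved.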

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
