I re-read and walked through the troubleshooting steps. I have a mismatch
in Key Version Numbers in the keytab file:


Trying to renew the keytab file results in this error:

Failed to parse result: PrincipalName not found.

Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.

Failed to get keytab!
Failed to get keytab

Using simple authentication does work but I would prefer to find a solution
to the Kerberos problem. Do you have any further suggestions?

Thanks,

Jeff






On Thu, Jan 5, 2017 at 11:50 AM, Tomas Krizek <tkri...@redhat.com> wrote:

> On 01/05/2017 04:11 PM, Jeff Goddard wrote:
>
> I'm starting a new thread rather than continuing to submit under:
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.
>
> My problem is that I cannot get the DNS service to start on one of my
> replica masters. From the previous message thread:
>
> Hello,
>
> could you check this link https://fedorahosted.org/bind-
> dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials
> :bindtoLDAPserverfailed
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
> Martin
>
> Reading the article and following the steps I get this as a result of:
>
> ipa privilege-show 'DNS Servers' --all --raw
>
>   dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
>   cn: DNS Servers
>   description: DNS Servers
>   member: krbprincipalname=DNS/id-management-1.internal.emerlyn.
> c...@internal.emerlyn.com,cn=services,cn=accounts,dc=
> internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/id-management-1.
> internal.emerlyn....@internal.emerlyn.com,cn=services,cn=
> accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/idmfs-01.internal.emerlyn.com@INTERNAL.
> EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.
> emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,
> dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=ipa-dnskeysyncd/id-management-2.
> internal.emerlyn....@internal.emerlyn.com,cn=services,cn=
> accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/id-management-2.internal.emerlyn.
> c...@internal.emerlyn.com+nsuniqueid=be8eda7e-fcd311e5-
> 859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
>   member: krbprincipalname=DNS/id-management-2.internal.emerlyn.
> c...@internal.emerlyn.com,cn=services,cn=accounts,dc=
> internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS Configuration,cn=permissions,
> cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Write DNS Configuration,cn=permissions,
> cn=pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Add DNS Entries,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,
> dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Read DNS Entries,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Remove DNS Entries,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   memberof: cn=System: Update DNS Entries,cn=permissions,cn=
> pbac,dc=internal,dc=emerlyn,dc=com
>   objectClass: top
>   objectClass: groupofnames
>   objectClass: nestedgroup
>
> From the previous thread's logs, it seems there is an issue when
> bind-dyndb-ldap attempts to connect to the LDAP server. The link Martin
> posted has some good advice on how to troubleshoot this.
>
> I don't understand whether you went through the steps and identified any
> issue.
>
> Does your setup use simple authentication or Kerberos?
> When you try to manually set named.conf to use the other option, does it
> work?
> Are you able to authenticate to LDAP using these methods in commands like
> ldapsearch?
>
> Jeff
>
>
>
> --
> Tomas Krizek
>
>


--
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to