I re-read and walked through the troubleshooting steps. I have a mismatch in Key Version Numbers in the keytab file:
Trying to renew the keytab file results in this error:

Failed to parse result: PrincipalName not found.
Retrying with pre-4.0 keytab retrieval method...
Failed to parse result: PrincipalName not found.
Failed to get keytab!
Failed to get keytab

Using simple authentication does work but I would prefer to find a solution to the Kerberos problem. Do you have any further suggestions?

Thanks,

Jeff

On Thu, Jan 5, 2017 at 11:50 AM, Tomas Krizek <[email protected]> wrote:

> On 01/05/2017 04:11 PM, Jeff Goddard wrote:
>
> I'm starting a new thread rather than continuing to submit under:
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html.
>
> My problem is that I cannot get the DNS service to start on one of my
> replica masters. From the previous message thread:
>
> Hello,
>
> could you check this link
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed
>
> kinit prints nothing when it works, so it works in your case, can you
> after kinit as DNS service try to use ldapsearch -Y GSSAPI ?
>
> Martin
>
> Reading the article and following the steps I get this as a result of:
>
> ipa privilege-show 'DNS Servers' --all --raw
>
> dn: cn=DNS Servers,cn=privileges,cn=pbac,dc=internal,dc=emerlyn,dc=com
> cn: DNS Servers
> description: DNS Servers
> member: krbprincipalname=DNS/id-management-1.internal.emerlyn.[email protected],cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
> member: krbprincipalname=ipa-dnskeysyncd/id-management-1.[email protected],cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
> member: krbprincipalname=DNS/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
> member: krbprincipalname=ipa-dnskeysyncd/idmfs-01.internal.[email protected],cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
> member: krbprincipalname=ipa-dnskeysyncd/id-management-2.[email protected],cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
> member: krbprincipalname=DNS/id-management-2.internal.emerlyn.[email protected]+nsuniqueid=be8eda7e-fcd311e5-859e9ada-0ab343c0,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
> member: krbprincipalname=DNS/id-management-2.internal.emerlyn.[email protected],cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com
> memberof: cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
> memberof: cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
> memberof: cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
> memberof: cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
> memberof: cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
> memberof: cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
> memberof: cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
> memberof: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=internal,dc=emerlyn,dc=com
> objectClass: top
> objectClass: groupofnames
> objectClass: nestedgroup
>
> From the previous thread's logs, it seems there is an issue when
> bind-dyndb-ldap attempts to connect to the LDAP server. The link Martin
> posted has some good advice on how to troubleshoot this.
>
> I don't understand whether you went through the steps and identified any
> issue.
>
> Does your setup use simple authentication or Kerberos?
> When you try to manually set named.conf to use the other option, does it
> work?
> Are you able to authenticate to LDAP using these methods in commands like
> ldapsearch?
>
> Jeff
>
>
>
> --
> Tomas Krizek
>
> --
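Added example, not from this thread or from the FreeIPA project: the KVNO mismatch Jeff describes is a keytab whose stored key version numbers no longer match the version the KDC currently issues tickets for. The usual manual check is `klist -kt <keytab>` against `kvno <principal>`; the script below automates the comparison by parsing the MIT keytab file format (version 0x0502) directly and matching it against the text `kvno` prints. The sample keytab bytes, the key material (zero filler, not real keys) and the `kvno` output are constructed for the demonstration; the `replica-example` host name is invented, and the keytab path in the usage note is a placeholder.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab format version 2: big-endian fields
KRB5_NT_PRINCIPAL = 1        # name type stored in each entry


@dataclass
class KeytabEntry:
    principal: str           # "primary/instance@REALM"
    kvno: int
    enctype: int
    timestamp: int


def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                       timestamp: int = 0) -> bytes:
    """Serialize one 0x0502 entry; used here only to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    # name type, timestamp, 8-bit vno, enctype, key length, key, then 32-bit vno
    body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF,
                        enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Walk the entry list of a 0x0502 keytab. A negative entry size marks a
    slot deleted with ktutil; it is skipped the way klist skips it."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r (only 0x0502 handled)" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:
            off += -size
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off)
        off += 4
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            off += 2
            comps.append(data[off:off + clen].decode())
            off += clen
        _name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen         # skip the key bytes; only the version matters here
        kvno = vno8
        if end - off >= 4:       # optional 32-bit vno; overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts))
        off = end
    return entries


def parse_kvno_output(text: str) -> dict[str, int]:
    """Parse 'principal: kvno = N' lines as printed by the kvno tool."""
    result = {}
    for line in text.splitlines():
        if ": kvno = " in line:
            princ, _, num = line.rpartition(": kvno = ")
            result[princ.strip()] = int(num)
    return result


def find_kvno_mismatches(entries: list[KeytabEntry], kdc_kvnos: dict[str, int]):
    """Return (principal, highest kvno in keytab or None, kvno the KDC issues) for
    every principal whose keytab holds no key at the KDC's current version."""
    highest: dict[str, int] = {}
    have = set()
    for e in entries:
        have.add((e.principal, e.kvno))
        highest[e.principal] = max(highest.get(e.principal, 0), e.kvno)
    return [(p, highest.get(p), k) for p, k in kdc_kvnos.items() if (p, k) not in have]


# Constructed sample: the keytab still holds kvno 3 for idmfs-01 while the KDC
# already issues kvno 4 (the mismatch from the thread); the second principal matches.
SAMPLE_KEYTAB = KEYTAB_MAGIC + b"".join([
    build_keytab_entry("DNS/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM", 3, 18, bytes(32), 1483600000),
    build_keytab_entry("DNS/replica-example.internal.emerlyn.com@INTERNAL.EMERLYN.COM", 2, 18, bytes(32), 1483600000),
])
SAMPLE_KVNO_OUTPUT = """\
DNS/idmfs-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM: kvno = 4
DNS/replica-example.internal.emerlyn.com@INTERNAL.EMERLYN.COM: kvno = 2
"""


def report(keytab: bytes = SAMPLE_KEYTAB, kvno_text: str = SAMPLE_KVNO_OUTPUT):
    return find_kvno_mismatches(parse_keytab(keytab), parse_kvno_output(kvno_text))


if __name__ == "__main__":
    for princ, in_keytab, at_kdc in report():
        print(f"MISMATCH {princ}: keytab has kvno {in_keytab}, KDC issues kvno {at_kdc}")
```

On a real host, feed it the bytes of the named keytab (for example `open("/path/to/named.keytab", "rb").read()`, path being a placeholder) and the captured output of `kvno DNS/<host>@<REALM>` run after a `kinit`. Any principal listed is one whose keytab must be re-fetched before GSSAPI binds from bind-dyndb-ldap can succeed, which is exactly the retrieval step that is failing in this thread; a keytab whose KVNO lags the KDC is also what `ldapsearch -Y GSSAPI` as the DNS service will trip over.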
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
