Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

2016-10-07 Thread Fil Di Noto
Found it. Nothing to do with keytabs or their permissions. It was
settings in named.conf (sasl_user) which had the wrong server name.

On Fri, Oct 7, 2016 at 2:05 PM, Fil Di Noto  wrote:
> I forgot to add the -k in the klist command. Actually the keytab looks
> correct. I noticed the file permissions were 0400 named:named but all
> other service keytabs I see are 0600. I thought that might be an issue
> so I tried changing the permissions to 0600 on all the servers but it
> hasn't changed the result.
>
> Any clue on whether those permissions (0400) are correct? I know folks
> like to do named like that with chroots and such but that seems wrong
> to me.
>
> On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto  wrote:
>> klist /etc/named.keytab
>> klist: Bad format in credentials cache
>>
>> It's actually like this on all the servers, and I assume it is only
>> showing up in the logs for the 1 server because that is the server
>> where we make changes and it is trying to push changes out to the
>> rest.
>>
>> If it were any other server than an IPA server I would just manually
>> ipa-getkeytab, but since it's also a KDC I'm having doubts about how
>> to proceed. What do you think Matt?
>>
>> On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells  wrote:
>>> That's correct. Apparently it's unable to use the Kerberos credential to
>>> utilize that service associated with the server.
>>> Have you examined the keytab itself? Read it in and see what's inside of
>>> it.
>>>
>>>
>>> On Fri, Oct 7, 2016, 12:20 Fil Di Noto  wrote:
>>>>
>>>> I'm trying to interpret these log messages. It seems like server ipa03
>>>> has no principal for the DNS service and is not able to replicate LDAP
>>>> to the other 3 IPA servers. If that is correct:
>>>>
>>>> 1. Is "DNS" the service principal it should be using?
>>>> 2. How do I correct this?
>>>> (what concerns me is that ipa03 is the server I designated as
>>>> the server where administrative changes are made in case manual
>>>> replication is needed)
>>>>
>>>>
>>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to
>>>> the LDAP server was lost
>>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get
>>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>>> DNS/ipa03.example@example.com)
>>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl
>>>> will reconnect in 60 seconds
>>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to
>>>> the LDAP server was lost
>>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get
>>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>>> DNS/ipa03.example@example.com)
>>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl
>>>> will reconnect in 60 seconds
>>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to
>>>> the LDAP server was lost
>>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get
>>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>>> DNS/ipa03.example@example.com)
>>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl
>>>> will reconnect in 60 seconds
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> Matt Wells
>>> Chief Systems Architect
>>> RHCA II, RHCVA - #110-000-353
>>> (702) 808-0424
>>> matt.we...@mosaic451.com
>>>  Las Vegas | Phoenix | Portland Mosaic451.com
>>> CONFIDENTIALITY NOTICE: This transmittal is a confidential communication or
>>> may otherwise be privileged. If you are not intended recipient, you are
>>> hereby notified that you have received this transmittal in error and that
>>> any review, dissemination, distribution or copying of this transmittal is
>>> strictly prohibited. If you have received this communication in error,
>>> please notify this office, and immediately delete this message and all its
>>> attachments, if any.

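The resolution above (a `sasl_user` in named.conf naming the wrong server) fits the logs: ipa01, ipa02 and ipa04 each ask for a TGT as DNS/ipa03.example.com out of their own /etc/named.keytab, which only holds their own key. That mismatch is cheap to check mechanically. The script below is an added example, not code from this thread or from FreeIPA: it pulls the `sasl_user` principal out of a named.conf, compares its host part with the FQDN you pass in (`hostname -f` in practice) and confirms that a saved `klist -kt /etc/named.keytab` listing contains a key for that principal. The named.conf fragment and the klist listing it uses are constructed for the demonstration; the `dynamic-db` block follows the legacy bind-dyndb-ldap syntax (the newer `sasl_user "..."` form is handled too), and the hostnames and realm are the thread's example names.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): verify that the principal
# bind-dyndb-ldap is told to use in named.conf is this host's own DNS service
# principal, and that the keytab actually carries a key for it.

# Extract the sasl_user principal from named.conf. Handles the legacy
#   arg "sasl_user DNS/host";
# form and the newer
#   sasl_user "DNS/host";
# form; prints the first match, nothing if absent.
sasl_user_from_named_conf() {
    sed -n \
        -e 's/^[[:space:]]*arg[[:space:]]*"sasl_user[[:space:]]\{1,\}\([^"]*\)".*/\1/p' \
        -e 's/^[[:space:]]*sasl_user[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1" | head -n 1
}

# Host component of a service principal:
#   DNS/ipa03.example.com@EXAMPLE.COM -> ipa03.example.com
principal_host() {
    printf '%s\n' "$1" | sed -e 's/^[^/]*\///' -e 's/@.*$//'
}

# Does a saved 'klist -kt' listing ($1) contain a key for principal $2
# (given without realm)? Any KVNO and any realm count.
keytab_has_principal() {
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    grep -q "[[:space:]]$esc@" "$1"
}

# Returns 0 when named.conf names this host and the keytab has a key for it,
# 1 on a mismatch, 2 when named.conf carries no sasl_user at all.
check_named_identity() {
    conf=$1; fqdn=$2; listing=$3
    princ=$(sasl_user_from_named_conf "$conf")
    if [ -z "$princ" ]; then
        echo "no sasl_user found in $conf"
        return 2
    fi
    host=$(principal_host "$princ")
    if [ "$host" != "$fqdn" ]; then
        echo "MISMATCH: named.conf sasl_user is $princ but this host is $fqdn"
        return 1
    fi
    if ! keytab_has_principal "$listing" "$princ"; then
        echo "MISMATCH: keytab listing has no key for $princ"
        return 1
    fi
    echo "ok: $princ matches the host name and the keytab"
    return 0
}

# --- constructed sample inputs for the demonstration ----------------------
# A minimal legacy-syntax dynamic-db block; $2 is the host put in sasl_user.
write_sample_conf() {
    cat >"$1" <<EOF
dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/$2";
};
EOF
}

# What 'klist -kt /etc/named.keytab' prints on a host whose keytab holds
# DNS/$2 (one line per encryption type, MIT Kerberos layout).
write_sample_keytab_listing() {
    cat >"$1" <<EOF
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/07/2016 12:00:00 DNS/$2@EXAMPLE.COM
   2 10/07/2016 12:00:00 DNS/$2@EXAMPLE.COM
EOF
}

# Demo: ipa02's named.conf wrongly carries ipa03's principal, as in the thread.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/named.conf" ipa03.example.com
write_sample_keytab_listing "$demo_dir/klist.txt" ipa02.example.com
check_named_identity "$demo_dir/named.conf" ipa02.example.com "$demo_dir/klist.txt" || true
# After correcting sasl_user to the host's own name the check passes.
write_sample_conf "$demo_dir/named.conf" ipa02.example.com
check_named_identity "$demo_dir/named.conf" ipa02.example.com "$demo_dir/klist.txt"
rm -rf "$demo_dir"
```

On a real server, feed it the live files: `klist -kt /etc/named.keytab > /tmp/klist.txt` and then `check_named_identity /etc/named.conf "$(hostname -f)" /tmp/klist.txt`. Note the `-k` flag: plain `klist /etc/named.keytab` treats the path as a credential cache and fails with exactly the "Bad format in credentials cache" message seen earlier in this thread, which is easy to misread as a corrupt keytab. The check is deliberately read-only; if it reports a mismatch, fix `sasl_user` (or regenerate the keytab with ipa-getkeytab) rather than loosening keytab permissions, which do nothing for a name mismatch.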


Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

2016-10-07 Thread Fil Di Noto
I forgot to add the -k in the klist command. Actually the keytab looks
correct. I noticed the file permissions were 0400 named:named but all
other service keytabs I see are 0600. I thought that might be an issue
so I tried changing the permissions to 0600 on all the servers but it
hasn't changed the result.

Any clue on whether those permissions (0400) are correct? I know folks
like to do named like that with chroots and such but that seems wrong
to me.

On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto  wrote:
> klist /etc/named.keytab
> klist: Bad format in credentials cache
>
> It's actually like this on all the servers, and I assume it is only
> showing up in the logs for the 1 server because that is the server
> where we make changes and it is trying to push changes out to the
> rest.
>
> If it were any other server than an IPA server I would just manually
> ipa-getkeytab, but since it's also a KDC I'm having doubts about how
> to proceed. What do you think Matt?
>
> On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells  wrote:
>> That's correct. Apparently it's unable to use the Kerberos credential to
>> utilize that service associated with the server.
>> Have you examined the keytab itself? Read it in and see what's inside of
>> it.
>>
>>
>> On Fri, Oct 7, 2016, 12:20 Fil Di Noto  wrote:
>>>
>>> I'm trying to interpret these log messages. It seems like server ipa03
>>> has no principal for the DNS service and is not able to replicate LDAP
>>> to the other 3 IPA servers. If that is correct:
>>>
>>> 1. Is "DNS" the service principal it should be using?
>>> 2. How do I correct this?
>>> (what concerns me is that ipa03 is the server I designated as
>>> the server where administrative changes are made in case manual
>>> replication is needed)
>>>
>>>
>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to
>>> the LDAP server was lost
>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get
>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>> DNS/ipa03.example@example.com)
>>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl
>>> will reconnect in 60 seconds
>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to
>>> the LDAP server was lost
>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get
>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>> DNS/ipa03.example@example.com)
>>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl
>>> will reconnect in 60 seconds
>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to
>>> the LDAP server was lost
>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get
>>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>>> DNS/ipa03.example@example.com)
>>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl
>>> will reconnect in 60 seconds
>>>
>>



Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

2016-10-07 Thread Fil Di Noto
klist /etc/named.keytab
klist: Bad format in credentials cache

It's actually like this on all the servers, and I assume it is only
showing up in the logs for the 1 server because that is the server
where we make changes and it is trying to push changes out to the
rest.

If it were any other server than an IPA server I would just manually
ipa-getkeytab, but since it's also a KDC I'm having doubts about how
to proceed. What do you think Matt?

On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells  wrote:
> That's correct. Apparently it's unable to use the Kerberos credential to
> utilize that service associated with the server.
> Have you examined the keytab itself? Read it in and see what's inside of
> it.
>
>
> On Fri, Oct 7, 2016, 12:20 Fil Di Noto  wrote:
>>
>> I'm trying to interpret these log messages. It seems like server ipa03
>> has no principal for the DNS service and is not able to replicate LDAP
>> to the other 3 IPA servers. If that is correct:
>>
>> 1. Is "DNS" the service principal it should be using?
>> 2. How do I correct this?
>> (what concerns me is that ipa03 is the server I designated as
>> the server where administrative changes are made in case manual
>> replication is needed)
>>
>>
>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to
>> the LDAP server was lost
>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get
>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>> DNS/ipa03.example@example.com)
>> Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl
>> will reconnect in 60 seconds
>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to
>> the LDAP server was lost
>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get
>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>> DNS/ipa03.example@example.com)
>> Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl
>> will reconnect in 60 seconds
>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to
>> the LDAP server was lost
>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get
>> initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
>> keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
>> DNS/ipa03.example@example.com)
>> Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl
>> will reconnect in 60 seconds
>>
>



[Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

2016-10-07 Thread Fil Di Noto
I'm trying to interpret these log messages. It seems like server ipa03
has no principal for the DNS service and is not able to replicate LDAP
to the other 3 IPA servers. If that is correct:

1. Is "DNS" the service principal it should be using?
2. How do I correct this?
(what concerns me is that ipa03 is the server I designated as
the server where administrative changes are made in case manual
replication is needed)


Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to
the LDAP server was lost
Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get
initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
DNS/ipa03.example@example.com)
Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl
will reconnect in 60 seconds
Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to
the LDAP server was lost
Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get
initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
DNS/ipa03.example@example.com)
Oct  7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl
will reconnect in 60 seconds
Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to
the LDAP server was lost
Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get
initial credentials (TGT) using principal 'DNS/ipa03.example.com' and
keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for
DNS/ipa03.example@example.com)
Oct  7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl
will reconnect in 60 seconds
