Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
Found it. Nothing to do with keytabs or their permissions. It was a setting in named.conf (sasl_user) that had the wrong server name.

On Fri, Oct 7, 2016 at 2:05 PM, Fil Di Noto wrote:
> I forgot to add the -k in the klist command. Actually the keytab looks
> correct. I noticed the file permissions were 0400 named:named but all
> other service keytabs I see are 0600. I thought that might be an issue
> so I tried changing the permissions to 0600 on all the servers but it
> hasn't changed the result.
>
> Any clue on whether those permissions (0400) are correct? I know folks
> like to do named like that with chroots and such but that seems wrong
> to me.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
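The root cause above is a named.conf whose sasl_user principal names a different server than the one whose keytab named is reading, so the local keytab holds no key for it. The script below is an added example written for this page (it is not code from the thread or from the FreeIPA project) that checks for exactly that mismatch offline: it pulls sasl_user and server_id out of the bind-dyndb-ldap stanza (both the older dynamic-db/arg syntax and the newer dyndb syntax), compares the principal against the entries of `klist -k /etc/named.keytab`, and separately flags a keytab readable by anyone other than its owner, which is the part of the 0400-versus-0600 question that actually matters (both modes are owner-only; named only reads the file). The named.conf stanzas, the klist output and the host names are constructed samples, not captures from the poster's servers.

```python
"""Check that named's GSSAPI principal (sasl_user) is present in its keytab.

Constructed samples below imitate the situation in the thread: ipa02's
named.conf points at DNS/ipa03.example.com while /etc/named.keytab on
ipa02 only holds DNS/ipa02.example.com.
"""
import re
import stat

# Constructed sample: older bind-dyndb-ldap syntax, sasl_user names the wrong host.
NAMED_CONF_BAD = '''
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    arg "base cn=dns, dc=example,dc=com";
    arg "server_id ipa02.example.com";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ipa03.example.com";
};
'''

# Constructed sample: newer dyndb syntax with the corrected principal.
NAMED_CONF_GOOD = '''
dyndb "ipa" "/usr/lib64/bind/ldap.so" {
    uri "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    base "cn=dns,dc=example,dc=com";
    server_id "ipa02.example.com";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipa02.example.com";
};
'''

# Constructed sample: `klist -k /etc/named.keytab` on ipa02. Without -k, klist
# reads a credential cache instead and reports "Bad format in credentials cache".
KLIST_OUT = '''Keytab name: FILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 DNS/ipa02.example.com@EXAMPLE.COM
   2 DNS/ipa02.example.com@EXAMPLE.COM
'''

_SASL_USER = re.compile(r'sasl_user\s+"?([^"\s;]+)')
_SERVER_ID = re.compile(r'server_id\s+"?([^"\s;]+)')
_KLIST_ROW = re.compile(r'^\s*\d+\s+(\S+@\S+)\s*$', re.MULTILINE)


def parse_named_conf(text):
    """Return (sasl_user, server_id); works for both dynamic-db/arg and dyndb syntax."""
    su = _SASL_USER.search(text)
    sid = _SERVER_ID.search(text)
    return (su.group(1) if su else None, sid.group(1) if sid else None)


def parse_klist(text):
    """Return the set of principals listed by `klist -k` (header and ruler skipped)."""
    return set(_KLIST_ROW.findall(text))


def check_named_gssapi(conf_text, klist_text):
    """Return a list of findings; an empty list means named can use this keytab."""
    findings = []
    sasl_user, server_id = parse_named_conf(conf_text)
    if sasl_user is None:
        return ["named.conf has no sasl_user"]
    # sasl_user is normally written without a realm, so compare the realm-less part.
    keytab = {p.split("@", 1)[0] for p in parse_klist(klist_text)}
    if sasl_user.split("@", 1)[0] not in keytab:
        findings.append(
            f"keytab has no key for {sasl_user}; it holds {sorted(keytab)} "
            "(named logs 'Keytab contains no suitable keys')")
    # The host part of DNS/<host> must be this server, i.e. the server_id.
    host = sasl_user.split("/", 1)[-1].split("@", 1)[0]
    if server_id and host != server_id:
        findings.append(f"sasl_user names host {host} but server_id is {server_id}")
    return findings


def keytab_mode_findings(mode, owner, expected_owner="named"):
    """Flag a keytab readable beyond its owner. 0400 and 0600 are both acceptable."""
    findings = []
    if owner != expected_owner:
        findings.append(f"owned by {owner}, expected {expected_owner}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(mode):04o} grants access beyond the owner")
    return findings


if __name__ == "__main__":
    for label, conf in (("misconfigured", NAMED_CONF_BAD), ("corrected", NAMED_CONF_GOOD)):
        print(label, check_named_gssapi(conf, KLIST_OUT) or ["OK"])
    print("keytab 0400 named:", keytab_mode_findings(0o100400, "named") or ["OK"])
```

On a real server, feed `check_named_gssapi` the contents of /etc/named.conf and the output of `klist -k /etc/named.keytab`, and pass `os.stat('/etc/named.keytab').st_mode` plus the owner name to `keytab_mode_findings`; the misconfigured sample yields two findings (principal missing from the keytab, and the host disagreeing with server_id), the corrected one yields none.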
Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
I forgot to add the -k in the klist command. Actually the keytab looks correct. I noticed the file permissions were 0400 named:named but all other service keytabs I see are 0600. I thought that might be an issue so I tried changing the permissions to 0600 on all the servers but it hasn't changed the result.

Any clue on whether those permissions (0400) are correct? I know folks like to do named like that with chroots and such but that seems wrong to me.

On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto wrote:
> klist /etc/named.keytab
> klist: Bad format in credentials cache
>
> It's actually like this on all the servers, and I assume it is only
> showing up in the logs for the 1 server because that is the server
> where we make changes and it is trying to push changes out to the
> rest.
>
> If it were any other server than an IPA server I would just manually
> ipa-getkeytab, but since it's also a KDC I'm having doubts about how
> to proceed. What do you think, Matt?
Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
klist /etc/named.keytab
klist: Bad format in credentials cache

It's actually like this on all the servers, and I assume it is only showing up in the logs for the 1 server because that is the server where we make changes and it is trying to push changes out to the rest.

If it were any other server than an IPA server I would just manually ipa-getkeytab, but since it's also a KDC I'm having doubts about how to proceed. What do you think, Matt?

On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells wrote:
> That's correct. Apparently it's unable to use the Kerberos credential to
> utilize that service associated with the server.
> Have you examined the keytab itself? Read it in and see what's inside of
> it.
>
> --
> Matt Wells
> Chief Systems Architect
[Freeipa-users] LDAP/DNS replication, IPA server service principal key issue
I'm trying to interpret these log messages. It seems like server ipa03 has no principal for the DNS service and is not able to replicate LDAP to the other 3 IPA servers. If that is correct:

1. Is "DNS" the service principal it should be using?
2. How do I correct this?

(What concerns me is that ipa03 is the server I designated as the server where administrative changes are made in case manual replication is needed.)

Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to the LDAP server was lost
Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example@example.com)
Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl will reconnect in 60 seconds
Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to the LDAP server was lost
Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example@example.com)
Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl will reconnect in 60 seconds
Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to the LDAP server was lost
Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/ipa03.example@example.com)
Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl will reconnect in 60 seconds