On 9.7.2016 02:47, lm gnid wrote:
> Hello,
> 
> In one of our IPA servers, the named service suddenly cannot start, so I followed  
> the link below:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> 
> Found some errors like below:
> 
> ==> messages <==
> 
> Jul  8 23:30:30 eupreprd-ops-ipa-01 named-pkcs11[5002]: LDAP error: Invalid 
> credentials: SASL(-14): authorization failure: : bind to LDAP server failed
> 
> It should be an "Invalid credentials: bind to LDAP server failed " error, 
> however, the commands below show no issues to me:
> 
> [root@eupreprd-ops-ipa-01 ~]# kvno 
> DNS/eupreprd-ops-ipa-01.internal....@internal.com
> 
> DNS/eupreprd-ops-ipa-01.internal....@internal.com: kvno = 2
> 
> [root@eupreprd-ops-ipa-01 ~]# klist -kt /etc/named.keytab
> Keytab name: FILE:/etc/named.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
>    2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
> 
> [root@eupreprd-ops-ipa-01 ~]# kinit -kt /etc/named.keytab 
> DNS/eupreprd-ops-ipa-01.internal.com
> 
> [root@eupreprd-ops-ipa-01 ~]
> 
> 
> 
> [root@eupreprd-ops-ipa-01 ~]# ldapsearch -H 
> 'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket"' -Y GSSAPI -b 'cn=dns, 
> dc=internal,dc=com'
> 
> ...<Lots of results, will not put here>...
> 
> 
> 
> For now, I have used the "(Workaround) Use simple LDAP BIND instead of 
> Kerberos" to make it work, but still want to know how to recover to "sasl"?


Huh, this is really weird. The only idea I have is that there is some
replication issue between the IPA servers so server1 has a different key for the
DNS service principal than server2.

In theory servers to contact can be chosen randomly, so named might
have been unlucky and attempted to contact the 'wrong' server while kinit might
have been lucky and contacted the 'right' one.

Please check things mentioned in
http://www.freeipa.org/page/Troubleshooting#Replication_issues

I hope it helps!

-- 
Petr^2 Spacek
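One way to turn the "lucky vs. unlucky KDC" guess above into a deterministic check, added here as an example and not code from the thread or from FreeIPA: pin each replica as the only KDC through a throwaway krb5.conf, run the keytab kinit against each one, and compare the KVNO in the keytab with the KVNO the KDC answers. The server names, realm and the DNS_PRINC default are placeholders to be replaced with the real environment.

```shell
#!/bin/sh
# Probe /etc/named.keytab against every IPA replica's KDC one at a time.
# Assumptions (not from the thread): replicas in IPA_SERVERS, realm in REALM,
# MIT krb5 client tools installed; all names below are placeholders.
IPA_SERVERS="${IPA_SERVERS:-ipa-01.example.test ipa-02.example.test}"
REALM="${REALM:-EXAMPLE.TEST}"
KEYTAB="${KEYTAB:-/etc/named.keytab}"
DNS_PRINC="${DNS_PRINC:-DNS/$(hostname -f 2>/dev/null || echo ipa-01.example.test)@$REALM}"

# Minimal krb5.conf that forces every KDC lookup to a single server, so the
# result cannot depend on which replica the client happened to pick.
# $1 = realm, $2 = KDC host
pinned_krb5_conf() {
    printf '[libdefaults]\n default_realm = %s\n dns_lookup_kdc = false\n' "$1"
    printf '[realms]\n %s = {\n  kdc = %s\n  master_kdc = %s\n }\n' "$1" "$2" "$2"
}

# Keytab kinit against one pinned KDC, using a memory-only ccache so the
# probe leaves nothing behind; returns kinit's exit status. $1 = KDC host
probe_kdc() {
    conf=$(mktemp) || return 1
    pinned_krb5_conf "$REALM" "$1" > "$conf"
    KRB5_CONFIG="$conf" KRB5CCNAME="MEMORY:probe-$$" \
        kinit -kt "$KEYTAB" "$DNS_PRINC" 2>/dev/null
    rc=$?
    rm -f "$conf"
    return $rc
}

# Compare KVNOs: $1 = output of "klist -kt", $2 = output of "kvno PRINC".
# Prints "match" when the KDC's kvno is present in the keytab, else "mismatch".
compare_kvno() {
    kt=$(printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ {print $1}' | sort -u | tr '\n' ' ')
    kdc=$(printf '%s\n' "$2" | sed -n 's/.*kvno = \([0-9]*\).*/\1/p')
    case " $kt" in *" $kdc "*) echo match ;; *) echo mismatch ;; esac
}

main() {
    for s in $IPA_SERVERS; do
        if probe_kdc "$s"; then echo "$s: keytab accepted"
        else echo "$s: keytab REJECTED (suspect replication of the DNS principal key)"; fi
    done
}
command -v kinit >/dev/null 2>&1 && main
```

A replica that rejects the keytab while the others accept it is the one whose copy of the DNS principal key has diverged; that is where to start with the replication checks linked above.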

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project