Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-12 Thread Simo Sorce
On 10/11/15 11:54, Gronde, Christopher (Contractor) wrote: # ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-11 Thread Martin Babinsky
:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0 [10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 SRCH base="cn=Name Only,cn=mapping,cn=sasl,cn=config" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL [10/Nov/2015:14:12:16 -0500] conn=In

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rich Megginson
red [root@comipa02 ~]# ldapmodify -a -D "cn=config" -W Enter LDAP Password: ldap_bind: Inappropriate authentication (48) -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Tuesday, November 10, 2015 9:48 AM To: Gronde, Christopher (Contractor) <christopher.gro...

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Martin Basti
260 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, November 10, 2015 9:03 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
Neither came back with anything # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b "dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Martin Babinsky
On 11/10/2015 05:16 PM, Gronde, Christopher (Contractor) wrote: Neither came back with anything # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b "dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rich Megginson
On 11/10/2015 09:49 AM, Gronde, Christopher (Contractor) wrote: Note comipa01 is the master and comipa02 is the replica that is having the KDC issue # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b "dc=itmodev,dc=gov" '(krbprincipalname=ldap/comipa01.itmodev.gov*)' Enter LDAP

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
e: [Freeipa-users] krb5kdc will not start (kerberos >> authentication error) >> >> >> On 11/10/2015 02:40 PM, Alexander Bokovoy wrote: >>> On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote: >>>> Where can I verify or change the credentials it i

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rich Megginson
On 11/10/2015 09:39 AM, Martin Babinsky wrote: On 11/10/2015 05:16 PM, Gronde, Christopher (Contractor) wrote: Neither came back with anything # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b "dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)' Enter LDAP Password: #

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
2 result: 0 Success # numResponses: 142 # numEntries: 141 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, November 10, 2015 11:37 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] kr

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rich Megginson
On 11/10/2015 09:16 AM, Gronde, Christopher (Contractor) wrote: Neither came back with anything # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b "dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Ludwig Krispenz
Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Tuesday, November 10, 2015 9:48 AM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov> Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authenticat

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Ludwig Krispenz
4 op=0 fd=64 closed - U1 [10/Nov/2015:10:16:57 -0500] conn=45 fd=64 slot=64 connection from 172.16.100.161 to 172.16.100.161 [10/Nov/2015:10:16:57 -0500] conn=45 op=0 UNBIND [10/Nov/2015:10:16:57 -0500] conn=45 op=0 fd=64 closed - U1 -Original Message- From: Ludwig Krispenz [mailto:lkris...@

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
Note comipa01 is the master and comipa02 is the replica that is having the KDC issue # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b "dc=itmodev,dc=gov" '(krbprincipalname=ldap/comipa01.itmodev.gov*)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rob Crittenden
> > -Original Message- > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz > Sent: Tuesday, November 10, 2015 11:37 AM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] krb5kdc will not start (kerbe

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Ludwig Krispenz
what do you get if you search for "objectclass=krbprincipal" ? On 11/10/2015 05:27 PM, Rich Megginson wrote: On 11/10/2015 09:16 AM, Gronde, Christopher (Contractor) wrote: Neither came back with anything # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b "dc=itmodev,dc=gov"

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
day, November 10, 2015 9:48 AM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov> Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On 11/10/2015 03:32 PM, Gronde, Christopher (Contractor) wrote: > How do I

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Martin Babinsky
On 11/10/2015 05:54 PM, Gronde, Christopher (Contractor) wrote: # ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
ay, November 10, 2015 12:03 PM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Rob Crittenden <rcrit...@redhat.com>; Ludwig Krispenz <lkris...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
This is the mappings from the Master...it looks very different from the replica # ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
class=ldapsubentry))" attrs=ALL [10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0 [10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 SRCH base="cn=Name Only,cn=mapping,cn=sasl,cn=config" scope=0 filter="(|(objectclass=*)(objectclass=ld

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > Is it possible to delete the mapping and try it and if it doesn't work or > breaks something else add it back? How would I go about deleting this > mapping? Or adding the mapping for principal name in the right order? > So what I'd do is this: Do

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Ludwig Krispenz
<rcrit...@redhat.com>; Ludwig Krispenz <lkris...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On 11/10/2015 05:54 PM, Gronde, Christopher (Contractor) wrote: # ldapsearch -x -D 'cn=Directory Manager' -W -b cn=

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rich Megginson
12:03 PM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Rob Crittenden <rcrit...@redhat.com>; Ludwig Krispenz <lkris...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On 11/10/201

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rich Megginson
) <christopher.gro...@fincen.gov>; Rob Crittenden <rcrit...@redhat.com>; Ludwig Krispenz <lkris...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On 11/10/2015 05:54 PM, Gronde, Christopher (Contractor) wrote: # ld

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson Sent: Tuesday, November 10, 2015 12:26 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On 11/10/2015 10:25 AM, Ludwig Krispenz wrote: > > On 11/10/2015 06:08 PM,

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Ludwig Krispenz
: Martin Babinsky [mailto:mbabi...@redhat.com] Sent: Tuesday, November 10, 2015 12:03 PM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Rob Crittenden <rcrit...@redhat.com>; Ludwig Krispenz <lkris...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Free

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
ongoing. This is normal for SASL GSSAPI. >> >> err=49 is wrong password or username, i.e. credentials were incorrect. >> It may also mean that LDAP server side was unable to process Kerberos >> negotiation due to not having a current Kerberos ticket for own >> service >

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Ludwig Krispenz
: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, November 10, 2015 9:03 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On 11/10/2015 02:40 PM, Alexander Bokovoy

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Ludwig Krispenz
15 8:18 AM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov> Cc: Rob Crittenden <rcrit...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote:

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
en.gov> Cc: Rob Crittenden <rcrit...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote: >Where can I verify or change the credentials it is trying to use? Is

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Alexander Bokovoy
m> Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) Gronde, Christopher (Contractor) wrote: Nothing bad came back and there is definitely data in the tree. Ok, I guess I'd try to start the kdc again and then watch the

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
c: Rob Crittenden <rcrit...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote: >When I tried to start the service again I got no response from ta

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Alexander Bokovoy
ristopher.gro...@fincen.gov> Cc: Rob Crittenden <rcrit...@redhat.com>; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote: When I tried to start the service again I got

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Gronde, Christopher (Contractor)
er 09, 2015 3:26 PM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Alexander Bokovoy <aboko...@redhat.com> Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) Gronde, Christopher (Contractor) wrote: >

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-09 Thread Gronde, Christopher (Contractor)
t.com> Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) Gronde, Christopher (Contractor) wrote: > I restarted dirsrv and attempted to start krb5kdc and this is what the > error log shows > > # tail /var/log/dirsrv/

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-09 Thread Gronde, Christopher (Contractor)
[mailto:aboko...@redhat.com] Sent: Monday, November 09, 2015 10:51 AM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov> Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) On Mon, 09 Nov 2015, Gronde, Chris

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-09 Thread Alexander Bokovoy
On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote: Hello all! On my replica IPA server after fixing a cert issue that had been going on for some time, I have all my certs figured out but the krb5kdc service will not start. # service krb5kdc start Starting Kerberos 5 KDC: krb5kdc:

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-09 Thread Rob Crittenden
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov> > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication > error) > > On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote: >> Hello all!

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-09 Thread Gronde, Christopher (Contractor)
(Contractor) <christopher.gro...@fincen.gov>; Alexander Bokovoy <aboko...@redhat.com> Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error) Gronde, Christopher (Contractor) wrote: > Nothing bad came back and there is definitely da

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-09 Thread Rob Crittenden
Alexander Bokovoy <aboko...@redhat.com> > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication > error) > > Gronde, Christopher (Contractor) wrote: >> I restarted dirsrv and attempted to start krb5kdc and this is wha