So I started working through the guide below and most of the steps just worked. No errors, which was odd. For example:
# kinit -kt /etc/named.keytab DNS/ipa3.my.net
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/ipa3.my.net@MY.NET
Valid starting Expires Service principal
12/06/2018 14:51:08 12/07/2018 14:51:08 krbtgt/MY.NET@MY.NET
# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI -b 'cn=dns,dc=my,dc=net'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
That's the first such error I received as I worked my way down the page, but there's no real guidance there as to what to do when this fails. The text assumes it'll work, but the previous steps didn't turn up anything wrong...
I've been completely unable to turn on any sort of Kerberos logging despite attempting both approaches in the guide.
I'll check it out. Thanks, Flo!
On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote:
On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote:
After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages (all messages from named-pkcs11):
bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23 2017, complier 4.8.5 20150623 (Red Hat 4.8.5-16)
LDAP error: Invalid credentials: bind to LDAP server failed
couldn't establish connection in LDAP connection pool: permission denied
dynamic database 'ipa' configuration failed:
loading configuration: permission denied
exiting (due to fatal error)
So I tried manually:
# kinit -kt /etc/named.keytab DNS/ipa3.my.net@MY.NET
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/asipa3.my.net@MY.NET
Valid starting Expires Service principal
12/06/2018 12:26:17 12/07/2018 12:26:17 krbtgt/MY.NET@MY.NET
I've restarted now using ipactl start --ignore-service-failure but where should I be looking next to get this fixed?
Hi,
you can find a lot of information in this page:
https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html
flo
--
*Bret Wortman*
Founder, Damascus Products, LLC
855-644-2783 <tel:855-644-2783> | bret@wrapbuddies.co <mailto:bret@wrapbuddies.co>
http://wrapbuddies.co/
70 Main St. Suite 23 Warrenton, VA 20186
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org