So I started working through the guide below and most of the steps just worked. No errors, which was odd. For example:

# kinit -kt /etc/named.keytab DNS/ipa3.my.net
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/ipa3.my.net@MY.NET

Valid starting       Expires              Service principal
12/06/2018 14:51:08  12/07/2018 14:51:08  krbtgt/MY.NET@MY.NET
# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI -b 'cn=dns,dc=my,dc=net'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

That's the first such error I received as I worked my way down the page, but there's no real guidance there as to what to do when this fails. The text assumes it'll work, but the previous steps didn't turn up anything wrong...

I've been completely unable to turn on any sort of Kerberos logging despite attempting both approaches in the guide.
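A quick consistency check between the keytab, the ticket cache and the host, added here as an example and not part of the thread or of FreeIPA: it parses `klist -kt` and `klist` output and reports when the principal named by the keytab, the one actually held in the cache, and the host's FQDN disagree, which is worth settling before chasing the GSSAPI bind itself. The sample listings are constructed from the values quoted in the thread, and the hostname is passed in rather than read from the system.

```python
import re

# Constructed sample output modelled on the listings quoted in the thread
# (not captured from a real host).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/23/2017 13:40:11 DNS/ipa3.my.net@MY.NET
"""
TICKET_CACHE = """\
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/asipa3.my.net@MY.NET

Valid starting       Expires              Service principal
12/06/2018 12:26:17  12/07/2018 12:26:17 krbtgt/MY.NET@MY.NET
"""

# One data row of `klist -kt`: KVNO, date, time, principal (timestamp layout is locale dependent)
KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)$")


def keytab_principals(listing):
    """Map each principal in `klist -kt` output to its key version number (KVNO)."""
    found = {}
    for line in listing.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            found[m.group(2)] = int(m.group(1))
    return found


def cache_principal(listing):
    """Return the 'Default principal' line of `klist` output, or None if absent."""
    m = re.search(r"^Default principal:\s*(\S+)$", listing, re.MULTILINE)
    return m.group(1) if m else None


def diagnose(expected, hostname, keytab_listing, cache_listing):
    """Return a list of findings; an empty list means keytab, cache and host agree."""
    findings = []
    kt = keytab_principals(keytab_listing)
    if expected not in kt:
        findings.append("keytab lacks %s (has %s)" % (expected, sorted(kt)))
    service_host = expected.split("/", 1)[1].split("@", 1)[0]
    if service_host.lower() != hostname.lower():
        findings.append("principal host %s != this host %s" % (service_host, hostname))
    cached = cache_principal(cache_listing)
    if cached != expected:
        findings.append("ticket cache holds %s, not %s" % (cached, expected))
    return findings


if __name__ == "__main__":
    for finding in diagnose("DNS/ipa3.my.net@MY.NET", "ipa3.my.net", KEYTAB_LISTING, TICKET_CACHE):
        print("CHECK:", finding)
```

On a real replica, feed it the live output of `klist -kt /etc/named.keytab` and `klist` after the kinit; an empty result means the Invalid credentials (49) is not a principal mismatch on the client side.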



On 12/06/2018 08:42 AM, Bret Wortman via FreeIPA-users wrote:

I'll check it out. Thanks, Flo!


On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote:
On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote:
After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages (all messages from named-pkcs11):

bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23 2017, complier 4.8.5 20150623 (Red Hat 4.8.5-16)
LDAP error: Invalid credentials: bind to LDAP server failed
couldn't establish connection in LDAP connection pool: permission denied
dynamic database 'ipa' configuration failed:
loading configuration: permission denied
exiting (due to fatal error)

So I tried manually:

# kinit -kt /etc/named.keytab DNS/ipa3.my.net@MY.NET
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/asipa3.my.net@MY.NET

Valid starting       Expires              Service principal
12/06/2018 12:26:17  12/07/2018 12:26:17 krbtgt/MY.NET@MY.NET

I've restarted now using ipactl start --ignore-service-failure but where should I be looking next to get this fixed?


Hi,

you can find a lot of information on this page:
https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html

flo

-- 
*Bret Wortman*
Founder, Damascus Products, LLC

855-644-2783 <tel:855-644-2783> | bret@wrapbuddies.co <mailto:bret@wrapbuddies.co>

http://wrapbuddies.co/

70 Main St. Suite 23 Warrenton, VA 20186




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
