I'm in the process of migrating my production IPA servers from RH6 to CentOS6. I have successfully completed this in our QA environments with very few issues, but it seems that our production environment wants to be difficult.
After conversion to CentOS 6, dirsrv is functioning and replicating. A quick status check shows everything started up except memcached and named. Logs show this:
en2210s named 5366 - - sizing zone task pool based on 6 zones
en2210s named 5366 - - /etc/named.conf:12: no forwarders seen; disabling forwarding
en2210s named 5366 - - set up managed keys zone for view _default, file 'dynamic/managed-keys.bind'
en2210s named 5366 - - GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/SOCKET@SFMC.CO not found in Kerberos database)
en2210s named 5366 - - bind to LDAP server failed: Local error
en2210s named 5366 - - dynamic database 'ipa' configuration failed: failure
en2210s named 5366 - - loading configuration: failure
en2210s named 5366 - - exiting (due to fatal error)
Had a quick check of the DNS keytab, and the contents of /etc/named.keytab match what is currently in Kerberos. The options in named.conf still match what is on the other replicas. I've been hunting around for some answers in Google, but so far I'm not finding a lot of clues.
Can someone lead me down a path here?
Terry
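An added example, not code from this thread or from FreeIPA: a small Python parser for the MIT keytab format, so the principals, kvno and enctypes held in /etc/named.keytab can be listed and compared against what the KDC currently issues (for instance `kvno DNS/<host>@<REALM>` after a `kinit`) when a GSSAPI bind fails. The embedded sample keytab is constructed with placeholder host and realm names.

```python
import struct
import sys

def parse_keytab(data):
    """Parse an MIT Kerberos keytab (format 0x0502) into a list of dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                      # negative length marks a deleted slot
            pos += -size; continue
        body, off = data[pos:pos + size], 0
        (ncomp,) = struct.unpack(">H", body[:2]); off = 2
        strings = []                      # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", body[off:off + 2]); off += 2
            strings.append(body[off:off + n].decode()); off += n
        _name_type, timestamp, vno8 = struct.unpack(">IIB", body[off:off + 9]); off += 9
        enctype, klen = struct.unpack(">HH", body[off:off + 4]); off += 4 + klen  # skip key
        vno = vno8
        if off + 4 <= len(body):          # 32-bit kvno trailer, used when non-zero
            (vno32,) = struct.unpack(">I", body[off:off + 4])
            vno = vno32 or vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": vno, "enctype": enctype, "timestamp": timestamp})
        pos += size
    return entries

def build_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialise one keytab entry; used here only to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (placeholder host/realm): aes256 (18) and aes128 (17) keys for a DNS principal, plus a deleted slot.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("DNS/ipa1.example.test@EXAMPLE.TEST", 3, 18, b"\x11" * 32, 1580000000)
    + struct.pack(">i", -4) + b"\0\0\0\0"
    + build_entry("DNS/ipa1.example.test@EXAMPLE.TEST", 3, 17, b"\x22" * 16, 1580000000))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print("kvno %d enctype %d %s" % (e["kvno"], e["enctype"], e["principal"]))
```

Pass a keytab path as the only argument to list its entries; with no argument it parses the constructed sample.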
Terry Soucy via FreeIPA-users wrote:
Are you converting a live RHEL system to a live CentOS system on the same box? It would be far safer to create new replicas in CentOS and retire the RHEL machines.
rob
This is a live conversion. We are currently not in a position to deploy new servers for this.
I've worked around the issue by changing the auth to simple in named.conf, but would like to revert back to kerberos auth.
On Mon, Jan 27, 2020 at 12:03 PM Rob Crittenden rcritten@redhat.com wrote: