Woot!
We had a stale, old server vm that got powered on. Once we shut it
downand then cycled these, they worked just fine.
Weird, but we're past this. Thanks!
On 12/07/2018 07:52 AM, Bret Wortman via FreeIPA-users wrote:
Other symptoms:
# kinit admin
:
# ipa help user
ipa: ERROR: No valid Negotiate header in server response
This is now happening on our primary IPA server.
On 12/07/2018 07:42 AM, Bret Wortman via FreeIPA-users wrote:
> I'm seeing this in /var/log/messages periodically:
>
> systemd: Starting IPA key daemon...
> ipa-dnskeysyncd: ipa : INFO LDAP bind...
> ipa-dnskeysyncd: ipa : ERROR Login to LDAP server failed:
> {'desc': 'Invalid credentials'}
> ipa-dnskeysyncd: Traceback (most recent call last):
> ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 94, in
> <module>
> ipa-dnskeysyncd: ldap_connection.sasl_interactive_bind_s("",
> ipaldap.SASL_GSSAPI)
> ipa-dnskeysyncd: File
> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in
> sasl_interactive_bind_s
> ipa-dnskeysyncd: res =
> self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
> ipa-dnskeysyncd: File
> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in
> _apply_method_s
> ipa-dnskeysyncd: return func(self,*args,**kwargs)
> ipa-dnskeysyncd: File
> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in
> sasl_interactive_bind_s
> ipa-dnskeysyncd: return
>
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> ipa-dnskeysyncd: File
> "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
> _ldap_call
> ipa-dnskeysyncd: result = func(*args,**kwargs)
> ipa-dnskeysyncd: INVALID_CREDENTIALS:{'desc': 'Invalid credentials'}
> systemd: ipa-dnskeysyncd.service: main process exited, code=exited,
> status=1/FAILURE
> systemd: Unit ipa-dnskeysyncd.service entered failed state
> systemd: ipa-dnskeysyncd.service failed.
>
> Also, my main server is now spitting this into /var/log/messages on a
> regular basis:
>
> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (Credential cache is empty)
>
> Our whole development group is essential down while this is going on.
> No one can log on, DNS resolution isn't working at all, Kerberos
> tickets aren't working the way they should, and the IPA web UI isn't
> letting me log in via Kerberos _or_ with the admin account and its
> password (which _does_ work to grab the admin Kerberos ticket).
>
> I'm very confused.
>
>
> Bret
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...