Hello, FreeIPA on CentOS 7.8 just stopped working and I’m unable to fix it by myself. After reading a lot of threads here on the list, it appears that I have the same issue as this topic: https://www.mail-archive.com/[email protected]/msg05501.html

Since Kerberos is apparently not working as expected, I cannot use FreeIPA and none of the services are working correctly. Following the debug guide I was able to at least start named with single authentication to further debug (Workaround 1 of https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html). And now I’m stuck on item 5 of the same manual.

[root@neumann2 ~]# KRB5_TRACE=/dev/stderr ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-CLUSTER-CETENE-GOV-BR.socket' -Y GSSAPI -b 'cn=dns,dc=cluster,dc=cetene,dc=gov,dc=br'
SASL/GSSAPI authentication started
[6588] 1612932571.244080: ccselect module realm chose cache KEYRING:persistent:0:krb_ccache_UuVdVRC with client principal DNS/[email protected] for server principal ldap/[email protected]
[6588] 1612932571.244081: Getting credentials DNS/[email protected] -> ldap/[email protected] using ccache KEYRING:persistent:0:krb_ccache_UuVdVRC
[6588] 1612932571.244082: Retrieving DNS/[email protected] -> ldap/[email protected] from KEYRING:persistent:0:krb_ccache_UuVdVRC with result: 0/Success
[6588] 1612932571.244084: Creating authenticator for DNS/[email protected] -> ldap/[email protected], seqnum 1040975659, subkey aes256-cts/48E9, session key aes256-cts/DF1E
ldap_sasl_interactive_bind_s: Invalid credentials (49)

[root@neumann2 ~]# ipa privilege-show 'DNS Servers' --all --raw
ipa: ERROR: Insufficient access: Invalid credentials

[root@neumann2 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_UuVdVRC
Default principal: DNS/[email protected]

Valid starting       Expires              Service principal
02/10/2021 01:52:43  02/11/2021 01:49:04  HTTP/[email protected]
02/10/2021 01:49:16  02/11/2021 01:49:04  ldap/[email protected]
02/10/2021 01:49:04  02/11/2021 01:49:04  krbtgt/[email protected]

Any idea on how to fix this?

Thanks,
Vinícius.

PS: Before the workaround, named-pkcs11 fails to start with the following error:

Feb 10 01:40:46 neumann2 named-pkcs11[4532]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: bind-dyndb-ldap version 11.1 compiled at 02:16:24 Apr 1 2020, compiler 4.8.5 20150623 (Red Hat 4.8.5-39)
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: LDAP error: Invalid credentials: bind to LDAP server failed
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: couldn't establish connection in LDAP connection pool: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: dynamic database 'ipa' configuration failed: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading configuration: permission denied
Feb 10 01:40:46 neumann2 named-pkcs11[4532]: exiting (due to fatal error)
Feb 10 01:40:46 neumann2 systemd: named-pkcs11.service: control process exited, code=exited status=1
Feb 10 01:40:46 neumann2 systemd: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
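As an added example (not from the post or from the FreeIPA project), a small triage script that reads the combined KRB5_TRACE and ldapsearch output shown above and reports whether the bind failed on the client side (no usable service ticket) or on the directory-server side (ticket retrieved and authenticator built, then rejected with error 49), together with the checks a practitioner would do next. The sample lines are constructed from the post's trace, with "host@REALM" standing in for the real principal names.

```python
import re

# Constructed sample, modelled on the trace in the post; "host@REALM" is a
# placeholder for the real DNS/ldap principal names.
REJECTED = """\
SASL/GSSAPI authentication started
[6588] 1612932571.244080: ccselect module realm chose cache KEYRING:persistent:0:krb_ccache_UuVdVRC with client principal DNS/host@REALM for server principal ldap/host@REALM
[6588] 1612932571.244082: Retrieving DNS/host@REALM -> ldap/host@REALM from KEYRING:persistent:0:krb_ccache_UuVdVRC with result: 0/Success
[6588] 1612932571.244084: Creating authenticator for DNS/host@REALM -> ldap/host@REALM, seqnum 1040975659, subkey aes256-cts/48E9, session key aes256-cts/DF1E
ldap_sasl_interactive_bind_s: Invalid credentials (49)
"""
# Constructed contrast case: the ccache holds no ticket for the ldap service.
NO_TICKET = """\
[7001] 1612932600.100000: Retrieving DNS/host@REALM -> ldap/host@REALM from KEYRING:persistent:0:krb_ccache_X with result: -1765328243/Matching credential not found
ldap_sasl_interactive_bind_s: Local error (-2)
"""

RESULT_RE = re.compile(r"with result: (-?\d+)/(.+)$", re.MULTILINE)
BIND_RE = re.compile(r"ldap_sasl_interactive_bind_s: (.+?) \((-?\d+)\)")

def triage_gssapi_bind(output: str) -> dict:
    """Report the stage at which a SASL/GSSAPI LDAP bind failed, from the
    combined KRB5_TRACE (stderr) and ldapsearch output."""
    results = [(int(c), m.strip()) for c, m in RESULT_RE.findall(output)]
    bind = BIND_RE.search(output)
    if bind is None:
        return {"stage": "bind-succeeded", "bind_error": None, "hints": []}
    bind_code = int(bind.group(2))
    if "Creating authenticator for" not in output:
        # The client never built an AP-REQ: it had no usable service ticket.
        return {"stage": "client-no-service-ticket", "bind_error": bind_code,
                "hints": [m for c, m in results if c != 0] + [
                    "kinit as the intended principal (e.g. with the service keytab)",
                    "confirm the ldap/<host> principal exists in the KDC"]}
    if bind_code == 49:
        # Kerberos succeeded locally (ticket retrieved, authenticator built);
        # the directory server is the side refusing it.
        return {"stage": "server-rejected-ticket", "bind_error": bind_code,
                "hints": ["compare the kvno of ldap/<host> in the KDC with the key in the directory server's keytab",
                          "read the directory server's errors log for the SASL/GSSAPI failure reason",
                          "check the server's SASL identity mapping for DNS/<host>"]}
    return {"stage": "other", "bind_error": bind_code, "hints": [bind.group(1)]}

if __name__ == "__main__":
    for sample in (REJECTED, NO_TICKET):
        print(triage_gssapi_bind(sample))
```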
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
