Just to confirm, the system is working with the exception of ipa-dnskeysyncd.service?
Does this work?

# kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br
# ipa user-show admin

This will get a ticket and then use that ticket.

rob

Vinícius Ferrão via FreeIPA-users wrote:
> Hello,
>
> I'm still not sure what is happening, but I got some interesting error message on ipa-healthcheck:
>
> [root@neumann2 keytabs]# ipa-healthcheck --failures-only --output-type human
> CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: Insufficient access: Invalid credentials
> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/lib/ipa/backup/: free space percentage under threshold: 16% < 20%
> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /tmp: free space percentage under threshold: 16% < 20%
> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/lib/dirsrv/: free space percentage under threshold: 16% < 20%
> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/log/: free space percentage under threshold: 16% < 20%
> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/tmp/: free space percentage under threshold: 16% < 20%
> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/log/audit/: free space percentage under threshold: 16% < 20%
>
> I tried to search for the critical message but nothing comes up. There’s a lot of GSSAPI errors on all logs.
>
> I tried to regenerate all keytabs of the system but it was a no go either:
>
> # gssproxy
> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'HTTP/neumann2.cluster.cetene.gov.br' -r -k /var/lib/ipa/gssproxy/http.keytab
>
> # Dogtag
> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'dogtag/neumann2.cluster.cetene.gov.br' -r -k /etc/pki/pki-tomcat/dogtag.keytab
>
> # DNSKeySync
> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br' -r -k /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
>
> # Host Keytab
> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'host/neumann2.cluster.cetene.gov.br' -r -k /etc/krb5.keytab
>
> # named
> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'DNS/neumann2.cluster.cetene.gov.br' -r -k /etc/named.keytab
>
> # 389ds
> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'ldap/neumann2.cluster.cetene.gov.br' -r -k /etc/dirsrv/ds.keytab
>
> Some error messages:
>
> [10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49 tag=97 nentries=0 etime=0.001927716 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_389: Operation not permitted)
>
> ==> /var/log/messages <==
> Feb 10 23:05:14 neumann2 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
> Feb 10 23:05:14 neumann2 systemd: Stopped IPA key daemon.
> Feb 10 23:05:14 neumann2 systemd: Started IPA key daemon.
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ipa-dnskeysyncd: INFO LDAP bind...
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ipa-dnskeysyncd: ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: Traceback (most recent call last):
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 96, in <module>
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in sasl_interactive_bind_s
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in _apply_method_s
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: return func(self,*args,**kwargs)
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: result = func(*args,**kwargs)
> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
> Feb 10 23:05:16 neumann2 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
> Feb 10 23:05:16 neumann2 systemd: Unit ipa-dnskeysyncd.service entered failed state.
> Feb 10 23:05:16 neumann2 systemd: ipa-dnskeysyncd.service failed.
>
> Thanks,
>
>> On 10 Feb 2021, at 02:01, Vinícius Ferrão via FreeIPA-users <[email protected]> wrote:
>>
>> Hello,
>>
>> FreeIPA on CentOS 7.8 just stopped working and I’m unable to fix it by myself. After reading a lot of threads here on the list, it appears that I’ve the same issue as this topic: https://www.mail-archive.com/[email protected]/msg05501.html
>>
>> Since Kerberos is apparently not working as expected, I cannot use FreeIPA and none of the services are working correctly. Following the debug guide I was able to at least start named with single authentication to further debug. (Workaround 1 of https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html)
>>
>> And now I’m stuck on item 5 of the same manual.
>>
>> [root@neumann2 ~]# KRB5_TRACE=/dev/stderr ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-CLUSTER-CETENE-GOV-BR.socket' -Y GSSAPI -b 'cn=dns,dc=cluster,dc=cetene,dc=gov,dc=br'
>> SASL/GSSAPI authentication started
>> [6588] 1612932571.244080: ccselect module realm chose cache KEYRING:persistent:0:krb_ccache_UuVdVRC with client principal DNS/[email protected] for server principal ldap/[email protected]
>> [6588] 1612932571.244081: Getting credentials DNS/[email protected] -> ldap/[email protected] using ccache KEYRING:persistent:0:krb_ccache_UuVdVRC
>> [6588] 1612932571.244082: Retrieving DNS/[email protected] -> ldap/[email protected] from KEYRING:persistent:0:krb_ccache_UuVdVRC with result: 0/Success
>> [6588] 1612932571.244084: Creating authenticator for DNS/[email protected] -> ldap/[email protected], seqnum 1040975659, subkey aes256-cts/48E9, session key aes256-cts/DF1E
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
>> [root@neumann2 ~]# ipa privilege-show 'DNS Servers' --all --raw
>> ipa: ERROR: Insufficient access: Invalid credentials
>>
>> [root@neumann2 ~]# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_UuVdVRC
>> Default principal: DNS/[email protected]
>>
>> Valid starting       Expires              Service principal
>> 02/10/2021 01:52:43  02/11/2021 01:49:04  HTTP/[email protected]
>> 02/10/2021 01:49:16  02/11/2021 01:49:04  ldap/[email protected]
>> 02/10/2021 01:49:04  02/11/2021 01:49:04  krbtgt/[email protected]
>>
>> Any idea on how to fix this?
>>
>> Thanks,
>> Vinícius.
>>
>> PS: Before the workaround named-pkcs11 fails to start with the following error:
>>
>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: bind-dyndb-ldap version 11.1 compiled at 02:16:24 Apr 1 2020, compiler 4.8.5 20150623 (Red Hat 4.8.5-39)
>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: LDAP error: Invalid credentials: bind to LDAP server failed
>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: couldn't establish connection in LDAP connection pool: permission denied
>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: dynamic database 'ipa' configuration failed: permission denied
>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading configuration: permission denied
>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: exiting (due to fatal error)
>> Feb 10 01:40:46 neumann2 systemd: named-pkcs11.service: control process exited, code=exited status=1
>> Feb 10 01:40:46 neumann2 systemd: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
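As an added example (not from the thread and not FreeIPA or 389-ds code), a small triage script that parses 389-ds access log RESULT lines like the one quoted above and separates binds that failed because the GSSAPI replay cache could not be created (a /var/tmp permission problem) from other GSSAPI credential failures; the sample log lines are constructed to resemble the quoted one.

```python
import re
from collections import Counter

# Constructed sample (not copied from the thread): a replay-cache failure modelled on the
# quoted 389-ds line, one successful simple bind, and one generic GSSAPI accept failure.
SAMPLE_ACCESS_LOG = """\
[10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49 tag=97 nentries=0 etime=0.001927716 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_389: Operation not permitted)
[10/Feb/2021:23:06:01.000000000 -0300] conn=93 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000400000 dn="cn=directory manager"
[10/Feb/2021:23:06:05.000000000 -0300] conn=94 op=1 RESULT err=49 tag=97 nentries=0 etime=0.001000000 - SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
"""

# tag=97 is the LDAP BindResponse; err=49 is invalidCredentials.
RESULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT "
    r"err=(?P<err>\d+) tag=(?P<tag>\d+)(?P<rest>.*)$"
)
MINOR_RE = re.compile(r"Minor code may provide more information \((?P<minor>[^)]*)\)")

def classify(rest):
    """Map the SASL error text to what the administrator should check next."""
    if "replay cache" in rest:
        return "replay-cache-unwritable"   # /var/tmp ownership/permissions, not the keytab
    if "GSSAPI" in rest:
        return "gssapi-credentials"        # keytab/KVNO, clock skew, ticket cache
    return "simple-bind-failure"

def parse_bind_failures(log_text):
    """Return one record per failed bind (BindResponse with a non-zero result code)."""
    failures = []
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if not m or m.group("tag") != "97" or m.group("err") == "0":
            continue
        rest = m.group("rest")
        minor = MINOR_RE.search(rest)
        failures.append({
            "ts": m.group("ts"),
            "conn": int(m.group("conn")),
            "err": int(m.group("err")),
            "minor": minor.group("minor") if minor else None,   # GSS minor-code text, if any
            "cause": classify(rest),
        })
    return failures

def summarize(log_text):
    """Count failed binds by probable cause, e.g. to spot a burst of replay-cache errors."""
    return Counter(f["cause"] for f in parse_bind_failures(log_text))
```

Run it against /var/log/dirsrv/slapd-INSTANCE/access instead of the sample to see whether the "Invalid credentials" binds are really a credential problem or the replay-cache permission error the quoted line shows.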
