As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and I have the same problem.
These are the steps I took:

# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns
# ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir --ip-address=192.0.2.10 --idstart=100000 --idmax=199999 --no-ui-redirect --ssh-trust-dns --setup-dns --no-forwarders --no-reverse
# ipa-dns-install --no-forwarders --no-reverse --dnssec-master
# ipa dnszone-mod example.com --dnssec=true

GTG

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek' <[email protected]>; [email protected]
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

I'm not entirely sure if this is what you were asking for, but here's a manual LDAP query and the associated logs, and then I restarted ipa-dnskeysyncd and the logs associated with that as well:

[root@host /]# date
Thu May 5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=dns,dc=example,dc=com> with scope subtree
# filter: (|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))
# requesting: ALL
#

# example.com., dns, example.com
dn: idnsname=example.com.,cn=dns,dc=example,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAserial: 1462338941
idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: example.com.
idnsSOAmName: host.example.com.
idnsSOArName: hostmaster.example.com.
idnsAllowDynUpdate: TRUE
nSRecord: host.example.com.
mXRecord: 5 mx.example.com.
tXTRecord: v=spf1 ip4:104.207.128.239 ip6:2001:19f0:300:24e1::10 -all
idnsSecInlineSigning: TRUE

# 2a6519b4-8d9c-11e5-8ced-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxk6apYsMbT7MH87pCzK GyVkpAmp+nOL8Alo/pwfaOALJO6EFfhvw+V+9Lnx1jKObnrAHo0O7j3c8qDqAmewjdS1beFb GyVkpAmp+beLG u GFGNFGTW7hOmqJKgWyH+OWtyHZyy7EYeMO5sXt+nMoQ3hdYMZEeBQtTLbMrhOAQR6EUksCbG GFGNFGTW7hOmqJKgWyH+OWtyHZyy7EYeMO5sXt+pvkj c xBHz+9HbaDyoteWO53dAS1B04PS3FZXZyvkCDCdH+ZDaJ7sm1WMgHupKndUpl2vdvJWtEi2j xBHz+9HbaDyoteWO53dAS1B04PS3FZXZyvkCDCdH+41/4 q FOYXAyIgx+3yv7OG9X1D5qBb7v/IqtFuJFRqc0LIdBvWUlHn5LTLYh4rtb2h/6DUK/ZnGlJ+ FOYXAyIgx+Sss5 Q nmuhUiky3cJ0KvQIDAQAB
ipk11Verify: FALSE
ipk11Id:: b4AQWy4+gJz2XABOkWEgnw==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2a6519b4-8d9c-11e5-8ced-56000017eb11

# 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1oo1sC+p8/NCfI8r2Te 4onEHxk4yrrLWfwfuKl3lN/3QHmahPAjyHNYnm8srL45/lJzNqoZpI4yGyhWtCpNQhnnoD+W67aX N 2KGnshBTYE8IGG2zCHtQ0p5CJtNTNZFyIH4pyNiLfk/QLi1ptzk79f9u6Bwq4RdEKdzEk4R1G58C w cpUlKlG6pzGk+OpiX1a3Iw8ZCfgmYIEOmHSpexz0aRBA4q2ADdRn4dERL/aP+lWC+IQEj749 cpUlKlG6pzGk+wn+Q H sIFxikHQ6Kz2DOpdeJTNSJvNuVSTh3FigdH2xUbuwhPd3O5Q3D3s1+n7XajelYh5YqkOY8PN sIFxikHQ6Kz2DOpdeJTNSJvNuVSTh3FigdH2xUbuwhPd3O5Q3D3s1+cFgL 9 O+iB9tqWJJiFChQIDAQAB
ipk11Verify: FALSE
ipk11Id:: L9nKKUY2ypycB3EldvJjVg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11

# 70eca210-0ee0-11e6-9e98-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoAnwbNG7EwTIlWwlWvu pPOEQnV7ahv7xMoF0v9qzoEZ+ccx9Wp515IWs6okmX6UhB/HELhO3EP5iCftL2iOq+aTa3Zx pPOEQnV7ahv7xMoF0v9qzoEZ+8Z/+ F JtpXPFkbCweUiOxr8vq4VLTppLmok0q+Dlm5CYaQUYs5en3d9HFtmaYt3m8JD5a58AkAzozo JtpXPFkbCweUiOxr8vq4VLTppLmok0q+ACrO m st5aNIkwo/YGdSa0e1tNcb7Xv7RhBSGbFlrpFfwj5uX3QyI57CSxR7S5FYjOD8lG8tmlCjKuuOhH O ST8uzatbirX0kiaVH3ENohDUmEV+zW6T9//TBG2xTRTw6v7TAM21klWMCNKoUYVyh84c34jd ST8uzatbirX0kiaVH3ENohDUmEV+arVr Q PvEPCDzNF6C15NwIDAQAB
ipk11Verify: FALSE
ipk11Id:: teifTM9dTfpDRQgbL8rsFQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 70eca210-0ee0-11e6-9e98-56000017eb11

# fba8d874-10a2-11e6-86aa-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9r9+8POEp8nb+jiEi6 pvvuWWex2KuHeV1f1qo6LCe3oMSkZ39I73cdJZIfirt2E/D+CWSUMGwbWmNOnMUMIDI8YAnxLQ// K uvyaHMbxXfIrgMZmK1BFtPgSuH3ZoeXBI5x+VR1007Dhl5e7dEagHUlEw5OXPQ2jgeq6kCMU uvyaHMbxXfIrgMZmK1BFtPgSuH3ZoeXBI5x+Uteu 3 Nye/G2K51GzAJcAXlrBdVEek02LuhszHtxjYDxevq90my+0GXVb2nU9mPghIKnkwsQeHUoHXH83p H NLtIUug23Fac3oeklQX7PK8mAWbut5rh5ZZOUbHA+X+T8KV6sGRqMi8rlGIU9biuYHrmGZca NLtIUug23Fac3oeklQX7PK8mAWbut5rh5ZZOUbHA+X+UuAY R NXCIrWIUrDV21cQIDAQAB
ipk11Verify: FALSE
ipk11Id:: WXrLuKBlC8r8UsjjGf2zww==
ipk11VerifyRecover: FALSE
ipk11UniqueId: fba8d874-10a2-11e6-86aa-56000017eb11

# a7bac2a6-10a5-11e6-9c20-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4m3sUosT4X9x8EjwrtQ B6mQDmClMNs3M8hCJ6UKvcCH/X+yFH2IAht5L85IOBCqmy8RQSL2fPY6BuCxx0krDPPvFBUfCW2i / X0s2RN+vdZQ6xtCe/Q8CHxTZmXsJLrOS8WsiggbHXh7QqkP8sY4Xl2N14OFDNTmSgtQWKnKj X0s2RN+Jloy g D03p+lo7BxFmOP9L1C+NGDhiiKjBwVexBNFlYSyUXEFacIDXAIjI/WMgxeCl/9Xu9wwAW5GY D03p+lo7BxFmOP9L1C+iYOR D KTl9h4JgUDRrge82OBMu0kQt0FyLCdVKl3Kw5GiMazWoTnK8KGpvuZl46whl9IbOYtPeQpHEhhSw X w36Ii4Y+e6eYeoQIDAQAB
ipk11Verify: FALSE
ipk11Id:: +Y0cQI+gUJelIpun/N1IYQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: a7bac2a6-10a5-11e6-9c20-56000017eb11

# 2f32c0f8-10c9-11e6-bf47-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: TRUE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApWEc/C9jgjoCzQ2wTKT zJ9obG74mlYyokaP/rZyYA0nIIqrKF1DwArt7wemVzrMf9m8b70MyYlOZm77KJiw1gMD9qzcJieI m +two+BYb6zRAvp4o2HlTwG+x/UpOct8EnakilUh7zOhGFkEyk9m9+WnWBcXGX63lfiodL4sC +two+BYb6zRAvp4o2HlTwG+rtBd s CIfF6bPH9yHYSYpa4/s/flW/mM7fRMSd0hO3ayYYxSg8INitFHVwnUj/MENxdFejeMPXlyROW/6m h kwBQjhLSYnmzvgiP2rNnA6AJIMX0cxjuxjswNaAS5vULG1Vju51Mb0f8V3RLv5P1L0dQYoY7S5Hb O aaO7c+27moTOZPQIDAQAB
ipk11Verify: FALSE
ipk11Id:: mn+arLpqrb1jDdDZXlroUg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2f32c0f8-10c9-11e6-bf47-56000017eb11

# search result
search: 4
result: 0 Success

# numResponses: 8
# numEntries: 7

My manual LDAP search (/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from 2001:db8:300:24e1::10 to 2001:db8:300:24e1::10
[05/May/2016:10:52:13 -0400] conn=613 TLS1.2 256-bit AES-GCM
[05/May/2016:10:52:13 -0400] conn=613 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7 etime=0
[05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND
[05/May/2016:10:52:13 -0400] conn=613 op=4 fd=109 closed - U1

I then restarted ipa-dnskeysyncd (journalctl -u ipa-dnskeysyncd):

May 05 10:52:19 host.example.com systemd[1]: Stopping IPA key daemon...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13719]: ipa : INFO Signal 15 received: Shutting down!
May 05 10:52:19 host.example.com systemd[1]: Started IPA key daemon.
May 05 10:52:19 host.example.com systemd[1]: Starting IPA key daemon...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.aci
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automember
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automount
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.batch
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.cert
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.config
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.dns
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.group
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.host
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.internal
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.kerberos
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.migration
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.misc
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.permission
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.ping
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Starting external process
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: args='klist' '-V'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Process finished, return code=0
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stderr=
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.role
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.server
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.service
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.session
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: WARNING: session memcached servers not running
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.topology
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.trust
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.user
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.vault
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.join
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_43658512
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_43681424
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Kerberos principal: ipa-dnskeysyncd/host.example.com
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Initializing principal ipa-dnskeysyncd/host.example.com using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG using ccache /tmp/ipa-dnskeysyncd.ccache
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG Attempt 1/5: success
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : DEBUG LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket/cn%3Ddns%2Cdc%3Dexample%2Cdc%3Dme??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%29%28objectClass%3Dipk11PublicKey%29%29
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO LDAP bind...
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 2
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa : INFO Commencing sync process
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None (not received yet)
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 203dbe2d-8d9c-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-11e5-bb23-e7a3b46d8929': <DNS name example.com.>}
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 203dbe63-8d9c-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 9d5e3d66-ccd4-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 59985f1f-0ee0-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com dc691799-10a2-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 83e74997-10a5-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 0f260699-10c9-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.example.com:389#krbprincipalname=ipa-dnskeysyncd/host.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#33443

Logs as a result of ipa-dnskeysyncd restart (/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/[email protected],cn=services,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0 etime=0

Cheers,
GTG

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Gary T. Giesen
Sent: May-03-16 10:19 AM
To: 'Petr Spacek' <[email protected]>; [email protected]
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

Thanks Petr. I'm on IRC as well if a more interactive troubleshooting session would be better.

Cheers,
GTG

-----Original Message-----
From: Petr Spacek [mailto:[email protected]]
Sent: May-03-16 9:59 AM
To: Gary T. Giesen <[email protected]>; [email protected]
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 15:29, Gary T. Giesen wrote:
> All lines from the log file with conn=152.
>
> [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/[email protected],cn=services,cn=accounts,dc=example,dc=com"
> [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
> [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0

This seems to be okay, I will think about it a bit more and get back to you when I find something.

Petr^2 Spacek

>
> -----Original Message-----
> From: Petr Spacek [mailto:[email protected]]
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen <[email protected]>; [email protected]
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>
> Hmm, this is really weird.
>
> It should log message "Initial LDAP dump is done, sychronizing with ODS and BIND" which is apparently not there. Maybe LDAP server is doing something weird ...
>
> Could you inspect /var/log/dirsrv/*/access_log and look for lines similar to ones in the attached file, please?
>
> It should start with log message like "connection from local to /var/run/slapd-*". This line will have identifier like "conn=84". We are looking for conn number (e.g. "conn=84") which is related to BIND DN "dn="krbprincipalname=ipa-dnskeysyncd/*".
>
> If you find the right conn number, look for other lines containing the same conn number and operation "SRCH base="cn=dns,*". This SRCH line will have specific identifier like "conn=84 op=3".
>
> Now you have identifier for particular operation. Look for RESULT line with the same ID.
>
> How does it look?
>
> Can you copy&paste all lines with identifier conn=??? you found?
>
> Thanks!
> Petr^2 Spacek
>
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -----Original Message-----
>> From: Petr Spacek [mailto:[email protected]]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen <[email protected]>; [email protected]
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Petr Spacek
>>> Sent: May-03-16 7:08 AM
>>> To: [email protected]
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> Okay, this is a problem. It should list your zone example.com because it has DNSSEC signing enabled.
>>>
>>> Make sure you are working on host.example.com (the host listed by the ldapsearch above).
>>>
>>> I would check two things:
>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it does not, re-run ipa-dns-install with --dnssec-master option to fix that.
>>>
>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make sure that it contains line "debug=True" and restart ipa-dnskeysyncd when you are done with it.
>>>
>>> The log should be much longer after this change.
>>>
>>> I hope it will help to identify the root cause.
>>>
>>> What IPA version do you use?
>>> $ rpm -q freeipa-server
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>
>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had no effect. The only log entries I see are:
>>>>
>>>> # journalctl -u ipa-dnskeysyncd
>>>>
>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO Signal 15 received: Shutting down!
>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
>>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO LDAP bind...
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO Commencing sync process
>>>>
>>>>
>>>>
>>>> Can anyone advise on next steps? I've been banging my head against a wall for a couple days now and would really appreciate some help.
>
>
> --
> Petr^2 Spacek
>

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
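The access-log correlation Petr walks through in the thread (find the connection whose SASL BIND resolved to the ipa-dnskeysyncd principal, then the SRCH under cn=dns on that connection, then the RESULT carrying the same conn/op identifier) can be scripted so it does not have to be done by eye. The script below is an added example for this archive page; it is not part of the thread and not FreeIPA code. It assumes the 389-DS access-log line shapes shown above, and the sample lines are copied from the conn=152 and conn=613 excerpts in the thread, with the anonymised principal filled in as a constructed host.example.com@EXAMPLE.COM plus one user-bind connection as a decoy.

```python
"""Correlate 389-DS access-log lines for the ipa-dnskeysyncd LDAP search.

Added example, not FreeIPA code. Assumes the access-log format shown in
the thread: "[ts] conn=N [op=M] BIND|SRCH|RESULT ...".
"""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<body>.*)$')
RESULT_RE = re.compile(
    r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+) '
    r'etime=(?P<etime>\S+)(?P<rest>.*)$')
SRCH_RE = re.compile(
    r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
BIND_DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')

# Constructed sample: conn=152 lines from the thread (principal filled in),
# plus the user ldapsearch on conn=613, which must NOT be reported.
SAMPLE_LOG = """\
[03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
[03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0
[05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7 etime=0
"""


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one access-log line into ts/conn/op/body; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(lines: List[str],
              principal_prefix: str = 'krbprincipalname=ipa-dnskeysyncd/',
              base_prefix: str = 'cn=dns,') -> List[Dict[str, object]]:
    """Return one finding per cn=dns SRCH issued on a keysyncd connection."""
    parsed = [p for p in map(parse_line, lines) if p]

    # Step 1: connections whose successful BIND RESULT names the keysyncd principal.
    keysyncd_conns = set()
    for p in parsed:
        if p['op'] is None:
            continue
        m = RESULT_RE.match(p['body'])
        if not m:
            continue
        dn = BIND_DN_RE.search(m.group('rest'))
        if dn and dn.group('dn').startswith(principal_prefix):
            keysyncd_conns.add(p['conn'])

    # Step 2: SRCH under cn=dns on those connections, keyed by (conn, op).
    searches: Dict[tuple, str] = {}
    for p in parsed:
        if p['conn'] in keysyncd_conns and p['op'] is not None:
            m = SRCH_RE.match(p['body'])
            if m and m.group('base').startswith(base_prefix):
                searches[(p['conn'], p['op'])] = m.group('base')

    # Step 3: the RESULT line with the same (conn, op) identifier.
    findings = []
    for p in parsed:
        key = (p['conn'], p['op'])
        if key in searches:
            m = RESULT_RE.match(p['body'])
            if m:
                findings.append({'conn': p['conn'], 'op': p['op'],
                                 'base': searches[key],
                                 'err': int(m.group('err')),
                                 'nentries': int(m.group('nentries'))})
    return findings


def summarize(findings: List[Dict[str, object]]) -> List[str]:
    """One human-readable line per finding; err=0 with entries is the healthy case."""
    return ['conn=%s op=%s SRCH base=%s -> RESULT err=%s nentries=%s%s' % (
                f['conn'], f['op'], f['base'], f['err'], f['nentries'],
                '' if f['err'] == 0 else '  <-- search failed')
            for f in findings]


if __name__ == '__main__':
    for line in summarize(correlate(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against a real /var/log/dirsrv/slapd-*/access file by replacing SAMPLE_LOG with the file's lines; only connections bound as the ipa-dnskeysyncd service principal are reported, so the manual ldapsearch done as a user (conn=613 above) is correctly ignored even though it issues the same search.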
