Vinícius Ferrão wrote:
> Hi Rob.
>
>> On 15 Feb 2021, at 10:58, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Vinícius Ferrão wrote:
>>> Hi Rob.
>>>
>>> Actually nothing that relies on Kerberos keytabs is working.
>>
>> Kerberos is working. The kinit was successful.
>
> Sorry, perhaps I didn't say it correctly. In fact Kerberos is working (I
> can kinit) but anything that relies on keytabs, specifically keytabs,
> isn't working.
>
> named-pkcs11 does not start without the hack that I've mentioned. Please
> correct me if I'm wrong about this.
>
> Every other service fails with "insufficient credentials"; dogtag,
> gssproxy, etc.

Looping in the Kerberos maintainer.

You'll note that later in the output there is a reference to "credential
cache is empty". I wonder if gssproxy is having issues.

rob

>
>>> I can properly issue kinits and log in, but I can't use 'ipa' commands,
>>> for instance. named-pkcs11 is only starting up because I've changed the
>>> authentication method in /etc/named.conf:
>>>
>>> /* WARNING: This part of the config file is IPA-managed.
>>>  * Modifications may break IPA setup or upgrades.
>>>  */
>>> dyndb "ipa" "/usr/lib64/bind/ldap.so" {
>>>   uri "ldapi://%2fvar%2frun%2fslapd-CLUSTER-CETENE-GOV-BR.socket";
>>>   base "cn=dns, dc=cluster,dc=cetene,dc=gov,dc=br";
>>>   server_id "neumann2.cluster.cetene.gov.br";
>>>   #auth_method "sasl";
>>>   #sasl_mech "GSSAPI";
>>>   #sasl_user "DNS/neumann2.cluster.cetene.gov.br";
>>>   /* Desperation */
>>>   auth_method "simple";
>>>   bind_dn "uid=admin,cn=users,cn=accounts,dc=cluster,dc=cetene,dc=gov,dc=br";
>>>   password "REDACTED";
>>> };
>>> /* End of IPA-managed part. */
>>>
>>> I've done the test that you asked for, and it was a no go:
>>>
>>> [root@neumann2 ~]# kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br
>>> [root@neumann2 ~]# klist
>>> Ticket cache: KEYRING:persistent:0:krb_ccache_dngnA1P
>>> Default principal: ipa-dnskeysyncd/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
>>>
>>> Valid starting       Expires              Service principal
>>> 02/12/2021 22:42:03  02/13/2021 22:42:03  krbtgt/cluster.cetene.gov...@cluster.cetene.gov.br
>>> [root@neumann2 ~]# ipa user-show admin
>>> ipa: ERROR: Insufficient access: Invalid credentials
>>> [root@neumann2 ~]# ipa -v user-show admin
>>> ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
>>> ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
>>> ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
>>> ipa: INFO: [try 2]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
>>> ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
>>> ipa: INFO: [try 3]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
>>> ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
>>> ipa: INFO: [try 4]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
>>> ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
>>> ipa: INFO: [try 5]: Forwarding 'schema' to json server 'https://neumann2.cluster.cetene.gov.br/ipa/session/json'
>>> ipa: INFO: trying https://neumann2.cluster.cetene.gov.br/ipa/session/json
>>> ipa: ERROR: cannot connect to 'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of tries to forward a request.
>>>
>>> I have never seen this on FreeIPA.
>>>
>>> Subsequent IPA commands just return the same error:
>>>
>>> [root@neumann2 ~]# ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of tries to forward a request.
>>
>> Did you get a HTTP service ticket? (klist)
>
> I issued an admin ticket as I usually do:
>
> [root@neumann2 ~]# kinit admin
> Password for ad...@cluster.cetene.gov.br:
> [root@neumann2 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_dngnA1P
> Default principal: ad...@cluster.cetene.gov.br
>
> Valid starting       Expires              Service principal
> 02/15/2021 13:09:04  02/16/2021 13:09:04  krbtgt/cluster.cetene.gov...@cluster.cetene.gov.br
> [root@neumann2 ~]# ipa user-list
> ipa: ERROR: Insufficient access: Invalid credentials
> [root@neumann2 ~]# ipa user-list
> ipa: ERROR: cannot connect to 'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of tries to forward a request.
> [root@neumann2 ~]# ipa user-list
> ipa: ERROR: cannot connect to 'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of tries to forward a request.
>
> But I can recover the HTTP ticket and kinit:
>
> [root@neumann2 ~]# klist -kt /var/lib/ipa/gssproxy/http.keytab
> Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    3 02/10/2021 22:52:34 HTTP/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
>    3 02/10/2021 22:52:34 HTTP/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
> [root@neumann2 ~]# kinit -kt /var/lib/ipa/gssproxy/http.keytab HTTP/neumann2.cluster.cetene.gov.br
> [root@neumann2 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_JRv9hJN
> Default principal: HTTP/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
>
> Valid starting       Expires              Service principal
> 02/15/2021 13:13:47  02/16/2021 13:13:47  krbtgt/cluster.cetene.gov...@cluster.cetene.gov.br
> [root@neumann2 ~]# ipa user-list
> ipa: ERROR: Insufficient access: Invalid credentials
> [root@neumann2 ~]# ipa user-list
> ipa: ERROR: cannot connect to 'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of tries to forward a request.
> [root@neumann2 ~]# ipa user-list
> ipa: ERROR: cannot connect to 'https://neumann2.cluster.cetene.gov.br/ipa/session/json': Exceeded number of tries to forward a request.
>
> But again it didn't work.
>
> In /var/log/httpd/error_log there is basically this:
>
> [Wed Feb 10 17:34:19.129505 2021] [:error] [pid 13912] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
> [Wed Feb 10 17:34:19.151811 2021] [auth_gssapi:error] [pid 13917] [client 172.26.255.254:48758] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
> [Wed Feb 10 17:34:31.982562 2021] [:error] [pid 13913] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
> [Wed Feb 10 17:34:32.015893 2021] [auth_gssapi:error] [pid 13914] [client 172.26.255.254:49020] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
> [Wed Feb 10 17:35:08.037058 2021] [auth_gssapi:error] [pid 13915] [client 172.26.255.254:49624] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
> [Wed Feb 10 17:38:08.183222 2021] [:warn] [pid 13916] [client 172.26.255.254:52646] failed to set perms (3140) on file (/var/run/ipa/ccaches/ad...@cluster.cetene.gov.br)!, referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
> [Wed Feb 10 17:38:08.213367 2021] [:error] [pid 13911] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
> [Wed Feb 10 17:38:08.256346 2021] [:error] [pid 13912] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
> [Wed Feb 10 17:38:08.278769 2021] [:warn] [pid 13917] [client 172.26.255.254:52654] failed to set perms (3140) on file (/var/run/ipa/ccaches/ad...@cluster.cetene.gov.br)!, referer: https://neumann2.cluster.cetene.gov.br/ipa/xml
>
> Just for completeness, removing the /etc/named.conf hack, this happens:
>
> [root@neumann2 ~]# ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Failed to start named Service
> Shutting down
> Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
> Aborting ipactl
>
> In /var/log/messages:
>
> Feb 15 13:18:52 neumann2 named-pkcs11[32027]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
> Feb 15 13:18:52 neumann2 named-pkcs11[32027]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
> Feb 15 13:18:52 neumann2 named-pkcs11[32027]: bind-dyndb-ldap version 11.1 compiled at 02:16:24 Apr 1 2020, compiler 4.8.5 20150623 (Red Hat 4.8.5-39)
> Feb 15 13:18:52 neumann2 named-pkcs11[32027]: LDAP error: Invalid credentials: bind to LDAP server failed
> Feb 15 13:18:52 neumann2 named-pkcs11[32027]: couldn't establish connection in LDAP connection pool: permission denied
> Feb 15 13:18:52 neumann2 named-pkcs11[32027]: dynamic database 'ipa' configuration failed: permission denied
> Feb 15 13:18:52 neumann2 named-pkcs11[32027]: loading configuration: permission denied
> Feb 15 13:18:52 neumann2 named-pkcs11[32027]: exiting (due to fatal error)
> Feb 15 13:18:52 neumann2 systemd: named-pkcs11.service: control process exited, code=exited status=1
> Feb 15 13:18:52 neumann2 systemd: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
> Feb 15 13:18:52 neumann2 systemd: Unit named-pkcs11.service entered failed state.
> Feb 15 13:18:52 neumann2 systemd: named-pkcs11.service failed.
> Feb 15 13:18:52 neumann2 systemd: Stopping Kerberos 5 KDC...
> Feb 15 13:18:52 neumann2 systemd: Stopped Kerberos 5 KDC.
> Feb 15 13:18:52 neumann2 systemd: Stopping Kerberos 5 Password-changing and Administration...
> Feb 15 13:18:52 neumann2 systemd: Stopped Kerberos 5 Password-changing and Administration.
> Feb 15 13:18:52 neumann2 systemd: Stopping 389 Directory Server CLUSTER-CETENE-GOV-BR....
>
> That's it, Rob.
>
> If there's anything more that I should try or you need to see, please let
> me know.
>
> Thank you.
>
>>
>> Check the Apache error log for more details.
>>
>> rob
>>
>>>
>>> Thank you.
>>>
>>>
>>>> On 12 Feb 2021, at 18:11, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>
>>>> Just to confirm, the system is working with the exception of
>>>> ipa-dnskeysyncd.service?
>>>>
>>>> Does this work?
>>>>
>>>> # kinit -kt /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br
>>>> # ipa user-show admin
>>>>
>>>> This will get a ticket and then use that ticket.
>>>>
>>>> rob
>>>>
>>>> Vinícius Ferrão via FreeIPA-users wrote:
>>>>> Hello,
>>>>>
>>>>> I'm still not sure what is happening, but I got some interesting error
>>>>> messages from ipa-healthcheck:
>>>>>
>>>>> [root@neumann2 keytabs]# ipa-healthcheck --failures-only --output-type human
>>>>> CRITICAL: ipahealthcheck.ipa.dna.IPADNARangeCheck: Insufficient access: Invalid credentials
>>>>> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/lib/ipa/backup/: free space percentage under threshold: 16% < 20%
>>>>> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /tmp: free space percentage under threshold: 16% < 20%
>>>>> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/lib/dirsrv/: free space percentage under threshold: 16% < 20%
>>>>> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/log/: free space percentage under threshold: 16% < 20%
>>>>> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/tmp/: free space percentage under threshold: 16% < 20%
>>>>> ERROR: ipahealthcheck.system.filesystemspace.FileSystemSpaceCheck: /var/log/audit/: free space percentage under threshold: 16% < 20%
>>>>>
>>>>> I tried to search for the critical message but nothing comes up. There's
>>>>> a lot of GSSAPI errors in all logs.
>>>>>
>>>>> I tried to regenerate all keytabs of the system but it was a no go
>>>>> either:
>>>>>
>>>>> # gssproxy
>>>>> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'HTTP/neumann2.cluster.cetene.gov.br' -r -k /var/lib/ipa/gssproxy/http.keytab
>>>>>
>>>>> # Dogtag
>>>>> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'dogtag/neumann2.cluster.cetene.gov.br' -r -k /etc/pki/pki-tomcat/dogtag.keytab
>>>>>
>>>>> # DNSKeySync
>>>>> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'ipa-dnskeysyncd/neumann2.cluster.cetene.gov.br' -r -k /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
>>>>>
>>>>> # Host Keytab
>>>>> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'host/neumann2.cluster.cetene.gov.br' -r -k /etc/krb5.keytab
>>>>>
>>>>> # named
>>>>> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'DNS/neumann2.cluster.cetene.gov.br' -r -k /etc/named.keytab
>>>>>
>>>>> # 389ds
>>>>> ipa-getkeytab -D "cn=directory manager" -w 86dNCxFFCpNMLEf6kr -s neumann2.cluster.cetene.gov.br -p 'ldap/neumann2.cluster.cetene.gov.br' -r -k /etc/dirsrv/ds.keytab
>>>>>
>>>>> Some error messages:
>>>>>
>>>>> [10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49 tag=97 nentries=0 etime=0.001927716 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_389: Operation not permitted)
>>>>>
>>>>> ==> /var/log/messages <==
>>>>> Feb 10 23:05:14 neumann2 systemd: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
>>>>> Feb 10 23:05:14 neumann2 systemd: Stopped IPA key daemon.
>>>>> Feb 10 23:05:14 neumann2 systemd: Started IPA key daemon.
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ipa-dnskeysyncd: INFO     LDAP bind...
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ipa-dnskeysyncd: ERROR    Login to LDAP server failed: {'desc': 'Invalid credentials'}
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: Traceback (most recent call last):
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 96, in <module>
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 850, in sasl_interactive_bind_s
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 818, in _apply_method_s
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: return func(self,*args,**kwargs)
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: result = func(*args,**kwargs)
>>>>> Feb 10 23:05:16 neumann2 ipa-dnskeysyncd: INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}
>>>>> Feb 10 23:05:16 neumann2 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
>>>>> Feb 10 23:05:16 neumann2 systemd: Unit ipa-dnskeysyncd.service entered failed state.
>>>>> Feb 10 23:05:16 neumann2 systemd: ipa-dnskeysyncd.service failed.
>>>>>
>>>>> Thanks,
>>>>>
>>>>>> On 10 Feb 2021, at 02:01, Vinícius Ferrão via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> FreeIPA on CentOS 7.8 just stopped working and I'm unable to fix it by
>>>>>> myself. After reading a lot of threads here on the list, it appears
>>>>>> that I have the same issue as this topic:
>>>>>> https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg05501.html
>>>>>>
>>>>>> Since Kerberos is apparently not working as expected, I cannot use
>>>>>> FreeIPA and none of the services are working correctly. Following the
>>>>>> debug guide I was able to at least start named with simple
>>>>>> authentication to further debug. (Workaround 1 of
>>>>>> https://docs.pagure.org/bind-dyndb-ldap/BIND9/NamedCannotStart.html)
>>>>>>
>>>>>> And now I'm stuck on item 5 of the same manual.
>>>>>>
>>>>>> [root@neumann2 ~]# KRB5_TRACE=/dev/stderr ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-CLUSTER-CETENE-GOV-BR.socket' -Y GSSAPI -b 'cn=dns,dc=cluster,dc=cetene,dc=gov,dc=br'
>>>>>> SASL/GSSAPI authentication started
>>>>>> [6588] 1612932571.244080: ccselect module realm chose cache KEYRING:persistent:0:krb_ccache_UuVdVRC with client principal DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br for server principal ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
>>>>>> [6588] 1612932571.244081: Getting credentials DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br -> ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br using ccache KEYRING:persistent:0:krb_ccache_UuVdVRC
>>>>>> [6588] 1612932571.244082: Retrieving DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br -> ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br from KEYRING:persistent:0:krb_ccache_UuVdVRC with result: 0/Success
>>>>>> [6588] 1612932571.244084: Creating authenticator for DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br -> ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br, seqnum 1040975659, subkey aes256-cts/48E9, session key aes256-cts/DF1E
>>>>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>>>>
>>>>>> [root@neumann2 ~]# ipa privilege-show 'DNS Servers' --all --raw
>>>>>> ipa: ERROR: Insufficient access: Invalid credentials
>>>>>>
>>>>>> [root@neumann2 ~]# klist
>>>>>> Ticket cache: KEYRING:persistent:0:krb_ccache_UuVdVRC
>>>>>> Default principal: DNS/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
>>>>>>
>>>>>> Valid starting       Expires              Service principal
>>>>>> 02/10/2021 01:52:43  02/11/2021 01:49:04  HTTP/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
>>>>>> 02/10/2021 01:49:16  02/11/2021 01:49:04  ldap/neumann2.cluster.cetene.gov...@cluster.cetene.gov.br
>>>>>> 02/10/2021 01:49:04  02/11/2021 01:49:04  krbtgt/cluster.cetene.gov...@cluster.cetene.gov.br
>>>>>>
>>>>>> Any idea on how to fix this?
>>>>>>
>>>>>> Thanks,
>>>>>> Vinícius.
>>>>>>
>>>>>> PS: Before the workaround named-pkcs11 fails to start with the
>>>>>> following error:
>>>>>>
>>>>>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
>>>>>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
>>>>>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: bind-dyndb-ldap version 11.1 compiled at 02:16:24 Apr 1 2020, compiler 4.8.5 20150623 (Red Hat 4.8.5-39)
>>>>>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: LDAP error: Invalid credentials: bind to LDAP server failed
>>>>>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: couldn't establish connection in LDAP connection pool: permission denied
>>>>>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: dynamic database 'ipa' configuration failed: permission denied
>>>>>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: loading configuration: permission denied
>>>>>> Feb 10 01:40:46 neumann2 named-pkcs11[4532]: exiting (due to fatal error)
>>>>>> Feb 10 01:40:46 neumann2 systemd: named-pkcs11.service: control process exited, code=exited status=1
>>>>>> Feb 10 01:40:46 neumann2 systemd: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
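The checks the thread runs by hand (kinit -kt against each service keytab, klist -kt on the keytab, then trying a GSSAPI bind) can be scripted so that every keytab on the server is exercised the same way and the key version (KVNO) stored in the keytab is compared with the one the KDC reports. The script below is an added example by the editor, not code from the thread or from the FreeIPA project. It assumes krb5-workstation (kinit, klist, kvno) is installed, that it runs as root on the IPA server, and it uses the host name, keytab paths and principals exactly as the poster listed them; everything else (the temporary FILE ccache, the KVNO comparison, the replay-cache ownership check) is the editor's. The replay-cache check reflects the editor's reading of the "Cannot create replay cache file /var/tmp/ldap_389: Operation not permitted" line in the 389-ds access log: krb5 names that file <service>_<euid>, and a leftover file owned by a different uid in a sticky /var/tmp cannot be replaced by the daemon. Note the limit of this test, which the thread itself demonstrates: a successful kinit -kt only proves the keytab matches the KDC for that principal; it says nothing about the acceptor side (the ldap/ keytab and replay cache that ns-slapd uses, or the HTTP/ credentials gssproxy hands to httpd).

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or FreeIPA): exercise
# each IPA service keytab with a throw-away credential cache, compare the
# KVNO in the keytab with the KVNO the KDC reports, and flag a stale krb5
# replay-cache file for ns-slapd. Assumes kinit/klist/kvno are installed
# and the script runs as root on the IPA server named in the thread.

IPA_HOST=${IPA_HOST:-neumann2.cluster.cetene.gov.br}   # assumption: the thread's host

# keytab:principal pairs, the same set the poster regenerated with ipa-getkeytab
KEYTABS="
/etc/krb5.keytab:host/$IPA_HOST
/etc/dirsrv/ds.keytab:ldap/$IPA_HOST
/var/lib/ipa/gssproxy/http.keytab:HTTP/$IPA_HOST
/etc/named.keytab:DNS/$IPA_HOST
/etc/ipa/dnssec/ipa-dnskeysyncd.keytab:ipa-dnskeysyncd/$IPA_HOST
/etc/pki/pki-tomcat/dogtag.keytab:dogtag/$IPA_HOST
"

# keytab_kvno PRINCIPAL: read `klist -kt` output on stdin and print the highest
# KVNO stored for PRINCIPAL. Data lines start with a numeric KVNO; the last
# field is the principal with its @REALM suffix, which is stripped before matching.
keytab_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ { sub(/@.*/, "", $NF); if ($NF == p) print $1 }' \
        | sort -n | tail -n 1
}

# kdc_kvno: read `kvno PRINCIPAL` output ("princ@REALM: kvno = N") on stdin, print N.
kdc_kvno() {
    awk '/kvno = / { print $NF }'
}

# rcache_stale DIR NAME: krb5 names a service's replay cache <service>_<euid>
# (ldap_389 for ns-slapd running as uid 389). Exit 0 when the file exists but
# is owned by a uid other than the one in its name, which the daemon cannot
# replace in a sticky /var/tmp (editor's interpretation of the thread's error).
rcache_stale() {
    f="$1/$2"
    [ -e "$f" ] || return 1
    want=${2##*_}
    have=$(ls -ln "$f" | awk '{ print $3 }')
    [ "$have" != "$want" ]
}

# check_keytab KEYTAB PRINCIPAL: kinit into a private FILE ccache so the
# caller's KEYRING cache is untouched, then compare keytab and KDC KVNOs.
check_keytab() {
    keytab=$1 princ=$2
    cc=$(mktemp /tmp/ktcheck.XXXXXX) || return 1
    export KRB5CCNAME="FILE:$cc"
    if ! err=$(kinit -kt "$keytab" "$princ" 2>&1); then
        printf 'FAIL %-45s kinit: %s\n' "$princ" "$err"
        rm -f "$cc"; return 1
    fi
    kt=$(klist -kt "$keytab" | keytab_kvno "$princ")
    kdc=$(kvno "$princ" 2>/dev/null | kdc_kvno)
    rm -f "$cc"
    if [ -n "$kt" ] && [ "$kt" = "$kdc" ]; then
        printf 'OK   %-45s kvno %s\n' "$princ" "$kt"
    else
        printf 'FAIL %-45s keytab kvno=%s kdc kvno=%s\n' "$princ" "${kt:-none}" "${kdc:-none}"
        return 1
    fi
}

main() {
    rc=0
    for pair in $KEYTABS; do
        check_keytab "${pair%%:*}" "${pair#*:}" || rc=1
    done
    if rcache_stale /var/tmp ldap_389; then
        echo "FAIL /var/tmp/ldap_389 exists but is not owned by uid 389; remove it and restart dirsrv"
        rc=1
    fi
    return $rc
}

# Run the live checks only when asked (KEYTAB_CHECK_RUN=1 ./check_keytabs.sh),
# so the parsing helpers can be sourced and exercised without a KDC.
if [ -n "${KEYTAB_CHECK_RUN:-}" ]; then main; fi
```

Run it as `KEYTAB_CHECK_RUN=1 sh check_keytabs.sh`. A keytab whose KVNO lags the KDC's means the key was rotated (for example by an `ipa-getkeytab` without `-r`) and the service still holds the old one; a kinit failure with "Preauthentication failed" points the same way. When every line reads OK and binds still fail with "Invalid credentials", as in this thread, the problem is on the accepting service, and the replay-cache line and the httpd/gssproxy errors are the place to look.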