Hello,

On one of our IPA servers, the named service suddenly cannot start, so I followed
the link below:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart

I found some errors like the ones below:

==> messages <==
Jul  8 23:30:30 eupreprd-ops-ipa-01 named-pkcs11[5002]: LDAP error: Invalid credentials: SASL(-14): authorization failure: : bind to LDAP server failed

It should be an "Invalid credentials: bind to LDAP server failed" error;
however, the commands below show no issues to me:

[root@eupreprd-ops-ipa-01 ~]# kvno DNS/eupreprd-ops-ipa-01.internal....@internal.com
DNS/eupreprd-ops-ipa-01.internal....@internal.com: kvno = 2

[root@eupreprd-ops-ipa-01 ~]# klist -kt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com
   2 06/10/2016 17:57:38 DNS/eupreprd-ops-ipa-01.internal....@internal.com

[root@eupreprd-ops-ipa-01 ~]# kinit -kt /etc/named.keytab DNS/eupreprd-ops-ipa-01.internal.com
[root@eupreprd-ops-ipa-01 ~]#

[root@eupreprd-ops-ipa-01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-INTERNAL-COM.socket' -Y GSSAPI -b 'cn=dns,dc=internal,dc=com'
...<Lots of results, will not put here>...



For now, I have used the "(Workaround) Use simple LDAP BIND instead of Kerberos"
to make it work, but I still want to know how to recover to "sasl"?



Thanks in advance!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
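Added example, not part of the original post and not code from FreeIPA or bind-dyndb-ldap: a POSIX shell script that bundles the same checks the post runs by hand (key version in the keytab versus the KDC's current kvno, kinit from the keytab, a GSSAPI ldapsearch against the DNS container) and stops at the first failing step so the cause of a "bind to LDAP server failed" error can be narrowed down. The principal, keytab path, LDAPI socket and base DN are placeholder assumptions, overridable through the environment; the klist/kvno output used in the offline mode is constructed to match the shape of the real commands' output.

```shell
#!/bin/sh
# Added example: consolidates the manual checks from the post above.
# Not part of the original post or of FreeIPA/bind-dyndb-ldap.
# All defaults below are placeholder assumptions; override via the environment.
KEYTAB="${KEYTAB:-/etc/named.keytab}"
PRINC="${PRINC:-DNS/ipa-host.example.test@EXAMPLE.TEST}"                  # assumed principal
LDAP_URI="${LDAP_URI:-ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket}"  # assumed socket
BASE="${BASE:-cn=dns,dc=example,dc=test}"                                 # assumed DNS container

# Constructed sample output in the shape 'klist -kt' and 'kvno' print,
# so the parsing and comparison can be exercised without a KDC.
SAMPLE_KLIST='Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/10/2016 17:57:38 DNS/ipa-host.example.test@EXAMPLE.TEST
   2 06/10/2016 17:57:38 DNS/ipa-host.example.test@EXAMPLE.TEST'
SAMPLE_KVNO='DNS/ipa-host.example.test@EXAMPLE.TEST: kvno = 2'

# Read 'klist -kt' output on stdin; print the distinct key versions it holds,
# space-separated. Entry lines are the ones whose first column is numeric.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Read 'kvno' output on stdin ("principal: kvno = N"); print N.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# kvno_matches KDC_KVNO KEYTAB_KVNO...: succeed only if the KDC's current key
# version is present in the keytab. If it is not, the keytab is stale and every
# GSSAPI bind made with it fails with "Invalid credentials".
kvno_matches() {
    want="$1"; shift
    for have in "$@"; do
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# Offline mode: run the comparison against the constructed samples.
# Returns 0 on match, 1 on mismatch.
demo() {
    have=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos)
    want=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
    if kvno_matches "$want" $have; then
        echo "keytab KVNO(s) [$have] include KDC KVNO $want: OK"
        return 0
    fi
    echo "keytab KVNO(s) [$have] do not include KDC KVNO $want: stale keytab"
    return 1
}

# Live mode: same comparison against the real keytab and KDC, then a GSSAPI
# bind using a throwaway credential cache so the caller's own cache is left
# untouched. Needs the krb5 client tools and ldapsearch on the host.
check_live() {
    have=$(klist -kt "$KEYTAB" | keytab_kvnos)
    [ -n "$have" ] || { echo "no entries read from $KEYTAB" >&2; return 1; }
    want=$(kvno "$PRINC" | kdc_kvno)
    [ -n "$want" ] || { echo "kvno lookup for $PRINC failed" >&2; return 1; }
    kvno_matches "$want" $have || {
        echo "KVNO mismatch: keytab has [$have], KDC has $want" >&2
        return 1
    }
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    trap 'kdestroy >/dev/null 2>&1' EXIT
    kinit -kt "$KEYTAB" "$PRINC" || return 1
    # Base-scope search requesting no attributes (1.1): it returns an entry only
    # if the SASL/GSSAPI bind itself succeeded.
    ldapsearch -LLL -H "$LDAP_URI" -Y GSSAPI -b "$BASE" -s base 1.1
}

case "${1:-}" in
    --live) check_live ;;
    *)      demo ;;
esac
```

Run it with no arguments to exercise the parsing against the constructed samples, or with `--live` on the IPA server to repeat the post's checks in one go; the script is deliberately read-only and touches nothing but a temporary credential cache that it destroys on exit.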