On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote:
>
> So there are actually no issues with credentials, it needs more
> debugging, in past we have similar case but we haven't found the
> root cause why it doesn't have the right credentials after kinit.

So, to be clear, all I did was kinit. I didn't do anything after that once the credentials were acquired. Should I have or did you just want me to test that credential file was usable?

I did that as root. Here's the permissions on that keytab just in case there is a problem there:

    # ls -lZ /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
    -r--r-----. root ods unconfined_u:object_r:etc_t:s0 /etc/ipa/dnssec/ipa-dnskeysyncd.keytab

restorecon says that the selinux labels are ok. The file is not in the RPM (i.e. as a config file) so I have no reference for the permissions of it.

> Are you
> willing to do more basic level code debugging?

Absolutely.

> BTW this is used only with DNSSEC feature. If you don't use DNSSEC
> signing you can ignore this failing service (ipactl start
> --ignore-service-failures)

Let's also not lose sight of the other problem that occurred at the same upgrade and that's the having to fall back to simple authentication of bind with:

    arg "auth_method simple";
    arg "bind_dn uid=admin,cn=users,cn=accounts,dc=example.com";
    arg "password my_password";

in /etc/named.conf due to:

    21:12:19 LDAP error: Invalid credentials: bind to LDAP server failed

trying to start bind via systemctl start ipa.

Is it most likely that these two problems are in fact not related?

Cheers,
b.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project