On 20.12.2016 12:41, Brian J. Murrell wrote:
> On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote:
>>
>> So there are actually no issues with credentials, it needs more
>> debugging, in the past we had a similar case but we haven't found the
>> root cause why it doesn't have the right credentials after kinit.
>
> So, to be clear, all I did was kinit. I didn't do anything after that
> once the credentials were acquired. Should I have or did you just want
> me to test that the credential file was usable? I did that as root.
> Here's the permissions on that keytab just in case there is a problem
> there:
>
> # ls -lZ /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
> -r--r-----. root ods unconfined_u:object_r:etc_t:s0 /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
>
> restorecon says that the selinux labels are ok. The file is not in the
> RPM (i.e. as a config file) so I have no reference for the permissions
> of it.
>
>> Are you willing to do more basic level code debugging?
>
> Absolutely.
>
>> BTW this is used only with the DNSSEC feature. If you don't use DNSSEC
>> signing you can ignore this failing service (ipactl start
>> --ignore-service-failures)
>
> Let's also not lose sight of the other problem that occurred at the
> same upgrade and that's having to fall back to simple
> authentication of bind with:
>
> arg "auth_method simple";
> arg "bind_dn uid=admin,cn=users,cn=accounts,dc=example.com";
> arg "password my_password";
>
> in /etc/named.conf due to:
>
> 21:12:19 LDAP error: Invalid credentials: bind to LDAP server failed
>
> trying to start bind via systemctl start ipa.
>
> Is it most likely that these two problems are in fact not related?
I guess that they are related because it is basically the very same problem. The keytab does not work when used from the server application. The question is: Why is that?

You can try to add the line KRB5_TRACE=/dev/stdout to /etc/sysconfig/ipa-dnskeysyncd and see if there will be some additional information in the journal. Maybe you will have to use a path like /var/lib/ipa/dnssec/debug.log instead of /dev/stderr and then look into the new file.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
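A script that reproduces the keytab test the way the service would see it, added here as an example and not code from the thread or from FreeIPA. It assumes the daemon reads the keytab as the account in SVC_USER ("ods", chosen to match the keytab's group owner shown above), uses the trace path Petr suggested, and only performs the live kinit when invoked with the argument `run`.

```shell
#!/bin/sh
# Added diagnostic, not code from the mailing list or from FreeIPA.
# Assumptions: the daemon reads the keytab as SVC_USER ("ods", the group owner
# shown in the thread); TRACE is the path suggested in the reply; "run" as the
# first argument performs the live test, otherwise only the functions are defined.
KEYTAB=${KEYTAB:-/etc/ipa/dnssec/ipa-dnskeysyncd.keytab}
SVC_USER=${SVC_USER:-ods}
TRACE=${TRACE:-/var/lib/ipa/dnssec/debug.log}

# keytab_mode_ok FILE: succeed only if the owner can read, the group has at most
# read, and "other" has no bits at all (0440/0400/0640/0600). Parses ls -l so it
# works with or without the SELinux "." suffix and without GNU stat.
keytab_mode_ok() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  [ -n "$perms" ] || return 1
  case "$perms" in
    -r??r-----|-r??------) return 0 ;;
    *) return 1 ;;
  esac
}

# keytab_group_ok FILE GROUP: succeed if FILE's group owner equals GROUP, so the
# service account can actually make use of the group read bit.
keytab_group_ok() {
  grp=$(ls -ld "$1" 2>/dev/null | awk '{print $4}')
  [ "$grp" = "$2" ]
}

# run_trace: a kinit as root proves nothing about the service, because root
# bypasses file permissions. Switch to SVC_USER, use a throwaway credential
# cache so root's own tickets cannot mask a failure, and write the KRB5 trace
# to TRACE for inspection.
run_trace() {
  princ=$(klist -kt "$KEYTAB" | awk 'NR > 3 { print $NF; exit }')
  [ -n "$princ" ] || { echo "no principal found in $KEYTAB" >&2; return 1; }
  runuser -u "$SVC_USER" -- env KRB5_TRACE="$TRACE" \
      KRB5CCNAME=/tmp/ipa-dnssec-test.ccache kinit -kt "$KEYTAB" "$princ"
}

if [ "${1:-}" = "run" ]; then
  keytab_mode_ok "$KEYTAB" || echo "WARN: unexpected mode on $KEYTAB" >&2
  keytab_group_ok "$KEYTAB" "$SVC_USER" || echo "WARN: group owner is not $SVC_USER" >&2
  run_trace && echo "kinit as $SVC_USER succeeded; trace in $TRACE" \
            || echo "kinit as $SVC_USER failed; read $TRACE" >&2
fi
```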