---------- Forwarded message ----------
From: Jeff Goddard <jgodd...@emerlyn.com>
Date: Thu, Jan 5, 2017 at 8:57 AM
Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}
To: Martin Basti <mba...@redhat.com>

On Thu, Jan 5, 2017 at 3:43 AM, Martin Basti <mba...@redhat.com> wrote:

> On 04.01.2017 22:21, Jeff Goddard wrote:
>
> I don't want to hijack someone else's thread but I'm having what appears to be the same problem and have not seen a solution presented yet.
>
> Here is the output of journalctl -xe after having tried to start named:
>
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration from '/etc/named.conf'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv4 port range: [1024, 65535]
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: using default UDP/IPv6 port range: [1024, 65535]
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv6 interfaces, port 53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface lo, 127.0.0.1#53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: listening on IPv4 interface ens32, 10.73.100.31#53
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: generating session key for dynamic DNS
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: sizing zone task pool based on 6 zones
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: bind-dyndb-ldap version 10.0 compiled at 18:06:06 Nov 11 2016, compiler 4.8.5 20150623 (Red Hat 4.8.5-11)
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: option 'serial_autoincrement' is not supported, ignoring
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 2
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: GSSAPI client step 2
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com ns-slapd[2596]: GSSAPI server step 3
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: LDAP error: Invalid credentials: bind to LDAP server failed
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: couldn't establish connection in LDAP connection pool: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: dynamic database 'ipa' configuration failed: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading configuration: permission denied
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: exiting (due to fatal error)
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
> -- Subject: Unit named-pkcs11.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit named-pkcs11.service has failed.
> --
> -- The result is failed.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: Unit named-pkcs11.service entered failed state.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com systemd[1]: named-pkcs11.service failed.
> Jan 04 15:48:42 id-management-2.internal.emerlyn.com polkitd[949]: Unregistered Authentication Agent for unix-process:3936:380486 (system bus name :1.59, object path /org/freedesktop/Policy
>
> Here are the last four entries of /var/log/dirsrv/slapd-*/access |grep ipa-dnskeysyncdcat:
>
> [04/Jan/2017:15:28:37.463224739 -0500] conn=5 op=1129 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com)(krbPrincipalName:caseIgnoreIA5Match:=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [04/Jan/2017:15:28:37.464739661 -0500] conn=5 op=1133 SRCH base="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
> [04/Jan/2017:15:28:37.465851372 -0500] conn=5 op=1134 MOD dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
> [04/Jan/2017:15:28:37.474974775 -0500] conn=6 op=1372 SRCH base="dc=internal,dc=emerlyn,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
> [04/Jan/2017:15:28:37.482436172 -0500] conn=281 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com,cn=services,cn=accounts,dc=internal,dc=emerlyn,dc=com"
>
> My environment:
> Freeipa 4.2.0
> OS is Centos 7.2
>
> This is a secondary replica (master) and the other replica can be pinged but nslookup and dig fail to provide results even though the values are in the /etc/hosts file:
>
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> 10.72.100.16 id-management-1.internal.emerlyn.com
> 10.73.100.31 id-management-2.internal.emerlyn.com
>
> Any assistance in solving this would be greatly appreciated and thanks for both the great product and the support already provided.
>
> Jeff
>
> Hello,
>
> what does the /etc/sysconfig/dirsrv file contain?
>
> can you kinit as DNS?
>
> kinit -kt /etc/named.keytab DNS/$HOSTNAME
>
> Martin^2

The kinit -kt /etc/named.keytab DNS/$HOSTNAME command returns nothing

Here is the requested file output:

# This file is sourced by dirsrv upon startup to set
# the default environment for all directory server instances.
# To set instance specific defaults, use the file in the same
# directory called dirsrv-instance where "instance"
# is the name of your directory server instance e.g.
# dirsrv-localhost for the slapd-localhost instance.
# This file is in systemd EnvironmentFile format - see man systemd.exec
# In order to make more file descriptors available
# to the directory server, first make sure the system
# hard limits are raised, then use ulimit - uncomment
# out the following line and change the value to the
# desired value
# ulimit -n 8192
# note - if using systemd, ulimit won't work - you must edit
# the systemd unit file for directory server to add the
# LimitNOFILE option - see man systemd.exec for more info
# A per instance keytab does not make much sense for servers.
# Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there
# is nothing that can make a client understand how to get a per-instance ticket.
# Therefore by default a keytab should be considered a per server option.
# Also this file is sourced for all instances, so again all
# instances would ultimately get the same keytab.
# Finally a keytab is normally named either krb5.keytab or <service>.keytab
# In order to use SASL/GSSAPI (Kerberos) the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
# if using systemd, omit the "; export VARNAME" at the end
# how many seconds to wait for the startpid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#STARTPID_TIME=10 ; export STARTPID_TIME
# how many seconds to wait for the pid file to show
# up before we assume there is a problem and fail to start
# if using systemd, omit the "; export VARNAME" at the end
#PID_TIME=600 ; export PID_TIME
KRB5CCNAME=/tmp/krb5cc_389
KRB5_KTNAME=/etc/dirsrv/ds.keytab

I tried to re-install (ipa-install-dns) and here is the install log. I highlighted in red below where I think the problem may be coming from.

2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:47Z DEBUG duration: 0 seconds
2017-01-05T13:13:47Z DEBUG [4/8]: setting up kerberos principal
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q addprinc -randkey DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.
2017-01-05T13:13:47Z DEBUG stderr=WARNING: no policy specified for DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com; defaulting to no policy
add_principal: Principal or policy already exists while creating "DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com".
2017-01-05T13:13:47Z DEBUG Backing up system configuration file '/etc/named.keytab'
2017-01-05T13:13:47Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-05T13:13:47Z DEBUG Starting external process
2017-01-05T13:13:47Z DEBUG args=kadmin.local -q ktadd -k /etc/named.keytab DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:47Z DEBUG Process finished, return code=0
2017-01-05T13:13:47Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/named.keytab.
Entry for principal DNS/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/named.keytab.
2017-01-05T13:13:47Z DEBUG stderr=
2017-01-05T13:13:47Z DEBUG duration: 0 seconds
2017-01-05T13:13:47Z DEBUG [5/8]: setting up named.conf
2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:47Z DEBUG duration: 0 seconds
2017-01-05T13:13:47Z DEBUG [6/8]: setting up server configuration
2017-01-05T13:13:47Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:47Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4c48440>
2017-01-05T13:13:48Z DEBUG raw: dnsserver_add(u'id-management-2.internal.emerlyn.com', idnssoamname=<DNS name id-management-2.internal.emerlyn.com.>, version=u'2.213')
2017-01-05T13:13:48Z DEBUG dnsserver_add(u'id-management-2.internal.emerlyn.com', idnssoamname=<DNS name id-management-2.internal.emerlyn.com.>, all=False, raw=False, version=u'2.213')
2017-01-05T13:13:48Z DEBUG raw: dnsserver_mod(u'id-management-2.internal.emerlyn.com', idnsforwarders=[u'10.72.100.16'], idnsforwardpolicy=u'only', version=u'2.213')
2017-01-05T13:13:48Z DEBUG dnsserver_mod(u'id-management-2.internal.emerlyn.com', idnsforwarders=(u'10.72.100.16',), idnsforwardpolicy=u'only', rights=False, all=False, raw=False, version=u'2.213')
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:48Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [7/8]: configuring named to start on boot
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl disable named-pkcs11.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG service DNS startup entry already enabled
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop named.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl mask named.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=Created symlink from /etc/systemd/system/named.service to /dev/null.
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [8/8]: changing resolv.conf to point to ourselves
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG Done configuring DNS (named).
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=/bin/systemctl stop ipa-dnskeysyncd.service
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=
2017-01-05T13:13:48Z DEBUG stderr=
2017-01-05T13:13:48Z DEBUG Configuring DNS key synchronization service (ipa-dnskeysyncd)
2017-01-05T13:13:48Z DEBUG [1/7]: checking status
2017-01-05T13:13:48Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:48Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2c20>
2017-01-05T13:13:48Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [2/7]: setting up bind-dyndb-ldap working directory
2017-01-05T13:13:48Z DEBUG duration: 0 seconds
2017-01-05T13:13:48Z DEBUG [3/7]: setting up kerberos principal
2017-01-05T13:13:48Z DEBUG Removing service keytab: /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q addprinc -randkey ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:48Z DEBUG Process finished, return code=0
2017-01-05T13:13:48Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.
2017-01-05T13:13:48Z DEBUG stderr=WARNING: no policy specified for ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com; defaulting to no policy
add_principal: Principal or policy already exists while creating "ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com".
2017-01-05T13:13:48Z DEBUG Starting external process
2017-01-05T13:13:48Z DEBUG args=kadmin.local -q ktadd -k /etc/ipa/dnssec/ipa-dnskeysyncd.keytab ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com -x ipa-setup-override-restrictions
2017-01-05T13:13:49Z DEBUG Process finished, return code=0
2017-01-05T13:13:49Z DEBUG stdout=Authenticating as principal admin/ad...@internal.emerlyn.com with password.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type arcfour-hmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
Entry for principal ipa-dnskeysyncd/id-management-2.internal.emerlyn....@internal.emerlyn.com with kvno 7, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab.
2017-01-05T13:13:49Z DEBUG stderr=
2017-01-05T13:13:49Z DEBUG duration: 0 seconds
2017-01-05T13:13:49Z DEBUG [4/7]: setting up SoftHSM
2017-01-05T13:13:49Z DEBUG Creating new softhsm config file
2017-01-05T13:13:49Z DEBUG duration: 0 seconds
2017-01-05T13:13:49Z DEBUG [5/7]: adding DNSSEC containers
2017-01-05T13:13:49Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4ec9998>
2017-01-05T13:13:49Z INFO DNSSEC container exists (step skipped)
2017-01-05T13:13:49Z DEBUG duration: 0 seconds
2017-01-05T13:13:49Z DEBUG [6/7]: creating replica keys
2017-01-05T13:13:49Z DEBUG Creating replica's key pair
2017-01-05T13:13:49Z DEBUG Storing replica public key to LDAP, ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=internal,dc=emerlyn,dc=com
2017-01-05T13:13:49Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket from SchemaCache
2017-01-05T13:13:49Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-INTERNAL-EMERLYN-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4eb2830>
2017-01-05T13:13:50Z DEBUG Replica public key stored
2017-01-05T13:13:50Z DEBUG Setting CKA_WRAP=False for old replica keys
2017-01-05T13:13:50Z DEBUG Changing ownership of token files
2017-01-05T13:13:50Z DEBUG duration: 0 seconds
2017-01-05T13:13:50Z DEBUG [7/7]: configuring ipa-dnskeysyncd to start on boot
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl disable ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG service DNSKeySync startup entry already enabled
2017-01-05T13:13:50Z DEBUG duration: 0 seconds
2017-01-05T13:13:50Z DEBUG Done configuring DNS key synchronization service (ipa-dnskeysyncd).
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl is-active ipa-dnskeysyncd.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=0
2017-01-05T13:13:50Z DEBUG stdout=active
2017-01-05T13:13:50Z DEBUG stderr=
2017-01-05T13:13:50Z DEBUG Restarting named
2017-01-05T13:13:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-05T13:13:50Z DEBUG Starting external process
2017-01-05T13:13:50Z DEBUG args=/bin/systemctl restart named-pkcs11.service
2017-01-05T13:13:50Z DEBUG Process finished, return code=1
2017-01-05T13:13:50Z DEBUG stdout=
2017-01-05T13:13:50Z DEBUG stderr=Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details.

Thank you for assisting.

--
Jeff

Looping in the rest of the previous recipients

--
Jeff Goddard