I forgot to add the -k in the klist command. Actually the keytab looks correct. I noticed the file permissions were 0400 named:named but all other service keytabs I see are 0600. I thought that might be an issue so I tried changing the permissions to 0600 on all the servers but it hasn't changed the result.

Any clue on whether those permissions (0400) are correct? I know folks like to do named like that with chroots and such but that seems wrong to me.

On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto <[email protected]> wrote:
> klist /etc/named.keytab
> klist: Bad format in credentials cache
>
> It's actually like this on all the servers, and I assume it is only
> showing up in the logs for the 1 server because that is the server
> where we make changes and it is trying to push changes out to the
> rest.
>
> If it were any other server than an IPA server I would just manually
> ipa-getkeytab, but since it's also a KDC I'm having doubts about how
> to proceed. What do you think Matt?
>
> On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells <[email protected]> wrote:
>> That's correct. Apparently it's unable to use the Kerberos credential to
>> utilize that service associated with the server.
>> Have you examined the keytab itself? Read it in and see what's inside of
>> it.
>>
>> On Fri, Oct 7, 2016, 12:20 Fil Di Noto <[email protected]> wrote:
>>>
>>> I'm trying to interpret these log messages. It seems like server ipa03
>>> has no principal for the DNS service and is not able to replicate LDAP
>>> to the other 3 IPA servers. If that is correct:
>>>
>>> 1. Is "DNS" the service principal it should be using?
>>> 2. How do I correct this?
>>> (what concerns me is that ipa03 is the server I designated as
>>> the server where administrative changes are made in case manual
>>> replication is needed)
>>>
>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to the LDAP server was lost
>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/[email protected])
>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl will reconnect in 60 seconds
>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to the LDAP server was lost
>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/[email protected])
>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl will reconnect in 60 seconds
>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to the LDAP server was lost
>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/[email protected])
>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl will reconnect in 60 seconds
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>> --
>> Matt Wells
>> Chief Systems Architect
>> RHCA II, RHCVA - #110-000-353
>> (702) 808-0424
>> [email protected]
>> Las Vegas | Phoenix | Portland Mosaic451.com
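The thread turns on two separate checks: reading the keytab correctly (`klist` needs `-k`, otherwise it treats the path as a credential cache and reports "Bad format in credentials cache"), and confirming that the keytab actually holds a key for the exact principal named in the log ("Keytab contains no suitable keys for DNS/..."). The following script is an added example written for this thread, not FreeIPA project code. It parses `klist -kt` output, pulls the principal and keytab path out of a named-pkcs11 log line, checks whether a matching key exists, and checks that the file mode grants access to the owner only (0400 and 0600 both pass that test, so the mode check alone cannot explain the error). The `klist` output and log line embedded in it are constructed, and the realm EXAMPLE.COM is an assumption; the thread only shows the example.com domain.

```python
import re
import subprocess

# Constructed sample of `klist -kt /etc/named.keytab` output. Realm EXAMPLE.COM
# is assumed. The keytab deliberately holds keys for ipa02 and ipa04 but not
# ipa03, reproducing the "no suitable keys for DNS/ipa03" symptom from the log.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/01/2016 09:12:33 DNS/ipa02.example.com@EXAMPLE.COM
   2 10/01/2016 09:12:33 DNS/ipa04.example.com@EXAMPLE.COM
"""

# Constructed log line in the shape named-pkcs11 emits in the thread.
SAMPLE_LOG = ("Oct  7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get "
              "initial credentials (TGT) using principal 'DNS/ipa03.example.com' and "
              "keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for "
              "DNS/ipa03.example.com@EXAMPLE.COM)")

LOG_RE = re.compile(r"using principal '(?P<princ>[^']+)' and keytab 'FILE:(?P<path>[^']+)'")


def principal_from_log(line):
    """Return (principal, keytab path) from a TGT-failure log line, or None."""
    m = LOG_RE.search(line)
    return (m.group("princ"), m.group("path")) if m else None


def parse_klist(text):
    """Parse `klist -kt` output into {principal: [kvno, ...]}."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        # Entry rows start with a numeric KVNO and end with principal@REALM;
        # the header and the dashed separator line do not match this shape.
        if len(fields) >= 2 and fields[0].isdigit() and "@" in fields[-1]:
            keys.setdefault(fields[-1], []).append(int(fields[0]))
    return keys


def has_key_for(keys, principal):
    """True if the keytab holds a key whose name (ignoring realm) matches."""
    wanted = principal.split("@", 1)[0]
    return any(p.split("@", 1)[0] == wanted for p in keys)


def owner_only(mode):
    """True if the mode grants no group/other access (0400 and 0600 both qualify)."""
    return (mode & 0o077) == 0


def read_keytab(path):
    """Run klist -kt on a real keytab file (the -k flag selects keytab mode)."""
    out = subprocess.run(["klist", "-kt", path], capture_output=True, text=True, check=True)
    return parse_klist(out.stdout)


def diagnose(log_line, klist_text, mode):
    """Combine the checks into one verdict string for the principal in the log line."""
    princ, path = principal_from_log(log_line)
    keys = parse_klist(klist_text)
    if not has_key_for(keys, princ):
        return f"missing: {path} has no key for {princ} (present: {sorted(keys)})"
    if not owner_only(mode):
        return f"mode: {path} is {oct(mode & 0o777)}, group/other can read the key"
    return f"ok: {path} holds a key for {princ}"


if __name__ == "__main__":
    # Against the constructed sample this reports the missing ipa03 key.
    print(diagnose(SAMPLE_LOG, SAMPLE_KLIST, 0o400))
```

On a live server, `read_keytab("/etc/named.keytab")` replaces the sample text and `os.stat(path).st_mode` supplies the mode; the realm comparison is deliberately loose so that a log line that names the principal without a realm still matches the keytab entry.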
