Found it. Nothing to do with keytabs or their permissions. It was settings in named.conf (sasl_user) which had the wrong server name.
On Fri, Oct 7, 2016 at 2:05 PM, Fil Di Noto <[email protected]> wrote:
> I forgot to add the -k in the klist command. Actually the keytab looks correct. I noticed the file permissions were 0400 named:named but all other service keytabs I see are 0600. I thought that might be an issue so I tried changing the permissions to 0600 on all the servers but it hasn't changed the result.
>
> Any clue on whether those permissions (0400) are correct? I know folks like to do named like that with chroots and such but that seems wrong to me.
>
> On Fri, Oct 7, 2016 at 1:24 PM, Fil Di Noto <[email protected]> wrote:
>> klist /etc/named.keytab
>> klist: Bad format in credentials cache
>>
>> It's actually like this on all the servers, and I assume it is only showing up in the logs for the 1 server because that is the server where we make changes and it is trying to push changes out to the rest.
>>
>> If it were any other server than an IPA server I would just manually ipa-getkeytab, but since it's also a KDC I'm having doubts about how to proceed. What do you think Matt?
>>
>> On Fri, Oct 7, 2016 at 1:03 PM, Matt Wells <[email protected]> wrote:
>>> That's correct. Apparently it's unable to use the Kerberos credential to utilize that service associated with the server.
>>> Have you examined the keytab itself? Read it in and see what's inside of it.
>>>
>>> On Fri, Oct 7, 2016, 12:20 Fil Di Noto <[email protected]> wrote:
>>>>
>>>> I'm trying to interpret these log messages. It seems like server ipa03 has no principal for the DNS service and is not able to replicate LDAP to the other 3 IPA servers. If that is correct:
>>>>
>>>> 1. Is "DNS" the service principal it should be using?
>>>> 2. How do I correct this?
>>>> (what concerns me is that ipa03 is the server I designated as the server where administrative changes are made in case manual replication is needed)
>>>>
>>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: connection to the LDAP server was lost
>>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/[email protected])
>>>> Oct 7 18:38:47 ipa02.example.com named-pkcs11[4959]: ldap_syncrepl will reconnect in 60 seconds
>>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: connection to the LDAP server was lost
>>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/[email protected])
>>>> Oct 7 18:39:00 ipa04.example.com named-pkcs11[4537]: ldap_syncrepl will reconnect in 60 seconds
>>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: connection to the LDAP server was lost
>>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: Failed to get initial credentials (TGT) using principal 'DNS/ipa03.example.com' and keytab 'FILE:/etc/named.keytab' (Keytab contains no suitable keys for DNS/[email protected])
>>>> Oct 7 18:39:16 ipa01.example.com named-pkcs11[15697]: ldap_syncrepl will reconnect in 60 seconds
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> Matt Wells
>>> Chief Systems Architect
>>> RHCA II, RHCVA - #110-000-353
>>> (702) 808-0424
>>> [email protected]
>>> Las Vegas | Phoenix | Portland Mosaic451.com
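The root cause in this thread was a `sasl_user` principal in named.conf that named the wrong server, and the diagnosis ran through `klist -k` on the keytab. As an added example, not code from the thread or from FreeIPA, here is a small POSIX shell check that pulls the `sasl_user` principal out of named.conf text, confirms its host part matches this host's FQDN, and confirms the `klist -k` output lists that principal; the two named.conf layouts it parses (`arg "sasl_user ..."` and `sasl_user "..."`) are assumed bind-dyndb-ldap forms.

```shell
# Added example: verify named.conf's sasl_user principal belongs to this
# host and is actually present in the named keytab. Inputs are passed as
# text so the check can run against constructed samples or against the
# real output of `cat /etc/named.conf`, `hostname -f` and
# `klist -k /etc/named.keytab`.

# Print the first sasl_user principal found in named.conf text on stdin.
# Assumed layouts: arg "sasl_user DNS/host";  or  sasl_user "DNS/host";
sasl_user_from_conf() {
    sed -n 's/.*sasl_user[ "]*\([^" ;]*\).*/\1/p' | head -n 1
}

# $1 = named.conf text, $2 = this host's FQDN, $3 = `klist -k` output.
# Returns 0 when the principal names this host and has a key in the keytab,
# 1 on a mismatch or missing key, 2 when no sasl_user is configured.
check_named_principal() {
    conf="$1" fqdn="$2" klist_out="$3"
    princ=$(printf '%s\n' "$conf" | sasl_user_from_conf)
    [ -n "$princ" ] || { echo "no sasl_user in named.conf"; return 2; }
    # Principal is service/host; strip the service part.
    host=${princ#*/}
    if [ "$host" != "$fqdn" ]; then
        echo "sasl_user $princ does not match this host ($fqdn)"
        return 1
    fi
    # klist -k prints "KVNO Principal" rows; match "<space>princ@REALM".
    if ! printf '%s\n' "$klist_out" | grep -qF " $princ@"; then
        echo "keytab has no key for $princ (same error named-pkcs11 logs)"
        return 1
    fi
    echo "ok: $princ matches this host and is present in the keytab"
    return 0
}

# Live run on an IPA replica (needs named.conf, hostname and klist):
# check_named_principal "$(cat /etc/named.conf)" "$(hostname -f)" \
#     "$(klist -k /etc/named.keytab)"
```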
