[Freeipa-users] krb5-server-1.9-33.el6_3.3.x86_64 prevents named from starting when selinux is enforcing

Rob Crittenden rcritten at redhat.com
Wed Sep 19 21:05:35 UTC 2012


Sigbjorn Lie wrote:
> On 09/19/2012 10:48 PM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> I noticed an updated krb5-server package today advertising that it's
>>> fixing the issue with slow GSSAPI binds discussed earlier, so I
>>> installed it in my test environment, set SELinux back to enforcing in
>>> /etc/sysconfig/selinux and rebooted.
>>>
>>> The named daemon does not start now. The error below was logged in
>>> /var/log/messages:
>>>
>>> Sep 19 21:54:46 ipa01 named[3712]: GSSAPI Error: Unspecified GSS
>>> failure.  Minor code may provide more information (KDC returned error
>>> string: PROCESS_TGS)
>>>
>>> I am able to start named after setting SELinux to permissive mode
>>> (setenforce 0).
>>>
>>> Then, to verify, I stopped all IPA services (ipactl stop), re-enabled SELinux
>>> (setenforce 1), and started the IPA services (ipactl start). A new error
>>> is logged in /var/log/messages:
>>>
>>> Sep 19 22:00:49 ipa01 named[5918]: bind to LDAP server failed: Invalid
>>> credentials
>>> Sep 19 22:00:49 ipa01 named[5918]: loading configuration: permission
>>> denied
>>> Sep 19 22:00:49 ipa01 named[5918]: exiting (due to fatal error)
>>>
>>>
>>> From the /var/log/krb5kdc.log:
>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client>
>>> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0:
>>> File exists
>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): TGS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.210.20: PROCESS_TGS: authtime 0, <unknown client>
>>> for <unknown server>, Cannot create replay cache file /var/tmp/krbtgt_0:
>>> File exists
>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.210.20: NEEDED_PREAUTH:
>>> DNS/ipa01.ix.test.com at IX.TEST.COM for krbtgt/IX.TEST.COM at IX.TEST.COM,
>>> Additional pre-authentication required
>>> Sep 19 21:54:46 ipa01.ix.test.com krb5kdc[3681](info): AS_REQ (4 etypes
>>> {18 17 16 23}) 192.168.210.20: ISSUE: authtime 1348084486, etypes
>>> {rep=18 tkt=18 ses=18}, DNS/ipa01.ix.test.com at IX.TEST.COM for
>>> krbtgt/IX.TEST.COM at IX.TEST.COM
>>>
>>> /var/named/data/named.run logged nothing.
>>>
>>>
>>>
>>> Any suggestions for how to troubleshoot this issue?
>>
>> Pure guess, but:
>>
>> restorecon /var/tmp/krbtgt_0
>>
>> rob
> Sorry, that did not help. There seems to be a new error in the messages
> file every time I attempt a named restart though. See below for the latest:
>
> Sep 19 23:01:27 ipa01 named[12638]: default realm from krb5.conf
> (IX.TEST.COM) does not match tkey-gssapi-credential (DNS/ipa01.ix.test.com)
> Sep 19 23:01:27 ipa01 named[12638]: configuring TKEY: failure
> Sep 19 23:01:27 ipa01 named[12638]: loading configuration: failure
> Sep 19 23:01:27 ipa01 named[12638]: exiting (due to fatal error)

I'd continue to check /var/log/audit/audit.log for AVCs.

rob
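As an added illustration of the audit-log check suggested above (this is example code written for this page, not code from the thread or from FreeIPA), the following Python script parses AVC records in the standard format found in /var/log/audit/audit.log and groups denials by the denied process, source and target SELinux types, object class and permission. That grouping is what turns a wall of repeated records into a short list of label mismatches to act on (relabel with restorecon, or a policy change), which is the triage step the thread is heading toward. The audit records embedded in the script are constructed for the example and are not the poster's real output; the script name avc_triage.py is assumed.

```python
"""Group SELinux AVC denials from audit.log by process, contexts and permission.

Added example, not code from the thread or from FreeIPA.  Given audit records
in the standard AVC format, it reports which confined process was denied
which permission on which object, so a non-starting service (named,
krb5kdc) can be traced to a specific label mismatch before deciding whether
a relabel (restorecon) or a policy change is the right fix.
"""
import re
import sys
from collections import defaultdict

# Constructed sample records; they are NOT the poster's real audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1348084486.123:901): avc:  denied  { write } for  pid=3681 comm="krb5kdc" name="krbtgt_0" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348084486.123:901): arch=c000003e syscall=2 success=no exit=-13 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=unconfined_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1348084486.456:902): avc:  denied  { write } for  pid=3681 comm="krb5kdc" name="krbtgt_0" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1348084486.789:903): avc:  denied  { read } for  pid=3712 comm="named" name="krb5.keytab" dev=dm-0 ino=5678 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

# Only the AVC record type carries the denial itself; SYSCALL/PATH records
# that share the same serial number are context and are skipped here.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="named") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field (third colon-separated part) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_records(text):
    """Parse AVC lines into dicts; non-AVC records are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {
            "ts": float(m.group("ts")),
            "serial": int(m.group("serial")),
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
        }
        for key, val in FIELD_RE.findall(m.group("fields")):
            rec[key] = val.strip('"')
        records.append(rec)
    return records


def summarize_denials(records):
    """Group denials by (comm, source type, target type, class, permission).

    Returns {key: {"count": n, "names": {object names}}} so that repeated
    denials on the same object (e.g. a replay cache file) collapse to one row.
    """
    summary = defaultdict(lambda: {"count": 0, "names": set()})
    for rec in records:
        if rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (
                rec.get("comm", "?"),
                context_type(rec.get("scontext", "?")),
                context_type(rec.get("tcontext", "?")),
                rec.get("tclass", "?"),
                perm,
            )
            summary[key]["count"] += 1
            if "name" in rec:
                summary[key]["names"].add(rec["name"])
    return dict(summary)


def format_summary(summary):
    """Render one line per denial group, most frequent first."""
    rows = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    lines = []
    for (comm, stype, ttype, tclass, perm), info in rows:
        names = ", ".join(sorted(info["names"])) or "-"
        lines.append(
            f"{info['count']:>4}x  {comm:<10} {stype:<14} -> {ttype:<10} "
            f"{tclass}:{perm}  objects: {names}"
        )
    return lines


if __name__ == "__main__":
    # On a real host pass the log path:  python3 avc_triage.py /var/log/audit/audit.log
    # Without an argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUDIT_LOG
    for line in format_summary(summarize_denials(parse_avc_records(text))):
        print(line)
```

On a live system the same grouping is what `ausearch -m avc` followed by `audit2why` gives you; the point of doing it by hand here is to see that a denial on a `tmp_t`-labelled file under /var/tmp by `krb5kdc_t` is a labelling question (the kind a restorecon addresses), while a denial by `named_t` on a keytab points at the file the service reads during configuration load, which is the stage at which the thread's named was exiting.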