In one of those weird things I can only blame on gremlins, time seems to have been the answer. I recently ran "ipactl start" again and it worked.
--
Bret Wortman
bret.wortman@damascusgrp.com
On Thu, Jun 3, 2021, at 1:19 PM, Bret Wortman via FreeIPA-users wrote:
> It's an ancient server, and one I'm trying to get us off of, but it's
> our current primary IPA server on this network and named didn't like
> its last reboot and is erroring on startup:
>
> [root@ipa1 ~]# systemctl status -l named-pkcs11.service
> ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
> Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled)
> Active: failed (Result: exit-code) since Thu 2021-06-03 12:47:25 EDT; 13min ago
> Process: 1055 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
> Process: 1053 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
>
> Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: bind-dyndb-ldap version 6.1 compiled at 17:24:34 Dec 2 2014, compiler 4.9.2 20141101 (Red Hat 4.9.2-1)
> Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: option 'serial_autoincrement' is not supported, ignoring
> Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: GSSAPI client step 1
> Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: GSSAPI client step 1
> Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: LDAP error: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context: bind to LDAP server failed
> Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: couldn't establish connection in LDAP connection pool: permission denied
> Jun 03 12:47:25 ipa1.our.net systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
> Jun 03 12:47:25 ipa1.our.net systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
> Jun 03 12:47:25 ipa1.our.net systemd[1]: Unit named-pkcs11.service entered failed state.
> Jun 03 12:47:25 ipa1.our.net systemd[1]: named-pkcs11.service failed.
>
> One of its replicas is still up and running so I'm not in emergency
> crisis mode yet.
>
> This server is running Fedora 21 and ipa-server 4.1.4-1.
>
> We got here as I was trying to take this server and replicate it to a
> C7 box running a more recent ipa-server (4.6.8-5) but couldn't get the
> replication to work. Along the way, I rebooted the F21 server and it
> came back in this state.
>
> What should I try next to get it back?
>
>
> --
> Bret Wortman
> bret.wortman@damascusgrp.com