It's an ancient server, and one I'm trying to get us off of, but it's our current primary IPA server on this network and named didn't like its last reboot and is erroring on startup:
[root@ipa1 ~]# systemctl status -l named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled)
   Active: failed (Result: exit-code) since Thu 2021-06-03 12:47:25 EDT; 13min ago
  Process: 1055 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 1053 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)

Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: bind-dyndb-ldap version 6.1 compiled at 17:24:34 Dec 2 2014, compiler 4.9.2 20141101 (Red Hat 4.9.2-1)
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: option 'serial_autoincrement' is not supported, ignoring
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: GSSAPI client step 1
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: GSSAPI client step 1
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: LDAP error: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context: bind to LDAP server failed
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: couldn't establish connection in LDAP connection pool: permission denied
Jun 03 12:47:25 ipa1.our.net systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jun 03 12:47:25 ipa1.our.net systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jun 03 12:47:25 ipa1.our.net systemd[1]: Unit named-pkcs11.service entered failed state.
Jun 03 12:47:25 ipa1.our.net systemd[1]: named-pkcs11.service failed.
One of its replicas is still up and running so I'm not in emergency crisis mode yet.
This server is running Fedora 21 and ipa-server 4.1.4-1.
We got here as I was trying to take this server and replicate it to a C7 box running a more recent ipa-server (4.6.8-5) but couldn't get the replication to work. Along the way, I rebooted the F21 server and it came back in this state.
What should I try next to get it back?
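The journal above says named-checkconf passed and named-pkcs11 itself started, but bind-dyndb-ldap could not complete its GSSAPI bind to the IPA directory server ("Invalid credentials ... GSSAPI Failure", then "permission denied" from the LDAP connection pool). The script below is an added triage aid, not part of the original post or of FreeIPA; it walks the chain that bind causes to fail in the order a practitioner would check it: is dirsrv actually up, can user named read the DNS service keytab, does the keytab hold the DNS/<host> principal, does kinit with it succeed (clock skew and realm problems surface here), and does a hand-made GSSAPI ldapsearch reproduce named's error. The keytab path and LDAP URI are assumptions with FreeIPA-style defaults; the sample journal text is the two decisive lines from the post.

```shell
#!/bin/bash
# Added triage script for a named-pkcs11 / bind-dyndb-ldap start failure.
# Not from the original post. Assumptions (override via environment):
#   KEYTAB   - DNS service keytab that named-pkcs11 reads (assumed path)
#   LDAP_URI - LDAP server named binds to (assumed: this host's dirsrv)
KEYTAB="${KEYTAB:-/etc/named.keytab}"
LDAP_URI="${LDAP_URI:-ldap://$(hostname -f 2>/dev/null || echo localhost)}"

# classify_named_failure: read journal lines from stdin, print one token:
#   gssapi-bind  named got a SASL/GSSAPI failure binding to LDAP (this post)
#   ldap-down    libldap could not reach the server at all
#   ok           no failure signature found
classify_named_failure() {
    local text
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'GSSAPI Failure'; then
        echo gssapi-bind
    elif printf '%s\n' "$text" | grep -q "Can't contact LDAP server"; then
        echo ldap-down
    else
        echo ok
    fi
}

# Constructed sample: the two decisive lines from the post's journal excerpt.
SAMPLE_JOURNAL="Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: LDAP error: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context: bind to LDAP server failed
Jun 03 12:47:25 ipa1.our.net named-pkcs11[1057]: couldn't establish connection in LDAP connection pool: permission denied"

classify_sample() {
    printf '%s\n' "$SAMPLE_JOURNAL" | classify_named_failure
}

# check LABEL CMD...: print PASS/FAIL, never abort the run.
check() {
    local label="$1"; shift
    if "$@" >/dev/null 2>&1; then echo "PASS $label"; else echo "FAIL $label"; fi
}

# live_checks: run as root on the IPA server. Read-only apart from a
# throw-away Kerberos credential cache in a temp file.
live_checks() {
    local host cc
    host=$(hostname -f)
    cc=$(mktemp)
    # 1. named binds to dirsrv; if ipactl has not brought it up yet,
    #    every later step fails, so check it first.
    check "Directory Service running (ipactl status)" \
        sh -c 'ipactl status | grep -q "Directory Service: RUNNING"'
    # 2. named-pkcs11 runs as user named (ExecStart has -u named), so the
    #    keytab must be readable by that user, not just by root.
    check "keytab $KEYTAB readable by user named" \
        su -s /bin/sh named -c "test -r '$KEYTAB'"
    # 3. The keytab must hold the DNS/<host> principal bind-dyndb-ldap uses.
    check "keytab holds DNS/$host" \
        sh -c "klist -kt '$KEYTAB' | grep -q 'DNS/$host'"
    # 4. Get a TGT with it; clock skew or a realm/KDC problem shows up here
    #    ("Clock skew too great", "Cannot find KDC for realm").
    check "kinit DNS/$host from keytab" \
        env KRB5CCNAME="FILE:$cc" kinit -kt "$KEYTAB" "DNS/$host"
    # 5. Repeat the GSSAPI bind named performs. If this fails with the same
    #    "Invalid credentials ... GSSAPI Failure", the problem is the
    #    principal/keytab or the LDAP server's view of it, not named.
    check "GSSAPI bind to $LDAP_URI" \
        env KRB5CCNAME="FILE:$cc" ldapsearch -Y GSSAPI -H "$LDAP_URI" -b '' -s base -LLL
    rm -f "$cc"
}

# Only run the live checks when asked; otherwise just classify the sample.
if [ "${1:-}" = "--live" ]; then
    live_checks
else
    echo "sample journal classified as: $(classify_sample)"
fi
```

Run it as `bash triage.sh --live` on the failing server; a FAIL at step 1 points at service ordering (ipactl starts dirsrv before named, a bare `systemctl start named-pkcs11` does not), a FAIL at 2 or 3 at the keytab, and a FAIL at 4 with a PASS at 3 usually at the clock or krb5.conf.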
In one of those weird things I can only blame on gremlins, time seems to have been the answer. I recently ran "ipactl start" again and it worked.
freeipa-users@lists.fedorahosted.org