Bug 1432149

Summary: sasl external binds fail in 1.3.6.1
Product: Red Hat Enterprise Linux 7
Reporter: mreynolds
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.4
CC: awilliam, extras-qa, mreynolds, mvarun, nhosoi, nkinder, rmeggins, sramling, tkrizek, wibrown
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: 389-ds-base-1.3.6.1-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1404409
Environment:
Last Closed: 2017-08-01 21:14:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1404409
Bug Blocks: 1403352, 1430250

Comment 6 Petr Vobornik 2017-04-20 15:13:01 UTC
*** Bug 1436623 has been marked as a duplicate of this bug. ***

Comment 7 Sankar Ramalingam 2017-05-16 01:34:20 UTC
I followed the steps given in comment #0, but couldn't proceed after IPA server installation.

On a clean system, I did:
1) Install IPA server and ipa-server-dns packages
2) Configured IPA server for the default values.
3) Copied named.conf file as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1404409#c6
4) Ran ipa-dns-install --auto-forwarders
This is failing...
Checking DNS domain lab.eng.bos.redhat.com., please wait ...
Unexpected error - see /var/log/ipaserver-install.log for details:
ValueError: DNS zone lab.eng.bos.redhat.com. already exists in DNS and is handled by server(s): ns1.eng.tlv.redhat.com., ns1.eng.blr.redhat.com., dns.engineering.redhat.com., ns1.eng.brq.redhat.com., ns1.app.eng.bos.redhat.com., ns1.eng.pek2.redhat.com., ns1.eng.bne.redhat.com.

Am I following the right steps? Is there a way this can be directly verified with 389-ds-base alone setup?

Comment 8 Adam Williamson 2017-05-16 01:50:34 UTC
You can't set up your test server to be the DNS server for a domain that already *has* a DNS server. You should use a VM and give it a non-redhat.com domain name; I usually use the host names ipa001.domain.local (for the server) and client001.domain.local (for the client).

Comment 9 Sankar Ramalingam 2017-06-15 16:43:53 UTC
Thanks Williamson for your input. I installed IPA server and client using the beaker job - https://beaker.engineering.redhat.com/jobs/1906686

After successful IPA server/client installation, then I ran ipa-dns-install command successfully.
ipa-dns-install --auto-forwarders

bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI |grep -i "dn: " |wc -l
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
782
bash-4.2$ kdestroy -A

bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI |grep -i "dn: " |wc -l
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:25))
0


bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:25))

bash-4.2$ kinit 
kinit: Client 'named' not found in Kerberos database while getting initial credentials
bash-4.2$ kinit admin
Password for admin: 

bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI |grep -i "dn: " |wc -l
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
782
bash-4.2$ kdestroy -A
bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI |grep -i "dn: " |wc -l
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:25))
0


Consistent "no Kerberos credentials" error messages when there are no Kerberos credentials available. There is also no "Can't contact LDAP server (-1)" error message.

Consistent results for ldapsearch after running kinit and kdestroy. So, SASL external bind works fine. Hence, marking the bug as Verified.

[root@vm-idm-007 ~]# rpm -qa |grep -i 389-ds
389-ds-base-1.3.6.1-16.el7.x86_64
389-ds-base-debuginfo-1.3.6.1-16.el7.x86_64
389-ds-base-libs-1.3.6.1-16.el7.x86_64
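The verification cycle from comment 9 written up as a script; this is an added example, not code from the bug report or from 389-ds-base. The host, the principal (`admin`) and the three sample outputs are assumptions or constructed samples, not captures from a real server.

```bash
#!/bin/bash
# Added example, not part of the bug report: the manual check from
# comment 9 as a script. A GSSAPI bind must succeed with a ticket,
# must fail with "No Kerberos credentials available" without one,
# and must never yield "Can't contact LDAP server (-1)", the
# signature of the original bug.

# Classify one `ldapsearch -Y GSSAPI` run from its combined stdout+stderr.
# Prints "ok <entries>", "no-creds", "server-error" or "unknown".
classify_gssapi_bind() {
    case "$1" in
        *"Can't contact LDAP server"*)         echo "server-error"; return 1 ;;
        *"No Kerberos credentials available"*) echo "no-creds";     return 2 ;;
        *"SASL data security layer installed."*)
            n=$(printf '%s\n' "$1" | grep -ci '^dn: ' || true)
            echo "ok $n"; return 0 ;;
        *)                                     echo "unknown";      return 3 ;;
    esac
}

# kinit/kdestroy cycle against a live server: host in $1, principal in $2
# (default admin); kinit prompts for the password. Returns 0 only when
# both halves behave as comment 9 expects. Not exercised offline.
verify_cycle() {
    host="$1"; princ="${2:-admin}"
    kinit "$princ" || return 1
    r1=$(classify_gssapi_bind "$(ldapsearch -h "$host" -Y GSSAPI 2>&1 || true)" || true)
    kdestroy -A
    r2=$(classify_gssapi_bind "$(ldapsearch -h "$host" -Y GSSAPI 2>&1 || true)" || true)
    echo "with ticket: $r1 / without ticket: $r2"
    case "$r1" in ok*) ;; *) return 1 ;; esac
    [ "$r2" = "no-creds" ]
}

# Constructed samples (not captured from a real server) for an offline dry run.
SAMPLE_OK='SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
dn: dc=example,dc=test
dn: cn=admin,dc=example,dc=test'
SAMPLE_NOCREDS='SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:25))'
SAMPLE_BUG="SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)"
for s in "$SAMPLE_OK" "$SAMPLE_NOCREDS" "$SAMPLE_BUG"; do
    classify_gssapi_bind "$s" || true
done
```

Run `verify_cycle ipa001.domain.local admin` on the IPA server itself to repeat the live check; the dry run at the bottom only exercises the classifier.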

Comment 10 errata-xmlrpc 2017-08-01 21:14:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086