Bug 1432149 - sasl external binds fail in 1.3.6.1
Summary: sasl external binds fail in 1.3.6.1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: mreynolds
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Duplicates: 1436623
Depends On: 1404409
Blocks: 1403352 1430250
Reported: 2017-03-14 16:09 UTC by mreynolds
Modified: 2017-08-01 21:14 UTC (History)

Fixed In Version: 389-ds-base-1.3.6.1-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1404409
Environment:
Last Closed: 2017-08-01 21:14:10 UTC
Target Upstream Version:
Embargoed:

Links
System                 | ID             | Private | Priority | Status       | Summary                                    | Last Updated
Red Hat Product Errata | RHBA-2017:2086 | 0       | normal   | SHIPPED_LIVE | 389-ds-base bug fix and enhancement update | 2017-08-01 18:37:38 UTC

Comment 6 Petr Vobornik 2017-04-20 15:13:01 UTC
*** Bug 1436623 has been marked as a duplicate of this bug. ***

Comment 7 Sankar Ramalingam 2017-05-16 01:34:20 UTC
I followed the steps given in comment #0, but couldn't proceed after IPA server installation.

On a clean system, I did:
1). Install IPA server and ipa-server-dns packages
2). Configured IPA server for the default values.
3). Copied named.conf file as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1404409#c6
4). Ran ipa-dns-install --auto-forwarders
This is failing...
Checking DNS domain lab.eng.bos.redhat.com., please wait ...
Unexpected error - see /var/log/ipaserver-install.log for details:
ValueError: DNS zone lab.eng.bos.redhat.com. already exists in DNS and is handled by server(s): ns1.eng.tlv.redhat.com., ns1.eng.blr.redhat.com., dns.engineering.redhat.com., ns1.eng.brq.redhat.com., ns1.app.eng.bos.redhat.com., ns1.eng.pek2.redhat.com., ns1.eng.bne.redhat.com.

Am I following the right steps? Is there a way this can be directly verified with 389-ds-base alone setup?

Comment 8 Adam Williamson 2017-05-16 01:50:34 UTC
You can't set up your test server to be the DNS server for a domain that already *has* a DNS server. You should use a VM and give it a non-redhat.com domain name; I usually use the host names ipa001.domain.local (for the server) and client001.domain.local (for the client).

Comment 9 Sankar Ramalingam 2017-06-15 16:43:53 UTC
Thanks Williamson for your input. I installed IPA server and client using the beaker job - https://beaker.engineering.redhat.com/jobs/1906686

After the successful IPA server/client installation, I ran the ipa-dns-install command successfully:
ipa-dns-install --auto-forwarders

bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI |grep -i "dn: " |wc -l
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
782
bash-4.2$ kdestroy -A

bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI |grep -i "dn: " |wc -l
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:25))
0


bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:25))

bash-4.2$ kinit 
kinit: Client 'named' not found in Kerberos database while getting initial credentials
bash-4.2$ kinit admin
Password for admin: 

bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI |grep -i "dn: " |wc -l
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
782
bash-4.2$ kdestroy -A
bash-4.2$ ldapsearch -h $(hostname) -Y GSSAPI |grep -i "dn: " |wc -l
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:25))
0


Consistent error messages about missing Kerberos credentials when there are no Kerberos credentials available. There is also no "Can't contact LDAP server (-1)" error message.

Consistent results for ldapsearch after running kinit and kdestroy. So, SASL external bind works fine. Hence, marking the bug as Verified.

[root@vm-idm-007 ~]# rpm -qa |grep -i 389-ds
389-ds-base-1.3.6.1-16.el7.x86_64
389-ds-base-debuginfo-1.3.6.1-16.el7.x86_64
389-ds-base-libs-1.3.6.1-16.el7.x86_64
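
As an added example (not part of the bug report or of 389-ds-base), a small POSIX shell helper that automates the check above: it classifies the output of an `ldapsearch -Y GSSAPI` run into the three outcomes the verification distinguishes (successful bind with an entry count, the expected "No Kerberos credentials available" failure after kdestroy, and the regression symptom "Can't contact LDAP server (-1)"). The `run_check` helper and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: classify "ldapsearch -Y GSSAPI"
# output so the outcomes seen in the verification are told apart.

# classify_bind_output: read combined stdout+stderr of ldapsearch on stdin and
# print one of: "ok <number of dn: lines>", "no_creds", "unreachable", "unknown".
classify_bind_output() {
    out=$(cat)
    case "$out" in
        *"SASL data security layer installed."*)
            # Bind succeeded: count returned entries, as the "| wc -l" check did
            printf 'ok %s\n' "$(printf '%s\n' "$out" | grep -c '^dn: ')" ;;
        *"No Kerberos credentials available"*)
            echo no_creds ;;        # expected after kdestroy; not a server fault
        *"Can't contact LDAP server"*)
            echo unreachable ;;     # the symptom that must NOT appear
        *)
            echo unknown ;;
    esac
}

# run_check (hypothetical helper): live check against HOST (default: this host).
# Returns non-zero when the bind failed for any reason other than missing creds.
run_check() {
    host=${1:-$(hostname)}
    result=$(ldapsearch -h "$host" -Y GSSAPI 2>&1 | classify_bind_output)
    echo "$result"
    case "$result" in
        ok*|no_creds) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample outputs mirroring the transcripts in the comment above.
SAMPLE_OK='SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
dn: dc=example,dc=test
dn: cn=admin,dc=example,dc=test'
SAMPLE_NOCREDS='SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:25))'
SAMPLE_DOWN="ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)"
```

Run `run_check` once with a ticket from `kinit admin` and once after `kdestroy -A`; the first should print `ok <count>` and the second `no_creds`, while `unreachable` on either run indicates the original failure.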

Comment 10 errata-xmlrpc 2017-08-01 21:14:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086
