Hi,

On Mon, Nov 14, 2011 at 13:06, Alexander Bokovoy <[email protected]> wrote:
> On Mon, 14 Nov 2011, Dan Scott wrote:
>> In any case, the process is still failing to start. Do I need to
>> create a link in dirsrv.target.wants to somewhere?
> You need to do some steps like ipa-server-install does. I'm trying to
> get them separated in a small upgrade script but something like the
> following needs to be done, completely untested, may eat your kitten,
> and realm/dirsrv instance names need to be replaced before running:
> ----------------------------------------------------------------
> #! /usr/bin/python -E
> from ipaserver.install.krbinstance import update_key_val_in_file
> from ipapython import ipautil
> from ipapython import services as ipaservices
>
> # 1. Upgrade /etc/sysconfig/dirsrv for systemd
> update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME",
>                        "/etc/dirsrv/ds.keytab")
> update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME",
>                        "/etc/dirsrv/ds.keytab")
> # 2. Upgrade /etc/sysconfig/krb5kdc for systemd
> replacevars = {'KRB5REALM':"EXAMPLE.COM"}
> appendvars = {}
> ipautil.config_replace_variables("/etc/sysconfig/krb5kdc",
>     replacevars=replacevars, appendvars=appendvars)
> ipaservices.restore_context("/etc/sysconfig/krb5kdc")
> # 3. Enable DS instances:
> ipaservices.knownservices.dirsrv.enable("EXAMPLE-COM")
> ipaservices.knownservices.dirsrv.enable("PKI-IPA")
> # 4. Enable FreeIPA
> ipaservices.knownservices.ipa.enable()
> -------------------------------------------------------
>
> Note that these .enable() calls on Fedora 16 do much more than just
> 'systemctl enable foo.service', they copy and modify service files,
> create symlinks and so on, all the dirty work required by systemd.
> You may look at ipapython/platform/fedora16.py and systemd.py for
> details.

OK, looks like I'm getting there, but there's still a problem (I
replaced EXAMPLE-COM above and re-replaced it in the output below):

[root@fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants
total 0
lrwxrwxrwx. 1 root root 35 Nov 14 14:49 [email protected] -> /etc/systemd/system/[email protected]
lrwxrwxrwx. 1 root root 35 Nov 14 14:49 [email protected] -> /etc/systemd/system/[email protected]
[root@fileserver1 ~]# systemctl status dirsrv.service
dirsrv.service
          Loaded: error (Reason: No such file or directory)
          Active: inactive (dead)
[root@fileserver1 ~]#

My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains:

[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_494' not found))
[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)

And the permissions on /etc/krb5.keytab:

[root@fileserver1 ~]# ls -Z /etc/krb5.keytab
-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

The permissions are the same on my other, replica, IPA server (which
is still Fedora 15). The other message above is correct:
/tmp/krb5cc_494 does not exist.

Thanks,

Dan

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
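
Added example, not part of the original thread or of FreeIPA's code: a small check that reads the KRB5_KTNAME value the upgrade script writes to /etc/sysconfig/dirsrv and compares it with the keytab named in each set_krb5_creds failure in the dirsrv errors log. The sample file contents, the principal ldap/ipa.example.com@EXAMPLE.COM and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed samples modelled on the files quoted in the thread.
SYSCONFIG = """\
KRB5_KTNAME=/etc/dirsrv/ds.keytab
export KRB5_KTNAME=/etc/dirsrv/ds.keytab
"""
ERRORS_LOG = """\
[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa.example.com@EXAMPLE.COM] in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
"""

CRED_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<principal>[^\]]+)\] in keytab \[(?P<keytab>[^\]]+)\]: "
    r"(?P<code>-?\d+) \((?P<reason>[^)]*)\)")

def configured_keytab(sysconfig_text):
    """Return the last KRB5_KTNAME set in a sysconfig-style file, or None."""
    value = None
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == "KRB5_KTNAME":
            parts = shlex.split(val)  # strips optional shell quoting
            value = parts[0] if parts else ""
    return value

def keytab_failures(log_text, sysconfig_text):
    """List set_krb5_creds failures with the keytab used vs. the one configured."""
    expected = configured_keytab(sysconfig_text)
    findings = []
    for m in CRED_RE.finditer(log_text):
        used = m.group("keytab").split(":", 1)[-1]  # drop FILE:/WRFILE: prefix
        findings.append({"principal": m.group("principal"), "used": used,
                         "expected": expected, "code": int(m.group("code")),
                         "reason": m.group("reason"),
                         "mismatch": expected is not None and used != expected})
    return findings

if __name__ == "__main__":
    for finding in keytab_failures(ERRORS_LOG, SYSCONFIG):
        print(finding)
```

On a real host, pass the contents of /etc/sysconfig/dirsrv and the instance's errors file instead of the constructed strings.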
