On Mon, Nov 14, 2011 at 13:06, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 14 Nov 2011, Dan Scott wrote:
>> In any case, the process is still failing to start. Do I need to
>> create a link in dirsrv.target.wants to somewhere?
> You need to do some steps like ipa-server-install does. I'm trying to
> get them separated in a small upgrade script but something like
> following needs to be done, completely untested, may eat your kitten,
> and realm/dirsrv instance names need to be replaced before running:
> ----------------------------------------------------------------
> #! /usr/bin/python -E
> # The helper is named update_key_val_in_file; the import has to match the calls below.
> from ipaserver.install.krbinstance import update_key_val_in_file
> from ipapython import ipautil
> from ipapython import services as ipaservices
> # 1. Upgrade /etc/sysconfig/dirsrv for systemd
> update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME",
>                        "/etc/dirsrv/ds.keytab")
> update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME",
>                        "/etc/dirsrv/ds.keytab")
> # 2. Upgrade /etc/sysconfig/krb5kdc for systemd
> replacevars = {'KRB5REALM': "EXAMPLE.COM"}
> appendvars = {}
> ipautil.config_replace_variables("/etc/sysconfig/krb5kdc",
>                                  replacevars=replacevars, appendvars=appendvars)
> ipaservices.restore_context("/etc/sysconfig/krb5kdc")
> # 3. Enable DS instances:
> ipaservices.knownservices.dirsrv.enable("EXAMPLE-COM")
> ipaservices.knownservices.dirsrv.enable("PKI-IPA")
> # 4. Enable FreeIPA
> ipaservices.knownservices.ipa.enable()
> -------------------------------------------------------
> Note that these .enable() calls on Fedora 16 do much more than just
> 'systemctl enable foo.service', they copy and modify service files,
> create symlinks and so on, all the dirty work required by systemd.
> You may look at ipapython/platform/fedora16.py and systemd.py for
> details.

OK, looks like I'm getting there, but there's still a problem (I
replaced EXAMPLE-COM above and re-replaced it in the output below):

[root@fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants
total 0
lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@EXAMPLE-COM.service ->
lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@PKI-IPA.service ->
[root@fileserver1 ~]# systemctl status dirsrv.service
          Loaded: error (Reason: No such file or directory)
          Active: inactive (dead)
[root@fileserver1 ~]#

My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains:

[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial
credentials for principal [ldap/fileserver1.example....@example.com]
in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_494' not found))
[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local

And the permissions on /etc/krb5.keytab:

[root@fileserver1 ~]# ls -Z /etc/krb5.keytab
-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab

The permissions are the same on my other, replica, IPA server (which
is still Fedora 15). The other message above is correct:
/tmp/krb5cc_494 does not exist.
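The errors log above shows the directory server opening /etc/krb5.keytab, a root-only 0600 file, rather than a keytab its own service account can read. The script below is an added example, not code from this thread or from FreeIPA: it reads the KRB5_KTNAME setting the way a sysconfig file would supply it, falls back to libkrb5's default keytab when the variable is absent, and checks the POSIX mode bits against the service account. It assumes the dirsrv user runs as uid/gid 494 (inferred from the /tmp/krb5cc_494 cache name, which is not confirmed on the page), uses constructed sysconfig contents and a fake stat table in place of the live filesystem, and only covers mode bits; the SELinux label on the keytab can still deny access when the mode bits would allow it.

```python
import os
import re
import stat

# libkrb5 opens this keytab when KRB5_KTNAME is not in the process environment.
DEFAULT_KEYTAB = "/etc/krb5.keytab"

# Assumption: the dirsrv service account is uid/gid 494 (inferred from the
# /tmp/krb5cc_494 cache name in the log; the page does not state it).
DIRSRV_UID = 494
DIRSRV_GID = 494

# Matches both "KRB5_KTNAME=..." and "export KRB5_KTNAME=..." lines.
_KTNAME_RE = re.compile(r'^\s*(?:export\s+)?KRB5_KTNAME\s*=\s*(.*?)\s*$')


def keytab_from_sysconfig(text):
    """Return the keytab path a sysconfig file hands to the service, or
    DEFAULT_KEYTAB when no KRB5_KTNAME assignment is present. The last
    assignment wins, surrounding quotes and a FILE:/WRFILE: prefix are dropped."""
    path = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _KTNAME_RE.match(line)
        if m:
            path = m.group(1).strip('"\'')
    if path is None:
        return DEFAULT_KEYTAB
    for prefix in ("WRFILE:", "FILE:"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    return path


def readable_by(mode, owner_uid, owner_gid, uid, gid):
    """POSIX mode-bit check: can (uid, gid) read a file with these stat values?
    root always passes here; SELinux is not modelled."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def diagnose(sysconfig_text, uid, gid, stat_fn=os.stat):
    """Report which keytab the service will open and whether the service
    account can read it. stat_fn is injectable so the check can run against
    constructed data; pass os.stat to inspect the real host."""
    keytab = keytab_from_sysconfig(sysconfig_text)
    try:
        st = stat_fn(keytab)
    except FileNotFoundError:
        return {"keytab": keytab, "exists": False, "readable": False}
    ok = readable_by(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gid)
    return {"keytab": keytab, "exists": True, "readable": ok}


# --- constructed sample data (not taken from the thread) -------------------

class _FakeStat:
    def __init__(self, mode, uid, gid):
        self.st_mode = stat.S_IFREG | mode
        self.st_uid = uid
        self.st_gid = gid


# Mirrors the "ls -Z /etc/krb5.keytab" output above (root:root, 0600) and a
# hypothetical /etc/dirsrv/ds.keytab owned by the service account.
_FAKE_FS = {
    "/etc/krb5.keytab": _FakeStat(0o600, 0, 0),
    "/etc/dirsrv/ds.keytab": _FakeStat(0o600, DIRSRV_UID, DIRSRV_GID),
}


def fake_stat(path):
    try:
        return _FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


# Constructed /etc/sysconfig/dirsrv contents: one without KRB5_KTNAME, one with it.
BROKEN_SYSCONFIG = "# dirsrv sysconfig\nULIMIT=8192\n"
FIXED_SYSCONFIG = (
    "# dirsrv sysconfig\n"
    "KRB5_KTNAME=/etc/dirsrv/ds.keytab\n"
    "export KRB5_KTNAME=/etc/dirsrv/ds.keytab\n"
)

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_SYSCONFIG), ("fixed", FIXED_SYSCONFIG)):
        print(label, diagnose(text, DIRSRV_UID, DIRSRV_GID, stat_fn=fake_stat))
```

On a real host, run `diagnose(open("/etc/sysconfig/dirsrv").read(), uid, gid)` with the uid/gid from `id dirsrv`; a result of `/etc/krb5.keytab` with `readable: False` is the mode-bit side of the "13 (Permission denied)" message, while a readable result that still fails in the log points at the SELinux label or the unit's environment instead.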
