On 11/14/2011 01:08 PM, Dan Scott wrote:

On Mon, Nov 14, 2011 at 13:06, Alexander Bokovoy<aboko...@redhat.com>  wrote:
On Mon, 14 Nov 2011, Dan Scott wrote:
In any case, the process is still failing to start. Do I need to
create a link in dirsrv.target.wants to somewhere?
You need to do some steps like ipa-server-install does. I'm trying to
get them separated in a small upgrade script but something like
following needs to be done, completely untested, may eat your kitten,
and realm/dirsrv instance names need to be replaced before running:
#! /usr/bin/python -E
from ipaserver.install.krbinstance import update_val_in_file
from ipapython import ipautil
from ipapython import services as ipaservices

# 1. Upgrade /etc/sysconfig/dirsrv for systemd
update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", 
update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", 
# 2. Upgrade /etc/sysconfig/krb5kdc for systemd
replacevars = {'KRB5REALM':"EXAMPLE.COM"}
appendvars = {}
    replacevars=replacevars, appendvars=appendvars)
# 3. Enable DS instances:
# 4. Enable FreeIPA

Note that these .enable() calls on Fedora 16 do much more than just
'systemctl enable foo.service', they copy and modify service files,
create symlinks and so on, all the dirty work required by systemd.
You may look at ipapython/platform/fedora16.py and systemd.py for
OK, looks like I'm getting there, but there's still a problem (I
replaced EXAMPLE-COM above and re-replaced it in the output below):

[root@fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants
total 0
lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@EXAMPLE-COM.service ->
lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@PKI-IPA.service ->
[root@fileserver1 ~]# systemctl status dirsrv.service
           Loaded: error (Reason: No such file or directory)
           Active: inactive (dead)
Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ
[root@fileserver1 ~]#

My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains:

[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial
credentials for principal [ldap/fileserver1.example....@example.com]
in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_494' not found))
[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local

And the permissions on /etc/krb5.keytab:

[root@fileserver1 ~]# ls -Z /etc/krb5.keytab
-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
Right - directory server usually runs as dirsrv:dirsrv not root:root - not sure what is responsible for ensuring the krb5.keytab is owned by the dirsrv user.
The permissions are the same on my other, replica, IPA server (which
is still Fedora 15). The other message above is correct:
/tmp/krb5cc_494 does not exist.



Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to