On Mon, 14 Nov 2011, Rich Megginson wrote: > >replaced EXAMPLE-COM above and re-replaced it in the output below): > > > >[root@fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants > >total 0 > >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 [email protected] -> > >/etc/systemd/system/[email protected] > >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 [email protected] -> > >/etc/systemd/system/[email protected] > >[root@fileserver1 ~]# systemctl status dirsrv.service > >dirsrv.service > > Loaded: error (Reason: No such file or directory) > > Active: inactive (dead) > Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ Yes, the target is dirsrv.target, not dirsrv.service, while instances are [email protected]. That is life.
systemctl start dirsrv.target now would bring both instances up -- when you'll solve kerberos credentials access. > >[root@fileserver1 ~]# > > > >My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains: > > > >[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial > >credentials for principal [ldap/[email protected]] > >in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied) > >[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error: > >could not perform interactive bind for id [] mech [GSSAPI]: error -2 > >(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >GSS failure. Minor code may provide more information (Credentials > >cache file '/tmp/krb5cc_494' not found)) > >[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not > >perform interactive bind for id [] mech [GSSAPI]: error -2 (Local > >error) > > > >And the permissions on /etc/krb5.keytab: > > > >[root@fileserver1 ~]# ls -Z /etc/krb5.keytab > >-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab > Right - directory server usually runs as dirsrv:dirsrv not root:root > - not sure what is responsible for ensuring the krb5.keytab is owned > by the dirsrv user. It should be /etc/dirsrv/ds.keytab, not /etc/krb5.keytab. Could you please show your /etc/sysconfig/dirsrv? KRB5_KTNAME there should point to /etc/dirsrv/ds.keytab and as you have installation that worked before, the keytab should be in place already and with proper ownership (dirsrv:dirsrv). Dan, could you please file a bug against freeipa in Fedora 16 to ask about upgrade from Fedora 15. I'll then work out the script and how to use it. I'm not sure it will be possible to use it in %post for upgrades but at least running it after yum upgrade would be possible. -- / Alexander Bokovoy _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
