On Mon, 14 Nov 2011, Rich Megginson wrote:
> >replaced EXAMPLE-COM above and re-replaced it in the output below):
> >
> >[root@fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants
> >total 0
> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@EXAMPLE-COM.service ->
> >/etc/systemd/system/dirsrv@.service
> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@PKI-IPA.service ->
> >/etc/systemd/system/dirsrv@.service
> >[root@fileserver1 ~]# systemctl status dirsrv.service
> >dirsrv.service
> >           Loaded: error (Reason: No such file or directory)
> >           Active: inactive (dead)
> Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ
Yes, the target is dirsrv.target, not dirsrv.service, while instances 
are dirsrv@NAME.service. That is life.

systemctl start dirsrv.target

now would bring both instances up -- once you solve the 
Kerberos credentials access.

> >[root@fileserver1 ~]#
> >
> >My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains:
> >
> >[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial
> >credentials for principal [ldap/fileserver1.example....@example.com]
> >in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
> >[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error:
> >could not perform interactive bind for id [] mech [GSSAPI]: error -2
> >(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> >GSS failure.  Minor code may provide more information (Credentials
> >cache file '/tmp/krb5cc_494' not found))
> >[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not
> >perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> >error)
> >
> >And the permissions on /etc/krb5.keytab:
> >
> >[root@fileserver1 ~]# ls -Z /etc/krb5.keytab
> >-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
> Right - directory server usually runs as dirsrv:dirsrv not root:root
> - not sure what is responsible for ensuring the krb5.keytab is owned
> by the dirsrv user.
It should be /etc/dirsrv/ds.keytab, not /etc/krb5.keytab. Could you 
please show your /etc/sysconfig/dirsrv? KRB5_KTNAME there should point 
to /etc/dirsrv/ds.keytab and, as you have an installation that worked 
before, the keytab should be in place already and with proper 
ownership (dirsrv:dirsrv).

Dan, could you please file a bug against freeipa in Fedora 16 to ask 
about the upgrade from Fedora 15? I'll then work out the script and how to use 
it. I'm not sure it will be possible to use it in %post for upgrades 
but at least running it after yum upgrade would be possible.
-- 
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
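
Added example, not part of the original message and not FreeIPA code: a check for the condition discussed in the thread, that KRB5_KTNAME in the sysconfig file names a keytab owned by the service account (dirsrv:dirsrv). The function names and the rule that the keytab carries no group/other permission bits are assumptions of this example.

```bash
#!/bin/bash
# Added example, not FreeIPA code. Function names are hypothetical.

# Print the keytab path that KRB5_KTNAME is set to in a sysconfig-style file.
# The last assignment wins; "export", quotes and a FILE:/WRFILE: prefix are stripped.
keytab_from_sysconfig() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=//p' "$1" |
        tail -n 1 | tr -d "\"'" | sed -E 's/^(WR)?FILE://; s/[[:space:]]+$//'
}

# check_keytab SYSCONFIG [USER] [GROUP]
# Returns 0 if the keytab named in SYSCONFIG exists, is owned by USER:GROUP
# (default dirsrv:dirsrv) and has no group/other permission bits (assumed policy).
check_keytab() {
    local conf=$1 user=${2:-dirsrv} group=${3:-dirsrv} kt owner mode
    kt=$(keytab_from_sysconfig "$conf")
    if [ -z "$kt" ]; then
        echo "KRB5_KTNAME is not set in $conf"
        return 2
    fi
    if [ ! -f "$kt" ]; then
        echo "keytab $kt does not exist"
        return 3
    fi
    owner=$(stat -c '%U:%G' "$kt")   # GNU stat syntax
    mode=$(stat -c '%a' "$kt")
    if [ "$owner" != "$user:$group" ]; then
        echo "keytab $kt is owned by $owner, expected $user:$group"
        return 4
    fi
    case $mode in
        *00) ;;                      # octal mode with group/other digits clear
        *) echo "keytab $kt has mode $mode; group/other bits should be clear"
           return 5 ;;
    esac
    echo "OK: $kt is owned by $owner with mode $mode"
}

# Run the check when the script is given a sysconfig path as its argument.
if [ "$#" -gt 0 ]; then
    check_keytab "$@"
fi
```

Saved as a script, it takes the sysconfig path as its argument, for example /etc/sysconfig/dirsrv, and the exit status distinguishes an unset variable (2), a missing keytab (3), wrong ownership (4) and loose permissions (5).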
