Hi,

On Mon, Nov 14, 2011 at 15:50, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 14 Nov 2011, Rich Megginson wrote:
>> >replaced EXAMPLE-COM above and re-replaced it in the output below):
>> >
>> >[root@fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants
>> >total 0
>> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@EXAMPLE-COM.service ->
>> >/etc/systemd/system/dirsrv@.service
>> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@PKI-IPA.service ->
>> >/etc/systemd/system/dirsrv@.service
>> >[root@fileserver1 ~]# systemctl status dirsrv.service
>> >dirsrv.service
>> >           Loaded: error (Reason: No such file or directory)
>> >           Active: inactive (dead)
>> Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ
> Yes, the target is dirsrv.target, not dirsrv.service, while instances
> are dirsrv@NAME.service. That is life.

:) Nice and consistent with other 'services'. Do you know if it's
possible for 'systemctl status dirsrv.service' to return nothing,
instead of saying that it's dead? This would help reduce the
confusion.

> systemctl start dirsrv.target
>
> now would bring both instances up -- when you'll solve
> kerberos credentials access.
>
>> >[root@fileserver1 ~]#
>> >
>> >My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains:
>> >
>> >[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial
>> >credentials for principal [ldap/fileserver1.example....@example.com]
>> >in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
>> >[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error:
>> >could not perform interactive bind for id [] mech [GSSAPI]: error -2
>> >(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> >GSS failure.  Minor code may provide more information (Credentials
>> >cache file '/tmp/krb5cc_494' not found))
>> >[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not
>> >perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
>> >error)
>> >
>> >And the permissions on /etc/krb5.keytab:
>> >
>> >[root@fileserver1 ~]# ls -Z /etc/krb5.keytab
>> >-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 
>> >/etc/krb5.keytab
>> Right - directory server usually runs as dirsrv:dirsrv not root:root
>> - not sure what is responsible for ensuring the krb5.keytab is owned
>> by the dirsrv user.
> It should be /etc/dirsrv/ds.keytab, not /etc/krb5.keytab. Could you
> please show your /etc/sysconfig/dirsrv? KRB5_KTNAME there should point
> to /etc/dirsrv/ds.keytab and as you have installation that worked
> before, the keytab should be in place already and with proper
> ownership (dirsrv:dirsrv).

Thanks. I'd just figured this out and fixed my /etc/sysconfig/dirsrv
file. The two servers seem to be working and syncing now.

I've run into something else now though:

djscott@pc35:~$ ipa host-del pc60
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

Could this be related? Or should I start a new thread to try and solve it.

> Dan, could you please file a bug against freeipa in Fedora 16 to ask
> about upgrade from Fedora 15. I'll then work out the script and how to use
> it. I'm not sure it will be possible to use it in %post for upgrades
> but at least running it after yum upgrade would be possible.

Sure, will do.

Thanks,

Dan

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to