On Mon, Nov 14, 2011 at 15:50, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 14 Nov 2011, Rich Megginson wrote:
>> >replaced EXAMPLE-COM above and re-replaced it in the output below):
>> >[root@fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants
>> >total 0
>> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@EXAMPLE-COM.service ->
>> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@PKI-IPA.service ->
>> >[root@fileserver1 ~]# systemctl status dirsrv.service
>> > Loaded: error (Reason: No such file or directory)
>> > Active: inactive (dead)
>> Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ
> Yes, the target is dirsrv.target, not dirsrv.service, while instances
> are dirsrv@NAME.service. That is life.
:) Nice and consistent with other 'services'. Do you know if it's
possible for 'systemctl status dirsrv.service' to return nothing,
instead of saying that it's dead? This would help reduce the
> systemctl start dirsrv.target
> now would bring both instances up -- when you'll solve
> kerberos credentials access.
>> >[root@fileserver1 ~]#
>> >My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains:
>> >[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial
>> >credentials for principal [ldap/fileserver1.example....@example.com]
>> >in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
>> >[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error:
>> >could not perform interactive bind for id  mech [GSSAPI]: error -2
>> >(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> >GSS failure. Minor code may provide more information (Credentials
>> >cache file '/tmp/krb5cc_494' not found))
>> >[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not
>> >perform interactive bind for id  mech [GSSAPI]: error -2 (Local
>> >And the permissions on /etc/krb5.keytab:
>> >[root@fileserver1 ~]# ls -Z /etc/krb5.keytab
>> >-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0
>> Right - directory server usually runs as dirsrv:dirsrv not root:root
>> - not sure what is responsible for ensuring the krb5.keytab is owned
>> by the dirsrv user.
> It should be /etc/dirsrv/ds.keytab, not /etc/krb5.keytab. Could you
> please show your /etc/sysconfig/dirsrv? KRB5_KTNAME there should point
> to /etc/dirsrv/ds.keytab and as you have installation that worked
> before, the keytab should be in place already and with proper
> ownership (dirsrv:dirsrv).
Thanks. I'd just figured this out and fixed my /etc/sysconfig/dirsrv
file. The two servers seem to be working and syncing now.
I've run into something else now though:
djscott@pc35:~$ ipa host-del pc60
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)
Could this be related? Or should I start a new thread to try and solve it?
> Dan, could you please file a bug against freeipa in Fedora 16 to ask
> about upgrade from Fedora 15. I'll then work out the script and how to use
> it. I'm not sure it will be possible to use it in %post for upgrades
> but at least running it after yum upgrade would be possible.
Sure, will do.
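The keytab problem above (dirsrv starting with KRB5_KTNAME pointing at a root-owned /etc/krb5.keytab instead of /etc/dirsrv/ds.keytab) is easy to check for before restarting the service. The following script is an added example written for this thread, not code from the list posters or from FreeIPA: it reads KRB5_KTNAME from a sysconfig file and verifies that the named keytab exists with the expected owner and mode 0600. The sysconfig path and the expected `user:group` are parameters so it can be run against any host; it assumes GNU `stat` and `sed -E`.

```shell
#!/bin/sh
# check_dirsrv_keytab SYSCONFIG_FILE USER:GROUP
#   Parses KRB5_KTNAME from the sysconfig file (e.g. /etc/sysconfig/dirsrv)
#   and checks that the keytab exists, is owned by USER:GROUP (normally
#   dirsrv:dirsrv) and has mode 0600. Returns 0 on success, 1 on failure,
#   printing the reason. Assumes GNU stat and sed -E (hypothetical helper).
check_dirsrv_keytab() {
    sysconfig=$1
    expected=$2
    [ -r "$sysconfig" ] || { echo "cannot read $sysconfig"; return 1; }

    # Take the last KRB5_KTNAME assignment, allowing an optional "export"
    # prefix, and strip surrounding quotes.
    ktname=$(sed -nE 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=//p' \
                 "$sysconfig" | tail -n 1 | tr -d "\"'")
    [ -n "$ktname" ] || { echo "KRB5_KTNAME not set in $sysconfig"; return 1; }

    # krb5 accepts an optional FILE: or WRFILE: prefix on keytab names.
    path=${ktname#WRFILE:}
    path=${path#FILE:}
    [ -f "$path" ] || { echo "keytab $path does not exist"; return 1; }

    # Owner, group and octal mode of the keytab.
    actual=$(stat -c '%U:%G %a' "$path")
    case $actual in
        "$expected 600")
            echo "ok: $path is $expected mode 0600"
            return 0 ;;
        *)
            echo "keytab $path is $actual, expected $expected 600"
            return 1 ;;
    esac
}

# Stand-alone use: check_dirsrv_keytab /etc/sysconfig/dirsrv dirsrv:dirsrv
if [ "$#" -eq 2 ]; then
    check_dirsrv_keytab "$1" "$2"
fi
```

A non-zero exit means dirsrv would hit the same "Permission denied" / "Credentials cache file not found" errors quoted above when it tries to get its Kerberos credentials.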
Freeipa-users mailing list