Re: [Freeipa-users] RHEL 6.4, IPA 3.0 and bind-chroot
On 23.2.2013 23:01, Dale Macartney wrote:
> On 02/23/2013 09:47 PM, Dmitri Pal wrote:
>> On 02/23/2013 12:48 PM, Dale Macartney wrote:
>>> Hi all
>>>
>>> I've just performed a clean IPA installation and noticed that if you're
>>> using integrated DNS, you are still unable to use bind in a chrooted
>>> environment with a default IPA install. Basically if it's a chrooted
>>> environment, named will fail to start.
>>>
>>> To replicate what I've done, do the following.
>>>
>>> # yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
>>> # ipa-server-install --setup-dns (do your usual thing here)
>>>
>>> From what I've been testing, there needs to be quite a few libraries
>>> located in the chroot environment. I've done the below to get a little
>>> further (I should probably use symbolic links, but for now copying the
>>> files is a start).
>>>
>>> mkdir /var/named/chroot/lib64/
>>> cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
>>> cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
>>> cp /lib64/libplds4.so /var/named/chroot/lib64/
>>> cp /lib64/libplc4.so /var/named/chroot/lib64/
>>> cp /lib64/libnspr4.so /var/named/chroot/lib64/
>>> cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
>>> cp /lib64/libfreebl3.so /var/named/chroot/lib64/
>>>
>>> mkdir /var/named/chroot/usr/lib64/
>>> cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
>>> cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
>>> cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
>>> cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
>>> cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/
>>>
>>> Now when I restart named, I get the below error in /var/log/messages.
>>> Does anyone have any ideas of the best way to get around this error?
>>>
>>> Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name DNS/ds01.example.com (Configuration file does not specify default realm)
>>
>> It should be DNS/ds01.example.com@YOURREALMNAME.SOMETHING
>
> oh of course.. what a face palm moment.
>
> Where does the default ipa installation put the DNS keytab file?
> I did notice an /etc/named.keytab was present, but placing that in
> /var/named/chroot/etc didn't seem to improve matters.

I wrote a short how-to:
http://freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot

In my RHEL 6.4 test environment it worked, but it is a bit hackish.
Any improvements are welcome!

>> I do not know the exact reason but it might be that bind ldap driver
>> can't locate its kerberos configuration. I hope it will give you a hint
>> and unblock you before the real masters of DNS chime in.
>
> I know this has been a rather long lasting rfe/bug/however you want to
> label it. https://fedorahosted.org/freeipa/ticket/126
>
> If I make any progress I'll let the team know.

-- 
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] RHEL 6.4, IPA 3.0 and bind-chroot
Hi all

I've just performed a clean IPA installation and noticed that if you're
using integrated DNS, you are still unable to use bind in a chrooted
environment with a default IPA install. Basically if it's a chrooted
environment, named will fail to start.

To replicate what I've done, do the following.

# yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
# ipa-server-install --setup-dns (do your usual thing here)

From what I've been testing, there needs to be quite a few libraries
located in the chroot environment. I've done the below to get a little
further (I should probably use symbolic links, but for now copying the
files is a start).

mkdir /var/named/chroot/lib64/
cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
cp /lib64/libplds4.so /var/named/chroot/lib64/
cp /lib64/libplc4.so /var/named/chroot/lib64/
cp /lib64/libnspr4.so /var/named/chroot/lib64/
cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
cp /lib64/libfreebl3.so /var/named/chroot/lib64/

mkdir /var/named/chroot/usr/lib64/
cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/

Now when I restart named, I get the below error in /var/log/messages.
Does anyone have any ideas of the best way to get around this error?

Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name DNS/ds01.example.com (Configuration file does not specify default realm)

Thanks folks.

Dale
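As an added example (not code from the thread or from the FreeIPA how-to), a small POSIX shell script that derives the library list from ldd instead of hand-maintaining the cp commands above, and mirrors each file into the chroot at its own path; the chroot path /var/named/chroot is the one used in the post, while the plugin path /usr/lib64/bind/ldap.so in the closing comment is an assumption about where bind-dyndb-ldap installs on this platform.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA how-to): derive the
# shared-library list for the chroot from ldd output instead of a
# hand-written set of cp commands, and mirror each file into the chroot.
CHROOT="${CHROOT:-/var/named/chroot}"   # path used in the original post

# Read ldd output on stdin and print one absolute library path per line.
# Handles "libX.so => /path/libX.so (0x..)" and bare "/lib64/ld-*.so (0x..)"
# lines; skips the vDSO pseudo-entry and anything reported "not found".
deps_from_ldd() {
    awk '/not found/ { next }
         { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Copy every path read from stdin to "$1" + path, creating directories as
# needed. Real copies rather than symlinks: a symlink to a target outside
# the chroot dangles once named has chrooted. -p keeps mode and timestamps.
mirror_into_chroot() {
    root="$1"
    while IFS= read -r path; do
        if [ ! -f "$path" ]; then
            echo "skip: $path not present on host" >&2
            continue
        fi
        mkdir -p "$root$(dirname "$path")"
        cp -p "$path" "$root$path"
    done
}

# Mirror the dependencies of one ELF object (plugin, library or binary).
mirror_deps() {
    ldd "$1" | deps_from_ldd | mirror_into_chroot "${2:-$CHROOT}"
}

# Typical use (assumption: bind-dyndb-ldap installs its plugin as
# /usr/lib64/bind/ldap.so on this platform):
#   mirror_deps /usr/lib64/bind/ldap.so
# "Configuration file does not specify default realm" is libkrb5 failing to
# find a krb5.conf inside the chroot, so mirror the Kerberos config as well:
#   printf '%s\n' /etc/krb5.conf | mirror_into_chroot "$CHROOT"
```

Run it as the user that owns the chroot and re-run it after any update of the packages whose libraries it copied, since the copies do not follow host upgrades.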
Re: [Freeipa-users] RHEL 6.4, IPA 3.0 and bind-chroot
On 02/23/2013 12:48 PM, Dale Macartney wrote:
> Hi all
>
> I've just performed a clean IPA installation and noticed that if you're
> using integrated DNS, you are still unable to use bind in a chrooted
> environment with a default IPA install. Basically if it's a chrooted
> environment, named will fail to start.
>
> To replicate what I've done, do the following.
>
> # yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
> # ipa-server-install --setup-dns (do your usual thing here)
>
> From what I've been testing, there needs to be quite a few libraries
> located in the chroot environment. I've done the below to get a little
> further (I should probably use symbolic links, but for now copying the
> files is a start).
>
> mkdir /var/named/chroot/lib64/
> cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
> cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
> cp /lib64/libplds4.so /var/named/chroot/lib64/
> cp /lib64/libplc4.so /var/named/chroot/lib64/
> cp /lib64/libnspr4.so /var/named/chroot/lib64/
> cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
> cp /lib64/libfreebl3.so /var/named/chroot/lib64/
>
> mkdir /var/named/chroot/usr/lib64/
> cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
> cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
> cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
> cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
> cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/
>
> Now when I restart named, I get the below error in /var/log/messages.
> Does anyone have any ideas of the best way to get around this error?
>
> Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name DNS/ds01.example.com (Configuration file does not specify default realm)

It should be DNS/ds01.example.com@YOURREALMNAME.SOMETHING

I do not know the exact reason but it might be that bind ldap driver
can't locate its kerberos configuration. I hope it will give you a hint
and unblock you before the real masters of DNS chime in.

> Thanks folks.
>
> Dale

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/