[Fedora-directory-users] FDS config problem with GSSAPI: No suchfile or directory

Listbox listbox at hymerfania.com
Thu Jan 17 18:41:55 UTC 2008


That was it!
Thanks So Much!
I have FDS 1.1, and

"KRB5_KTNAME=/var/kerberos/krb5kdc/fdirsrv.keytab ; export KRB5_KTNAME"

was already in /etc/sysconfig/dirsrv. Unfortunately, I was trying to put

"export KRB5_KTNAME=/etc/dirsrv/slapd-trixter/fdirsrv.keytab"

in my dirsrv startup script, and that was where the keytab actually
was. But I moved it, and cleaned up the startup script, and it worked. I
don't understand why this did not show up in any of the dirsrv logs, but
I'll take the solution.

Now krb5kdc is reporting a "Clock skew too great" error, which is very
strange; everything is on the same host: krb5kdc, dirsrv, and ldap client.

C.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob
Crittenden
Sent: Thursday, January 17, 2008 9:54 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] FDS config problem with GSSAPI: No
suchfile or directory

Charles Hymes wrote:
> Hi folks,
> I'm having a real hard time debugging this.
> I'm trying to do a new Fedora Directory Server+kerberos install, on a 
> new Fedora 7 box. I can kinit, but I can't get ldapsearch or 
> ldapwhoami to work locally. I thought it was a read problem with the 
> keytab files, but I tried setting KRB5_KTNAME to a keytab file I knew 
> were readable by slapd, and that did not help. I also checked 
> permissions on my certificates, and that seems OK too. ldapsearch -x does
> work, but ldapsearch -Y GSSAPI does not.
> 
> I tried running strace on ldapwhoami, slapd and krb5kdc, but strace 
> does not show which resource is not accessible. Actually I'm surprised 
> that strace does not show any attempts to open the keytabs or anything 
> in /etc/openldap/cacerts...
> 
> I tried briefly making /etc/krb5.keytab world readable, but it did 
> not change the "No such file" error.
> The logs I check are /var/log/messages, slapd and krb5kdc.log. The 
> logs do not show the ldap client error. I DID see some SELINUX errors 
> for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed 
> those. This did not stop the error. I guess I'll try turning SELINUX 
> off, and see if that makes any difference.
> 
> Any help would be greatly appreciated :)
> 

It depends on what version of FDS you are running. I believe that the
1.1 init file includes support for using /etc/sysconfig/dirsrv for
configuration.

If you are running 1.1 add this to /etc/sysconfig/dirsrv:

export KRB5_KTNAME=/path/to/fds.keytab

where fds.keytab holds the ldap/FQDN at REALM key.

If you are running 1.0 you'll need to update /etc/init.d/dirsrv and add
something like this at the top:

[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv

rob
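As an added example that is not part of this thread, the following POSIX shell check covers the failure the thread ends up diagnosing: the KRB5_KTNAME that the server actually inherits points somewhere other than where the keytab file is, and slapd reports "No such file or directory" without the logs saying which file. It reads the KRB5_KTNAME line out of /etc/sysconfig/dirsrv (accepting both spellings seen above, `KRB5_KTNAME=... ; export KRB5_KTNAME` and `export KRB5_KTNAME=...`), then checks that the file exists and is readable, and optionally that it holds an ldap/ principal. The env-file path and the ldap/ principal name come from the thread; everything else (function names, exit codes, the sample file written in the usage comment) is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): verify the keytab a Fedora Directory
# Server will use for GSSAPI, as configured through KRB5_KTNAME in an env file
# such as /etc/sysconfig/dirsrv. Run it as the user slapd runs as, so the
# readability check reflects what the server will see.

# Print the keytab path set in an env file. Accepts both forms seen in the
# thread:  KRB5_KTNAME=/path ; export KRB5_KTNAME   and   export KRB5_KTNAME=/path
# Commented-out lines are ignored; the last assignment wins, as it would in sh.
keytab_from_envfile() {
    envfile="$1"
    sed -nE 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME="?([^ ;"]*)"?.*/\2/p' \
        "$envfile" | tail -n 1
}

# Diagnose the configured keytab. Return codes:
#   0  KRB5_KTNAME is set, the file exists and is readable by the caller
#   1  KRB5_KTNAME is not set (MIT Kerberos then falls back to /etc/krb5.keytab)
#   2  the path is set but no such file exists (the case the thread hit)
#   3  the file exists but the current user cannot read it
check_keytab() {
    envfile="$1"
    kt=$(keytab_from_envfile "$envfile")
    if [ -z "$kt" ]; then
        echo "no KRB5_KTNAME in $envfile; the default /etc/krb5.keytab will be used"
        return 1
    fi
    if [ ! -f "$kt" ]; then
        echo "KRB5_KTNAME=$kt but that file does not exist (No such file or directory)"
        return 2
    fi
    if [ ! -r "$kt" ]; then
        echo "KRB5_KTNAME=$kt exists but is not readable by $(id -un)"
        return 3
    fi
    echo "KRB5_KTNAME=$kt exists and is readable by $(id -un)"
    return 0
}

# Check that the keytab carries an ldap/<FQDN>@<REALM> key, the principal slapd
# authenticates as under GSSAPI. Needs klist from the Kerberos client tools;
# returns 2 when klist is missing so "could not check" is distinct from "no key".
keytab_has_ldap_principal() {
    kt="$1"
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$kt" | grep -Eq '^[[:space:]]*[0-9]+[[:space:]]+ldap/'
}

# Usage:  sh check-keytab.sh /etc/sysconfig/dirsrv
# With no argument the functions are only defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    check_keytab "$1" || exit $?
    kt=$(keytab_from_envfile "$1")
    case $(keytab_has_ldap_principal "$kt"; echo $?) in
        0) echo "$kt holds an ldap/ principal" ;;
        2) echo "klist not installed; skipped principal check" ;;
        *) echo "$kt holds no ldap/ principal; slapd will not be able to accept GSSAPI binds" ;;
    esac
fi
```

Running this as the directory server's user, rather than as root, is what makes the readability result meaningful; a keytab that root can read but the service account cannot produces the same symptom as a missing file from the client's point of view.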
