[Freeipa-users] Fedora 16 failing to start dirsrv process

Rich Megginson rmeggins at redhat.com
Mon Nov 14 20:12:43 UTC 2011


On 11/14/2011 01:08 PM, Dan Scott wrote:
> Hi,
>
> On Mon, Nov 14, 2011 at 13:06, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>> On Mon, 14 Nov 2011, Dan Scott wrote:
>>> In any case, the process is still failing to start. Do I need to
>>> create a link in dirsrv.target.wants to somewhere?
>> You need to do some steps like ipa-server-install does. I'm trying to
>> get them separated in a small upgrade script but something like
>> following needs to be done, completely untested, may eat your kitten,
>> and realm/dirsrv instance names need to be replaced before running:
>> ----------------------------------------------------------------
>> #! /usr/bin/python -E
>> from ipaserver.install.krbinstance import update_key_val_in_file
>> from ipapython import ipautil
>> from ipapython import services as ipaservices
>>
>> # 1. Upgrade /etc/sysconfig/dirsrv for systemd
>> update_key_val_in_file("/etc/sysconfig/dirsrv", "KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
>> update_key_val_in_file("/etc/sysconfig/dirsrv", "export KRB5_KTNAME", "/etc/dirsrv/ds.keytab")
>> # 2. Upgrade /etc/sysconfig/krb5kdc for systemd
>> replacevars = {'KRB5REALM':"EXAMPLE.COM"}
>> appendvars = {}
>> ipautil.config_replace_variables("/etc/sysconfig/krb5kdc",
>>     replacevars=replacevars, appendvars=appendvars)
>> ipaservices.restore_context("/etc/sysconfig/krb5kdc")
>> # 3. Enable DS instances:
>> ipaservices.knownservices.dirsrv.enable("EXAMPLE-COM")
>> ipaservices.knownservices.dirsrv.enable("PKI-IPA")
>> # 4. Enable FreeIPA
>> ipaservices.knownservices.ipa.enable()
>> -------------------------------------------------------
>>
>> Note that these .enable() calls on Fedora 16 do much more than just
>> 'systemctl enable foo.service', they copy and modify service files,
>> create symlinks and so on, all the dirty work required by systemd.
>> You may look at ipapython/platform/fedora16.py and systemd.py for
>> details.
> OK, looks like I'm getting there, but there's still a problem (I
> replaced EXAMPLE-COM above and re-replaced it in the output below):
>
> [root at fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants
> total 0
> lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv at EXAMPLE-COM.service ->
> /etc/systemd/system/dirsrv at .service
> lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv at PKI-IPA.service ->
> /etc/systemd/system/dirsrv at .service
> [root at fileserver1 ~]# systemctl status dirsrv.service
> dirsrv.service
>            Loaded: error (Reason: No such file or directory)
>            Active: inactive (dead)
Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ
> [root at fileserver1 ~]#
>
> My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains:
>
> [14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial
> credentials for principal [ldap/fileserver1.example.com at EXAMPLE.COM]
> in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
> [14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: error -2
> (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure.  Minor code may provide more information (Credentials
> cache file '/tmp/krb5cc_494' not found))
> [14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
>
> And the permissions on /etc/krb5.keytab:
>
> [root at fileserver1 ~]# ls -Z /etc/krb5.keytab
> -rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
Right - directory server usually runs as dirsrv:dirsrv not root:root - 
not sure what is responsible for ensuring the krb5.keytab is owned by 
the dirsrv user.
> The permissions are the same on my other, replica, IPA server (which
> is still Fedora 15). The other message above is correct:
> /tmp/krb5cc_494 does not exist.
>
> Thanks,
>
> Dan
>
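The two findings in the thread, a sysconfig file pointing KRB5_KTNAME at one keytab while the error log shows the server falling back to /etc/krb5.keytab, and that keytab being root-owned mode 0600 while the server runs as dirsrv, can be checked from a script. The following is an added example written for this page; it is not part of the thread or of FreeIPA itself. It parses the KRB5_KTNAME lines the upgrade script above writes into /etc/sysconfig/dirsrv, then applies the ordinary Unix read-permission rules to the keytab's owner, group and mode for the service user. The sample sysconfig text is constructed, and the assumed uid 494 for dirsrv is taken from the `/tmp/krb5cc_494` path in the error log; on a real host the script reads the live files instead.

```python
#!/usr/bin/python
# Added example (not from the thread, not FreeIPA code): verify that the
# keytab a 389-DS instance is configured to use is readable by the user
# the server actually runs as (dirsrv:dirsrv on IPA servers).
import os
import pwd
import grp
import re
import stat

# Constructed sample of /etc/sysconfig/dirsrv as the upgrade script in the
# thread would leave it; a real file usually has more lines.
SAMPLE_SYSCONFIG = """\
# dirsrv sysconfig
KRB5_KTNAME=/etc/dirsrv/ds.keytab
export KRB5_KTNAME=/etc/dirsrv/ds.keytab
"""

# What libkrb5 uses when KRB5_KTNAME is not set in the server's environment;
# this is the path that appears in the error log above.
DEFAULT_KEYTAB = "/etc/krb5.keytab"

# Assumed uid of the dirsrv user, inferred from /tmp/krb5cc_494 in the log.
ASSUMED_DIRSRV_UID = 494

_KTNAME_RE = re.compile(r'^\s*(?:export\s+)?KRB5_KTNAME\s*=\s*"?([^"\s]+)"?\s*$')


def configured_keytab(sysconfig_text):
    """Return the keytab path KRB5_KTNAME points at, or the libkrb5 default.

    The last matching line wins, mirroring shell assignment semantics.
    """
    path = DEFAULT_KEYTAB
    for line in sysconfig_text.splitlines():
        m = _KTNAME_RE.match(line)
        if m:
            path = m.group(1)
    return path


def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """Plain Unix read check: root always, then owner, group, other bits."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_keytab_access(keytab, mode, owner_uid, owner_gid, svc_uid, svc_gids):
    """Return (ok, message) saying whether the service user can read keytab."""
    if readable_by(mode, owner_uid, owner_gid, svc_uid, svc_gids):
        return True, "%s is readable by uid %d" % (keytab, svc_uid)
    return False, ("%s is owned by uid %d gid %d mode %04o: not readable by "
                   "uid %d; expected ownership by the service user (dirsrv)"
                   % (keytab, owner_uid, owner_gid, stat.S_IMODE(mode), svc_uid))


def main():
    """Run the check against the live host; exit 1 if the keytab is unreadable."""
    try:
        with open("/etc/sysconfig/dirsrv") as f:
            text = f.read()
    except IOError as e:
        print("cannot read /etc/sysconfig/dirsrv: %s" % e)
        return 2
    keytab = configured_keytab(text)
    try:
        pw = pwd.getpwnam("dirsrv")
        st = os.stat(keytab)
    except (KeyError, OSError) as e:
        print("cannot resolve user dirsrv or stat %s: %s" % (keytab, e))
        return 2
    gids = [pw.pw_gid] + [g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem]
    ok, msg = check_keytab_access(keytab, st.st_mode, st.st_uid, st.st_gid,
                                  pw.pw_uid, gids)
    print(msg)
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as root on the IPA server; a non-zero exit with the "not readable" message reproduces the `13 (Permission denied)` condition from the log without waiting for the server to try its GSSAPI bind.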