[Freeipa-users] Fedora 16 failing to start dirsrv process

Dan Scott danieljamesscott at gmail.com
Mon Nov 14 20:56:16 UTC 2011


Hi,

On Mon, Nov 14, 2011 at 15:50, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> On Mon, 14 Nov 2011, Rich Megginson wrote:
>> >replaced EXAMPLE-COM above and re-replaced it in the output below):
>> >
>> >[root@fileserver1 ~]# ls -l /etc/systemd/system/dirsrv.target.wants
>> >total 0
>> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@EXAMPLE-COM.service ->
>> >/etc/systemd/system/dirsrv@.service
>> >lrwxrwxrwx. 1 root root 35 Nov 14 14:49 dirsrv@PKI-IPA.service ->
>> >/etc/systemd/system/dirsrv@.service
>> >[root@fileserver1 ~]# systemctl status dirsrv.service
>> >dirsrv.service
>> >           Loaded: error (Reason: No such file or directory)
>> >           Active: inactive (dead)
>> Right - see http://directory.fedoraproject.org/wiki/Howto:systemd#FAQ
> Yes, the target is dirsrv.target, not dirsrv.service, while instances
> are dirsrv@NAME.service. That is life.

:) Nice and consistent with other 'services'. Do you know if it's
possible for 'systemctl status dirsrv.service' to return nothing,
instead of saying that it's dead? This would help reduce the
confusion.

> systemctl start dirsrv.target
>
> now would bring both instances up -- when you'll solve
> kerberos credentials access.
>
>> >[root@fileserver1 ~]#
>> >
>> >My /var/log/dirsrv/slapd-EXAMPLE-COM/errors now contains:
>> >
>> >[14/Nov/2011:14:55:16 -0500] set_krb5_creds - Could not get initial
>> >credentials for principal [ldap/fileserver1.example.com@EXAMPLE.COM]
>> >in keytab [WRFILE:/etc/krb5.keytab]: 13 (Permission denied)
>> >[14/Nov/2011:14:55:16 -0500] slapd_ldap_sasl_interactive_bind - Error:
>> >could not perform interactive bind for id [] mech [GSSAPI]: error -2
>> >(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>> >GSS failure.  Minor code may provide more information (Credentials
>> >cache file '/tmp/krb5cc_494' not found))
>> >[14/Nov/2011:14:55:16 -0500] slapi_ldap_bind - Error: could not
>> >perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
>> >error)
>> >
>> >And the permissions on /etc/krb5.keytab:
>> >
>> >[root@fileserver1 ~]# ls -Z /etc/krb5.keytab
>> >-rw-------. root root unconfined_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
>> Right - directory server usually runs as dirsrv:dirsrv not root:root
>> - not sure what is responsible for ensuring the krb5.keytab is owned
>> by the dirsrv user.
> It should be /etc/dirsrv/ds.keytab, not /etc/krb5.keytab. Could you
> please show your /etc/sysconfig/dirsrv? KRB5_KTNAME there should point
> to /etc/dirsrv/ds.keytab and as you have installation that worked
> before, the keytab should be in place already and with proper
> ownership (dirsrv:dirsrv).

Thanks. I'd just figured this out and fixed my /etc/sysconfig/dirsrv
file. The two servers seem to be working and syncing now.

I've run into something else now though:

djscott at pc35:~$ ipa host-del pc60
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

Could this be related? Or should I start a new thread to try and solve it?

> Dan, could you please file a bug against freeipa in Fedora 16 to ask
> about upgrade from Fedora 15. I'll then work out the script and how to use
> it. I'm not sure it will be possible to use it in %post for upgrades
> but at least running it after yum upgrade would be possible.

Sure, will do.

Thanks,

Dan
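The two checks this thread turned on, as an added diagnostic script that is not part of the thread or of the 389-ds/FreeIPA projects: it reads KRB5_KTNAME from the dirsrv sysconfig file (stripping the WRFILE:/FILE: prefix seen in the log), verifies the keytab exists with the expected owner (dirsrv:dirsrv) and owner-only mode, and lists the dirsrv@NAME.service instances wired into dirsrv.target. Paths and the expected owner are parameters so it can be run against constructed files; it assumes GNU `stat -c` (Linux).

```shell
#!/bin/sh
# Added diagnostic, not from the thread or the projects it discusses.

# Print the (last) KRB5_KTNAME value from a sysconfig file, without
# surrounding quotes and without a leading WRFILE: or FILE: type prefix.
ktname_from_sysconfig() {
    sed -n 's/^[[:space:]]*KRB5_KTNAME=//p' "$1" | tail -n 1 \
        | tr -d "\"'" | sed -e 's/^WRFILE://' -e 's/^FILE://'
}

# Return 0 if $1 is a regular file owned by $2 (user:group) with no
# group/other permission bits; otherwise report what is wrong and return 1.
check_keytab() {
    keytab=$1; want=$2
    [ -f "$keytab" ] || { echo "keytab $keytab: missing"; return 1; }
    owner=$(stat -c '%U:%G' "$keytab")   # GNU stat assumed
    mode=$(stat -c '%a' "$keytab")
    rc=0
    if [ "$owner" != "$want" ]; then
        echo "keytab $keytab: owned by $owner, expected $want"; rc=1
    fi
    case $mode in
        600|400) ;;
        *) echo "keytab $keytab: mode $mode, expected 600"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "keytab $keytab: ok ($owner, mode $mode)"
    return "$rc"
}

# Resolve the keytab named in the sysconfig file and check it. Defaults
# are the Fedora 16 paths from the thread; the sysconfig path and the
# expected owner can be overridden for testing.
check_dirsrv_keytab() {
    sysconfig=${1:-/etc/sysconfig/dirsrv}
    want=${2:-dirsrv:dirsrv}
    kt=$(ktname_from_sysconfig "$sysconfig")
    if [ -z "$kt" ]; then
        # Without KRB5_KTNAME, libkrb5 falls back to /etc/krb5.keytab,
        # which is root-owned and gives exactly the "Permission denied" above.
        echo "$sysconfig: KRB5_KTNAME not set"; return 1
    fi
    check_keytab "$kt" "$want"
}

# List the dirsrv@NAME.service units wanted by dirsrv.target; dangling
# symlinks are listed too, since they are the usual sign of a broken setup.
dirsrv_instances() {
    wants=${1:-/etc/systemd/system/dirsrv.target.wants}
    [ -d "$wants" ] || return 1
    for u in "$wants"/dirsrv@*.service; do
        if [ -L "$u" ] || [ -e "$u" ]; then basename "$u"; fi
    done
}
```

Run it as root on the server with no arguments; `systemctl status dirsrv.target` and `systemctl status 'dirsrv@EXAMPLE-COM.service'` are the matching systemd queries.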
