[Freeipa-users] RHEL 6.4 , IPA 3.0 and bind-chroot

Dmitri Pal dpal at redhat.com
Sat Feb 23 21:47:35 UTC 2013


On 02/23/2013 12:48 PM, Dale Macartney wrote:
>
> Hi all
>
> I've just performed a clean IPA installation and noticed that if you're
> using integrated DNS, you are still unable to use bind in a chrooted
> environment with a default IPA install.
>
> Basically if it's a chrooted environment, named will fail to start.
>
> To replicate what I've done, do the following.
>
> # yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
> # ipa-server-install --setup-dns (do your usual thing here)
>
> From what I've been testing, there needs to be quite a few libraries
> located in the chroot environment.
>
> I've done the below to get a little further (I should probably use
> symbolic links, but for now copying the files is a start).
>
> mkdir /var/named/chroot/lib64/
> cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
> cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
> cp /lib64/libplds4.so /var/named/chroot/lib64/
> cp /lib64/libplc4.so /var/named/chroot/lib64/
> cp /lib64/libnspr4.so /var/named/chroot/lib64/
> cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
> cp /lib64/libfreebl3.so /var/named/chroot/lib64/
>
> mkdir /var/named/chroot/usr/lib64/
> cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
> cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
> cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
> cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
> cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/
>
>
>
> Now when I restart named, I get the below error in /var/log/messages.
>
> Does anyone have any ideas of the best way to get around this error?
>
> Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name
> DNS/ds01.example.com (Configuration file does not specify default realm)

It should be
DNS/ds01.example.com@YOURREALMNAME.SOMETHING


I do not know the exact reason but it might be that bind ldap driver
can't locate its kerberos configuration.
I hope it will give you a hint and unblock you before the real masters
of DNS chime in.

>
>
> Thanks folks.
>
> Dale
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
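As an added example (not part of this thread, and not FreeIPA or bind-dyndb-ldap code), the following POSIX shell script does two of the checks the messages above point at: it asks the dynamic loader (via `ldd`) which shared libraries a plugin such as the bind-dyndb-ldap driver needs and reports which of them have no copy under the chroot, instead of building the library list by hand; and it checks whether a `krb5.conf` with a `default_realm` is visible from inside the chroot, which is what the "Configuration file does not specify default realm" error suggests is missing. The chroot prefix `/var/named/chroot` and the plugin path `/usr/lib64/bind/ldap.so` are assumptions; adjust them to the system being checked.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed paths (adjust as needed):
#   CHROOT      - root of the bind-chroot tree
#   plugin path - /usr/lib64/bind/ldap.so (bind-dyndb-ldap driver; assumed location)
CHROOT="${CHROOT:-/var/named/chroot}"

# deps_of OBJECT
# Print the absolute library paths the dynamic loader resolves for OBJECT,
# transitive dependencies included. Lines such as "linux-vdso.so.1 => (0x...)"
# and the loader itself ("/lib64/ld-linux-x86-64.so.2 (0x...)") are skipped.
deps_of() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# missing_in_chroot CHROOT LIBPATH...
# Print every LIBPATH that does not exist at CHROOT/LIBPATH.
# Returns 0 when nothing is missing, 1 otherwise.
missing_in_chroot() {
    root="$1"; shift
    rc=0
    for lib in "$@"; do
        if [ ! -e "$root$lib" ]; then
            echo "$lib"
            rc=1
        fi
    done
    return $rc
}

# check_krb5_conf CHROOT
# A chrooted named cannot read /etc/krb5.conf; it only sees CHROOT/etc/krb5.conf.
# Returns 0 when that file exists and names a default_realm, 1 otherwise.
check_krb5_conf() {
    [ -r "$1/etc/krb5.conf" ] || return 1
    grep -q 'default_realm' "$1/etc/krb5.conf"
}

# report OBJECT...
# For each object, list dependencies absent from the chroot, then check krb5.conf.
report() {
    for obj in "$@"; do
        echo "== libraries of $obj missing under $CHROOT:"
        # Word splitting on the ldd output is intended: the paths contain no spaces.
        if missing_in_chroot "$CHROOT" $(deps_of "$obj"); then
            echo "(none)"
        fi
    done
    if check_krb5_conf "$CHROOT"; then
        echo "== $CHROOT/etc/krb5.conf present with a default_realm"
    else
        echo "== $CHROOT/etc/krb5.conf missing or has no default_realm"
    fi
}

# Usage: sh check-chroot-deps.sh /usr/lib64/bind/ldap.so
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Run it against the driver (and against `/usr/sbin/named` itself) on the host, outside the chroot: `ldd` needs the real library paths to resolve. Each path it prints is relative to the chroot root, so `/lib64/libldap-2.4.so.2` has to appear as `/var/named/chroot/lib64/libldap-2.4.so.2`, matching the layout of the copies in the original post. Whether to copy the files, symlink them, or bind-mount the directories is a packaging choice; the script only reports what the loader will fail to find.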


