[Freeipa-users] RHEL 6.4, IPA 3.0 and bind-chroot

Dale Macartney dale at themacartneyclan.com
Sat Feb 23 22:01:14 UTC 2013


On 02/23/2013 09:47 PM, Dmitri Pal wrote:
> On 02/23/2013 12:48 PM, Dale Macartney wrote:
> >
>> Hi all
>>
>> I've just performed a clean IPA installation and noticed that if you're
>> using integrated DNS, you are still unable to use bind in a chrooted
>> environment with a default IPA install.
>>
>> Basically, if it's a chrooted environment, named will fail to start.
>>
>> To replicate what I've done, do the following.
>>
>> # yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
>> # ipa-server-install --setup-dns (do your usual thing here)
>>
>> From what I've been testing, there needs to be quite a few libraries
>> located in the chroot environment.
>>
>> I've done the below to get a little further (I should probably use
>> symbolic links, but for now copying the files is a start).
>>
>> mkdir /var/named/chroot/lib64/
>> cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
>> cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
>> cp /lib64/libplds4.so /var/named/chroot/lib64/
>> cp /lib64/libplc4.so /var/named/chroot/lib64/
>> cp /lib64/libnspr4.so /var/named/chroot/lib64/
>> cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
>> cp /lib64/libfreebl3.so /var/named/chroot/lib64/
>>
>> mkdir /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/
>>
>>
>>
>> Now when I restart named, I get the below error in /var/log/messages.
>>
>> Does anyone have any ideas of the best way to get around this error?
>>
>> Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name
>> DNS/ds01.example.com (Configuration file does not specify default realm)
>
> It should be
> DNS/ds01.example.com@YOURREALMNAME.SOMETHING
Oh, of course... what a facepalm moment.

Where does the default ipa installation put the DNS keytab file? I did
notice an /etc/named.keytab was present, but placing that in
/var/named/chroot/etc didn't seem to improve matters.
>
>
> I do not know the exact reason but it might be that bind ldap driver
> can't locate its Kerberos configuration.
> I hope it will give you a hint and unblock you before the real masters
> of DNS chime in.
I know this has been a rather long-lasting RFE/bug/however you want to
label it.
https://fedorahosted.org/freeipa/ticket/126

If I make any progress I'll let the team know.

>
>>
>>
>> Thanks folks.
>>
>> Dale
>>
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/


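The hand-written cp list in the thread misses whatever the LDAP driver happens to pull in on a given box, and it does nothing about the second problem Dmitri points at: named with -t calls chroot() before it reads named.conf, the dyndb driver is dlopen()ed while named.conf is processed, so the driver's libraries, /etc/krb5.conf and the DNS/ keytab all have to exist under the chroot. The script below is an added example, not code from this thread or from the FreeIPA or bind-dyndb-ldap projects. It uses ldd to enumerate the shared objects a plugin resolves, copies each one to the same absolute path under the chroot, copies the Kerberos files, and then verifies every dependency is satisfiable inside the chroot. Assumptions: the driver lives at /usr/lib64/bind/ldap.so (not stated on the page; check with rpm -ql bind-dyndb-ldap), the chroot is /var/named/chroot and the keytab is /etc/named.keytab as in the thread, and the driver reads the system /etc/krb5.conf. The dynamic loader is deliberately not copied because it is already mapped into named before chroot() runs.

```shell
#!/bin/sh
# Added example (not from the thread): populate a bind chroot with the
# shared-library dependencies of a named plugin plus the Kerberos files
# the bind-dyndb-ldap driver reads.  Assumed paths (not from the page):
#   plugin  /usr/lib64/bind/ldap.so   (bind-dyndb-ldap driver, x86_64 RHEL 6)
#   krb5    /etc/krb5.conf            (system Kerberos client config)
# Paths from the thread: chroot /var/named/chroot, keytab /etc/named.keytab.
# Usage: sh chroot-deps.sh /usr/lib64/bind/ldap.so /var/named/chroot

# Print the absolute path of every shared object ldd resolves for $1.
# ldd lines look like "libX => /path/libX (0x...)"; the vDSO has no path
# and the dynamic loader line has no "=>", so both are skipped (the loader
# is already mapped into named before it chroots).  "=> not found" entries
# are skipped too, so a missing library shows up in verify_chroot, not here.
ldd_deps() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Copy one file to the same absolute path under chroot $2.  cp -L follows
# symlinks: an absolute symlink inside the chroot resolves against the
# chroot root, so a link back to /lib64 would only point at itself.
copy_into_chroot() {
    src=$1; root=$2
    dst="$root$src"
    mkdir -p "$(dirname "$dst")" || return 1
    cp -L "$src" "$dst"
}

# Copy every dependency of $1 under chroot $2, printing each destination.
# Returns non-zero if ldd resolved nothing (static object, or no ldd).
sync_deps() {
    bin=$1; root=$2; n=0
    for lib in $(ldd_deps "$bin"); do
        copy_into_chroot "$lib" "$root" || return 1
        echo "$root$lib"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Copy the Kerberos client config and keytab ($2...) under chroot $1.
# krb5.conf is what supplies default_realm; the "does not specify default
# realm" error in the thread is what libkrb5 reports when it cannot read one.
# Missing files are reported and skipped rather than aborting the run.
sync_krb5() {
    root=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing $f" >&2; continue; }
        copy_into_chroot "$f" "$root" || return 1
    done
    return 0
}

# The chroot is only usable if every library ldd reports for $1 exists
# under $2; this is the check to re-run after each yum update, since copied
# libraries do not track the ones outside the chroot.
verify_chroot() {
    bin=$1; root=$2
    for lib in $(ldd_deps "$bin"); do
        [ -f "$root$lib" ] || { echo "not in chroot: $lib" >&2; return 1; }
    done
    return 0
}

main() {
    plugin=${1:?plugin path required}
    root=${2:-/var/named/chroot}
    sync_deps "$plugin" "$root" &&
    sync_krb5 "$root" /etc/krb5.conf /etc/named.keytab &&
    verify_chroot "$plugin" "$root"
}

# Run only when given a plugin path, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

After it runs, check the principal the driver is told to use carries its realm (the form Dmitri gives above), restart named and look for the same "Failed to parse the principal name" line in /var/log/messages; if the libraries are right but the keytab or krb5.conf is still not visible, the next error comes from libkrb5 rather than from dlopen. Copies go stale on updates: either re-run the script after every yum update that touches these packages, or replace the copies with hard links (only possible if /var/named/chroot is on the same filesystem as /lib64 and /usr/lib64) or a bind mount of the library directories into the chroot.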