[Freeipa-users] RHEL 6.4 , IPA 3.0 and bind-chroot

Petr Spacek pspacek at redhat.com
Tue Feb 26 13:39:58 UTC 2013


On 23.2.2013 23:01, Dale Macartney wrote:
>
> On 02/23/2013 09:47 PM, Dmitri Pal wrote:
>> On 02/23/2013 12:48 PM, Dale  Macartney wrote:
>  >>
>  >> Hi all
>  >>
>  >> I've just performed a clean IPA installation and noticed that if you're
>  >> using integrated DNS, you are still unable to use bind in a chrooted
>  >> environment with a default IPA install.
>  >>
>  >> Basically if its a chrooted environment, named will fail to start.
>  >>
>  >> To replicate what I've done, do the following.
>  >>
>  >> # yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
>  >> # ipa-server-install --setup-dns (do your usual thing here)
>  >>
>  >> - From what I've been testing, there needs to be quite a few libraries
>  >> located in the chroot environment.
>  >>
>  >> I've done the below to get a little further (I should probably use
>  >> symbolic links, but for now copying the files is a start).
>  >>
>  >> mkdir /var/named/chroot/lib64/
>  >> cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
>  >> cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
>  >> cp /lib64/libplds4.so /var/named/chroot/lib64/
>  >> cp /lib64/libplc4.so /var/named/chroot/lib64/
>  >> cp /lib64/libnspr4.so /var/named/chroot/lib64/
>  >> cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
>  >> cp /lib64/libfreebl3.so /var/named/chroot/lib64/
>  >>
>  >> mkdir /var/named/chroot/usr/lib64/
>  >> cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
>  >> cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
>  >> cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
>  >> cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
>  >> cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/
>  >>
>  >>
>  >>
>  >> Now when I restart named, I get the below error in /var/log/messages.
>  >>
>  >> Does anyone have any ideas of the best way to get around this error?
>  >>
>  >> Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name
>  >> DNS/ds01.example.com (Configuration file does not specify default realm)
>  >
>  > It should be
>  > DNS/ds01.example.com at YOURREALMNAME.SOMETHING
> oh of course.. what a face palm moment.
>
> Where does the default ipa installation put the DNS keytab file? I did notice
> an /etc/named.keytab was present, but placing that in /var/named/chroot/etc
> didn't seem to improve matters.

I wrote short how-to:
http://freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot

In my RHEL 6.4 test environment it worked, but it is a bit "hackish". Any 
improvements are welcome!

>  > I do not know the exact reason but it might be that bind ldap driver can't
>  > locate its kerberos configuration.
>  > I hope it will give you a hint and unblock you before the real masters of
>  > DNS chime in.
> I know this has been a rather long lasting rfe/bug/how ever you want to label it.
> https://fedorahosted.org/freeipa/ticket/126
>
> If I make any progress I'll let the team know.

-- 
Petr^2 Spacek
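Added here as an example, not code from the thread or from the linked how-to: a small POSIX sh script that derives the hand-maintained `cp` list from the first mail automatically, by taking `ldd` output of the bind-dyndb-ldap plugin, copying every resolved library into the chroot at its original path, and then checking that a krb5.conf with a default_realm exists inside the chroot, since "Configuration file does not specify default realm" is what libkrb5 reports when it finds no usable krb5.conf. The plugin path /usr/lib64/bind/ldap.so is an assumption; /var/named/chroot is the chroot used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): populate a BIND chroot with the shared
# libraries a plugin needs, driven by ldd output instead of a hand-written cp list.
CHROOT="${CHROOT:-/var/named/chroot}"

# Extract absolute library paths from ldd output on stdin.
# Handles both "libfoo.so => /lib64/libfoo.so (0x...)" and the bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" interpreter line; linux-vdso has no
# file behind it and is skipped.
lib_paths_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy each path read from stdin into the chroot $1, recreating its directory
# (/lib64/libx.so ends up as $1/lib64/libx.so). cp -L dereferences symlinks so
# the chroot gets the real file rather than a link pointing outside it.
copy_into_chroot() {
    root="$1"
    while IFS= read -r lib; do
        [ -f "$lib" ] || { echo "skip (missing): $lib" >&2; continue; }
        mkdir -p "$root$(dirname "$lib")"
        cp -pL "$lib" "$root$lib"
    done
}

# The error quoted in the thread ("Configuration file does not specify default
# realm") is libkrb5's message when no krb5.conf with a default_realm is readable.
# Inside a chroot that means $CHROOT/etc/krb5.conf. Returns 0 when one is present.
check_krb5_conf() {
    conf="$1/etc/krb5.conf"
    [ -r "$conf" ] && grep -Eq '^[[:space:]]*default_realm[[:space:]]*=' "$conf"
}

# Stand-alone run: resolve the plugin's dependencies, copy them, verify krb5.conf.
if [ "${1:-}" = "--run" ]; then
    plugin="${PLUGIN:-/usr/lib64/bind/ldap.so}"   # assumed bind-dyndb-ldap path
    ldd "$plugin" | lib_paths_from_ldd | copy_into_chroot "$CHROOT"
    check_krb5_conf "$CHROOT" || echo "no default_realm in $CHROOT/etc/krb5.conf" >&2
fi
```

Run as `sh populate-chroot.sh --run` after installing the packages from the first mail; set PLUGIN or CHROOT in the environment if your paths differ.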
