<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<br>
On 02/23/2013 09:47 PM, Dmitri Pal wrote:<br>
<span style="white-space: pre;">> On 02/23/2013 12:48 PM, Dale
Macartney wrote:<br>
> ><br>
>> Hi all<br>
>><br>
>> I've just performed a clean IPA installation and noticed
that if you're<br>
>> using integrated DNS, you are still unable to use bind in
a chrooted<br>
>> environment with a default IPA install.<br>
>><br>
>> Basically if it's a chrooted environment, named will fail
to start.<br>
>><br>
>> To replicate what I've done, do the following.<br>
>><br>
>> # yum install ipa-server bind bind-chroot bind-dyndb-ldap
-y<br>
>> # ipa-server-install --setup-dns (do your usual thing
here)<br>
>><br>
>> From what I've been testing, there need to be quite a
few libraries<br>
>> located in the chroot environment.<br>
>><br>
>> I've done the below to get a little further (I should
probably use<br>
>> symbolic links, but for now copying the files is a
start).<br>
>><br>
>> mkdir /var/named/chroot/lib64/<br>
>> cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/<br>
>> cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/<br>
>> cp /lib64/libplds4.so /var/named/chroot/lib64/<br>
>> cp /lib64/libplc4.so /var/named/chroot/lib64/<br>
>> cp /lib64/libnspr4.so /var/named/chroot/lib64/<br>
>> cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/<br>
>> cp /lib64/libfreebl3.so /var/named/chroot/lib64/<br>
>><br>
>> mkdir /var/named/chroot/usr/lib64/<br>
>> cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/<br>
>> cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/<br>
>> cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/<br>
>> cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/<br>
>> cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/<br>
>><br>
>><br>
>><br>
>> Now when I restart named, I get the below error in
/var/log/messages.<br>
>><br>
>> Does anyone have any ideas of the best way to get around
this error?<br>
>><br>
>> Feb 23 17:35:29 ds01 named[2425]: Failed to parse the
principal name<br>
>> DNS/ds01.example.com (Configuration file does not specify
default realm)<br>
><br>
> It should be<br>
> <a class="moz-txt-link-abbreviated" href="mailto:DNS/ds01.example.com@YOURREALMNAME.SOMETHING">DNS/ds01.example.com@YOURREALMNAME.SOMETHING</a></span><br>
Oh, of course... what a facepalm moment.<br>
<br>
Where does the default IPA installation put the DNS keytab file? I
did notice an /etc/named.keytab was present, but placing that in
/var/named/chroot/etc didn't seem to improve matters.<br>
<span style="white-space: pre;">><br>
><br>
> I do not know the exact reason, but it might be that the bind LDAP
driver can't locate its Kerberos configuration.<br>
> I hope it will give you a hint and unblock you before the
real masters of DNS chime in.</span><br>
I know this has been a rather long-lasting RFE/bug/however you want
to label it.<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/126">https://fedorahosted.org/freeipa/ticket/126</a><br>
<br>
If I make any progress I'll let the team know.<br>
<br>
<span style="white-space: pre;">><br>
>><br>
>><br>
>> Thanks folks.<br>
>><br>
>> Dale<br>
>><br>
> ><br>
> > _______________________________________________<br>
> > Freeipa-users mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> > <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
> -- <br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager for IdM portfolio<br>
> Red Hat Inc.<br>
><br>
><br>
> -------------------------------<br>
> Looking to carve out IT costs?<br>
> <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><br>
></span><br>
<br>
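An added example (editor's, not from the thread and not FreeIPA's or bind's own code): a POSIX sh preflight for the two problems above, reporting which shared libraries from an ldd listing are absent under the chroot and fully qualifying a DNS service principal with the realm from krb5.conf, the fix Dmitri points at. The bind-dyndb-ldap module path in the usage comment is an assumption; the chroot path and principal are the thread's.<br>

```sh
#!/bin/sh
# Added example (not from the thread, not FreeIPA's or bind's own code):
# a preflight check for running named with bind-dyndb-ldap under bind-chroot.
# It covers the two failure modes from the thread: shared libraries missing
# from the chroot, and a Kerberos principal given without its realm.

# Print default_realm from a krb5.conf-style file (nothing if unset).
krb_default_realm() {
    awk -F'=' '
        /^[[:space:]]*\[/ { in_libdefaults = ($0 ~ /\[libdefaults\]/) }
        in_libdefaults && $1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); print $2; exit
        }' "$1"
}

# Append @REALM to a principal that has none: DNS/host -> DNS/host@REALM.
# Fails (status 1) when no realm is known, which is exactly the case that
# produced "Configuration file does not specify default realm".
qualify_principal() {
    principal="$1" realm="$2"
    case "$principal" in
        *@*) printf '%s\n' "$principal" ;;
        *)   [ -n "$realm" ] || return 1
             printf '%s@%s\n' "$principal" "$realm" ;;
    esac
}

# Pull absolute library paths out of ldd output on stdin, one per line.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Print each given absolute library path that is not present under the chroot.
missing_in_chroot() {
    chroot_dir="$1"; shift
    for lib in "$@"; do
        [ -e "$chroot_dir$lib" ] || printf '%s\n' "$lib"
    done
}

# Typical use on a real host (chroot path and principal are the thread's;
# LDAP_DRIVER is the bind-dyndb-ldap module, whose path is an assumption):
#   LDAP_DRIVER=/usr/lib64/bind/ldap.so
#   missing_in_chroot /var/named/chroot \
#       $(ldd /usr/sbin/named "$LDAP_DRIVER" | ldd_paths | sort -u)
#   qualify_principal DNS/ds01.example.com "$(krb_default_realm /etc/krb5.conf)"
```
<br>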
<br>
</body>
</html>