Charles Hymes wrote:
> Hi folks,
> I'm having a real hard time debugging this.
> I'm trying to do a new Fedora Directory Server+kerberos install, on a new
> Fedora 7 box. I can kinit, but I can't get ldapsearch or ldapwhoami to work
> locally. I thought it was a read problem with the keytab files, but I tried
> setting KRB5_KTNAME to a keytab file I knew was readable by slapd, and that
> did not help. I also checked permissions on my certificates, and that seems
> OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.
>
> I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not
> show which resource is not accessible. Actually I'm surprised that strace
> does not show any attempts to open the keytabs or anything in
> /etc/openldap/cacerts...
>
> I tried briefly making /etc/krb5.keytab world readable, it did not
> change the "No such file" error.
> The logs I check are /var/log/messages, slapd and krb5kdc.log. The logs do
> not show the ldap client error. I DID see some SELINUX errors for
> krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did
> not stop the error. I guess I'll try turning SELINUX off, and see if that
> makes any difference.
>
> Any help would be greatly appreciated :)
>

It depends on what version of FDS you are running. I believe that the 1.1
init file includes support for using /etc/sysconfig/dirsrv for configuration.

If you are running 1.1 add this to /etc/sysconfig/dirsrv:

export KRB5_KTNAME=/path/to/fds.keytab

where fds.keytab holds the ldap/FQDN@REALM key.

If you are running 1.0 you'll need to update /etc/init.d/dirsrv and add
something like this at the top:

[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv

rob
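A way to check the keytab setting discussed in this thread, as an added example that is not part of the original messages: it reads KRB5_KTNAME from a sysconfig-style file, confirms the keytab is readable by the current user without being open to group or other, and looks for the ldap/FQDN@REALM entry in `klist -k` output. The function names are hypothetical, and it is assumed to be run as the account the directory server runs as.

```shell
# Added example: check the keytab named in a sysconfig file such as
# /etc/sysconfig/dirsrv. Run it as the account the directory server runs as.

# Print the last KRB5_KTNAME value assigned in the file ("export" optional).
keytab_from_sysconfig() {
    sed -nE 's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=//p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# Return 0 if the keytab exists, is readable by the current user and carries
# no group/other permission bits; otherwise print the problem and return 1.
check_keytab() {
    kt=$(keytab_from_sysconfig "$1")
    [ -n "$kt" ] || { echo "KRB5_KTNAME is not set in $1"; return 1; }
    kt=${kt#FILE:}                      # MIT krb5 accepts a FILE: prefix
    [ -f "$kt" ] || { echo "$kt: no such file"; return 1; }
    [ -r "$kt" ] || { echo "$kt: not readable by uid $(id -u)"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$kt" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "$kt: exposed to group/other ($bits)"; return 1; }
    echo "$kt: ok"
}

# Read `klist -k KEYTAB` output on stdin; succeed if it lists ldap/<fqdn>@REALM.
has_ldap_principal() {
    awk -v p="ldap/$1@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# Typical use (paths and host name are placeholders):
#   check_keytab /etc/sysconfig/dirsrv
#   klist -k /path/to/fds.keytab | has_ldap_principal "$(hostname -f)"
```

A keytab that passes both checks rules out the file-permission and missing-principal causes raised in the thread, without resorting to a world-readable keytab.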