Charles Hymes wrote:
Hi folks, I'm having a real hard time debugging this. I'm trying to do a new Fedora Directory Server+kerberos install, on a new Fedora 7 box. I can kinit, but I can't get ldapsearch or ldapwhoami to work locally. I thought it was a read problem with the keytab files, but I tried setting KRB5_KTNAME to a keytab file I knew was readable by slapd, and that did not help. I also checked permissions on my certificates, and that seems OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not. I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not show which resource is not accessible. Actually I'm surprised that strace does not show any attempts to open the keytabs or anything in /etc/openldap/cacerts... I tried briefly making /etc/krb5.keytab world readable, it did not change the "No such file" error. The logs I check are /var/log/messages, slapd and krb5kdc.log. The logs do not show the ldap client error. I DID see some SELINUX errors for krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did not stop the error. I guess I'll try turning SELINUX off, and see if that makes any difference. Any help would be greatly appreciated :)
It depends on what version of FDS you are running. I believe that the 1.1 init file includes support for using /etc/sysconfig/dirsrv for configuration.

If you are running 1.1 add this to /etc/sysconfig/dirsrv:

    export KRB5_KTNAME=/path/to/fds.keytab

where fds.keytab holds the ldap/FQDN@REALM key.

If you are running 1.0 you'll need to update /etc/init.d/dirsrv and add something like this at the top:

    [ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv

rob
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
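
A way to check the setup described in the reply above, as an added example that is not part of the original thread or of Fedora Directory Server. The function names are hypothetical, and the script assumes GNU stat and the MIT Kerberos klist utility; it also rejects a world-accessible keytab, since that exposes the service key to every local user.

```shell
#!/bin/sh
# Added example: sanity checks for the keytab that /etc/sysconfig/dirsrv
# hands to the directory server. Function names are hypothetical.

# Print the keytab path exported as KRB5_KTNAME by a sysconfig file.
# The file is sourced in a subshell so the caller's environment is untouched.
keytab_from_sysconfig() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    kt=$( unset KRB5_KTNAME; . "$conf" >/dev/null 2>&1; printf '%s' "$KRB5_KTNAME" )
    kt=${kt#FILE:}          # krb5 also accepts the FILE:/path form
    [ -n "$kt" ] || { echo "KRB5_KTNAME not set in $conf" >&2; return 1; }
    printf '%s\n' "$kt"
}

# Succeed only if the keytab exists and grants nothing to "other".
# It must still be readable by the account the server runs as.
keytab_mode_ok() {
    kt=$1
    [ -f "$kt" ] || { echo "$kt: no such file" >&2; return 1; }
    mode=$(stat -c '%a' "$kt") || return 1    # GNU stat, e.g. 600 or 640
    case $mode in
        *0) return 0 ;;
        *)  echo "$kt: mode $mode is open to all users" >&2; return 1 ;;
    esac
}

# Succeed if the keytab lists an ldap/<host>@<REALM> principal.
keytab_has_ldap_key() {
    klist -k "$1" 2>/dev/null |
        grep -Eq '[[:space:]]ldap/[^@[:space:]]+@[^[:space:]]+$'
}

# Run all three checks against a sysconfig file given by absolute path.
check_dirsrv_keytab() {
    kt=$(keytab_from_sysconfig "$1") || return 1
    keytab_mode_ok "$kt" || return 1
    keytab_has_ldap_key "$kt" || { echo "$kt: no ldap/ principal" >&2; return 1; }
    echo "OK: $kt"
}
```

Call it as `check_dirsrv_keytab /etc/sysconfig/dirsrv` from a shell that has sourced the functions.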