On 02/23/2013 09:47 PM, Dmitri Pal wrote:
> On 02/23/2013 12:48 PM, Dale Macartney wrote:
>
>> Hi all
>>
>> I've just performed a clean IPA installation and noticed that if you're
>> using integrated DNS, you are still unable to use bind in a chrooted
>> environment with a default IPA install.
>>
>> Basically if it's a chrooted environment, named will fail to start.
>>
>> To replicate what I've done, do the following.
>>
>> # yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
>> # ipa-server-install --setup-dns (do your usual thing here)
>>
>> From what I've been testing, there needs to be quite a few libraries
>> located in the chroot environment.
>>
>> I've done the below to get a little further (I should probably use
>> symbolic links, but for now copying the files is a start).
>>
>> mkdir /var/named/chroot/lib64/
>> cp /lib64/libldap-2.4.so.2 /var/named/chroot/lib64/
>> cp /lib64/liblber-2.4.so.2 /var/named/chroot/lib64/
>> cp /lib64/libplds4.so /var/named/chroot/lib64/
>> cp /lib64/libplc4.so /var/named/chroot/lib64/
>> cp /lib64/libnspr4.so /var/named/chroot/lib64/
>> cp /lib64/libcrypt.so.1 /var/named/chroot/lib64/
>> cp /lib64/libfreebl3.so /var/named/chroot/lib64/
>>
>> mkdir /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libssl3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libsmime3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libnss3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libnssutil3.so /var/named/chroot/usr/lib64/
>> cp /usr/lib64/libsasl2.so.2 /var/named/chroot/usr/lib64/
>>
>> Now when I restart named, I get the below error in /var/log/messages.
>>
>> Does anyone have any ideas of the best way to get around this error?
>>
>> Feb 23 17:35:29 ds01 named[2425]: Failed to parse the principal name
>> DNS/ds01.example.com (Configuration file does not specify default realm)
>
> It should be
> DNS/ds01.example.com@EXAMPLE.COM

Oh of course.. what a face palm moment.

Where does the default IPA installation put the DNS keytab file?

I did notice an /etc/named.keytab was present, but placing that in
/var/named/chroot/etc didn't seem to improve matters.

> I do not know the exact reason but it might be that bind ldap driver
> can't locate its kerberos configuration.
> I hope it will give you a hint and unblock you before the real masters
> of DNS chime in.

I know this has been a rather long lasting RFE/bug/however you want to
label it.

https://fedorahosted.org/freeipa/ticket/126

If I make any progress I'll let the team know.

>> Thanks folks.
>>
>> Dale
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
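The thread stops at two open questions: which libraries the bind-dyndb-ldap driver needs inside the chroot (Dale's hand-copied list), and why named still cannot resolve its principal once the keytab is in place (Dmitri's guess: named, now chrooted, cannot read its Kerberos configuration). The script below is an added example, not code from the thread or from FreeIPA. It resolves the driver's transitive dependencies with ldd instead of a hand-kept list, copies /etc/krb5.conf and the keytab into the chroot, and then resolves the DNS principal against the krb5.conf *inside* the chroot, which is the file libkrb5 sees after chroot(2); a missing default_realm there reproduces the "Configuration file does not specify default realm" error. The paths /usr/lib64/bind/ldap.so, /etc/named.keytab, /var/named/chroot and the user name "named" are assumptions for illustration, as is the EXAMPLE.COM realm in the usage below.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): stage a bind chroot so
# that named, loaded with the bind-dyndb-ldap driver, finds its shared
# libraries, its Kerberos client configuration and its keytab after chrooting.
# Assumed paths (override via the environment): driver /usr/lib64/bind/ldap.so,
# keytab /etc/named.keytab, chroot /var/named/chroot, named runs as "named".
set -u

CHROOT="${CHROOT:-/var/named/chroot}"
PLUGIN="${PLUGIN:-/usr/lib64/bind/ldap.so}"
KEYTAB="${KEYTAB:-/etc/named.keytab}"
KRB5CONF="${KRB5CONF:-/etc/krb5.conf}"

# list_deps PATH: print the absolute path of every shared object PATH needs,
# transitively, as ldd resolves it ("libldap-2.4.so.2 => /lib64/... (0x..)").
# This replaces a hand-maintained copy list and picks up second-level
# dependencies such as libfreebl3.so that are easy to miss by hand.
list_deps() {
  ldd "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# stage_file SRC ROOT: copy SRC to ROOT/SRC, creating parent directories and
# keeping mode and timestamps. Copies rather than symlinks on purpose: a
# symlink whose target lies outside the chroot dangles once named has
# called chroot(2).
stage_file() {
  src="$1"; root="$2"
  mkdir -p "$root$(dirname "$src")"
  cp -p "$src" "$root$src"
}

# krb5_default_realm FILE: print default_realm from [libdefaults] in FILE,
# or nothing when it is not set or FILE is unreadable.
krb5_default_realm() {
  awk '
    /^[[:space:]]*\[/ { section = $0; gsub(/[^A-Za-z_]/, "", section) }
    section == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }' "$1" 2>/dev/null
}

# qualify_principal NAME KRB5CONF: print NAME as service/host@REALM. A NAME
# without a realm is completed from KRB5CONF; if neither supplies one the
# function fails, which is the state behind named's "Failed to parse the
# principal name ... (Configuration file does not specify default realm)".
qualify_principal() {
  name="$1"; conf="$2"
  case "$name" in
    *@?*) printf '%s\n' "$name"; return 0 ;;
  esac
  realm="$(krb5_default_realm "$conf")"
  [ -n "$realm" ] || return 1
  printf '%s@%s\n' "$name" "$realm"
}

# stage_chroot ROOT PLUGIN KEYTAB KRB5CONF: populate ROOT and verify that the
# principal named will use can be resolved from inside it.
stage_chroot() {
  root="$1"; plugin="$2"; keytab="$3"; conf="$4"
  for lib in $(list_deps "$plugin"); do
    stage_file "$lib" "$root"
  done
  stage_file "$conf" "$root"
  stage_file "$keytab" "$root"
  # The keytab carries a long-term key: readable by named only, inside the
  # chroot exactly as outside it.
  chown named: "$root$keytab"
  chmod 0600 "$root$keytab"
  # Resolve the principal against the krb5.conf inside the chroot, the one
  # libkrb5 will actually read once named has chrooted.
  principal="$(qualify_principal "DNS/$(hostname -f)" "$root$conf")" || {
    echo "no default_realm in $root$conf; configure DNS/$(hostname -f)@REALM explicitly" >&2
    return 1
  }
  echo "staged $root; named should authenticate as $principal"
}

# Example invocation: sh stage-bind-chroot.sh run   (as root, after ipa-server-install)
case "${1:-}" in
  run) stage_chroot "$CHROOT" "$PLUGIN" "$KEYTAB" "$KRB5CONF" ;;
esac
```

Two caveats a practitioner would want. ldd runs the target through the dynamic loader, so point it only at the distro's own driver, never at an untrusted binary; and copied libraries fall out of sync with the host on every update, so the copy step belongs in a post-update hook (or the libraries should be bind-mounted into the chroot) rather than being run once by hand. The realm check is deliberately done against the chroot's copy of krb5.conf: with the host's /etc/krb5.conf in place a `kinit -kt /etc/named.keytab DNS/ds01.example.com` succeeds from the shell, which says nothing about what named sees after it has chrooted.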
