Charles Hymes wrote:
Hi folks,
I'm having a real hard time debugging this.
I'm trying to do a new Fedora Directory Server+Kerberos install, on a new
Fedora 7 box. I can kinit, but I can't get ldapsearch or ldapwhoami to work
locally. I thought it was a read problem with the keytab files, but I tried
setting KRB5_KTNAME to a keytab file I knew was readable by slapd, and that
did not help. I also checked permissions on my certificates, and that seems
OK too. ldapsearch -x does work, but ldapsearch -Y GSSAPI does not.
I tried running strace on ldapwhoami, slapd and krb5kdc, but strace does not
show which resource is not accessible. Actually I'm surprised that strace
does not show any attempts to open the keytabs or anything in
/etc/openldap/cacerts...
I tried briefly making /etc/krb5.keytab world readable, it did not
change the "No such file" error.
The logs I check are /var/log/messages, slapd and krb5kdc.log. The logs do
not show the ldap client error. I DID see some SELinux errors for
krb5kdc_rcache and krb5.conf, but I ran restorecon and fixed those. This did
not stop the error. I guess I'll try turning SELinux off, and see if that
makes any difference.
Any help would be greatly appreciated :)
It depends on what version of FDS you are running. I believe that the
1.1 init file includes support for using /etc/sysconfig/dirsrv for
configuration.
If you are running 1.1 add this to /etc/sysconfig/dirsrv:
export KRB5_KTNAME=/path/to/fds.keytab
where fds.keytab holds the ldap/FQDN@REALM key.
If you are running 1.0 you'll need to update /etc/init.d/dirsrv and add
something like this at the top:
[ -r /etc/sysconfig/dirsrv ] && . /etc/sysconfig/dirsrv
rob
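The procedure rob describes, scripted as an added example (this is not code from the thread, from Fedora Directory Server or from its init scripts). It writes the `export KRB5_KTNAME=...` line into /etc/sysconfig/dirsrv without duplicating it on re-runs, inserts the `[ -r ... ] && . ...` guard into the 1.0 init script if it is missing, and before doing either checks what a practitioner would want checked: the keytab exists, is not world-readable (it is a credential, so 0600 owned by the service account), and, if `klist` is installed, actually holds the `ldap/FQDN@REALM` key. The service account name (`nobody`), the `hostname -f` call and the file paths as parameters are assumptions of this example, not statements from the page; slapd only sees the variable after a restart, because the environment is inherited at process start.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora Directory Server.
# Sets KRB5_KTNAME for slapd the way rob describes and sanity-checks the
# keytab first. File names are parameters so the functions can be run
# against temporary copies. DIRSRV_USER=nobody is an assumption.

SYSCONFIG=${SYSCONFIG:-/etc/sysconfig/dirsrv}
INITSCRIPT=${INITSCRIPT:-/etc/init.d/dirsrv}
DIRSRV_USER=${DIRSRV_USER:-nobody}   # assumed service account of slapd

# set_ktname FILE KEYTAB: leave FILE with exactly one
# "export KRB5_KTNAME=KEYTAB" line, replacing any earlier setting.
set_ktname() {
    file=$1; keytab=$2
    tmp="$file.tmp.$$"
    {
        [ -f "$file" ] && grep -v '^export KRB5_KTNAME=' "$file" || :
        printf 'export KRB5_KTNAME=%s\n' "$keytab"
    } > "$tmp" && mv "$tmp" "$file"
}

# get_ktname FILE: the value slapd will inherit once the init script
# does ". FILE" (sourced in a subshell so nothing leaks into this shell).
get_ktname() {
    case $1 in /*) f=$1 ;; *) f=./$1 ;; esac
    ( KRB5_KTNAME=; . "$f"; printf '%s\n' "$KRB5_KTNAME" )
}

# ensure_initscript_sources INITSCRIPT SYSCONFIG: the FDS 1.0 init script
# does not read /etc/sysconfig/dirsrv; add the guard line once, right
# after the "#!" line so it runs before slapd is started.
ensure_initscript_sources() {
    file=$1; cfg=$2
    line="[ -r $cfg ] && . $cfg"
    [ -s "$file" ] || { printf '%s\n' "$line" > "$file"; return 0; }
    grep -qF "$line" "$file" && return 0
    tmp="$file.tmp.$$"
    awk -v ins="$line" '
        NR == 1 && /^#!/ { print; print ins; next }
        NR == 1          { print ins }
                         { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_keytab KEYTAB: 0 if present, readable and not world-readable;
# 1 if missing or unreadable (the "No such file" case); 2 if too open.
check_keytab() {
    kt=$1
    [ -r "$kt" ] || { echo "keytab $kt: missing or not readable" >&2; return 1; }
    # 8th character of "ls -l" output is the other-read bit
    case $(ls -ld "$kt") in
        ???????r*)
            echo "keytab $kt is world-readable: chown $DIRSRV_USER, chmod 600" >&2
            return 2 ;;
    esac
    return 0
}

# principal_in_keytab KEYTAB PATTERN: confirm the ldap/FQDN@REALM key is
# really in the file. Needs klist (krb5-workstation); skipped if absent.
principal_in_keytab() {
    command -v klist >/dev/null 2>&1 || { echo "klist missing, skipped" >&2; return 0; }
    klist -kt "$1" | grep -q "$2"
}

# Usage: KEYTAB=/etc/dirsrv/fds.keytab sh fds-ktname.sh apply
if [ "${1:-}" = apply ]; then
    keytab=${KEYTAB:?set KEYTAB to the file holding ldap/FQDN@REALM}
    check_keytab "$keytab" || exit 1
    principal_in_keytab "$keytab" "ldap/$(hostname -f)@" || exit 1
    set_ktname "$SYSCONFIG" "$keytab"
    ensure_initscript_sources "$INITSCRIPT" "$SYSCONFIG"   # no-op on 1.1 if present
    echo "KRB5_KTNAME=$(get_ktname "$SYSCONFIG"); now restart slapd (service dirsrv restart)"
fi
```

Running it with `apply` on an FDS 1.1 box only touches /etc/sysconfig/dirsrv (the init script already sources it); on 1.0 it also patches /etc/init.d/dirsrv. Either way the variable takes effect only after slapd is restarted, and the keytab must be owned and readable by the account slapd runs as, not just by root.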