Missing pointer to the keytab file for the dirsrv service
This article is a possible resolution for the incident: FreeIPA. Problems in the operation of services
Environment
Diagnostics
Check:

the status of the bind9-pkcs11 service:
systemctl status bind9-pkcs11

● bind9-pkcs11.service - BIND Domain Name Server with native PKCS#11
   Loaded: loaded (/lib/systemd/system/bind9-pkcs11.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-08-06 08:17:49 +07; 4min 22s ago
     Docs: man:named(8)
  Process: 11511 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
  Process: 11463 ExecStart=/usr/sbin/named-pkcs11 -f -u bind (code=exited, status=1/FAILURE)
 Main PID: 11463 (code=exited, status=1/FAILURE)

авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: bind-dyndb-ldap version 11.1, compiler 6.3.0 20170516
авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: LDAP error: Invalid credentials: bind to LDAP server failed
авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: couldn't establish connection in LDAP connection pool: permission denied
авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: dynamic database 'ipa' configuration failed: permission denied
авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: loading configuration: permission denied
авг 06 08:17:49 h054-ipa-01.mrg154.mrg systemd[1]: bind9-pkcs11.service: Main process exited, code=exited, status=1/FAILURE
авг 06 08:17:49 h054-ipa-01.mrg154.mrg rndc[11511]: rndc: connect failed: 127.0.0.1#953: connection refused
авг 06 08:17:49 h054-ipa-01.mrg154.mrg systemd[1]: bind9-pkcs11.service: Control process exited, code=exited status=1
авг 06 08:17:49 h054-ipa-01.mrg154.mrg systemd[1]: bind9-pkcs11.service: Unit entered failed state.
авг 06 08:17:49 h054-ipa-01.mrg154.mrg systemd[1]: bind9-pkcs11.service: Failed with result 'exit-code'.

the dirsrv environment file, in which the KRB5_KTNAME line is still commented out, so the directory server is not told where its keytab is:

# This file is sourced by dirsrv upon startup to set
# the default environment for all directory server instances.
# To set instance specific defaults, use the file in the same
# directory called dirsrv-instance where "instance"
# is the name of your directory server instance e.g.
# dirsrv-localhost for the slapd-localhost instance.
# This file is in systemd EnvironmentFile format - see man systemd.exec

# In order to make more file descriptors available to the directory server,
# first make sure the system hard limits are raised, then use ulimit -
# uncomment out the following line and change the value to the desired value
#ulimit -n 8192
# note - if using systemd, ulimit won't work - you must edit the systemd unit
# file for directory server to add the LimitNOFILE option - see "man
# systemd.exec" for more info

# A per instance keytab does not make much sense for servers. Kerberos clients
# use the machine FQDN to obtain a ticket like ldap/FQDN, there is nothing that
# can make a client understand how to get a per-instance ticket. Therefore by
# default a keytab should be considered a per server option.
#
# Also this file is sourced for all instances, so again all instances would
# ultimately get the same keytab.
#
# Finally a keytab is normally named either krb5.keytab or <service>.keytab
#
# In order to use SASL/GSSAPI (Kerberos) the directory server needs to know
# where to find its keytab file - uncomment the following line and set the
# path and filename appropriately.
# If using systemd, omit the "; export VARNAME" at the end.
#KRB5_KTNAME=/etc/dirsrv/myname.keytab ; export KRB5_KTNAME

# How many seconds to wait for the startpid file to show up before we assume
# there is a problem and fail to start.
# If using systemd, omit the "; export STARTPID_TIME" at the end.
#STARTPID_TIME=10 ; export STARTPID_TIME

# How many seconds to wait for the pid file to show up before we assume there
# is a problem and fail to start.
# If using systemd, omit the "; export PID_TIME" at the end.
#PID_TIME=600 ; export PID_TIME

KRB5CCNAME=/tmp/krb5cc_110
Solution
The answer is available with the "Technical Support" service connected.
Possible cause: there is no pointer to the keytab file for the dirsrv service.
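The check that the diagnostics section performs by eye (is there an active KRB5_KTNAME line in the dirsrv environment file, and does the keytab it names exist?) written as a small POSIX shell helper, so the possible cause stated above can be confirmed or ruled out on a host before opening a support case. This is an added example and is not part of the Astra Linux article; it assumes the environment file lives at /etc/default/dirsrv (Debian-based layout, overridable by argument), and the sample file it builds is constructed to mirror the article's output, where the keytab pointer is still commented out and only KRB5CCNAME is set.

```shell
#!/bin/sh
# Added example (not from the Astra Linux article): verify that the dirsrv
# environment file points the directory server at a Kerberos keytab.
# Assumption: the file is /etc/default/dirsrv (Debian-based layout); any other
# path can be passed as the first argument.
# Exit codes of check_dirsrv_keytab_env:
#   0 - an active KRB5_KTNAME line exists and the keytab it names is readable
#   1 - no active KRB5_KTNAME line (the state shown in the article's diagnosis)
#   2 - KRB5_KTNAME is set but the named file is missing or unreadable

# Print the value of the first uncommented KRB5_KTNAME=... line, or nothing.
# Lines starting with '#' (the stock "#KRB5_KTNAME=..." template) are ignored;
# a trailing "; export KRB5_KTNAME" (sysvinit form) and surrounding quotes are stripped.
dirsrv_keytab_path() {
    grep -E '^[[:space:]]*KRB5_KTNAME=' "$1" 2>/dev/null \
        | head -n 1 \
        | sed -E 's/^[[:space:]]*KRB5_KTNAME=//; s/[[:space:]]*;.*$//; s/^"(.*)"$/\1/'
}

check_dirsrv_keytab_env() {
    env_file="${1:-/etc/default/dirsrv}"
    keytab=$(dirsrv_keytab_path "$env_file")
    if [ -z "$keytab" ]; then
        echo "$env_file: no active KRB5_KTNAME line; dirsrv has no keytab for SASL/GSSAPI binds" >&2
        return 1
    fi
    if [ ! -r "$keytab" ]; then
        echo "$env_file: KRB5_KTNAME=$keytab, but that file is missing or unreadable" >&2
        return 2
    fi
    echo "$env_file: KRB5_KTNAME=$keytab (readable)"
    return 0
}

# Constructed sample file (not copied from a live host) reproducing the state
# in the article: the keytab pointer is still commented out, only KRB5CCNAME is set.
# Prints the directory that holds the sample "dirsrv" file.
make_sample_env() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/dirsrv" <<'EOF'
# This file is in systemd EnvironmentFile format - see man systemd.exec
#KRB5_KTNAME=/etc/dirsrv/myname.keytab ; export KRB5_KTNAME
#PID_TIME=600 ; export PID_TIME
KRB5CCNAME=/tmp/krb5cc_110
EOF
    echo "$sample_dir"
}

# Stand-alone run: the sample reproduces the article's situation and exits with 1.
demo_dir=$(make_sample_env)
check_dirsrv_keytab_env "$demo_dir/dirsrv" || echo "sample check failed with status $?"
rm -rf "$demo_dir"
```

To check a real host, call check_dirsrv_keytab_env with no argument (or with the path of the environment file if the distribution places it elsewhere); a status of 1 matches the article's possible cause, a status of 2 means the pointer was set but to a file dirsrv cannot read, which produces the same GSSAPI bind failures.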