This article is a possible resolution of the incident "Problems in FreeIPA operation"

Environment

Diagnostics

  • Check:

    • the status of the bind9-pkcs11 service:

      systemctl status bind9-pkcs11
      ● bind9-pkcs11.service - BIND Domain Name Server with native PKCS#11
      Loaded: loaded (/lib/systemd/system/bind9-pkcs11.service; disabled; vendor preset: enabled)
      Active: failed (Result: exit-code) since Thu 2020-08-06 08:17:49 +07; 4min 22s ago
      Docs: man:named(8)
      Process: 11511 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
      Process: 11463 ExecStart=/usr/sbin/named-pkcs11 -f -u bind (code=exited, status=1/FAILURE)
      Main PID: 11463 (code=exited, status=1/FAILURE)
      
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: bind-dyndb-ldap version 11.1, compiler 6.3.0 20170516
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: LDAP error: Invalid credentials: bind to LDAP server failed
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: couldn't establish connection in LDAP connection pool: permission denied
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: dynamic database 'ipa' configuration failed: permission denied
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg named-pkcs11[11463]: loading configuration: permission denied
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg systemd[1]: bind9-pkcs11.service: Main process exited, code=exited, status=1/FAILURE
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg rndc[11511]: rndc: connect failed: 127.0.0.1#953: connection refused
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg systemd[1]: bind9-pkcs11.service: Control process exited, code=exited status=1
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg systemd[1]: bind9-pkcs11.service: Unit entered failed state.
      авг 06 08:17:49 h054-ipa-01.mrg154.mrg systemd[1]: bind9-pkcs11.service: Failed with result 'exit-code'.

    • the contents of the file /etc/default/dirsrv:

      # This file is sourced by dirsrv upon startup to set
      # the default environment for all directory server instances.
      # To set instance specific defaults, use the file in the same
      # directory called dirsrv-instance where "instance"
      # is the name of your directory server instance e.g.
      # dirsrv-localhost for the slapd-localhost instance.
      
      # This file is in systemd EnvironmentFile format - see man systemd.exec
      
      # In order to make more file descriptors available to the directory server,
      # first make sure the system hard limits are raised, then use ulimit -
      # uncomment out the following line and change the value to the desired value
      #ulimit -n 8192
      # note - if using systemd, ulimit won't work -  you must edit the systemd unit
      # file for directory server to add the LimitNOFILE option - see "man
      # systemd.exec" for more info
      
      # A per instance keytab does not make much sense for servers.  Kerberos clients
      # use the machine FQDN to obtain a ticket like ldap/FQDN, there is nothing that
      # can make a client understand how to get a per-instance ticket.  Therefore by
      # default a keytab should be considered a per server option.
      #
      # Also this file is sourced for all instances, so again all instances would
      # ultimately get the same keytab.
      #
      # Finally a keytab is normally named either krb5.keytab or <service>.keytab
      #
      # In order to use SASL/GSSAPI (Kerberos) the directory server needs to know
      # where to find its keytab file - uncomment the following line and set the
      # path and filename appropriately.
      # If using systemd, omit the "; export VARNAME" at the end.
      #KRB5_KTNAME=/etc/dirsrv/myname.keytab ; export KRB5_KTNAME
      
      # How many seconds to wait for the startpid file to show up before we assume
      # there is a problem and fail to start.
      # If using systemd, omit the "; export STARTPID_TIME" at the end.
      #STARTPID_TIME=10 ; export STARTPID_TIME
      
      # How many seconds to wait for the pid file to show up before we assume there
      # is a problem and fail to start.
      # If using systemd, omit the "; export PID_TIME" at the end.
      #PID_TIME=600 ; export PID_TIME
      KRB5CCNAME=/tmp/krb5cc_110
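
The two checks above, scripted so they can be repeated against captured input (an added example, not part of the original article; the sample files and their contents below are constructed, and the function names are my own):

```shell
#!/bin/sh
# Added example: reproduce the "Diagnostics" checks against captured input.

# Print the uncommented VAR=value lines of a systemd EnvironmentFile such as
# /etc/default/dirsrv. The shipped file consists of comments only, so any
# output here deserves a second look (on the page above the only such line
# was KRB5CCNAME=/tmp/krb5cc_110).
dirsrv_active_settings() {
    grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" | sed 's/^[[:space:]]*//'
}

# Return 0 when a named-pkcs11 journal excerpt contains the LDAP bind failure
# shown in the article ("LDAP error: Invalid credentials"), 1 otherwise.
named_ldap_bind_failed() {
    grep -q 'named-pkcs11\[[0-9]*\]: LDAP error: Invalid credentials' "$1"
}

# --- constructed sample inputs (stand-ins for the real files on the host) ---
tmp=$(mktemp -d)
cat > "$tmp/dirsrv" <<'EOF'
# This file is sourced by dirsrv upon startup
#KRB5_KTNAME=/etc/dirsrv/myname.keytab ; export KRB5_KTNAME
KRB5CCNAME=/tmp/krb5cc_110
EOF
cat > "$tmp/dirsrv.clean" <<'EOF'
# This file is sourced by dirsrv upon startup
#KRB5_KTNAME=/etc/dirsrv/myname.keytab ; export KRB5_KTNAME
EOF
cat > "$tmp/journal" <<'EOF'
Aug 06 08:17:49 ipa-01 named-pkcs11[11463]: LDAP error: Invalid credentials: bind to LDAP server failed
Aug 06 08:17:49 ipa-01 systemd[1]: bind9-pkcs11.service: Failed with result 'exit-code'.
EOF

# Stand-alone usage: report what the checks find on the samples.
if named_ldap_bind_failed "$tmp/journal"; then
    echo "named-pkcs11 could not bind to LDAP; active settings in the dirsrv env file:"
    dirsrv_active_settings "$tmp/dirsrv"
fi
```

On a live host, feed the functions /etc/default/dirsrv and the output of `journalctl -u bind9-pkcs11` instead of the sample files.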

Solution


The answer is available with the "Technical Support" service connected.
