When installing an IPA server instance on a platform which installs the named keytab in a non-standard location (such as Debian), the installation fails.
This is due to the krb5_keytab directive not being used in the named configuration template, resulting in a failure to authenticate with the LDAP server once named starts up and tries to load dynamic DNS entries. The keytab is properly created in the overridden location, but if the directive is not specified, bind defaults to using /etc/bind/krb5.keytab which - in this configuration - does not exist.
The nonstandard location is the way it is on some platforms for various reasons, ranging from historical to philosophical - nevertheless, it is a configurable option that IPA seemingly supports but is currently broken.
ipa-install-server fails to configure a working instance. named fails to authenticate with the LDAP server.
ipa-install-server successfully configures a working instance. named authenticates successfully with the keytab in the nonstandard location.
freeipa-server 4.10.1 (testing on Debian)
I can't seem to edit the metadata of the issue, but on-review should be set to https://github.com/freeipa/freeipa/pull/6705
Modifications or additions to the server upgrade procedure should not be required, since existing installs would already either be using the default keytab path (and as such would not need the directive) or have manually configured it themselves (in which case their configuration shouldn't be altered).
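Added example, not FreeIPA's own code or the template from the linked PR: a small POSIX sh check for the failure mode described above. It reads a named.conf, works out which keytab bind-dyndb-ldap will open (the krb5_keytab value when the dyndb block has one, otherwise the Debian default /etc/bind/krb5.keytab quoted in the report) and reports whether that file actually exists. The two configs it builds are constructed fixtures; the module path, hostname, LDAP suffix and keytab location are assumptions, not values taken from this issue or from FreeIPA.

```shell
#!/bin/sh
# Added example (not FreeIPA code): given a named.conf, determine which keytab
# bind-dyndb-ldap will open and report whether it exists. With no krb5_keytab
# directive in the dyndb block, named falls back to its compiled-in default,
# which on Debian is /etc/bind/krb5.keytab (the path quoted in the issue).
# Sample configs below are constructed; hostnames, suffix and keytab path are
# made up for the demonstration.

DEFAULT_KEYTAB="/etc/bind/krb5.keytab"   # Debian build default, per the issue

# Print the keytab path named will use for the config file given as $1:
# the first krb5_keytab "..." directive if present, else the default.
effective_keytab() {
    conf="$1"
    path=$(sed -n 's/^[[:space:]]*krb5_keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    if [ -z "$path" ]; then
        printf '%s\n' "$DEFAULT_KEYTAB"
    else
        printf '%s\n' "$path"
    fi
}

# Return 0 when the keytab named will open is readable, 1 when it is missing
# (the situation in the issue: directive absent, default path absent).
check_keytab() {
    kt=$(effective_keytab "$1")
    if [ -r "$kt" ]; then
        printf 'ok: %s -> keytab %s present\n' "$1" "$kt"
        return 0
    fi
    printf 'FAIL: %s -> keytab %s missing; set krb5_keytab in the dyndb block\n' "$1" "$kt"
    return 1
}

# --- constructed fixtures (hypothetical paths and names) -------------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
KEYTAB_FILE="$WORKDIR/named.keytab"   # stand-in for the keytab the installer writes
: > "$KEYTAB_FILE"

# Template as the issue describes it: no krb5_keytab directive at all, so
# named will look for the default path, which does not exist here.
BROKEN_CONF="$WORKDIR/named.broken.conf"
cat > "$BROKEN_CONF" <<EOF
dyndb "ipa" "/usr/lib/bind/ldap.so" {
    uri "ldapi://%2frun%2fslapd-EXAMPLE-TEST.socket";
    base "cn=dns, dc=example,dc=test";
    server_id "ipa.example.test";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipa.example.test";
};
EOF

# Same block with the directive pointing at the overridden keytab location.
FIXED_CONF="$WORKDIR/named.fixed.conf"
cat > "$FIXED_CONF" <<EOF
dyndb "ipa" "/usr/lib/bind/ldap.so" {
    uri "ldapi://%2frun%2fslapd-EXAMPLE-TEST.socket";
    base "cn=dns, dc=example,dc=test";
    server_id "ipa.example.test";
    auth_method "sasl";
    sasl_mech "GSSAPI";
    sasl_user "DNS/ipa.example.test";
    krb5_keytab "$KEYTAB_FILE";
};
EOF

# Demonstration run: the broken config reports the missing default keytab,
# the fixed one finds the file.
check_keytab "$BROKEN_CONF" || true
check_keytab "$FIXED_CONF"
```

Pointed at the installed named.conf instead of the fixtures, check_keytab answers the question named-checkconf cannot: the syntax can be valid while the SASL/GSSAPI bind still fails at startup because the keytab named resolves to is not the one the installer wrote.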
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6705
master:
ipa-4-10:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)