[debian-lan-devel] Wheezy semi-successful convert

Andreas B. Mundt andi.mundt at web.de
Thu Feb 28 07:48:35 UTC 2013


Hi Julien,

On Wed, Feb 27, 2013 at 10:31:51PM +0100, Julien Lambot wrote:
[...]

>
> > > I finally installed wheezy and made a conversion.
> > >
> > > As is, I can say NFS, KDC are not OK yet. This will be checked right
> > > now.
> >
> > OK, looking forward to the reasons/problems ...
> >
>
> Here is the content of
> /var/log/fai/mainserver/softupdate-20130227_130645/error.log
>
> fai.log:/usr/bin/fai-class: WARNING. Following classes are defined multiple
> times:       2 DEBIAN
> fai.log:  404  Not Found [IP: 77.243.184.65 80]
> fai.log:W: Failed to fetch
> http://http.debian.net/debian-backports/dists/wheezy-backports/main/binary-amd64/Packages
> 404  Not Found [IP: 77.243.184.65 80]

Yes, wheezy backports does not exist yet, can be ignored ...

> fai.log:E: Some index files failed to download. They have been ignored, or
> old ones used instead.
> fai.log:The following packages have unmet dependencies:
> fai.log:Warning: The home dir /var/run/nslcd/ you specified can't be
> accessed: No such file or directory
> fai.log:! Warning: you may need to reload your webservice!
> fai.log:E: Some index files failed to download. They have been ignored, or
> old ones used instead.
>
> This one seems to explain the passwd problem for the various services. I
> don't remember that it has been asked (I didn't record the session...)
> fai.log:KDC_LDAP/10-slapd-KDC FAILED with exit code 127.
> fai.log:KDC_LDAP/10-slapd-KDC FAILED with exit code 127.
> shell.log:ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> shell.log:./KDC_LDAP/10-slapd-KDC: line 68: dialog: command not found
> shell.log:./KDC_LDAP/10-slapd-KDC: line 71: dialog: command not found

Ouch!  Ah, it's clear what happened:  'dialog' is missing!  I forgot to
add that in the wiki (I did that in debian/README.Debian in git).
Before a conversion, you need to run:

	 aptitude -R install fai-server dialog git

                   (dialog was missing) ^^^^^^.

> shell.log:KDC_LDAP/10-slapd-KDC FAILED with exit code 127.
> shell.log:ln: failed to create symbolic link `//media/cdrom/cdrom0': File
> exists
> shell.log:mv: cannot stat `//etc/icinga/objects/localhost_icinga.cfg': No
> such file or directory
> shell.log:ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> shell.log:./KDC_LDAP/10-slapd-KDC: line 68: dialog: command not found
> shell.log:./KDC_LDAP/10-slapd-KDC: line 71: dialog: command not found
> shell.log:KDC_LDAP/10-slapd-KDC FAILED with exit code 127.
> status.log:KDC_LDAP/10-slapd-KDC FAILED with exit code 127.
> status.log:KDC_LDAP/10-slapd-KDC FAILED with exit code 127.
>

This makes the most important part, KDC_LDAP/10-slapd-KDC fail.
All other warnings can probably be ignored. I cannot remember the
DEBIAN defined twice warning ... can probably be ignored for now.

> >
> > > I will also need to integrate:
> > > - samba because of windows clients.
> > > - ddclient (or alike) because of ... well, budget considerations.
> > > - ldaps
> > >
> >
> > OK, samba is a good point. LDAP is kerberized via GSSAPI and uses TLS
> > already, so no need to use ldaps.
> >
>
> Right, I saw afterward that it was configured with TLS. That's fine!
> Though, having recently made a setup of openldap/tls/samba, I saw the
> config of openldap was a bit changed. It now uses ldif.
> Are you interested in defining the configuration following this method?
> Config space in ldap DB will become the new standard (I read that in
> wiki.debian.org somewhere)

Usually, after setting up ldap, the configuration is converted to live
within the DB (slaptest -v -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d).
Failed probably because 10-slapd-KDC broke.  So the first step for
this conversion is already there.  I have kept slapd.conf as it's
easier to understand (perhaps until one gets used to the new scheme).

> If yes, I will collect the config files I used and look at your scripts.
>
>
> > > The only question I have right now is, what is the default gosa's admin
> > > password?
> >
> > You should have been asked for a password for 'admin' during
> > installation.  Use 'admin' and that password for login into GOsa.
> >
>
> unfortunately not, or I missed it.
>

Yeah, you cannot have been asked without dialog ... :-(

>
> >
> > > There is one in /root/installation/LDAPadminPWD but it is not accepted.
> > > Pardon me if I missed the information somewhere.
> >
> > This is the password of the LDAP admin, try:
> >
> >      ldapvi -ZZ -D cn=admin,dc=intern -w `cat
> > /root/installation/LDAPadminPWD`
> >
> > It is used for the ldapscripts i.e. the debian-lan command and GOsa's
> > internal access to LDAP.  Usually you should not need it (anymore), and
> > anything should be done with the admin password and kerberos (except
> > GOsa login, where no Kerberos is used (but the same password)).
> >
>
> I will try that.
> Otherwise, is it possible to launch the scripts again manually from the
> "converted" server or do I need to reinstall from scratch?

This is not easy, but it is possible.  You have to make sure that you
remove the LDAP database, and perhaps some other things (depends if
you have already set up the chroots ...).  Take a look
at KDC_LDAP/10-slapd-KDC:

## Stop now, if LDAP database is already present:
if [ -f /var/lib/ldap/__db.001 ] ;  then
    echo "The LDAP data base is not empty, stopping. "
    echo "To initialize a brand new LDAP+KDC: "
    echo "rm /var/lib/ldap/__db* /var/lib/ldap/*.bdb"
    echo "rm /etc/krb5kdc/stash /etc/krb5.keytab*"
    exit 0
fi

I'm not sure if this is sufficient, but worth a try ...
If you have not modified much up to now, consider reinstalling, as LDAP
and KDC are of course the most central and involved components of the
system.

> Thereby, I suppose that if I change mainserver.intern to whatever.domain, I
> will need to adapt the whole ldap config and directory accordingly?

Yes.  'mainserver' and 'intern' are kind of hardcoded.  It should be
possible to use variables for hostname and domain, however.  But that
has not been done yet.

> > I hope they are useful.  Please report all problems, that's pretty
> > appreciated!  I might live in my filter bubble already, so it's great
> > to have some input from someone else.
> >
>
> They are!
> I will do. As I told you, I'm very interested in the project and will do my
> best to help out.

Great!

Best regards,

     Andi (who is a bit short in time right now ...)
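As an added example (not part of debian-lan or of this thread), a POSIX sh pre-flight check that combines the two points discussed above: the tools that must be installed before a conversion (dialog being the one that broke 10-slapd-KDC), and the guard at the top of KDC_LDAP/10-slapd-KDC that refuses to initialize when an LDAP database is already present. The tool names and the paths /var/lib/ldap and /etc/krb5kdc are taken from the mail; the function names are invented for this example.

```shell
#!/bin/sh
# Pre-flight check before a debian-lan conversion or a re-run of
# KDC_LDAP/10-slapd-KDC.  Added example, not part of the debian-lan scripts.
# Tool names and paths come from the mail; the function names are invented.

# Succeeds if every command given as an argument is on PATH; otherwise
# prints the missing ones and returns 1 (dialog was the culprit above).
missing_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] && return 0
    echo "missing tools:$missing"
    return 1
}

# Mirrors the guard at the top of 10-slapd-KDC: succeeds only when the LDAP
# data directory ($1) and the KDC directory ($2) carry no state yet.  If
# state exists it prints what the script tells you to remove and returns 1.
# Both directories are parameters so the check can run against a test tree.
ldap_kdc_state() {
    ldapdir=$1
    kdcdir=$2
    state=""
    [ -f "$ldapdir/__db.001" ] && state="$state ldap-db"
    [ -f "$kdcdir/stash" ] && state="$state kdc-stash"
    [ -z "$state" ] && return 0
    echo "existing state:$state"
    echo "to initialize a brand new LDAP+KDC:"
    echo "  rm $ldapdir/__db* $ldapdir/*.bdb"
    echo "  rm $kdcdir/stash /etc/krb5.keytab*"
    return 1
}

# Run both checks against the live system; returns 1 if either fails.
preflight() {
    rc=0
    missing_tools dialog git slaptest || rc=1
    ldap_kdc_state /var/lib/ldap /etc/krb5kdc || rc=1
    return $rc
}

# Stand-alone use: PREFLIGHT_RUN=1 sh preflight.sh
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    preflight
fi
```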


