[Freeipa-users] Having difficulty installing on Fedora 20

Petr Spacek pspacek at redhat.com
Thu Jun 26 07:36:36 UTC 2014


On 25.6.2014 22:12, Carl Perry wrote:
> After some more digging, I've discovered that the error message was a
> red herring. The SELinux stuff is working fine, the error message seems
> to be saying that BIND cannot talk to LDAP. It's been difficult to track
> down the exact error because BIND doesn't seem to be logging at all. I
> found a link in the troubleshooting guide about debugging named not
> starting [
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
> and adding options to enable debugging but those don't produce any logs either.
>
> Launching named using the command you gave does cause named to launch,
> but it cannot connect to the KDC or LDAP. This isn't surprising since
> ipactl turns off all those services if named fails to start. The only

I would recommend you to use
$ ipactl -d start
and see what exactly failed.

Then you can manually copy & paste "systemctl" commands issued by ipactl one 
by one and start LDAP server, KDC and so on until you reach "named". Then you 
can use tricks from
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
to see where the problem is.

Maybe you have encountered https://fedorahosted.org/freeipa/ticket/4210; in 
that case it will help to run the command
$ /usr/libexec/generate-rndc-key.sh
manually.

This particular problem is fixed in the upcoming 4.0 release.

Feel free to send me logs privately if you need further assistance. Have a 
nice day!

Petr^2 Spacek

> errors I could find in the massive ipa-install.log were that BIND failed
> to start at the end of the process. Everything else looked normal.
>
> Since I tried some commands with SELinux in Permissive mode, I wiped and
> re-installed the VM from scratch with Fedora 19 and then again with
> Fedora 20. Both yield the same results. I was going to try CentOS 6.5,
> but the FreeIPA version that shipped with that was older than I wanted
> to use. When I did the re-install, I even reduced the size of the
> directory admin password and the kdc admin password from 24chr to 18chr
> to see if that would make a difference. I'm kind of at a loss how to
> debug at this point, since even the debug logs either don't exist or
> have no data in them. Any suggestions would be appreciated. I'm also
> willing to upload log files someplace if someone with more experience
> than I would like to look at them.
>
>    -Carl
>
> On 06/25/2014 03:07 AM, Petr Spacek wrote:
>> On 24.6.2014 21:40, Carl Perry wrote:
>>> Whoops, let me send replies to the list. Sorry about that!
>>>
>>> It appears the problem is with named not starting. I did install the
>>> required packages, but it looks like SELinux is getting in the way:
>>>
>>> [root@freeipa named]# named -f -d 255
>>> isc_file_isplainfile 'data/named.run' failed: permission denied
>>> [root@freeipa named]#
>>>
>>> It took some time digging through logs and startup scripts to find the
>>> exact issue.
>>
>> Interesting.
>>
>> First of all, try to start named with "named -g -u named" and look for
>> error messages. IMHO SELinux correctly prevents it from running under
>> root account as it is undesirable.
>>
>> Also, it would be valuable to see error messages or AVCs from
>> /var/log/audit/audit.log .
>>
>> Did you find any error in /var/log/ipaserver-install.log ?
>>
>> Petr^2 Spacek
>>
>>>     -Carl
>>>
>>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>>> err
>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>>
>>>> of course
>>>>
>>>> Rob
>>>>
>>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn <rob.verduijn at gmail.com>:
>>>>> I saw this in your log :
>>>>>
>>>>> <snip>
>>>>> Global DNS configuration in LDAP server is empty
>>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>>> would override settings in local named.conf files
>>>>> <snip>
>>>>>
>>>>> Did you install bind and bind-dyndb-ldap ?
>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>>
>>>>>
>>>>> Just meddling around with ipa myself
>>>>> Rob
>>>>>
>>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek <pspacek at redhat.com>:
>>>>>> Hello!
>>>>>>
>>>>>> That is interesting. Do you have latest updates?
>>>>>>
>>>>>> Please see
>>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> If the web page doesn't cover your case please send us the log file
>>>>>> mentioned in the error message.
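
The thread asks for AVCs from /var/log/audit/audit.log; the following is an added example, not part of the original messages, showing one way to pull the SELinux denials for named out of that log and group them before sending them to the list. The sample records are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1403700000.101:310): avc:  denied  { write } for  pid=2101 comm="named" name="named.run" dev="dm-0" ino=131 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1403700000.101:310): arch=c000003e syscall=2 success=no exit=-13 comm="named" exe="/usr/sbin/named"
type=AVC msg=audit(1403700005.220:311): avc:  denied  { write } for  pid=2107 comm="named" name="named.run" dev="dm-0" ino=131 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=AVC msg=audit(1403700009.400:312): avc:  denied  { read open } for  pid=2200 comm="httpd" path="/tmp/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1403700011.050:313): avc:  denied  { name_connect } for  pid=2107 comm="named" dest=389 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

# Header of an AVC denial: timestamp, serial, permission set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = tuple(m.group("perms").split())
    fields["serial"] = int(m.group("serial"))
    return fields

def summarize_denials(text, comm="named"):
    """Count denials for one command, keyed by (perms, class, target context, target)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("comm") == comm:
            # Files carry name= or path=; socket denials carry dest= (port).
            target = rec.get("name") or rec.get("path") or rec.get("dest") or "?"
            counts[(rec["perms"], rec.get("tclass"), rec.get("tcontext"), target)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(n, key)
```

To run it against a real host, pass the contents of /var/log/audit/audit.log to `summarize_denials` instead of the sample string.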



