[Freeipa-users] Having difficulty installing on Fedora 20

Carl Perry caperry at spherecube.io
Thu Jun 26 14:14:33 UTC 2014


Bug 4210 was the problem; generating the key outside of the systemd
script solved the problem. This explains why the logs were empty: it
never got that far :)

  -Carl

On 06/26/2014 02:36 AM, Petr Spacek wrote:
> On 25.6.2014 22:12, Carl Perry wrote:
>> After some more digging, I've discovered that the error message was a
>> red herring. The SELinux stuff is working fine, the error message seems
>> to be saying that BIND cannot talk to LDAP. It's been difficult to track
>> down the exact error because BIND doesn't seem to be logging at all. I
>> found a link in the troubleshooting guide about debugging named not
>> starting [
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
>> and adding options to enable debugging but those do not produce any logs
>> either.
>>
>> Launching named using the command you gave does cause named to launch,
>> but it cannot connect to the KDC or LDAP. This isn't surprising since
>> ipactl turns off all those services if named fails to start. The only
> I would recommend you to use
> $ ipactl -d start
> and see what exactly failed.
>
> Then you can manually copy & paste "systemctl" commands issued by
> ipactl one by one and start LDAP server, KDC and so on until you reach
> "named". Then you can use tricks from
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> to see where the problem is.
>
> Maybe you have encountered
> https://fedorahosted.org/freeipa/ticket/4210 , in that case it will
> help to run command
> $ /usr/libexec/generate-rndc-key.sh
> manually.
>
> This particular problem is fixed in upcoming 4.0 release.
>
> Feel free to send me logs privately if you need further assistance.
> Have a nice day!
>
> Petr^2 Spacek
>
>> errors I could find in the massive ipa-install.log were that BIND failed
>> to start at the end of the process. Everything else looked normal.
>>
>> Since I tried some commands with SELinux in Permissive mode, I wiped and
>> re-installed the VM from scratch with Fedora 19 and then again with
>> Fedora 20. Both yield the same results. I was going to try Centos 6.5,
>> but the FreeIPA version that shipped with that was older than I wanted
>> to use. When I did the re-install, I even reduced the size of the
>> directory admin password and the kdc admin password from 24chr to 18chr
>> to see if that would make a difference. I'm kind of at a loss how to
>> debug at this point, since even the debug logs either don't exist or
>> have no data in them. Any suggestions would be appreciated. I'm also
>> willing to upload log files someplace if someone with more experience
>> than I would like to look at them.
>>
>>    -Carl
>>
>> On 06/25/2014 03:07 AM, Petr Spacek wrote:
>>> On 24.6.2014 21:40, Carl Perry wrote:
>>>> Whoops, let me send replies to the list. Sorry about that!
>>>>
>>>> It appears the problem is with named not starting. I did install the
>>>> required packages, but it looks like SELinux is getting in the way:
>>>>
>>>> [root@freeipa named]# named -f -d 255
>>>> isc_file_isplainfile 'data/named.run' failed: permission denied
>>>> [root@freeipa named]#
>>>>
>>>> It took some time digging through logs and startup scripts to find the
>>>> exact issue.
>>>
>>> Interesting.
>>>
>>> First of all, try to start named with "named -g -u named" and look for
>>> error messages. IMHO SELinux correctly prevents it from running under
>>> root account as it is undesirable.
>>>
>>> Also, it would be valuable to see error messages or AVCs from
>>> /var/log/audit/audit.log .
>>>
>>> Did you find any error in /var/log/ipaserver-install.log ?
>>>
>>> Petr^2 Spacek
>>>
>>>>     -Carl
>>>>
>>>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>>>> err
>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>>>
>>>>>
>>>>> of course
>>>>>
>>>>> Rob
>>>>>
>>>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn <rob.verduijn at gmail.com>:
>>>>>> I saw this in your log :
>>>>>>
>>>>>> <snip>
>>>>>> Global DNS configuration in LDAP server is empty
>>>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>>>> would override settings in local named.conf files
>>>>>> <snip>
>>>>>>
>>>>>> Did you install bind and bind-dyndb-ldap ?
>>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>>>
>>>>>>
>>>>>>
>>>>>> Just meddling around with ipa myself
>>>>>> Rob
>>>>>>
>>>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek <pspacek at redhat.com>:
>>>>>>> Hello!
>>>>>>>
>>>>>>> That is interesting. Do you have latest updates?
>>>>>>>
>>>>>>> Please see
>>>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>> If the web page doesn't cover your case please send us the log file
>>>>>>> mentioned in the error message.
>
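
The thread suggests checking /var/log/audit/audit.log for AVCs when named will not start. As an added example that is not part of the original thread, this Python filter groups SELinux denials for one process name so repeated denials collapse into one row. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in audit.log format (not taken from the thread).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1403640001.101:501): avc:  denied  { write } for  pid=2201 comm="named" name="named.run" dev="dm-0" ino=9001 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1403640001.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="named" exe="/usr/sbin/named"
type=AVC msg=audit(1403640002.202:502): avc:  denied  { write } for  pid=2201 comm="named" name="named.run" dev="dm-0" ino=9001 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=AVC msg=audit(1403640003.303:503): avc:  denied  { read } for  pid=2300 comm="httpd" name="secret" dev="dm-0" ino=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1403640004.404:504): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
'''

# One AVC record: result, permission set, process name, contexts, object class.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r'\bname="([^"]*)"')  # object name is optional in AVCs


def context_type(ctx):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize_denials(log_text, comm="named"):
    """Count denials for `comm`, keyed by
    (permission, class, object name, source type, target type)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or m["result"] != "denied" or m["comm"] != comm:
            continue  # skip SYSCALL records, grants and other processes
        name = NAME_RE.search(line)
        for perm in m["perms"].split():
            counts[(perm, m["tclass"], name.group(1) if name else "-",
                    context_type(m["scontext"]),
                    context_type(m["tcontext"]))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(n, *key)
```

An empty result for `named` supports the conclusion reached later in the thread that SELinux is not what is blocking the service.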

