On Tue, Nov 08, 2016 at 10:29:29AM +0800, 郑磊 wrote:
> Hello everyone,
>
> I have successfully set up the FreeIPA environment on Ubuntu when SELinux is
> disabled. But when SELinux is enabled, an error occurred while configuring
> ipa-otpd.
>
> The ipaserver-install.log shows the following information:
> 2016-11-08T01:55:18Z DEBUG [1/2]: starting ipa-otpd
> 2016-11-08T01:55:18Z DEBUG Starting external process
> 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl is-active ipa-otpd.socket
> 2016-11-08T01:55:18Z DEBUG Process finished, return code=3
> 2016-11-08T01:55:18Z DEBUG stdout=inactive
>
> 2016-11-08T01:55:18Z DEBUG stderr=
> 2016-11-08T01:55:18Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-11-08T01:55:18Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-11-08T01:55:18Z DEBUG Starting external process
> 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl restart ipa-otpd.socket
> 2016-11-08T01:55:18Z DEBUG Process finished, return code=1
> 2016-11-08T01:55:18Z DEBUG stdout=
> 2016-11-08T01:55:18Z DEBUG stderr=Job for ipa-otpd.socket failed. See "systemctl status ipa-otpd.socket" and "journalctl -xe" for details.
>
> 2016-11-08T01:55:18Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step
>     method()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 585, in __start
>     self.restart()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 347, in restart
>     self.service.restart(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 301, in restart
>     skip_output=not capture_output)
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in run
>     raise CalledProcessError(p.returncode, arg_string, str(output))
> CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
>
> 2016-11-08T01:55:18Z DEBUG [error] CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
> 2016-11-08T01:55:18Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, in run
>     cfgr.run()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 310, in run
>     self.execute()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 332, in execute
>     for nothing in self._executor():
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
>     step()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 586, in _configure
>     next(executor)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 372, in __runner
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 446, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 362, in __runner
>     step()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 359, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 63, in _install
>     for nothing in self._installer(self.parent):
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 1513, in main
>     install(self)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 267, in decorated
>     func(installer)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 944, in install
>     ipautil.realm_to_suffix(realm_name))
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 579, in create_instance
>     self.start_creation("Configuring %s" % self.service_name)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 447, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 437, in run_step
>     method()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 585, in __start
>     self.restart()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 347, in restart
>     self.service.restart(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 301, in restart
>     skip_output=not capture_output)
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in run
>     raise CalledProcessError(p.returncode, arg_string, str(output))
>
> 2016-11-08T01:55:18Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
> 2016-11-08T01:55:18Z ERROR Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
> 2016-11-08T01:55:18Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>
> The ipa-otpd.socket status is as follows:
> root@ipaserver:~# systemctl status ipa-otpd.socket
> ● ipa-otpd.socket - ipa-otpd socket
>    Loaded: loaded (/lib/systemd/system/ipa-otpd.socket; disabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since 二 2016-11-08 09:55:18 CST; 26min ago
>    Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)
>  Accepted: 0; Connected: 0
>   Process: 19864 ExecStopPre=/usr/bin/unlink /var/run/krb5kdc/DEFAULT.socket (code=exited, status=1/FAILURE)
>
> 11月 08 09:55:18 ipaserver.test.com systemd[1]: Starting ipa-otpd socket.
> 11月 08 09:55:18 ipaserver.test.com unlink[19864]: /usr/bin/unlink: Unable to remove '/var/run/krb5kdc/DEFAULT.socket' links: no such files or directories
> 11月 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Control process exited, code=exited status=1
> 11月 08 09:55:18 ipaserver.test.com systemd[1]: Failed to listen on ipa-otpd socket.
> 11月 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Unit entered failed state.
>
> I found that the file or directory is automatically created when
> ipa-otpd.socket is started.
>
> Can anyone help me?
>
> Thank you!
>

Thanks for reporting. It is a known issue. There is a ticket against
selinux-policy-targeted: https://bugzilla.redhat.com/show_bug.cgi?id=1384872
Until it is resolved, you will have to `setenforce 0`.

Cheers,
Fraser