The problem is solved. The reason is that the path of the ExecStart program is 
incorrect in the /lib/systemd/system/ipa-otpd@.service file. The following 
changes are needed:
[Unit]
Description=ipa-otpd service

[Service]
EnvironmentFile=/etc/ipa/default.conf
ExecStart=/usr/lib/ipa-otpd $ldap_uri
StandardInput=socket
StandardOutput=socket
StandardError=syslog

change to

[Unit]
Description=ipa-otpd service

[Service]
EnvironmentFile=/etc/ipa/default.conf
ExecStart=/usr/lib/ipa/ipa-otpd $ldap_uri
StandardInput=socket
StandardOutput=socket
StandardError=syslog

Note: my system is Ubuntu.




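------------------
Best wishes:
    May your work go smoothly and your life be happy!
--------------------------
Changsha R&D Center, 郑磊
Phone: 18684703229
Email: zheng...@kylinos.cn
Company: Tianjin Kylin Information Technology Co., Ltd.
Address: 14th Floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan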
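
A check for the failure described in the message above, as an added example that is not part of the original e-mail or of FreeIPA: it extracts each ExecStart= program from a unit file and reports any that is missing or not executable, so a wrong path can be ruled out before SELinux is left in permissive mode. The function names, the optional root prefix and the sample tree are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: verify that ExecStart= programs named in a unit file exist.

# Print the program path of every ExecStart= line in unit file $1.
# Leading systemd prefix characters (-, @, :, +, !) are stripped.
execstart_paths() {
    sed -n 's/^[[:space:]]*ExecStart=[-@:+!]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Return 0 if every ExecStart program exists and is executable, 1 otherwise.
# $2 is an optional filesystem prefix (hypothetical helper argument) so the
# check can run against a staged tree instead of the live system.
check_unit() {
    unit=$1
    root=${2:-}
    rc=0
    for prog in $(execstart_paths "$unit"); do
        if [ -x "$root$prog" ] && [ ! -d "$root$prog" ]; then
            echo "ok      $unit: $prog"
        else
            echo "MISSING $unit: $prog"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed tree mirroring the thread: the daemon lives in
# /usr/lib/ipa/, one unit uses the old path and one uses the corrected path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib/ipa"
    printf '#!/bin/sh\n' > "$t/usr/lib/ipa/ipa-otpd"
    chmod +x "$t/usr/lib/ipa/ipa-otpd"
    printf '[Service]\nExecStart=/usr/lib/ipa-otpd $ldap_uri\n' > "$t/before.service"
    printf '[Service]\nExecStart=/usr/lib/ipa/ipa-otpd $ldap_uri\n' > "$t/after.service"
    echo "$t"
}

tree=$(make_sample_tree)
check_unit "$tree/before.service" "$tree" || echo "before.service needs its ExecStart path corrected"
check_unit "$tree/after.service" "$tree"
rm -rf "$tree"
```

On a live system, call `check_unit /lib/systemd/system/ipa-otpd@.service` with no second argument.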
 

 
 
 
------------------ Original ------------------
From:  "郑磊"<zheng...@kylinos.cn>;
Date:  Tue, Nov 8, 2016 10:43 AM
To:  "Fraser Tweedale"<ftwee...@redhat.com>; 
Cc:  "freeipa-devel"<freeipa-devel@redhat.com>; 
Subject:  Re: [Freeipa-devel] Configuring ipa-otpd error when selinux is enable

 
Thank you for your reply! I have already performed `setenforce 0` and the 
selinux mode is already permissive, but the problem still exists.





 

 
 
 
------------------ Original ------------------
From:  "Fraser Tweedale"<ftwee...@redhat.com>;
Date:  Tue, Nov 8, 2016 10:37 AM
To:  "郑磊"<zheng...@kylinos.cn>; 
Cc:  "freeipa-devel"<freeipa-devel@redhat.com>; 
Subject:  Re: [Freeipa-devel] Configuring ipa-otpd error when selinux is enable

 
On Tue, Nov 08, 2016 at 10:29:29AM +0800, 郑磊 wrote:
> Hello everyone,
> 
> I have successfully set up the FreeIPA environment on Ubuntu when SELinux is 
> disabled. But when SELinux is enabled, an error occurs while configuring 
> ipa-otpd. 
> 
> The ipaserver-install.log shows the following information:
> 2016-11-08T01:55:18Z DEBUG   [1/2]: starting ipa-otpd
> 2016-11-08T01:55:18Z DEBUG Starting external process
> 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl is-active ipa-otpd.socket
> 2016-11-08T01:55:18Z DEBUG Process finished, return code=3
> 2016-11-08T01:55:18Z DEBUG stdout=inactive
> 
> 2016-11-08T01:55:18Z DEBUG stderr=
> 2016-11-08T01:55:18Z DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-11-08T01:55:18Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-11-08T01:55:18Z DEBUG Starting external process
> 2016-11-08T01:55:18Z DEBUG args=/bin/systemctl restart ipa-otpd.socket
> 2016-11-08T01:55:18Z DEBUG Process finished, return code=1
> 2016-11-08T01:55:18Z DEBUG stdout=
> 2016-11-08T01:55:18Z DEBUG stderr=Job for ipa-otpd.socket failed. See 
> "systemctl status ipa-otpd.socket" and "journalctl -xe" for details.
> 
> 2016-11-08T01:55:18Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 447, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 437, in run_step
>     method()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 585, in __start
>     self.restart()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 347, in restart
>     self.service.restart(instance_name, capture_output=capture_output, 
> wait=wait)
>   File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 
> 301, in restart
>     skip_output=not capture_output)
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in 
> run
>     raise CalledProcessError(p.returncode, arg_string, str(output))
> CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned 
> non-zero exit status 1
> 
> 2016-11-08T01:55:18Z DEBUG   [error] CalledProcessError: Command 
> '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
> 2016-11-08T01:55:18Z DEBUG   File 
> "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in 
> execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 318, 
> in run
>     cfgr.run()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 310, in run
>     self.execute()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 332, in execute
>     for nothing in self._executor():
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 372, in __runner
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 362, in __runner
>     step()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 359, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, 
> in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, 
> in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 586, in _configure
>     next(executor)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 372, in __runner
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 449, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 446, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 394, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 362, in __runner
>     step()
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 
> 359, in <lambda>
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, 
> in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, 
> in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 
> 63, in _install
>     for nothing in self._installer(self.parent):
>   File 
> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 
> 1513, in main
>     install(self)
>   File 
> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 
> 267, in decorated
>     func(installer)
>   File 
> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 
> 944, in install
>     ipautil.realm_to_suffix(realm_name))
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 579, in create_instance
>     self.start_creation("Configuring %s" % self.service_name)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 447, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 437, in run_step
>     method()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 585, in __start
>     self.restart()
>   File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 
> 347, in restart
>     self.service.restart(instance_name, capture_output=capture_output, 
> wait=wait)
>   File "/usr/lib/python2.7/dist-packages/ipaplatform/base/services.py", line 
> 301, in restart
>     skip_output=not capture_output)
>   File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 479, in 
> run
>     raise CalledProcessError(p.returncode, arg_string, str(output))
> 
> 2016-11-08T01:55:18Z DEBUG The ipa-server-install command failed, exception: 
> CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned 
> non-zero exit status 1
> 2016-11-08T01:55:18Z ERROR Command '/bin/systemctl restart ipa-otpd.socket' 
> returned non-zero exit status 1
> 2016-11-08T01:55:18Z ERROR The ipa-server-install command failed. See 
> /var/log/ipaserver-install.log for more information
> 
> The ipa-otpd.socket status is as follows:
> root@ipaserver:~# systemctl status ipa-otpd.socket
> ● ipa-otpd.socket - ipa-otpd socket
>    Loaded: loaded (/lib/systemd/system/ipa-otpd.socket; disabled; vendor 
> preset: enabled)
>    Active: failed (Result: exit-code) since 二 2016-11-08 09:55:18 CST; 26min 
> ago
>    Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)
>  Accepted: 0; Connected: 0
>   Process: 19864 ExecStopPre=/usr/bin/unlink /var/run/krb5kdc/DEFAULT.socket 
> (code=exited, status=1/FAILURE)
> 
> 11月 08 09:55:18 ipaserver.test.com systemd[1]: Starting ipa-otpd socket.
> 11月 08 09:55:18 ipaserver.test.com unlink[19864]: /usr/bin/unlink: Unable to 
> remove '/var/run/krb5kdc/DEFAULT.socket' links: no such files or directories 
> 11月 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Control 
> process exited, code=exited status=1
> 11月 08 09:55:18 ipaserver.test.com systemd[1]: Failed to listen on ipa-otpd 
> socket.
> 11月 08 09:55:18 ipaserver.test.com systemd[1]: ipa-otpd.socket: Unit entered 
> failed state.
> I found that the file or directory is automatically created when 
> ipa-otpd.socket is started.
> 
> Can anyone help me?
> 
> Thank you!
> 
Thanks for reporting.  It is a known issue.  There is a ticket
against selinux-policy-targeted:
https://bugzilla.redhat.com/show_bug.cgi?id=1384872

Until it is resolved, you will have to `setenforce 0`.

Cheers,
Fraser