After some more digging, I've discovered that the error message was a
red herring. The SELinux stuff is working fine, the error message seems
to be saying that BIND cannot talk to LDAP. It's been difficult to track
down the exact error because BIND doesn't seem to be logging at all. I
found a link in the troubleshooting guide about debugging named not
starting [ ]
and adding options to enable debugging but those do produce any logs either.

Launching named using the command you gave does cause named to launch,
but it cannot connect to the KDC or LDAP. This isn't surprising since
ipactl turns off all those services if named fails to start. The only
errors I could find in the massive ipa-install.log were that BIND failed
to start at the end of the process. Everything else looked normal.

Since I tried some commands with SELinux in Permissive mode, I wiped and
re-installed the VM from scratch with Fedora 19 and then again with
Fedora 20. Both yield the same results. I was going to try Centos 6.5,
but the FreeIPA version that shipped with that was older than I wanted
to use. When I did the re-install, I even reduced the size of the
directory admin password and the kdc admin password from 24chr to 18chr
to see if that would make a difference. I'm kind of at a loss how to
debug at this point, since even the debug logs either don't exist or
have no data in them. Any suggestions would be appreciated. I'm also
willing to upload log files someplace if someone with more experience
than I would like to look at them.


On 06/25/2014 03:07 AM, Petr Spacek wrote:
> On 24.6.2014 21:40, Carl Perry wrote:
>> Whoops, let me send replies to the list. Sorry about that!
>> It appears the problem is with named not starting. I did install the
>> required packages, but it looks like SELinux is getting in the way:
>> [root@freeipa named]# named -f -d 255
>> isc_file_isplainfile 'data/' failed: permission denied
>> [root@freeipa named]#
>> It took some time digging through logs and startup scripts to find the
>> exact issue.
> Interesting.
> First of all, try to start named with "named -g -u named" and look for
> error messages. IMHO SELinux correctly prevents it from running under
> root account as it is undesirable.
> Also, it would be valuable to see error messages or AVCs from
> /var/log/audit/audit.log .
> Did you find any error in /var/log/ipaserver-install.log ?
> Petr^2 Spacek
>>    -Carl
>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>> err
>>> ofcourse
>>> Rob
>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn <>:
>>>> I saw this in your log :
>>>> <snip>
>>>> Global DNS configuration in LDAP server is empty
>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>> would override settings in local named.conf files
>>>> <snip>
>>>> Did you install bind and bind-dyndb-ldap ?
>>>> Just meddling around with ipa myself
>>>> Rob
>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek <>:
>>>>> Hello!
>>>>> That is interesting. Do you have latest updates?
>>>>> Please see
>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>> If the web page doesn't cover your case please send us the log file
>>>>> mentioned in the the error message.

Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to