On 25.6.2014 22:12, Carl Perry wrote:
After some more digging, I've discovered that the error message was a
red herring. The SELinux stuff is working fine, the error message seems
to be saying that BIND cannot talk to LDAP. It's been difficult to track
down the exact error because BIND doesn't seem to be logging at all. I
found a link in the troubleshooting guide about debugging named not
starting [
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
and adding options to enable debugging, but those don't produce any logs either.

Launching named using the command you gave does cause named to launch,
but it cannot connect to the KDC or LDAP. This isn't surprising since
ipactl turns off all those services if named fails to start. The only
I would recommend that you use
$ ipactl -d start
and see what exactly failed.

Then you can manually copy & paste the "systemctl" commands issued by ipactl one by one and start the LDAP server, the KDC and so on until you reach "named". Then you can use tricks from
to see where the problem is.

Maybe you have encountered https://fedorahosted.org/freeipa/ticket/4210 ; in that case it will help to run the command
$ /usr/libexec/generate-rndc-key.sh

This particular problem is fixed in upcoming 4.0 release.

Feel free to send me logs privately if you need further assistance. Have a nice day!

Petr^2 Spacek

errors I could find in the massive ipa-install.log were that BIND failed
to start at the end of the process. Everything else looked normal.

Since I tried some commands with SELinux in Permissive mode, I wiped and
re-installed the VM from scratch with Fedora 19 and then again with
Fedora 20. Both yield the same results. I was going to try CentOS 6.5,
but the FreeIPA version that shipped with that was older than I wanted
to use. When I did the re-install, I even reduced the size of the
directory admin password and the kdc admin password from 24 chars to 18 chars
to see if that would make a difference. I'm kind of at a loss how to
debug at this point, since even the debug logs either don't exist or
have no data in them. Any suggestions would be appreciated. I'm also
willing to upload log files someplace if someone with more experience
than I would like to look at them.


On 06/25/2014 03:07 AM, Petr Spacek wrote:
On 24.6.2014 21:40, Carl Perry wrote:
Whoops, let me send replies to the list. Sorry about that!

It appears the problem is with named not starting. I did install the
required packages, but it looks like SELinux is getting in the way:

[root@freeipa named]# named -f -d 255
isc_file_isplainfile 'data/named.run' failed: permission denied
[root@freeipa named]#

It took some time digging through logs and startup scripts to find the
exact issue.


First of all, try to start named with "named -g -u named" and look for
error messages. IMHO SELinux correctly prevents it from running under the
root account, as that is undesirable.

Also, it would be valuable to see error messages or AVCs from
/var/log/audit/audit.log .

Did you find any error in /var/log/ipaserver-install.log ?

Petr^2 Spacek


On 06/24/2014 02:13 PM, Rob Verduijn wrote:

2014-06-24 21:12 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
I saw this in your log :

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Did you install bind and bind-dyndb-ldap?

Just meddling around with ipa myself

2014-06-24 19:11 GMT+02:00 Petr Spacek <pspa...@redhat.com>:

That is interesting. Do you have the latest updates?

Please see

On 24.6.2014 18:41, Carl Perry wrote:
Unexpected error - see /var/log/ipaserver-install.log for details:
If the web page doesn't cover your case, please send us the log file
mentioned in the error message.
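Petr's suggestion earlier in the thread, to look for AVCs in /var/log/audit/audit.log while named refuses to start, is the kind of check that is easy to do badly by eyeballing the raw file. The script below is an added example for this thread; it is not code from FreeIPA, bind-dyndb-ldap or any of the posters. It parses AVC records, keeps only the denials for one process name (comm="named"), groups them by permission, object class, target SELinux type and object name, and tells a mislabeled file (target type is not one of BIND's own named_* types, fixed with restorecon) apart from a real policy denial (worth a look with ausearch and audit2allow). The audit records embedded in it are constructed for the example, not taken from the reporter's system, and the /var/named path in the relabel hint is an assumption.

```python
"""Triage SELinux AVC denials for one daemon (here: named) from audit.log text.

Added example for this thread; not code from FreeIPA, bind-dyndb-ldap or any
poster. The audit records below are constructed, not taken from the reporter's
system. The /var/named path used in the restorecon hint is an assumption.
"""
import re
from collections import Counter

# Constructed sample excerpt in the format of /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1403712345.123:456): avc:  denied  { read } for  pid=4242 comm="named" name="named.run" dev="dm-0" ino=131313 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1403712345.123:456): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=4242 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1403712346.001:457): avc:  denied  { write } for  pid=4242 comm="named" name="data" dev="dm-0" ino=131300 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1403712350.500:460): avc:  denied  { name_connect } for  pid=5151 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403712351.700:461): avc:  denied  { read } for  pid=4242 comm="named" name="named.run" dev="dm-0" ino=131313 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

# One AVC record per line: verdict, permission set, process name, optional
# object name, source/target security contexts and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'(?:.*?\bname="(?P<name>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avcs(text):
    """Return one dict per AVC record in the audit text, with the SELinux type
    split out of each context (user:role:type:level)."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other record types are skipped
        rec = m.groupdict()
        rec["perms"] = tuple(rec["perms"].split())
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records


def summarize(records, comm):
    """Count denials for one process name, keyed by
    (permission, object class, target type, object name)."""
    counts = Counter()
    for r in records:
        if r["comm"] != comm or r["verdict"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(perm, r["tclass"], r["ttype"], r["name"])] += 1
    return counts


def hint(key, comm="named", named_dir="/var/named"):
    """Heuristic next step for one summarized denial. BIND's own files carry
    named_* types (named_zone_t, named_cache_t, named_conf_t, ...); a named_t
    denial on a file or dir of any other type is usually a mislabeled object,
    not a policy gap. named_dir is an assumed path, not taken from the thread."""
    perm, tclass, ttype, name = key
    if tclass in ("file", "dir") and not ttype.startswith("named_"):
        return ("%s %r is labeled %s, not a named_* type: relabel with "
                "'restorecon -Rv %s' before touching policy"
                % (tclass, name, ttype, named_dir))
    return ("%s on %s denied by policy: review with "
            "'ausearch -m avc -c %s | audit2allow'" % (perm, tclass, comm))


def triage(text, comm="named"):
    """Parse, summarize and annotate; returns (key, count, hint) tuples,
    most frequent denial first."""
    counts = summarize(parse_avcs(text), comm)
    ordered = sorted(counts.items(), key=lambda kv: -kv[1])
    return [(key, n, hint(key, comm)) for key, n in ordered]


if __name__ == "__main__":
    for key, n, advice in triage(SAMPLE_AUDIT_LOG):
        perm, tclass, ttype, name = key
        print("%3dx denied %-12s %-6s %-16s %s" % (n, perm, tclass, ttype, name))
        print("     -> " + advice)
```

On a live system the same parser can be fed `ausearch -m avc -ts recent -c named` (or the raw audit.log), and the comm filter is what keeps unrelated denials, like the httpd record in the sample, out of the named triage.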

