Bug 4210 was the problem; generating the key outside of the systemd
script solved it. This explains why the logs were empty: it never got
that far :)


On 06/26/2014 02:36 AM, Petr Spacek wrote:
> On 25.6.2014 22:12, Carl Perry wrote:
>> After some more digging, I've discovered that the error message was a
>> red herring. The SELinux stuff is working fine, the error message seems
>> to be saying that BIND cannot talk to LDAP. It's been difficult to track
>> down the exact error because BIND doesn't seem to be logging at all. I
>> found a link in the troubleshooting guide about debugging named not
>> starting [
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
>> and adding options to enable debugging, but those don't produce any logs
>> either.
>> Launching named using the command you gave does cause named to launch,
>> but it cannot connect to the KDC or LDAP. This isn't surprising since
>> ipactl turns off all those services if named fails to start. The only
> I would recommend using
> $ ipactl -d start
> and see what exactly failed.
> Then you can manually copy & paste "systemctl" commands issued by
> ipactl one by one and start LDAP server, KDC and so on until you reach
> "named". Then you can use tricks from
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> to see where the problem is.
> Maybe you have encountered
> https://fedorahosted.org/freeipa/ticket/4210 , in that case it will
> help to run command
> $ /usr/libexec/generate-rndc-key.sh
> manually.
> This particular problem is fixed in upcoming 4.0 release.
> Feel free to send me logs privately if you need further assistance.
> Have a nice day!
> Petr^2 Spacek
>> errors I could find in the massive ipa-install.log were that BIND failed
>> to start at the end of the process. Everything else looked normal.
>> Since I tried some commands with SELinux in Permissive mode, I wiped and
>> re-installed the VM from scratch with Fedora 19 and then again with
>> Fedora 20. Both yield the same results. I was going to try CentOS 6.5,
>> but the FreeIPA version that shipped with that was older than I wanted
>> to use. When I did the re-install, I even reduced the size of the
>> directory admin password and the kdc admin password from 24chr to 18chr
>> to see if that would make a difference. I'm kind of at a loss how to
>> debug at this point, since even the debug logs either don't exist or
>> have no data in them. Any suggestions would be appreciated. I'm also
>> willing to upload log files someplace if someone with more experience
>> than I would like to look at them.
>>    -Carl
>> On 06/25/2014 03:07 AM, Petr Spacek wrote:
>>> On 24.6.2014 21:40, Carl Perry wrote:
>>>> Whoops, let me send replies to the list. Sorry about that!
>>>> It appears the problem is with named not starting. I did install the
>>>> required packages, but it looks like SELinux is getting in the way:
>>>> [root@freeipa named]# named -f -d 255
>>>> isc_file_isplainfile 'data/named.run' failed: permission denied
>>>> [root@freeipa named]#
>>>> It took some time digging through logs and startup scripts to find the
>>>> exact issue.
>>> Interesting.
>>> First of all, try to start named with "named -g -u named" and look for
>>> error messages. IMHO SELinux correctly prevents it from running under
>>> root account as it is undesirable.
>>> Also, it would be valuable to see error messages or AVCs from
>>> /var/log/audit/audit.log .
>>> Did you find any error in /var/log/ipaserver-install.log ?
>>> Petr^2 Spacek
>>>>     -Carl
>>>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>>>> err
>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>>> of course
>>>>> Rob
>>>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
>>>>>> I saw this in your log:
>>>>>> <snip>
>>>>>> Global DNS configuration in LDAP server is empty
>>>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>>>> would override settings in local named.conf files
>>>>>> <snip>
>>>>>> Did you install bind and bind-dyndb-ldap ?
>>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>>> Just meddling around with ipa myself
>>>>>> Rob
>>>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
>>>>>>> Hello!
>>>>>>> That is interesting. Do you have latest updates?
>>>>>>> Please see
>>>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>> If the web page doesn't cover your case please send us the log file
>>>>>>> mentioned in the the error message.
