Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-26 Thread Carl Perry
Bug 4210 was the problem, generating the key outside of the systemd
script solved the problem. This explains why the logs were empty, it
never got that far :)

  -Carl

On 06/26/2014 02:36 AM, Petr Spacek wrote:
> On 25.6.2014 22:12, Carl Perry wrote:
>> After some more digging, I've discovered that the error message was a
>> red herring. The SELinux stuff is working fine, the error message seems
>> to be saying that BIND cannot talk to LDAP. It's been difficult to track
>> down the exact error because BIND doesn't seem to be logging at all. I
>> found a link in the troubleshooting guide about debugging named not
>> starting [
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
>> and adding options to enable debugging but those do produce any logs
>> either.
>>
>> Launching named using the command you gave does cause named to launch,
>> but it cannot connect to the KDC or LDAP. This isn't surprising since
>> ipactl turns off all those services if named fails to start. The only
> I would recommend you to use
> $ ipactl -d start
> and see what exactly failed.
>
> Then you can manually copy & paste "systemctl" commands issued by
> ipactl one by one and start LDAP server, KDC and so on until you reach
> "named". Then you can use tricks from
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> to see where the problem is.
>
> Maybe you have encountered
> https://fedorahosted.org/freeipa/ticket/4210 , in that case it will
> help to run command
> $ /usr/libexec/generate-rndc-key.sh
> manually.
>
> This particular problem is fixed in upcoming 4.0 release.
>
> Feel free to send me logs privately if you need further assistance.
> Have a nice day!
>
> Petr^2 Spacek
>
>> errors I could find in the massive ipa-install.log were that BIND failed
>> to start at the end of the process. Everything else looked normal.
>>
>> Since I tried some commands with SELinux in Permissive mode, I wiped and
>> re-installed the VM from scratch with Fedora 19 and then again with
>> Fedora 20. Both yield the same results. I was going to try Centos 6.5,
>> but the FreeIPA version that shipped with that was older than I wanted
>> to use. When I did the re-install, I even reduced the size of the
>> directory admin password and the kdc admin password from 24chr to 18chr
>> to see if that would make a difference. I'm kind of at a loss how to
>> debug at this point, since even the debug logs either don't exist or
>> have no data in them. Any suggestions would be appreciated. I'm also
>> willing to upload log files someplace if someone with more experience
>> than I would like to look at them.
>>
>>-Carl
>>
>> On 06/25/2014 03:07 AM, Petr Spacek wrote:
>>> On 24.6.2014 21:40, Carl Perry wrote:
>>>> Whoops, let me send replies to the list. Sorry about that!
>>>>
>>>> It appears the problem is with named not starting. I did install the
>>>> required packages, but it looks like SELinux is getting in the way:
>>>>
>>>> [root@freeipa named]# named -f -d 255
>>>> isc_file_isplainfile 'data/named.run' failed: permission denied
>>>> [root@freeipa named]#
>>>>
>>>> It took some time digging through logs and startup scripts to find the
>>>> exact issue.
>>>
>>> Interesting.
>>>
>>> First of all, try to start named with "named -g -u named" and look for
>>> error messages. IMHO SELinux correctly prevents it from running under
>>> root account as it is undesirable.
>>>
>>> Also, it would be valuable to see error messages or AVCs from
>>> /var/log/audit/audit.log .
>>>
>>> Did you find any error in /var/log/ipaserver-install.log ?
>>>
>>> Petr^2 Spacek
>>>
>>>>   -Carl
>>>>
>>>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>>>> err
>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>>>
>>>>> of course
>>>>>
>>>>> Rob
>>>>>
>>>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>>>>>> I saw this in your log :
>>>>>>
>>>>>> Global DNS configuration in LDAP server is empty
>>>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>>>> would override settings in local named.conf files
>>>>>>
>>>>>> Did you install bind and bind-dyndb-ldap ?
>>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>>>
>>>>>> Just meddling around with ipa myself
>>>>>> Rob
>>>>>>
>>>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>>>>>> Hello!
>>>>>>>
>>>>>>> That is interesting. Do you have latest updates?
>>>>>>>
>>>>>>> Please see
>>>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>>>
>>>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>> If the web page doesn't cover your case please send us the log file
>>>>>>> mentioned in the error message.
>




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/fr
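
A pre-start check in the spirit of the advice in this message, as an added example that is not part of the original thread: it reports whether the rndc key that /usr/libexec/generate-rndc-key.sh is meant to create is present and not world-readable, and lists SELinux AVC denials for named from an audit log. The key path /etc/rndc.key, the function names and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed: the key path you pass in
# (commonly /etc/rndc.key) and the audit.log layout of the constructed sample.

# Print the state of an rndc key file:
#   missing | empty | no-secret | world-readable | ok
check_rndc_key() {
    f=$1
    if [ ! -e "$f" ]; then echo missing
    elif [ ! -s "$f" ]; then echo empty
    elif ! grep -Eq '^[[:space:]]*secret[[:space:]]+"[^"]+"' "$f"; then echo no-secret
    # -perm -004: "other" read bit set, so any local user could read the secret
    elif [ -n "$(find "$f" -prune -perm -004)" ]; then echo world-readable
    else echo ok
    fi
}

# Print "<permissions> <object name>" for each SELinux AVC denial whose
# comm is named, so a real denial is not confused with a red herring.
named_avc_denials() {
    awk '/type=AVC/ && /denied/ && /comm="named"/ {
        perm = $0
        sub(/.*denied *[{] */, "", perm)   # keep what follows the opening brace
        sub(/ *[}].*/, "", perm)           # cut at the closing brace
        name = "?"
        if (match($0, /name="[^"]*"/))
            name = substr($0, RSTART + 6, RLENGTH - 7)
        print perm, name
    }' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed key file; the secret is a placeholder, not a real key.
    printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "Q09OU1RSVUNURUQ=";\n};\n' > "$d/rndc.key"
    chmod 640 "$d/rndc.key"
    # Constructed audit records: one denial for named, one for another daemon.
    cat > "$d/audit.log" <<'EOF'
type=AVC msg=audit(1403640000.000:101): avc:  denied  { write } for  pid=2101 comm="named" name="named.run" dev="dm-0" ino=4001 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1403640001.000:102): avc:  denied  { read } for  pid=2102 comm="httpd" name="index.html" dev="dm-0" ino=4002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
    echo "present key: $(check_rndc_key "$d/rndc.key")"
    echo "absent key:  $(check_rndc_key "$d/absent.key")"
    echo "named AVCs:  $(named_avc_denials "$d/audit.log")"
    rm -rf "$d"
}
demo
```

On a real host the two functions would be pointed at the actual key file and at /var/log/audit/audit.log, run as root before starting named.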

Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-26 Thread Petr Spacek

On 25.6.2014 22:12, Carl Perry wrote:

> After some more digging, I've discovered that the error message was a
> red herring. The SELinux stuff is working fine, the error message seems
> to be saying that BIND cannot talk to LDAP. It's been difficult to track
> down the exact error because BIND doesn't seem to be logging at all. I
> found a link in the troubleshooting guide about debugging named not
> starting [
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
> and adding options to enable debugging but those do produce any logs either.
>
> Launching named using the command you gave does cause named to launch,
> but it cannot connect to the KDC or LDAP. This isn't surprising since
> ipactl turns off all those services if named fails to start. The only

I would recommend you to use
$ ipactl -d start
and see what exactly failed.

Then you can manually copy & paste "systemctl" commands issued by ipactl one 
by one and start LDAP server, KDC and so on until you reach "named". Then you 
can use tricks from

https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
to see where the problem is.

Maybe you have encountered https://fedorahosted.org/freeipa/ticket/4210 , in 
that case it will help to run command

$ /usr/libexec/generate-rndc-key.sh
manually.

This particular problem is fixed in upcoming 4.0 release.

Feel free to send me logs privately if you need further assistance. Have a 
nice day!


Petr^2 Spacek


> errors I could find in the massive ipa-install.log were that BIND failed
> to start at the end of the process. Everything else looked normal.
>
> Since I tried some commands with SELinux in Permissive mode, I wiped and
> re-installed the VM from scratch with Fedora 19 and then again with
> Fedora 20. Both yield the same results. I was going to try Centos 6.5,
> but the FreeIPA version that shipped with that was older than I wanted
> to use. When I did the re-install, I even reduced the size of the
> directory admin password and the kdc admin password from 24chr to 18chr
> to see if that would make a difference. I'm kind of at a loss how to
> debug at this point, since even the debug logs either don't exist or
> have no data in them. Any suggestions would be appreciated. I'm also
> willing to upload log files someplace if someone with more experience
> than I would like to look at them.
>
>    -Carl
>
> On 06/25/2014 03:07 AM, Petr Spacek wrote:
>> On 24.6.2014 21:40, Carl Perry wrote:
>>> Whoops, let me send replies to the list. Sorry about that!
>>>
>>> It appears the problem is with named not starting. I did install the
>>> required packages, but it looks like SELinux is getting in the way:
>>>
>>> [root@freeipa named]# named -f -d 255
>>> isc_file_isplainfile 'data/named.run' failed: permission denied
>>> [root@freeipa named]#
>>>
>>> It took some time digging through logs and startup scripts to find the
>>> exact issue.
>>
>> Interesting.
>>
>> First of all, try to start named with "named -g -u named" and look for
>> error messages. IMHO SELinux correctly prevents it from running under
>> root account as it is undesirable.
>>
>> Also, it would be valuable to see error messages or AVCs from
>> /var/log/audit/audit.log .
>>
>> Did you find any error in /var/log/ipaserver-install.log ?
>>
>> Petr^2 Spacek
>>
>>>   -Carl
>>>
>>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>>> err
>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>>
>>>> of course
>>>>
>>>> Rob
>>>>
>>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>>>>> I saw this in your log :
>>>>>
>>>>> Global DNS configuration in LDAP server is empty
>>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>>> would override settings in local named.conf files
>>>>>
>>>>> Did you install bind and bind-dyndb-ldap ?
>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>>
>>>>> Just meddling around with ipa myself
>>>>> Rob
>>>>>
>>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>>>>> Hello!
>>>>>>
>>>>>> That is interesting. Do you have latest updates?
>>>>>>
>>>>>> Please see
>>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>>
>>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> If the web page doesn't cover your case please send us the log file
>>>>>> mentioned in the error message.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-25 Thread Carl Perry
After some more digging, I've discovered that the error message was a
red herring. The SELinux stuff is working fine, the error message seems
to be saying that BIND cannot talk to LDAP. It's been difficult to track
down the exact error because BIND doesn't seem to be logging at all. I
found a link in the troubleshooting guide about debugging named not
starting [
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
and adding options to enable debugging but those do produce any logs either.

Launching named using the command you gave does cause named to launch,
but it cannot connect to the KDC or LDAP. This isn't surprising since
ipactl turns off all those services if named fails to start. The only
errors I could find in the massive ipa-install.log were that BIND failed
to start at the end of the process. Everything else looked normal.

Since I tried some commands with SELinux in Permissive mode, I wiped and
re-installed the VM from scratch with Fedora 19 and then again with
Fedora 20. Both yield the same results. I was going to try Centos 6.5,
but the FreeIPA version that shipped with that was older than I wanted
to use. When I did the re-install, I even reduced the size of the
directory admin password and the kdc admin password from 24chr to 18chr
to see if that would make a difference. I'm kind of at a loss how to
debug at this point, since even the debug logs either don't exist or
have no data in them. Any suggestions would be appreciated. I'm also
willing to upload log files someplace if someone with more experience
than I would like to look at them.

  -Carl

On 06/25/2014 03:07 AM, Petr Spacek wrote:
> On 24.6.2014 21:40, Carl Perry wrote:
>> Whoops, let me send replies to the list. Sorry about that!
>>
>> It appears the problem is with named not starting. I did install the
>> required packages, but it looks like SELinux is getting in the way:
>>
>> [root@freeipa named]# named -f -d 255
>> isc_file_isplainfile 'data/named.run' failed: permission denied
>> [root@freeipa named]#
>>
>> It took some time digging through logs and startup scripts to find the
>> exact issue.
>
> Interesting.
>
> First of all, try to start named with "named -g -u named" and look for
> error messages. IMHO SELinux correctly prevents it from running under
> root account as it is undesirable.
>
> Also, it would be valuable to see error messages or AVCs from
> /var/log/audit/audit.log .
>
> Did you find any error in /var/log/ipaserver-install.log ?
>
> Petr^2 Spacek
>
>>-Carl
>>
>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>> err
>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>
>>> of course
>>>
>>> Rob
>>>
>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>>>> I saw this in your log :
>>>>
>>>> Global DNS configuration in LDAP server is empty
>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>> would override settings in local named.conf files
>>>>
>>>> Did you install bind and bind-dyndb-ldap ?
>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>
>>>> Just meddling around with ipa myself
>>>> Rob
>>>>
>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>>>> Hello!
>>>>>
>>>>> That is interesting. Do you have latest updates?
>>>>>
>>>>> Please see
>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>
>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>> If the web page doesn't cover your case please send us the log file
>>>>> mentioned in the error message.
>





Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-25 Thread Petr Spacek

On 24.6.2014 21:40, Carl Perry wrote:

> Whoops, let me send replies to the list. Sorry about that!
>
> It appears the problem is with named not starting. I did install the
> required packages, but it looks like SELinux is getting in the way:
>
> [root@freeipa named]# named -f -d 255
> isc_file_isplainfile 'data/named.run' failed: permission denied
> [root@freeipa named]#
>
> It took some time digging through logs and startup scripts to find the
> exact issue.


Interesting.

First of all, try to start named with "named -g -u named" and look for error 
messages. IMHO SELinux correctly prevents it from running under root account 
as it is undesirable.


Also, it would be valuable to see error messages or AVCs from 
/var/log/audit/audit.log .


Did you find any error in /var/log/ipaserver-install.log ?

Petr^2 Spacek


>    -Carl
>
> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>> err
>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>> of course
>>
>> Rob
>>
>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>>> I saw this in your log :
>>>
>>> Global DNS configuration in LDAP server is empty
>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>> would override settings in local named.conf files
>>>
>>> Did you install bind and bind-dyndb-ldap ?
>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>
>>> Just meddling around with ipa myself
>>> Rob
>>>
>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>>> Hello!
>>>>
>>>> That is interesting. Do you have latest updates?
>>>>
>>>> Please see
>>>> http://www.freeipa.org/page/Troubleshooting
>>>>
>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>> If the web page doesn't cover your case please send us the log file
>>>> mentioned in the error message.




Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-24 Thread Carl Perry
Whoops, let me send replies to the list. Sorry about that!

It appears the problem is with named not starting. I did install the
required packages, but it looks like SELinux is getting in the way:

[root@freeipa named]# named -f -d 255
isc_file_isplainfile 'data/named.run' failed: permission denied
[root@freeipa named]#

It took some time digging through logs and startup scripts to find the
exact issue.

  -Carl

On 06/24/2014 02:13 PM, Rob Verduijn wrote:
> err
> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
> of course
>
> Rob
>
> 2014-06-24 21:12 GMT+02:00 Rob Verduijn :
>> I saw this in your log :
>>
>> 
>> Global DNS configuration in LDAP server is empty
>> You can use 'dnsconfig-mod' command to set global DNS options that
>> would override settings in local named.conf files
>> 
>>
>> Did you install bind and bind-dyndb-ldap ?
>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>
>> Just meddling around with ipa myself
>> Rob
>>
>> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>>> Hello!
>>>
>>> That is interesting. Do you have latest updates?
>>>
>>> Please see
>>> http://www.freeipa.org/page/Troubleshooting
>>>
>>>
>>>
>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>> If the web page doesn't cover your case please send us the log file
>>> mentioned in the error message.
>>>
>>> Have a nice day!
>>>
>>> --
>>> Petr^2 Spacek
>>>

Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-24 Thread Rob Verduijn
I saw this in your log :


Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files


Did you install bind and bind-dyndb-ldap ?
http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica

Just meddling around with ipa myself
Rob

2014-06-24 19:11 GMT+02:00 Petr Spacek :
> Hello!
>
> That is interesting. Do you have latest updates?
>
> Please see
> http://www.freeipa.org/page/Troubleshooting
>
>
>
> On 24.6.2014 18:41, Carl Perry wrote:
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>
> If the web page doesn't cover your case please send us the log file
> mentioned in the error message.
>
> Have a nice day!
>
> --
> Petr^2 Spacek
>


Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-24 Thread Rob Verduijn
err
http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
of course

Rob

2014-06-24 21:12 GMT+02:00 Rob Verduijn :
> I saw this in your log :
>
> 
> Global DNS configuration in LDAP server is empty
> You can use 'dnsconfig-mod' command to set global DNS options that
> would override settings in local named.conf files
> 
>
> Did you install bind and bind-dyndb-ldap ?
> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>
> Just meddling around with ipa myself
> Rob
>
> 2014-06-24 19:11 GMT+02:00 Petr Spacek :
>> Hello!
>>
>> That is interesting. Do you have latest updates?
>>
>> Please see
>> http://www.freeipa.org/page/Troubleshooting
>>
>>
>>
>> On 24.6.2014 18:41, Carl Perry wrote:
>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>
>> If the web page doesn't cover your case please send us the log file
>> mentioned in the error message.
>>
>> Have a nice day!
>>
>> --
>> Petr^2 Spacek
>>


Re: [Freeipa-users] Having difficulty installing on Fedora 20

2014-06-24 Thread Petr Spacek

Hello!

That is interesting. Do you have latest updates?

Please see
http://www.freeipa.org/page/Troubleshooting


On 24.6.2014 18:41, Carl Perry wrote:
> Unexpected error - see /var/log/ipaserver-install.log for details:

If the web page doesn't cover your case please send us the log file mentioned
in the error message.


Have a nice day!

--
Petr^2 Spacek
