Bug 1162340

Summary: ipa-server-install fails when restarting named
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.1
Status: CLOSED ERRATA
Severity: unspecified
Priority: medium
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Reporter: Namita Soman <nsoman>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Namita Soman <nsoman>
CC: jcholast, ksiddiqu, mbasti, mkosek, rcritten, sgoveas
Fixed In Version: ipa-4.1.0-5.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-03-05 10:14:35 UTC

Description Namita Soman 2014-11-10 21:11:29 UTC
Description of problem:

Installing ipa server after downgrading 389-ds-base to work around bz1158410 fails when restarting named

ipa-server-install fails with error:
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named
ipa         : ERROR    Named service failed to start (Command ''/bin/systemctl' 'restart' 'named.service'' returned non-zero exit status 1)
named service failed to start



New msg when doing a yum install ipa-server:
<..snip..>
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64                                                                                                                                                                                             1/1 
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64                                                                                                                                                                                             1/1 
<..snip..>

Uninstalled and reinstalled - still same error.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-4.el7.x86_64
bind-dyndb-ldap-6.0-1.el7.x86_64
389-ds-base-1.3.3.1-6.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1. Install ipa-server


Actual results:
Error as mentioned in description


Expected results:
successful install

Additional info:

# journalctl -b -u named
<..snip..>
Nov 10 15:46:00 beast.testrelm.test named[16067]: bind-dyndb-ldap version 6.0 compiled at 07:24:05 Sep 23 2014, compiler 4.8.3 20140911 (Red Hat 4.8.3-7)
Nov 10 15:46:00 beast.testrelm.test named[16067]: unable to open directory 'dyndb-ldap/ipa', working directory is '/var/named': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: LDAP config validation failed for database 'ipa': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: dynamic database 'ipa' configuration failed: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: loading configuration: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: exiting (due to fatal error)
Nov 10 15:46:00 beast.testrelm.test systemd[1]: named.service: control process exited, code=exited status=1
Nov 10 15:46:00 beast.testrelm.test systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
<..snip..>

# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. root root system_u:object_r:named_zone_t:s0 ipa

# ls -lZ /var/named/dyndb-ldap/ipa

nothing to list in this dir ^

Comment 1 Namita Soman 2014-11-10 21:13:27 UTC
From /var/log/ipaserver-install.log:

2014-11-10T21:09:47Z DEBUG Starting external process
2014-11-10T21:09:47Z DEBUG args='/bin/systemctl' 'enable' 'ipa.service'
2014-11-10T21:09:47Z DEBUG Process finished, return code=0
2014-11-10T21:09:47Z DEBUG stdout=
2014-11-10T21:09:47Z DEBUG stderr=ln -s '/usr/lib/systemd/system/ipa.service' '/etc/systemd/system/multi-user.target.wants/ipa.service'

2014-11-10T21:09:47Z DEBUG Starting external process
2014-11-10T21:09:47Z DEBUG args='/bin/systemctl' 'restart' 'ipa.service'
2014-11-10T21:09:54Z DEBUG Process finished, return code=1
2014-11-10T21:09:54Z DEBUG stdout=
2014-11-10T21:09:54Z DEBUG stderr=Job for ipa.service failed. See 'systemctl status ipa.service' and 'journalctl -xn' for details.

2014-11-10T21:09:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1296, in main
    services.knownservices.ipa.enable()

  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 163, in enable
    self.restart(instance_name)

  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 291, in restart
    capture_output=capture_output)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)

2014-11-10T21:09:54Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' returned non-zero exit status 1

Comment 3 Martin Bašti 2014-11-11 09:19:29 UTC
This directory should have owner named:named:

# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. root root system_u:object_r:named_zone_t:s0 ipa

Caused by:

<..snip..>
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64                                                                                                                                                                                             1/1 
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64                                                                                                                                                                                             1/1 
<..snip..>

I'm working on a fix.

Comment 6 Jan Cholasta 2014-11-11 18:28:29 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4716

Comment 9 Kaleem 2015-01-12 09:34:20 UTC
Verified.

IPA version:
============
[root@dhcp207-214 ~]# rpm -q ipa-server
ipa-server-4.1.0-13.el7.x86_64
[root@dhcp207-214 ~]# 

Permissions for the /var/named/dyndb-ldap/ipa directory are now correct:

[root@dhcp207-214 ~]# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. named named system_u:object_r:named_zone_t:s0 ipa
[root@dhcp207-214 ~]# ls -lZ /var/named/dyndb-ldap/ipa/
drwxrwx---. named named system_u:object_r:named_zone_t:s0 master
[root@dhcp207-214 ~]#
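
A check for the condition diagnosed in this report, given here as an added example that is not part of the original bug or of the FreeIPA code: it flags the rpm "does not exist - using root" fallback in transaction output and compares a directory's owner with the expected one. The function names are hypothetical, and the sample input is constructed from the yum lines quoted above with the padding shortened.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Read yum/rpm transaction output on stdin and print "user NAME" or
# "group NAME" for each account rpm could not resolve while unpacking.
# Files packaged for such an account end up owned by root instead.
rpm_root_fallbacks() {
    sed -nE 's/^warning: (user|group) ([^ ]+) does not exist - using root[[:space:]]*$/\1 \2/p' \
        | sort -u
}

# check_owner PATH USER GROUP
# Returns 0 if PATH is owned by USER:GROUP, 1 on mismatch (and reports it),
# 2 if PATH cannot be examined. Uses GNU stat, as found on RHEL.
check_owner() {
    path="$1"
    want="$2:$3"
    have=$(stat -c '%U:%G' -- "$path") || return 2
    if [ "$have" != "$want" ]; then
        echo "MISMATCH $path: owner is $have, expected $want"
        return 1
    fi
    return 0
}

# Constructed sample: the transaction lines from this report.
sample_yum_output() {
    cat <<'EOF'
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64    1/1
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64    1/1
EOF
}

# Show which accounts were missing at install time in the sample.
sample_yum_output | rpm_root_fallbacks

# On an IPA server, the directory from this report would be checked with:
#   check_owner /var/named/dyndb-ldap/ipa named named
```
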

Comment 11 errata-xmlrpc 2015-03-05 10:14:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html