Bug 815226

Summary: IPA server configuration fails with permission errors while accessing the file /var/log/dirsrv/slapd-PKI-IPA/errors
Product: Red Hat Enterprise Linux 6
Reporter: Kashyap Chamarthy <kchamart>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.3
CC: mkosek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-23 09:26:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Kashyap Chamarthy 2012-04-23 07:34:48 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2662

Description of problem:
IPA server configuration fails with permission errors while accessing the file /var/log/dirsrv/slapd-PKI-IPA/errors

================================================================
ipa-server-install --setup-dns --forwarder=w.x.y.z -r FOO.BAR.REDHAT.COM -p testpwd -P testpwd -a testpwd -U
.
.
.
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
[root@neptune ~]#
================================================================
=> /var/log/dirsrv/slapd-PKI-IPA/errors <==
[05/Apr/2012:08:37:50 +051800] - 389-Directory/1.2.10.2 B2012.081.1716 starting up
[05/Apr/2012:08:37:50 +051800] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[05/Apr/2012:08:37:50 +051800] attrcrypt - Key for cipher AES successfully generated and stored
[05/Apr/2012:08:37:51 +051800] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[05/Apr/2012:08:37:51 +051800] attrcrypt - Key for cipher 3DES successfully generated and stored
[05/Apr/2012:08:37:51 +051800] attrcrypt - No symmetric key found for cipher AES in backend ipaca, attempting to create one...
[05/Apr/2012:08:37:51 +051800] attrcrypt - Key for cipher AES successfully generated and stored
[05/Apr/2012:08:37:51 +051800] attrcrypt - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...
[05/Apr/2012:08:37:51 +051800] attrcrypt - Key for cipher 3DES successfully generated and stored
[05/Apr/2012:08:37:51 +051800] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[05/Apr/2012:08:37:51 +051800] - Listening on All Interfaces port 7390 for LDAPS requests
[05/Apr/2012:08:40:20 +051800] - LOGINFO: Unable to open access file:/var/log/dirsrv/slapd-PKI-IPA/access
(END) 
================================================================
[root@neptune ~]# tail /var/log/messages
Apr 23 06:24:27 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:24:27 neptune ns-slapd: Failed to open errors log file /var/log/dirsrv/slapd-PKI-IPA/errors: error 13 (Permission denied); Exiting...
Apr 23 06:24:27 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:24:27 neptune ns-slapd: Failed to open errors log file /var/log/dirsrv/slapd-PKI-IPA/errors: error 13 (Permission denied); Exiting...
Apr 23 06:24:27 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:24:28 neptune ns-slapd: Failed to open errors log file /var/log/dirsrv/slapd-PKI-IPA/errors: error 13 (Permission denied); Exiting...
Apr 23 06:24:28 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:24:28 neptune ns-slapd: Failed to open errors log file /var/log/dirsrv/slapd-PKI-IPA/errors: error 13 (Permission denied); Exiting...
Apr 23 06:24:28 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:27:32 neptune ntpd[4790]: synchronized to LOCAL(0), stratum 10
[root@neptune ~]# 
================================================================
[root@neptune ~]# ls -lZ /var/log/dirsrv/slapd-PKI-IPA/
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120325-100847
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120326-101101
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120327-101346
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120328-101832
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120329-101847
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120330-102101
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120331-102115
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120401-102328
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120402-102342
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 access.rotationinfo
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 audit
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 audit.rotationinfo
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 errors
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 errors.20111212-113946
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 errors.rotationinfo
================================================================
[root@neptune ~]# getenforce 
Enforcing
[root@neptune ~]# 
================================================================

Version-Release number of selected component (if applicable):

# rpm -q ipa-server
ipa-server-2.2.0-10.el6.x86_64
Steps to Reproduce:
1. Update to latest RHEL 6.3 and

2. # ipa-server-install --setup-dns --forwarder=w.x.y.z -r FOO.BAR.REDHAT.COM -p testpwd -P testpwd -a testpwd -U

Additional info:

Note from ab: nslapd is launched with different uid/gid/selinux context than what's configured on the files

Comment 2 Martin Kosek 2012-04-23 08:40:55 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2662

Comment 3 Kashyap Chamarthy 2012-04-23 09:26:08 UTC
I had a bad ownership of /var/log/dirsrv/slapd-PKI-IPA directory. This was a previously fixed bug (https://fedorahosted.org/freeipa/ticket/2423).

[root@neptune ~]# ll /var/log/dirsrv/
total 8
drwxrwx---. 2 pkiuser   memcached 4096 Apr  4 08:40 slapd-LAB-ENG-PNQ-REDHAT-COM
drwxrwx---. 2 memcached memcached 4096 Apr 23 08:14 slapd-PKI-IPA


With correct permissions, the server configuration proceeds fine. 

[root@neptune ~]# ll /var/log/dirsrv/
total 8
drwxrwx---. 2 dirsrv dirsrv 4096 Apr 23 08:36 slapd-LAB-ENG-PNQ-REDHAT-COM
drwxrwx---. 2 pkisrv dirsrv 4096 Apr 23 08:35 slapd-PKI-IPA
[root@neptune ~]# 


[root@neptune ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@neptune ~]# 

Closing this as NOTABUG
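The root cause identified in Comment 3 is an ownership mismatch: ns-slapd for the CA instance runs as pkisrv with group dirsrv (and the dirsrv_var_log_t SELinux type on its files), while /var/log/dirsrv/slapd-PKI-IPA had been left owned by memcached:memcached, so the daemon could not open its errors log and exited. The following Python script is an added example, not part of this bug report or of FreeIPA/389-ds. It parses the `ls -l` and `ls -lZ` listings pasted above and checks each entry against the ownership shown in the working configuration, and it can also scan a live /var/log/dirsrv. Assumptions: instances other than slapd-PKI-IPA are expected to be dirsrv:dirsrv (as in the fixed listing), the scan_live/stat_entry helpers are this example's own, and the final "errors" line in PKI_FILES is a constructed bad entry, not from the report.

```python
"""Check 389-ds (ns-slapd) log directories/files for the owner, group and
SELinux type the instance runs with. Added example, not from the bug report."""
import os
import re
import pwd
import grp
from collections import namedtuple

EXPECTED_OWNER = {"slapd-PKI-IPA": ("pkisrv", "dirsrv")}  # from the fixed listing
DEFAULT_OWNER = ("dirsrv", "dirsrv")          # assumption for other instances
EXPECTED_SETYPE = "dirsrv_var_log_t"          # type shown by `ls -lZ` in the report

Entry = namedtuple("Entry", "name owner group setype")

# `ls -l` line, e.g.: drwxrwx---. 2 memcached memcached 4096 Apr 23 08:14 slapd-PKI-IPA
LS_L = re.compile(
    r"^[dl-][rwxstST-]{9}[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")
# RHEL 6 `ls -lZ` line, e.g.: -rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 errors
LS_LZ = re.compile(
    r"^[dl-][rwxstST-]{9}[.+]?\s+(\S+)\s+(\S+)\s+[^:\s]+:[^:\s]+:([^:\s]+):\S+\s+(.+)$")


def parse_listing(text):
    """Turn pasted `ls -l` / `ls -lZ` output into Entry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("total "):
            continue
        m = LS_LZ.match(line)
        if m:
            entries.append(Entry(m.group(4), m.group(1), m.group(2), m.group(3)))
            continue
        m = LS_L.match(line)
        if m:
            entries.append(Entry(m.group(3), m.group(1), m.group(2), None))
    return entries


def check_entries(entries, instance=None):
    """Return mismatch descriptions. With instance=None each entry is itself an
    instance directory (a listing of /var/log/dirsrv); otherwise the entries
    are files inside the named instance directory."""
    problems = []
    for e in entries:
        owner, group = EXPECTED_OWNER.get(instance or e.name, DEFAULT_OWNER)
        if (e.owner, e.group) != (owner, group):
            problems.append("%s: owned by %s:%s, expected %s:%s"
                            % (e.name, e.owner, e.group, owner, group))
        if e.setype is not None and e.setype != EXPECTED_SETYPE:
            problems.append("%s: SELinux type %s, expected %s"
                            % (e.name, e.setype, EXPECTED_SETYPE))
    return problems


def stat_entry(path):
    """Build an Entry from a live path; setype is None when the
    security.selinux xattr is unavailable (non-SELinux host)."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    setype = None
    try:
        ctx = os.getxattr(path, "security.selinux").decode().rstrip("\0")
        setype = ctx.split(":")[2]
    except (OSError, IndexError, AttributeError):
        pass
    return Entry(os.path.basename(path), owner, group, setype)


def scan_live(parent="/var/log/dirsrv"):
    """Check every slapd-* instance directory under `parent` and its files."""
    problems = []
    for name in sorted(os.listdir(parent)):
        if not name.startswith("slapd-"):
            continue
        inst_dir = os.path.join(parent, name)
        problems += check_entries([stat_entry(inst_dir)])
        files = [stat_entry(os.path.join(inst_dir, f)) for f in sorted(os.listdir(inst_dir))]
        problems += check_entries(files, instance=name)
    return problems


# Listings copied from Comment 3: the broken and the corrected parent directory.
BROKEN_PARENT = """total 8
drwxrwx---. 2 pkiuser   memcached 4096 Apr  4 08:40 slapd-LAB-ENG-PNQ-REDHAT-COM
drwxrwx---. 2 memcached memcached 4096 Apr 23 08:14 slapd-PKI-IPA
"""
FIXED_PARENT = """total 8
drwxrwx---. 2 dirsrv dirsrv 4096 Apr 23 08:36 slapd-LAB-ENG-PNQ-REDHAT-COM
drwxrwx---. 2 pkisrv dirsrv 4096 Apr 23 08:35 slapd-PKI-IPA
"""
# Two `ls -lZ` lines from the description plus one CONSTRUCTED bad line
# (wrong owner and wrong SELinux type) so both checks fire.
PKI_FILES = """-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 audit
-rw-------. memcached memcached system_u:object_r:var_log_t:s0 errors
"""

if __name__ == "__main__":
    for label, text, inst in (("broken parent", BROKEN_PARENT, None),
                              ("fixed parent", FIXED_PARENT, None),
                              ("slapd-PKI-IPA files", PKI_FILES, "slapd-PKI-IPA")):
        print(label, check_entries(parse_listing(text), inst) or "OK")
```

Run as root on the affected host, `scan_live()` reports every instance directory or log file whose owner, group or SELinux type differs from what ns-slapd is started with, which is the condition behind the "error 13 (Permission denied)" lines in /var/log/messages above; the parsed-listing mode lets the same check be applied to output pasted into a ticket.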