Description of problem:
I am installing ipa-server (ipa-server-install -r AJS7 -n ajs7 --hostname=serwer.ajs7 --idstart=7000000 --no_hbac_allow --ssh-trust-dns --setup-dns --forwarder=62.179.1.62 --forwarder=62.179.1.63 --zonemgr=artur@....), and at one point this command configures my server station to act as a client, but this fails:

  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain ajs7 --server serwer.ajs7 --realm AJS7 --hostname serwer.ajs7 --ssh-trust-dns' returned non-zero exit status 1

So I started this command by hand:

# /usr/sbin/ipa-client-install --on-master --unattended --domain ajs7 --server serwer.ajs7 --realm AJS7 --hostname serwer.ajs7 --ssh-trust-dns
Hostname: serwer.ajs7
Realm: AJS7
DNS Domain: ajs7
IPA Server: serwer.ajs7
BaseDN: dc=ajs7
Domain ajs7 is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2565, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2551, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2349, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1103, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 712, in forward
    raise error(message=e.faultString)
ipalib.errors.NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-AJS7.socket':

In /var/log/ipaclient-install.log:

2013-10-03T17:37:24Z DEBUG approved_usage = SSL Server intended_usage = SSL Server
2013-10-03T17:37:24Z DEBUG cert valid True for "CN=serwer.ajs7,O=AJS7"
2013-10-03T17:37:24Z DEBUG handshake complete, peer = 10.0.0.254:443
2013-10-03T17:37:24Z DEBUG Caught fault 907 from server https://serwer.ajs7/ipa/xml: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-AJS7.socket':

Version-Release number of selected component (if applicable):
freeipa-client-3.3.1-1.fc20.i686

How reproducible:
Always

Steps to Reproduce:
1. configure ipa-server as mentioned above
2.
3.

Actual results:
as above

Expected results:
should work

Additional info:

Are you in SELinux enforcing mode? Can you see if there are any AVCs? ausearch -m AVC.

Yes, I am in enforcing mode, and there are AVCs:

# ausearch -m avc
----
time->Thu Oct 3 18:28:34 2013
type=SYSCALL msg=audit(1380817714.902:273): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b483d870 a2=b60ce000 a3=0 items=0 ppid=7884 pid=7907 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380817714.902:273): avc: denied { name_connect } for pid=7907 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
----
time->Thu Oct 3 19:37:24 2013
type=SYSCALL msg=audit(1380821844.920:281): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b483d870 a2=b60ce000 a3=0 items=0 ppid=7884 pid=7907 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380821844.920:281): avc: denied { name_connect } for pid=7907 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

Btw, I reported a bug related to these AVCs: #1015206

These AVCs are the reason for this failure. Note that there was a very similar case in Bug 1007606, in another distribution, but leading to exactly the same issue.

Fixing Bug 1015206 in selinux-policy will fix this bug as well. Closing as duplicate.

*** This bug has been marked as a duplicate of bug 1015206 ***
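
Added example, not part of the original bug thread: a small Python parser that turns `ausearch -m avc` records like the ones quoted above into one line per distinct denial (process, source type, target type, class, permission, port), which makes repeated denials easier to triage. The function names are hypothetical; the sample records are copied from the report.

```python
import re
from collections import Counter

# AVC records copied from the ausearch output quoted in the report above.
SAMPLE = """\
type=AVC msg=audit(1380817714.902:273): avc: denied { name_connect } for pid=7907 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1380821844.920:281): avc: denied { name_connect } for pid=7907 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

# "avc: denied { perm ... } for key=value ..." (whitespace between tokens varies)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return None if it holds no AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "dest": fields.get("dest"),  # may be absent; None in that case
    }


def summarize(text):
    """Count identical denials so repeats collapse into one finding."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["comm"], rec["source_type"], rec["target_type"],
                    rec["tclass"], rec["perms"], rec["dest"])] += 1
    return counts


if __name__ == "__main__":
    for (comm, src, tgt, cls, perms, dest), n in summarize(SAMPLE).items():
        print(f"{n}x {comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} dest={dest}")
```
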