Bug 1162340 - ipa-server-install fails when restarting named
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
7.1
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
 
Reported: 2014-11-10 16:11 EST by Namita Soman
Modified: 2015-03-05 05:14 EST
Fixed In Version: ipa-4.1.0-5.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 05:14:35 EST
Type: Bug


External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2015:0442
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security, bug fix, and enhancement update
Last Updated: 2015-03-05 09:50:39 EST

Description Namita Soman 2014-11-10 16:11:29 EST
Description of problem:

Installing ipa server after downgrading 389-ds-base to work around bz1158410 fails when restarting named

ipa-server-install fails with error:
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named
ipa         : ERROR    Named service failed to start (Command ''/bin/systemctl' 'restart' 'named.service'' returned non-zero exit status 1)
named service failed to start



New msg when doing a yum install ipa-server:
<..snip..>
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64                                                                                                                                                                                             1/1 
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64                                                                                                                                                                                             1/1 
<..snip..>

Uninstalled and reinstalled - still same error.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-4.el7.x86_64
bind-dyndb-ldap-6.0-1.el7.x86_64
389-ds-base-1.3.3.1-6.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1. Install ipa-server


Actual results:
Error as mentioned in description


Expected results:
successful install

Additional info:

# journalctl -b -u named
<..snip..>
Nov 10 15:46:00 beast.testrelm.test named[16067]: bind-dyndb-ldap version 6.0 compiled at 07:24:05 Sep 23 2014, compiler 4.8.3 20140911 (Red Hat 4.8.3-7)
Nov 10 15:46:00 beast.testrelm.test named[16067]: unable to open directory 'dyndb-ldap/ipa', working directory is '/var/named': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: LDAP config validation failed for database 'ipa': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: dynamic database 'ipa' configuration failed: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: loading configuration: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: exiting (due to fatal error)
Nov 10 15:46:00 beast.testrelm.test systemd[1]: named.service: control process exited, code=exited status=1
Nov 10 15:46:00 beast.testrelm.test systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
<..snip..>

# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. root root system_u:object_r:named_zone_t:s0 ipa

# ls -lZ /var/named/dyndb-ldap/ipa

nothing to list in this dir ^
Comment 1 Namita Soman 2014-11-10 16:13:27 EST
From /var/log/ipaserver-install.log:

2014-11-10T21:09:47Z DEBUG Starting external process
2014-11-10T21:09:47Z DEBUG args='/bin/systemctl' 'enable' 'ipa.service'
2014-11-10T21:09:47Z DEBUG Process finished, return code=0
2014-11-10T21:09:47Z DEBUG stdout=
2014-11-10T21:09:47Z DEBUG stderr=ln -s '/usr/lib/systemd/system/ipa.service' '/etc/systemd/system/multi-user.target.wants/ipa.service'

2014-11-10T21:09:47Z DEBUG Starting external process
2014-11-10T21:09:47Z DEBUG args='/bin/systemctl' 'restart' 'ipa.service'
2014-11-10T21:09:54Z DEBUG Process finished, return code=1
2014-11-10T21:09:54Z DEBUG stdout=
2014-11-10T21:09:54Z DEBUG stderr=Job for ipa.service failed. See 'systemctl status ipa.service' and 'journalctl -xn' for details.

2014-11-10T21:09:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1296, in main
    services.knownservices.ipa.enable()

  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 163, in enable
    self.restart(instance_name)

  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 291, in restart
    capture_output=capture_output)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)

2014-11-10T21:09:54Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' returned non-zero exit status 1
Comment 3 Martin Bašti 2014-11-11 04:19:29 EST
This directory should have owner named:named:

# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. root root system_u:object_r:named_zone_t:s0 ipa

Caused by:

<..snip..>
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64                                                                                                                                                                                             1/1 
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64                                                                                                                                                                                             1/1 
<..snip..>

I'm working on a fix.
Comment 6 Jan Cholasta 2014-11-11 13:28:29 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4716
Comment 9 Kaleem 2015-01-12 04:34:20 EST
Verified.

IPA version:
============
[root@dhcp207-214 ~]# rpm -q ipa-server
ipa-server-4.1.0-13.el7.x86_64
[root@dhcp207-214 ~]# 

Permissions are now correct for the /var/named/dyndb-ldap/ipa directory:

[root@dhcp207-214 ~]# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. named named system_u:object_r:named_zone_t:s0 ipa
[root@dhcp207-214 ~]# ls -lZ /var/named/dyndb-ldap/ipa/
drwxrwx---. named named system_u:object_r:named_zone_t:s0 master
[root@dhcp207-214 ~]#
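
The cause given in comment 3 and the manual check in comment 9 can be scripted; this is an added example, not part of the bug report or of FreeIPA. The function names `rpm_owner_fallbacks` and `check_owner` are hypothetical, the sample warnings are copied from the yum transcript above, and `stat -c` and `getent` are assumed to be available as on RHEL.

```bash
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# List every account rpm could not resolve during a transaction.
# Reads yum/rpm output on stdin, prints "user NAME" or "group NAME".
rpm_owner_fallbacks() {
    sed -nE 's/^warning: (user|group) ([^ ]+) does not exist - using root[[:space:]]*$/\1 \2/p' |
        sort -u
}

# Compare a path's owner and group with the expected account names.
# Returns 0 = match, 1 = wrong owner/group, 2 = account missing,
# 3 = path missing.
check_owner() {
    local path="$1" user="$2" group="$3" want_uid want_gid have
    [ -e "$path" ] || { echo "MISSING $path"; return 3; }
    want_uid=$(id -u "$user" 2>/dev/null) ||
        { echo "NOACCOUNT user $user"; return 2; }
    want_gid=$(getent group "$group" | cut -d: -f3)
    [ -n "$want_gid" ] || { echo "NOACCOUNT group $group"; return 2; }
    have=$(stat -c '%u:%g' "$path")
    if [ "$have" = "$want_uid:$want_gid" ]; then
        echo "OK $path"
        return 0
    fi
    echo "MISMATCH $path is $(stat -c '%U:%G' "$path"), expected $user:$group"
    return 1
}

# Constructed sample: the two warnings from the yum transcript on this page.
SAMPLE='warning: user named does not exist - using root
warning: group named does not exist - using root'

printf '%s\n' "$SAMPLE" | rpm_owner_fallbacks
# Path and accounts are the ones named in the report.
check_owner /var/named/dyndb-ldap/ipa named named || true
```
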
Comment 11 errata-xmlrpc 2015-03-05 05:14:35 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
