Description of problem:
Installing ipa server fails when restarting named:

ipa-server install fails with error:

  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named
ipa : ERROR Named service failed to start (Command ''/bin/systemctl' 'restart' 'named.service'' returned non-zero exit status 1)
named service failed to start

New msg when doing a yum install ipa-server:

<..snip..>
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64 1/1
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying : ipa-server-4.1.0-4.el7.x86_64 1/1
<..snip..>

# journalctl -b -u named
<..snip..>
Nov 10 15:46:00 beast.testrelm.test named[16067]: bind-dyndb-ldap version 6.0 compiled at 07:24:05 Sep 23 2014, compiler 4.8.3 20140911 (Red Hat 4.8.3-7)
Nov 10 15:46:00 beast.testrelm.test named[16067]: unable to open directory 'dyndb-ldap/ipa', working directory is '/var/named': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: LDAP config validation failed for database 'ipa': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: dynamic database 'ipa' configuration failed: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: loading configuration: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: exiting (due to fatal error)
Nov 10 15:46:00 beast.testrelm.test systemd[1]: named.service: control process exited, code=exited status=1
Nov 10 15:46:00 beast.testrelm.test systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
<..snip..>

# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. root root system_u:object_r:named_zone_t:s0 ipa

# ls -lZ /var/named/dyndb-ldap/ipa
nothing to list in this dir ^

Version-Release number of selected component (if applicable):
freeipa-server-4.1.1-1.fc21.x86_64
bind-9.9.6-3.fc21.x86_64

How reproducible:
On new installations, when named user is not present

Steps to Reproduce:
1. Install clean VM
2. Install freeipa-server package
3. Run ipa-server-install

Actual results:
Installer fails.

Expected results:
Installer does not fail.

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4716
Proposed as a Blocker for 21-final by Fedora user simo using the blocker tracking app because: Violates Fedora Server criterion that the Domain Controller role must be installable and DNS must work after install.
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/7c176b708eb855ea8774ad36ba72fd31952a8895
ipa-4-1: https://fedorahosted.org/freeipa/changeset/ba124045b9f39f8264a974c977beba6f15b1b1fb
Discussed in 2014-11-19 blocker review meeting. This bug violates the beta roles criteria: Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried.
freeipa-4.1.1-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/freeipa-4.1.1-2.fc21
Package freeipa-4.1.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.1.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15601/freeipa-4.1.1-2.fc21
then log in and leave karma (feedback).
sgallagh states that he's tested this with the update, so marking VERIFIED.
freeipa-4.1.1-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.