Bug 1165261 - ipa-server-install fails when restarting named
Summary: ipa-server-install fails when restarting named
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 21
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F21FinalBlocker
Reported: 2014-11-18 16:46 UTC by Martin Kosek
Modified: 2014-11-25 03:06 UTC

Fixed In Version: freeipa-4.1.1-2.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-25 03:06:55 UTC



Description Martin Kosek 2014-11-18 16:46:40 UTC
Description of problem:

Installing ipa server fails when restarting named:

ipa-server install fails with error:
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named
ipa         : ERROR    Named service failed to start (Command ''/bin/systemctl' 'restart' 'named.service'' returned non-zero exit status 1)
named service failed to start

New msg when doing a yum install ipa-server:
<..snip..>
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64                                1/1
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64                                1/1
<..snip..>

# journalctl -b -u named
<..snip..>
Nov 10 15:46:00 beast.testrelm.test named[16067]: bind-dyndb-ldap version 6.0 compiled at 07:24:05 Sep 23 2014, compiler 4.8.3 20140911 (Red Hat 4.8.3-7)
Nov 10 15:46:00 beast.testrelm.test named[16067]: unable to open directory 'dyndb-ldap/ipa', working directory is '/var/named': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: LDAP config validation failed for database 'ipa': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: dynamic database 'ipa' configuration failed: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: loading configuration: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: exiting (due to fatal error)
Nov 10 15:46:00 beast.testrelm.test systemd[1]: named.service: control process exited, code=exited status=1
Nov 10 15:46:00 beast.testrelm.test systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
<..snip..>

# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. root root system_u:object_r:named_zone_t:s0 ipa

# ls -lZ /var/named/dyndb-ldap/ipa

nothing to list in this dir ^

Version-Release number of selected component (if applicable):
freeipa-server-4.1.1-1.fc21.x86_64
bind-9.9.6-3.fc21.x86_64

How reproducible:
On new installations, when named user is not present

Steps to Reproduce:
1. Install clean VM
2. Install freeipa-server package
3. Run ipa-server-install

Actual results:
Installer fails.

Expected results:
Installer does not fail.

Additional info:
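
A check for the condition shown in the description above, as an added example that is not part of the bug report or of FreeIPA's packaging: it extracts rpm's "does not exist - using root" ownership fallbacks from transaction output and compares a directory's owner with the account a service is expected to use. The function names and the `named:named` expected owner are assumptions; the sample output is copied from the report.

```shell
#!/bin/sh
# Added example: audit for packages unpacked before their service account existed.

# Sample transaction output, copied from the description in this report.
SAMPLE_LOG='Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64                                1/1
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64                                1/1'

# Assumption: the directory should belong to the account named in the warnings.
EXPECTED_OWNER='named:named'

# Read yum/rpm output on stdin and print each account rpm could not resolve,
# one "user NAME" or "group NAME" per line, sorted and de-duplicated.
rpm_owner_fallbacks() {
    sed -nE 's/^warning: (user|group) (.+) does not exist - using root$/\1 \2/p' |
        sort -u
}

# check_owner PATH USER:GROUP
# Returns 0 when PATH has that owner, 1 (with a message) when it does not,
# 2 when PATH cannot be examined. Relies on GNU stat (-c).
check_owner() {
    path=$1
    expected=$2
    actual=$(stat -c '%U:%G' "$path" 2>/dev/null) || {
        printf '%s: cannot stat\n' "$path"
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    mode=$(stat -c '%A' "$path")
    printf '%s: owner %s (mode %s), expected %s\n' \
        "$path" "$actual" "$mode" "$expected"
    return 1
}

# Show the fallbacks found in the sample output.
printf '%s\n' "$SAMPLE_LOG" | rpm_owner_fallbacks

# Check any directories given on the command line,
# for example: sh audit.sh /var/named/dyndb-ldap/ipa
for dir in "$@"; do
    check_owner "$dir" "$EXPECTED_OWNER" || :
done
```
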

Comment 1 Martin Kosek 2014-11-18 16:50:48 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4716

Comment 2 Fedora Blocker Bugs Application 2014-11-18 17:00:24 UTC
Proposed as a Blocker for 21-final by Fedora user simo using the blocker tracking app because:

 Violates Fedora Server criterion that the Domain Controller role must be installable and DNS must work after install.

Comment 4 Mike Ruckman 2014-11-19 16:36:34 UTC
Discussed in 2014-11-19 blocker review meeting. This bug violates the beta roles criteria: Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried.

Comment 5 Fedora Update System 2014-11-21 13:55:45 UTC
freeipa-4.1.1-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/freeipa-4.1.1-2.fc21

Comment 6 Fedora Update System 2014-11-22 20:21:31 UTC
Package freeipa-4.1.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.1.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15601/freeipa-4.1.1-2.fc21
then log in and leave karma (feedback).

Comment 7 Adam Williamson 2014-11-24 16:26:15 UTC
sgallagh states that he's tested this with the update, so marking VERIFIED.

Comment 8 Fedora Update System 2014-11-25 03:06:55 UTC
freeipa-4.1.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

