Bug 680201 - IPA server installation fails with: Ensure that user "dirsrv" has read and write permissions on /var/run/dirsrv
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2011-02-24 16:30 UTC by Rob Crittenden
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version: ipa-2.0.0-13.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:44:29 UTC




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2011:0631 | 0 | normal | SHIPPED_LIVE | new package: ipa | 2011-05-18 17:55:55 UTC

Description Rob Crittenden 2011-02-24 16:30:48 UTC
Description of problem:

ipa-server-install fails with the following error in the 389-ds log:

[23/Feb/2011:16:13:02 -0500] - Unable to access nsslapd-rundir: Permission denied
[23/Feb/2011:16:13:02 -0500] - Ensure that user "dirsrv" has read and write permissions on /var/run/dirsrv
[23/Feb/2011:16:13:02 -0500] - Shutting down.
[23/Feb/2011:16:23:02 -0500] - Unable to access nsslapd-rundir: Permission denied
[23/Feb/2011:16:23:02 -0500] - Ensure that user "dirsrv" has read and write permissions on /var/run/dirsrv
[23/Feb/2011:16:23:02 -0500] - Shutting down. 

Version-Release number of selected component (if applicable):

ipa-server-2.0.0-11.20110223T0630zgite5cda47.el6.i686
389-ds-base-1.2.8-2011022302.el6dsrv.i386

Comment 1 Rob Crittenden 2011-02-24 16:31:25 UTC
Nathan Kinder commented:

One thing I notice is that SuiteSpotGroup is not set in the General section of the inf file used to create the instance.  If a previous instance was created for Dogtag and this new instance is created as a different user, you must specify the same group in the SuiteSpotGroup parameter when creating the second instance.  This is required now that we have secure permissions on /var/run, which was just fixed for the 8.2 errata and is in the 9.0 builds now as well.

Comment 2 Rob Crittenden 2011-02-24 16:51:16 UTC
If I remove /var/run/dirsrv before starting the IPA installer then it succeeds whether I have SuiteSpotGroup defined or not.

The resulting difference is:

SuiteSpotGroup set: /var/run/dirsrv mode 0770
no group: /var/run/dirsrv mode 0700

It looks like the 389-ds-base postinstall script creates /var/run/dirsrv if it doesn't already exist.

Comment 3 Rob Crittenden 2011-02-24 19:25:41 UTC
https://fedorahosted.org/freeipa/ticket/1010

Comment 4 Rob Crittenden 2011-02-24 20:44:19 UTC
commit 99d6e0883af6759f80ddba01cbb1d90431929bfd

Comment 6 Jenny Severance 2011-03-23 19:38:17 UTC
verified.

version: 

ipa-server-2.0.0-16.el6.x86_64

# ls -al /var/run/dirsrv/
total 24
drwxrwx---.  2 root   dirsrv 4096 Mar 23 15:29 .
drwxr-xr-x. 24 root   root   4096 Mar 23 15:30 ..
-rw-r--r--.  1 pkisrv dirsrv    6 Mar 23 15:29 slapd-PKI-IPA.pid
-rw-r--r--.  1 pkisrv dirsrv 2072 Mar 23 15:37 slapd-PKI-IPA.stats
-rw-r--r--.  1 dirsrv dirsrv    6 Mar 23 15:29 slapd-TESTRELM.pid
-rw-r--r--.  1 dirsrv dirsrv 2072 Mar 23 15:37 slapd-TESTRELM.stats
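
Added example, not part of the bug report or of the ipa/389-ds-base code: a POSIX sh check of the condition discussed in Comments 1, 2 and 6, namely whether an instance user can use the shared /var/run/dirsrv given its mode, owner and group. The function names are hypothetical, the sample arguments (including the 0700 pkisrv-owned case and pkisrv's membership in group dirsrv) are constructed, and requiring read, write and search together is this example's assumption.

```shell
#!/bin/sh
# Added example: can an instance user use a shared run directory?

# perm_digit MODE OWNER GROUP USER "USER_GROUPS"
# Prints the one octal digit (0-7) that applies to USER. The kernel uses the
# first matching class (owner, then group, then other); classes do not add up.
perm_digit() {
    perms=000$1 owner=$2 group=$3 user=$4 user_groups=$5
    perms=${perms#"${perms%???}"}       # keep the last three octal digits
    if [ "$user" = root ]; then echo 7; return; fi   # root bypasses mode bits
    if [ "$user" = "$owner" ]; then echo "${perms%??}"; return; fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            mid=${perms#?}
            echo "${mid%?}"
            return
        fi
    done
    echo "${perms#??}"
}

# can_use_rundir MODE OWNER GROUP USER "USER_GROUPS"
# Succeeds only when USER gets read, write and search (digit 7), which is
# what creating and listing pid/stats files in the directory needs.
can_use_rundir() {
    [ "$(perm_digit "$@")" -eq 7 ]
}

# check_live DIR USER: the same decision from the running system
# (GNU stat and id; not exercised by the constructed cases below).
check_live() {
    can_use_rundir "$(stat -c '%a' "$1")" "$(stat -c '%U' "$1")" \
        "$(stat -c '%G' "$1")" "$2" "$(id -Gn "$2")"
}

report() {
    if can_use_rundir "$@"; then echo "$4: ok"; else echo "$4: denied"; fi
}

# Constructed: directory left at 0700 by another instance user, no shared group.
report 0700 pkisrv pkisrv dirsrv "dirsrv"
# Layout from the verification listing: root:dirsrv, mode 0770.
report 0770 root dirsrv dirsrv "dirsrv"
report 0770 root dirsrv pkisrv "pkisrv dirsrv"
```

On a live host, `check_live /var/run/dirsrv dirsrv` applies the same test to the actual directory and the user's real group list.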

Comment 7 errata-xmlrpc 2011-05-19 13:44:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html

