Bug 4210 was the problem; generating the key outside of the systemd script solved it. This explains why the logs were empty: it never got that far :)

-Carl

On 06/26/2014 02:36 AM, Petr Spacek wrote:
> On 25.6.2014 22:12, Carl Perry wrote:
>> After some more digging, I've discovered that the error message was a
>> red herring. The SELinux stuff is working fine; the error message seems
>> to be saying that BIND cannot talk to LDAP. It's been difficult to track
>> down the exact error because BIND doesn't seem to be logging at all. I
>> found a link in the troubleshooting guide about debugging named not
>> starting [ https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart ]
>> and adding options to enable debugging, but those don't produce any logs
>> either.
>>
>> Launching named using the command you gave does cause named to launch,
>> but it cannot connect to the KDC or LDAP. This isn't surprising since
>> ipactl turns off all those services if named fails to start. The only
> I would recommend you use
> $ ipactl -d start
> and see what exactly failed.
>
> Then you can manually copy & paste the "systemctl" commands issued by
> ipactl one by one and start the LDAP server, KDC and so on until you reach
> "named". Then you can use tricks from
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
> to see where the problem is.
>
> Maybe you have encountered
> https://fedorahosted.org/freeipa/ticket/4210 ; in that case it will
> help to run the command
> $ /usr/libexec/generate-rndc-key.sh
> manually.
>
> This particular problem is fixed in the upcoming 4.0 release.
>
> Feel free to send me logs privately if you need further assistance.
> Have a nice day!
>
> Petr^2 Spacek
>
>> errors I could find in the massive ipa-install.log were that BIND failed
>> to start at the end of the process. Everything else looked normal.
>>
>> Since I tried some commands with SELinux in Permissive mode, I wiped and
>> re-installed the VM from scratch with Fedora 19 and then again with
>> Fedora 20. Both yield the same results. I was going to try CentOS 6.5,
>> but the FreeIPA version that shipped with that was older than I wanted
>> to use. When I did the re-install, I even reduced the size of the
>> directory admin password and the KDC admin password from 24 chars to 18 chars
>> to see if that would make a difference. I'm kind of at a loss how to
>> debug at this point, since even the debug logs either don't exist or
>> have no data in them. Any suggestions would be appreciated. I'm also
>> willing to upload log files someplace if someone with more experience
>> than I would like to look at them.
>>
>> -Carl
>>
>> On 06/25/2014 03:07 AM, Petr Spacek wrote:
>>> On 24.6.2014 21:40, Carl Perry wrote:
>>>> Whoops, let me send replies to the list. Sorry about that!
>>>>
>>>> It appears the problem is with named not starting. I did install the
>>>> required packages, but it looks like SELinux is getting in the way:
>>>>
>>>> [root@freeipa named]# named -f -d 255
>>>> isc_file_isplainfile 'data/named.run' failed: permission denied
>>>> [root@freeipa named]#
>>>>
>>>> It took some time digging through logs and startup scripts to find the
>>>> exact issue.
>>>
>>> Interesting.
>>>
>>> First of all, try to start named with "named -g -u named" and look for
>>> error messages. IMHO SELinux correctly prevents it from running under
>>> the root account, as that is undesirable.
>>>
>>> Also, it would be valuable to see error messages or AVCs from
>>> /var/log/audit/audit.log .
>>>
>>> Did you find any error in /var/log/ipaserver-install.log ?
>>>
>>> Petr^2 Spacek
>>>
>>>> -Carl
>>>>
>>>> On 06/24/2014 02:13 PM, Rob Verduijn wrote:
>>>>> err
>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
>>>>>
>>>>> of course
>>>>>
>>>>> Rob
>>>>>
>>>>> 2014-06-24 21:12 GMT+02:00 Rob Verduijn <[email protected]>:
>>>>>> I saw this in your log:
>>>>>>
>>>>>> <snip>
>>>>>> Global DNS configuration in LDAP server is empty
>>>>>> You can use 'dnsconfig-mod' command to set global DNS options that
>>>>>> would override settings in local named.conf files
>>>>>> <snip>
>>>>>>
>>>>>> Did you install bind and bind-dyndb-ldap?
>>>>>> http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica
>>>>>>
>>>>>> Just meddling around with ipa myself
>>>>>> Rob
>>>>>>
>>>>>> 2014-06-24 19:11 GMT+02:00 Petr Spacek <[email protected]>:
>>>>>>> Hello!
>>>>>>>
>>>>>>> That is interesting. Do you have the latest updates?
>>>>>>>
>>>>>>> Please see
>>>>>>> http://www.freeipa.org/page/Troubleshooting
>>>>>>>
>>>>>>> On 24.6.2014 18:41, Carl Perry wrote:
>>>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>>> If the web page doesn't cover your case please send us the log file
>>>>>>> mentioned in the error message.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
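The thread ends with two concrete checks that a practitioner would script rather than eyeball: Petr asks for AVC denials from /var/log/audit/audit.log, and the actual fix turns out to be the rndc key that /usr/libexec/generate-rndc-key.sh creates. The helpers below are an added example for this page; they are not code from FreeIPA, bind-dyndb-ldap, or any of the posters. They assume the usual auditd line layout for AVC records (type=AVC ... avc: denied { perm } ... comm="..." name="..." tclass=...) and that the rndc key lives at /etc/rndc.key (the Fedora default) unless another path is passed. The audit lines and key file they run against are constructed for the example so it works without a FreeIPA host; the ipactl -d start and systemctl steps need a live system and are not scripted.

```shell
#!/bin/sh
# Added example, not code from FreeIPA, bind-dyndb-ldap or the thread's posters.
# Two triage checks for a named that will not start under ipactl:
#   1. pull SELinux AVC denials against named out of an audit.log copy,
#   2. verify the rndc key file named needs is present, complete and private.
# Assumptions: standard auditd AVC line layout; key path /etc/rndc.key by default.

# Print every AVC denial whose subject process is named (comm="named").
named_avcs() {
    grep -E 'type=AVC .*avc: +denied .*comm="named"' "$1"
}

# Count those denials; prints 0 instead of failing when there are none
# (grep -c exits 1 on zero matches).
count_named_avcs() {
    grep -cE 'type=AVC .*avc: +denied .*comm="named"' "$1" || true
}

# Reduce each denial to "<permission> <object name> <object class>",
# e.g. "read named.run file": enough to see whether a file is mislabelled
# or whether named is being started in the wrong domain.
named_avc_summary() {
    named_avcs "$1" |
        sed -E 's/.*[{] ([a-z_ ]+) [}].*name="([^"]*)".*tclass=([a-z_]+).*/\1 \2 \3/'
}

# rndc_key_ok [FILE]: returns 0 if FILE exists, is non-empty, holds a key
# statement with a secret, and is not readable by others; otherwise prints
# the first failing reason and returns 1.
rndc_key_ok() {
    rk_file="${1:-/etc/rndc.key}"
    [ -s "$rk_file" ] || { echo "missing or empty: $rk_file"; return 1; }
    grep -q '^key "' "$rk_file" || { echo "no key statement in $rk_file"; return 1; }
    grep -q 'secret "' "$rk_file" || { echo "no secret in $rk_file"; return 1; }
    # columns 8-10 of ls -l are the "others" permission bits
    case "$(ls -ld "$rk_file" | cut -c8-10)" in
        ---) ;;
        *) echo "readable by others: $rk_file"; return 1 ;;
    esac
    echo "ok: $rk_file"
}

# Constructed sample audit records (not a real capture): two denials against
# named, one SYSCALL record, one unrelated httpd denial.
SAMPLE_AUDIT='type=AVC msg=audit(1403700000.123:456): avc:  denied  { read } for  pid=1234 comm="named" name="named.run" dev="dm-0" ino=5678 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1403700000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="named"
type=AVC msg=audit(1403700000.456:457): avc:  denied  { write } for  pid=1234 comm="named" name="named.run" dev="dm-0" ino=5678 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1403700001.000:458): avc:  denied  { name_connect } for  pid=999 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# Demo on a scratch directory; point the helpers at the real files on a host.
scratch=$(mktemp -d)
printf '%s\n' "$SAMPLE_AUDIT" > "$scratch/audit.log"
echo "named denials: $(count_named_avcs "$scratch/audit.log")"
named_avc_summary "$scratch/audit.log"

# Constructed key file in the shape rndc-confgen writes; the secret is a
# placeholder, not a real key.
printf 'key "rndc-key" {\n\talgorithm hmac-sha256;\n\tsecret "cGxhY2Vob2xkZXI=";\n};\n' > "$scratch/rndc.key"
chmod 600 "$scratch/rndc.key"
rndc_key_ok "$scratch/rndc.key"
chmod 644 "$scratch/rndc.key"
rndc_key_ok "$scratch/rndc.key" || true
rm -rf "$scratch"
```

On a real host, run `named_avc_summary /var/log/audit/audit.log` after an `ipactl -d start` attempt and `rndc_key_ok` before restarting named; a missing key file is exactly the case the thread ends on, and the summary output is what audit2allow or a relabel decision would be based on.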
