Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1165261

Summary: ipa-server-install fails when restarting named
Product: [Fedora] Fedora Reporter: Martin Kosek <mkosek>
Component: freeipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 21CC: abokovoy, awilliam, ipa-maint, jcholast, mkosek, mruckman, pviktori, pvoborni, rcritten, robatino, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedBlocker
Fixed In Version: freeipa-4.1.1-2.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-25 03:06:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1043129    

Description Martin Kosek 2014-11-18 16:46:40 UTC 
Description of problem:

Installing ipa server fails when restarting named:

ipa-server install fails with error:
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named
ipa         : ERROR    Named service failed to start (Command ''/bin/systemctl'
'restart' 'named.service'' returned non-zero exit status 1)
named service failed to start

New msg when doing a yum install ipa-server:
<..snip..>
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64
1/1
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64
1/1
<..snip..>

# journalctl -b -u named
<..snip..>
Nov 10 15:46:00 beast.testrelm.test named[16067]: bind-dyndb-ldap version 6.0
compiled at 07:24:05 Sep 23 2014, compiler 4.8.3 20140911 (Red Hat 4.8.3-7)
Nov 10 15:46:00 beast.testrelm.test named[16067]: unable to open directory
'dyndb-ldap/ipa', working directory is '/var/named': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: LDAP config validation failed
for database 'ipa': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: dynamic database 'ipa'
configuration failed: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: loading configuration:
permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: exiting (due to fatal error)
Nov 10 15:46:00 beast.testrelm.test systemd[1]: named.service: control process
exited, code=exited status=1
Nov 10 15:46:00 beast.testrelm.test systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS).
<..snip..>

# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. root root system_u:object_r:named_zone_t:s0 ipa

# ls -lZ /var/named/dyndb-ldap/ipa

nothing to list in this dir ^

Version-Release number of selected component (if applicable):
freeipa-server-4.1.1-1.fc21.x86_64
bind-9.9.6-3.fc21.x86_64

How reproducible:
On new installations, when named user is not present

Steps to Reproduce:
1. Install clean VM
2. Install freeipa-server package
3. Run ipa-server-install

Actual results:
Installer fails.

Expected results:
Installer does not fail.

Additional info:
Comment 1 Martin Kosek 2014-11-18 16:50:48 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4716
Comment 2 Fedora Blocker Bugs Application 2014-11-18 17:00:24 UTC 
Proposed as a Blocker for 21-final by Fedora user simo using the blocker tracking app because:

 Violates Fedora Server criterion that the Domain Controller role must be installable and DNS must work after install.
Comment 3 Jan Cholasta 2014-11-18 18:52:12 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/7c176b708eb855ea8774ad36ba72fd31952a8895
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/ba124045b9f39f8264a974c977beba6f15b1b1fb
Comment 4 Mike Ruckman 2014-11-19 16:36:34 UTC 
Discussed in 2014-11-19 blocker review meeting. This bug violates the beta roles criteria: Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried.
Comment 5 Fedora Update System 2014-11-21 13:55:45 UTC 
freeipa-4.1.1-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/freeipa-4.1.1-2.fc21
Comment 6 Fedora Update System 2014-11-22 20:21:31 UTC 
Package freeipa-4.1.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.1.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15601/freeipa-4.1.1-2.fc21
then log in and leave karma (feedback).
Comment 7 Adam Williamson 2014-11-24 16:26:15 UTC 
sgallagh states that he's tested this with the update, so marking VERIFIED.
Comment 8 Fedora Update System 2014-11-25 03:06:55 UTC 
freeipa-4.1.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.