
Bug 1165261

Summary: ipa-server-install fails when restarting named
Product: [Fedora] Fedora
Component: freeipa
Version: 21
Reporter: Martin Kosek <mkosek>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, awilliam, ipa-maint, jcholast, mkosek, mruckman, pviktori, pvoborni, rcritten, robatino, ssorce
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Fixed In Version: freeipa-4.1.1-2.fc21
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-11-25 03:06:55 UTC
Bug Blocks: 1043129

Description Martin Kosek 2014-11-18 16:46:40 UTC
Description of problem:

Installing ipa server fails when restarting named:

ipa-server install fails with error:
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named
ipa         : ERROR    Named service failed to start (Command ''/bin/systemctl' 'restart' 'named.service'' returned non-zero exit status 1)
named service failed to start

New msg when doing a yum install ipa-server:
Running transaction
  Installing : ipa-server-4.1.0-4.el7.x86_64
warning: user named does not exist - using root
warning: group named does not exist - using root
  Verifying  : ipa-server-4.1.0-4.el7.x86_64

# journalctl -b -u named
Nov 10 15:46:00 beast.testrelm.test named[16067]: bind-dyndb-ldap version 6.0 compiled at 07:24:05 Sep 23 2014, compiler 4.8.3 20140911 (Red Hat 4.8.3-7)
Nov 10 15:46:00 beast.testrelm.test named[16067]: unable to open directory 'dyndb-ldap/ipa', working directory is '/var/named': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: LDAP config validation failed for database 'ipa': permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: dynamic database 'ipa' configuration failed: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: loading configuration: permission denied
Nov 10 15:46:00 beast.testrelm.test named[16067]: exiting (due to fatal error)
Nov 10 15:46:00 beast.testrelm.test systemd[1]: named.service: control process exited, code=exited status=1
Nov 10 15:46:00 beast.testrelm.test systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

# ls -lZ /var/named/dyndb-ldap/
drwxrwx---. root root system_u:object_r:named_zone_t:s0 ipa

# ls -lZ /var/named/dyndb-ldap/ipa

nothing to list in this dir ^

Version-Release number of selected component (if applicable):

How reproducible:
On new installations, when named user is not present

Steps to Reproduce:
1. Install clean VM
2. Install freeipa-server package
3. Run ipa-server-install

Actual results:
Installer fails.

Expected results:
Installer does not fail.

Additional info:

Comment 1 Martin Kosek 2014-11-18 16:50:48 UTC
Upstream ticket:

Comment 2 Fedora Blocker Bugs Application 2014-11-18 17:00:24 UTC
Proposed as a Blocker for 21-final by Fedora user simo using the blocker tracking app because:

 Violates Fedora Server criterion that the Domain Controller role must be installable and DNS must work after install.

Comment 4 Mike Ruckman 2014-11-19 16:36:34 UTC
Discussed in 2014-11-19 blocker review meeting. This bug violates the beta roles criteria: Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried.

Comment 5 Fedora Update System 2014-11-21 13:55:45 UTC
freeipa-4.1.1-2.fc21 has been submitted as an update for Fedora 21.

Comment 6 Fedora Update System 2014-11-22 20:21:31 UTC
Package freeipa-4.1.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.1.1-2.fc21'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 7 Adam Williamson 2014-11-24 16:26:15 UTC
sgallagh states that he's tested this with the update, so marking VERIFIED.

Comment 8 Fedora Update System 2014-11-25 03:06:55 UTC
freeipa-4.1.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
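
The failure in the bug description above (the named account missing when the package was installed, leaving /var/named/dyndb-ldap/ipa as root:root with mode drwxrwx---) can be checked for before restarting the service. The script below is an added example, not part of the original report or of the FreeIPA fix; the function names are hypothetical, it assumes GNU stat, and it evaluates owner/group/other mode bits only.

```shell
#!/bin/sh
# Added example (not from the bug report). Mode bits only: SELinux labels,
# ACLs and permissions on parent directories are not examined.

# dir_allows DIR UID "GID GID ..." -> exit 0 if that identity gets r-x on DIR
dir_allows() {
    dir=$1 uid=$2 gids=$3
    # GNU stat prints owner uid, owner gid and octal mode, e.g. "0 0 770"
    set -- $(stat -c '%u %g %a' "$dir" 2>/dev/null)
    if [ $# -ne 3 ]; then return 2; fi           # stat failed
    o_uid=$1 o_gid=$2 mode=$((0$3))              # leading 0 => parse as octal
    if [ "$uid" -eq 0 ]; then return 0; fi       # root bypasses mode bits
    if [ "$uid" -eq "$o_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))              # owner class
    else
        bits=$(( mode & 7 ))                     # other class, unless a group matches
        for g in $gids; do
            if [ "$g" -eq "$o_gid" ]; then
                bits=$(( (mode >> 3) & 7 ))      # group class
                break
            fi
        done
    fi
    [ $(( bits & 5 )) -eq 5 ]                    # need read (4) + search (1)
}

# check_service_dir DIR USER -> prints a diagnosis, exit 0 only if USER exists
# and the mode bits let it open DIR
check_service_dir() {
    svc_dir=$1 svc_user=$2
    if ! svc_uid=$(id -u "$svc_user" 2>/dev/null); then
        echo "FAIL: user '$svc_user' does not exist (packaged files fall back to root)"
        return 1
    fi
    if dir_allows "$svc_dir" "$svc_uid" "$(id -G "$svc_user")"; then
        echo "OK: $svc_user can open $svc_dir"
    else
        echo "FAIL: $svc_user cannot open $svc_dir ($(stat -c '%U:%G %a' "$svc_dir" 2>/dev/null))"
        return 1
    fi
}

# Usage on the host from this report:
#   check_service_dir /var/named/dyndb-ldap/ipa named
```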