#2662 IPA server configuration fails with permission errors while accessing the file /var/log/dirsrv/slapd-PKI-IPA/errors
Closed: Invalid None Opened 11 years ago by kashyapc.

================================================================
ipa-server-install --setup-dns --forwarder=w.x.y.z -r FOO.BAR.REDHAT.COM -p testpwd -P testpwd -a testpwd -U
.
.
.
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 minutes 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
[root@neptune ~]#
================================================================
=> /var/log/dirsrv/slapd-PKI-IPA/errors <==
[05/Apr/2012:08:37:50 +051800] - 389-Directory/1.2.10.2 B2012.081.1716 starting up
[05/Apr/2012:08:37:50 +051800] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[05/Apr/2012:08:37:50 +051800] attrcrypt - Key for cipher AES successfully generated and stored
[05/Apr/2012:08:37:51 +051800] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[05/Apr/2012:08:37:51 +051800] attrcrypt - Key for cipher 3DES successfully generated and stored
[05/Apr/2012:08:37:51 +051800] attrcrypt - No symmetric key found for cipher AES in backend ipaca, attempting to create one...
[05/Apr/2012:08:37:51 +051800] attrcrypt - Key for cipher AES successfully generated and stored
[05/Apr/2012:08:37:51 +051800] attrcrypt - No symmetric key found for cipher 3DES in backend ipaca, attempting to create one...
[05/Apr/2012:08:37:51 +051800] attrcrypt - Key for cipher 3DES successfully generated and stored
[05/Apr/2012:08:37:51 +051800] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[05/Apr/2012:08:37:51 +051800] - Listening on All Interfaces port 7390 for LDAPS requests
[05/Apr/2012:08:40:20 +051800] - LOGINFO: Unable to open access file:/var/log/dirsrv/slapd-PKI-IPA/access
(END) 
================================================================
[root@neptune ~]# tail /var/log/messages
Apr 23 06:24:27 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:24:27 neptune ns-slapd: Failed to open errors log file /var/log/dirsrv/slapd-PKI-IPA/errors: error 13 (Permission denied); Exiting...
Apr 23 06:24:27 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:24:27 neptune ns-slapd: Failed to open errors log file /var/log/dirsrv/slapd-PKI-IPA/errors: error 13 (Permission denied); Exiting...
Apr 23 06:24:27 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:24:28 neptune ns-slapd: Failed to open errors log file /var/log/dirsrv/slapd-PKI-IPA/errors: error 13 (Permission denied); Exiting...
Apr 23 06:24:28 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:24:28 neptune ns-slapd: Failed to open errors log file /var/log/dirsrv/slapd-PKI-IPA/errors: error 13 (Permission denied); Exiting...
Apr 23 06:24:28 neptune ns-slapd: Failed to reopen errors log file, Netscape Portable Runtime error -5966 (Access Denied.)
Apr 23 06:27:32 neptune ntpd[4790]: synchronized to LOCAL(0), stratum 10
[root@neptune ~]# 
================================================================
[root@neptune ~]# ls -lZ /var/log/dirsrv/slapd-PKI-IPA/
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120325-100847
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120326-101101
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120327-101346
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120328-101832
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120329-101847
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120330-102101
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120331-102115
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120401-102328
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 access.20120402-102342
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 access.rotationinfo
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 audit
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 audit.rotationinfo
-rw-------. pkisrv dirsrv system_u:object_r:dirsrv_var_log_t:s0 errors
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 errors.20111212-113946
-rw-------. pkisrv dirsrv unconfined_u:object_r:dirsrv_var_log_t:s0 errors.rotationinfo
================================================================
[root@neptune ~]# getenforce 
Enforcing
[root@neptune ~]# 
================================================================

No AVCs were thrown

[root@neptune ~]# cat /var/log/audit/audit.log | audit2allow -R

[root@neptune ~]#

Closing this as invalid.

I had bad ownership on the /var/log/dirsrv/slapd-PKI-IPA directory. This was previously fixed (https://fedorahosted.org/freeipa/ticket/2423)

[root@neptune ~]# ll /var/log/dirsrv/
total 8
drwxrwx---. 2 pkiuser   memcached 4096 Apr  4 08:40 slapd-LAB-ENG-PNQ-REDHAT-COM
drwxrwx---. 2 memcached memcached 4096 Apr 23 08:14 slapd-PKI-IPA

With correct permissions, the server configuration proceeds fine.

Moving to current milestone.

Btw. this issue was probably caused by an uninstallation of IPA server before ticket #2423 was fixed.

Metadata Update from @kashyapc:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04

7 years ago
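
The ticket's diagnosis (error 13 from ns-slapd, SELinux enforcing but no AVCs, so plain file ownership is at fault) can be checked directly. The following is an added example, not part of the ticket or of FreeIPA: it compares the owner and group of an instance log directory and its files against an expected `user:group`. The function name `audit_log_ownership` and the expected owner passed in are assumptions, and `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: report DAC ownership drift in a 389-ds instance log directory.
# Usage: audit_log_ownership DIR EXPECTED_USER:EXPECTED_GROUP
# Prints one line per mismatch; returns 0 if clean, 1 if drift, 2 on bad input.
audit_log_ownership() {
    dir=$1
    expected=$2        # assumption: the caller knows the intended owner
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case $expected in
        ?*:?*) ;;
        *) echo "expected owner must be user:group" >&2; return 2 ;;
    esac
    drift=0
    # Check the directory itself as well as its files: in the ticket the
    # directory's owner (memcached) differed from the files' owner (pkisrv).
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue        # empty directory: glob did not match
        actual=$(stat -c '%U:%G' "$path") || return 2
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s owner=%s expected=%s\n' "$path" "$actual" "$expected"
            drift=1
        fi
        # GNU stat prints UNKNOWN when the uid/gid no longer maps to any
        # account, e.g. after the service user was removed.
        case $actual in
            UNKNOWN:*|*:UNKNOWN) printf 'ORPHANED %s owner=%s\n' "$path" "$actual" ;;
        esac
    done
    return "$drift"
}
```

Call it as `audit_log_ownership /var/log/dirsrv/slapd-PKI-IPA <user>:<group>`, substituting the account your directory server instance runs as.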
