FreeIPA installation on CentOS crashed when I installed with custom hostname:
# ipa-server-install --setup-dns --forwarder 10.0.0.1 --ip-address 10.0.0.2 --hostname ipa.mkosek-rhel70.test
...
The IPA Master Server will be configured with:
Hostname:       ipa.mkosek-rhel70.test
IP address(es): 10.16.78.67
Domain name:    mkosek-rhel70.test
Realm name:     MKOSEK-RHEL70.TEST
...
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/6]: checking status
  [2/6]: setting up kerberos principal
  [3/6]: setting up SoftHSM
  [4/6]: adding DNSSEC containers
  [5/6]: creating replica keys
  [6/6]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
ipa         : ERROR    Named service failed to start (Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1)
named service failed to start
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' returned non-zero exit status 1
install log:
2014-11-19T03:15:41Z DEBUG stderr=
2014-11-19T03:15:41Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2014-11-19T03:15:41Z DEBUG Starting external process
2014-11-19T03:15:41Z DEBUG args='/bin/systemctl' 'restart' 'named-pkcs11.service'
2014-11-19T03:15:42Z DEBUG Process finished, return code=1
2014-11-19T03:15:42Z DEBUG stdout=
2014-11-19T03:15:42Z DEBUG stderr=Job for named-pkcs11.service failed. See 'systemctl status named-pkcs11.service' and 'journalctl -xn' for details.
2014-11-19T03:15:42Z ERROR Named service failed to start (Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1)
2014-11-19T03:15:42Z DEBUG raw: dnsconfig_show(version=u'2.108')
2014-11-19T03:15:42Z DEBUG dnsconfig_show(rights=False, all=False, raw=False, version=u'2.108')
2014-11-19T03:15:42Z DEBUG Restarting the web server
named-pkcs11 service status:
# service named-pkcs11 status
Redirecting to /bin/systemctl status named-pkcs11.service
named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled)
   Active: failed (Result: exit-code) since Tue 2014-11-18 22:18:06 EST; 11min ago
  Process: 4879 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 4877 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)

Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/IDM.LAB.BOS.REDHAT.COM@MKOSEK-RHEL70.TEST not found in Kerberos database)
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/IDM.LAB.BOS.REDHAT.COM@MKOSEK-RHEL70.TEST not found in Kerberos database): bind to LDAP server failed
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: couldn't establish connection in LDAP connection pool: failure
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: dynamic database 'ipa' configuration failed: failure
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: loading configuration: failure
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: exiting (due to fatal error)
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com systemd[1]: Unit named-pkcs11.service entered failed state.
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
I am not sure where the "EXAMPLE.COM" came from, as the server was installed with a whole different realm. Apparently, the original hostname's vm-067.idm.lab.bos.redhat.com domain was used/cached somewhere.
vm-067.idm.lab.bos.redhat.com
4.1.3 was released.
4.1.4 was released, moving to new milestone
The problem is probably caused by an extra entry in the /etc/hosts file. Reverse lookup in Kerberos then results in the hostname from /etc/hosts instead of the one currently configured and used.
This bug is caused by an unchanged hostname. bind-pkcs11 tries to use the old hostname. Also, the hostname command returns the old hostname.
When the hostname was changed manually after installation to the proper one, bind-pkcs11 successfully started.
To resolve this issue we need to find out why sometimes IPA did not change hostname.
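The two comments above point at the same root cause: the IP address given to the installer still maps to the old name in /etc/hosts (or the kernel hostname was never changed), so a files-based reverse lookup returns the old FQDN and Kerberos derives the old domain's realm from it, which is exactly the krbtgt/IDM.LAB.BOS.REDHAT.COM@MKOSEK-RHEL70.TEST principal named in the log. The following pre-install check is an added example and not FreeIPA project code; it reproduces that reverse-lookup logic on a hosts file passed as an argument, so it runs offline against a constructed file, and it assumes the default realm is the upper-cased domain part of the FQDN, as ipa-server-install proposed in the output above.

```shell
#!/bin/sh
# Added example (not part of FreeIPA): detect the hostname / /etc/hosts
# mismatch that makes named-pkcs11 ask for a krbtgt of the wrong realm.

# First hostname the hosts file maps IP to. A files-based reverse lookup
# returns the first matching line, which is why a stale entry wins.
hosts_reverse_lookup() {
    hosts_file="$1"; ip="$2"
    awk -v ip="$ip" '$1 !~ /^#/ && $1 == ip { print $2; exit }' "$hosts_file"
}

# Realm the installer defaults to: domain part of the FQDN, upper-cased.
# A name without a dot has no domain and yields an empty realm.
realm_from_fqdn() {
    case "$1" in
        *.*) echo "$1" | cut -d. -f2- | tr '[:lower:]' '[:upper:]' ;;
        *)   echo "" ;;
    esac
}

# Returns 0 when the hosts file, the intended FQDN and the realm agree,
# 1 (with diagnostics on stderr) when a stale name would be picked up.
check_hostname_consistency() {
    hosts_file="$1"; ip="$2"; fqdn="$3"; realm="$4"
    rc=0
    found=$(hosts_reverse_lookup "$hosts_file" "$ip")
    if [ -n "$found" ] && [ "$found" != "$fqdn" ]; then
        echo "ERROR: $ip maps to '$found' in $hosts_file, expected '$fqdn'" >&2
        rc=1
    fi
    derived=$(realm_from_fqdn "${found:-$fqdn}")
    if [ "$derived" != "$realm" ]; then
        echo "ERROR: realm derived from '${found:-$fqdn}' is '$derived', expected '$realm'" >&2
        rc=1
    fi
    return $rc
}

# Constructed hosts files for the demo (addresses are placeholders, not the
# ticket's real ones). The stale entry comes first, as in the failing case.
bad_hosts=$(mktemp)
cat > "$bad_hosts" <<'EOF'
127.0.0.1 localhost
10.0.0.2 vm-067.idm.lab.bos.redhat.com vm-067
10.0.0.2 ipa.mkosek-rhel70.test ipa
EOF

good_hosts=$(mktemp)
cat > "$good_hosts" <<'EOF'
127.0.0.1 localhost
10.0.0.2 ipa.mkosek-rhel70.test ipa
EOF

for f in "$bad_hosts" "$good_hosts"; do
    if check_hostname_consistency "$f" 10.0.0.2 ipa.mkosek-rhel70.test MKOSEK-RHEL70.TEST; then
        echo "$f: consistent"
    else
        echo "$f: would break GSSAPI bind in named-pkcs11"
    fi
done
```

On a real host, run it as `check_hostname_consistency /etc/hosts <--ip-address value> <--hostname value> <realm>` before ipa-server-install, and compare the result with `hostname -f` as well, since the second comment notes the kernel hostname itself can still hold the old name.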
Moving tickets as per freeipa-devel message.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1247247 (Red Hat Enterprise Linux 7)
This has been fixed as a side effect of the following fixes:
Metadata Update from @mkosek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.3