Hello Martin,

It works perfectly again!

Note, I noticed in /var/log/ipaserver-install.log that ipa-dns-install failed due to 389 wasn't started (failed to connect). Once it was started manually the ipa-dns-install worked fine.

Thanks a lot Martin,

-- john

2014-10-27 20:40 GMT+01:00 Martin Basti <[email protected]>:

> On 27/10/14 20:34, John Obaterspok wrote:
>
> hmm... Could not connect to the Directory Server
>
> So I started it with start-dirsrv since "systemctl start ipa" failed.
> Then it was a breeze, ipa-dns-install worked fine.
>
> # systemctl --failed
> 0 loaded units listed.
>
> I'm lost, does IPA work or not?
> are all services running? (ipactl status)
> are tokens created in /var/lib/ipa/dnssec/tokens
> can you dig records from IPA DNS?
>
> Martin^2
>
>
> I haven't verified that it works, but I feel confident :)
>
> -- john
>
>
> 2014-10-27 20:09 GMT+01:00 Martin Basti <[email protected]>:
>
>> On 27/10/14 19:57, John Obaterspok wrote:
>>
>> Hello Martin,
>>
>> Still no go.
>>
>> I installed the softhsm-devel package (that only contains header
>> files), removed the token directory, reinstalled the bind & bind-pkcs11,
>> did ipa-dns-install that completed ok (I guess):
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Existing BIND configuration detected, overwrite? [no]: yes
>> Directory Manager password:
>>
>> # ipa-upgradeconfig
>> [Verifying that root certificate is published]
>> *Failed to backup CS.cfg: no magic attribute 'dogtag'*
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Removing self-signed CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> [Ensuring minimal number of connections]
>> [Enabling serial autoincrement in DNS]
>> [Updating GSSAPI configuration in DNS]
>> [Updating pid-file configuration in DNS]
>> [Masking named]
>> Changes to named.conf have been made, restart named
>> *Failed to restart named: Command ''/bin/systemctl' 'restart'
>> 'named-pkcs11.service'' returned non-zero exit status 1*
>> [Verifying that CA service certificate profile is updated]
>> [Update certmonger certificate renewal configuration to version 2]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> The ipa-upgradeconfig command was successful
>>
>>
>> # systemctl restart named-pkcs11 && journalctl -xn
>> 19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate
>> object store in /var/lib/ipa/dnssec/tokens
>> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object
>> store
>> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization
>> failed
>> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
>> 19:38:54 systemd[1]: named-pkcs11.service: control process exited,
>> code=exited status=1
>> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>> with native PKCS#11.
>>
>>
>> It seems the problem is now there are no tokens:
>> # ll /var/lib/ipa/dnssec/
>> total 4.0K
>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>
>>
>> This is interesting, ipa-dns-install should detect missing directory
>> and create new one.
>> Could you send me tail of /var/log/ipaserver-install.log, where DNS debug
>> lines are?
>>
>> Martin^2
>>
>>
>> Any ideas?
>>
>> -- john
>>
>> 2014-10-27 19:05 GMT+01:00 Martin Basti <[email protected]>:
>>
>>> On 27/10/14 18:53, John Obaterspok wrote:
>>>
>>>
>>>
>>> 2014-10-27 12:19 GMT+01:00 Martin Basti <[email protected]>:
>>>
>>>> On 26/10/14 21:39, John Obaterspok wrote:
>>>>
>>>> Hi,
>>>>
>>>> I enabled mkosek-freeipa repo for F20 and updated freeipa-server from
>>>> 3.3.5 to 4.1. The yum update reported just a single error:
>>>>
>>>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>>
>>>> After reboot I had 3 services that failed to start:
>>>> ipa, kadmin, named-pkcs11
>>>>
>>>> Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>>>> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>>>> initializing DST: PKCS#11 initialization failed
>>>> exiting (due to fatal error)
>>>>
>>>>
>>>> For kadmin the error is due to not being able to connect to sldap
>>>>
>>>> I noticed that softhsm2-util --show-slots reported "ERROR: Could not
>>>> initialize the library." But that seemed to be because wasn't part of the
>>>> update. After that I could show the default slot and then I manually called
>>>> following (as root):
>>>>
>>>> "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
>>>> XXXXXXXX --so-pin XXXXXXXX"
>>>>
>>>> But the problems won't go away. Any clues?
>>>>
>>>> -- john
>>>>
>>>>
>>>>
>>>>
>>>> Hello,
>>>>
>>>> 1)
>>>> can you share your /var/log/ipaupgrade.log ?
>>>>
>>>
>>> Unfortunately I removed the original ipaupgrade.log file when I did a
>>> retry to install freeipa-server. The current ipaupgrade.log has two errors:
>>> First)
>>>
>>> 2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>>> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
>>> {'desc': 'Operations error'}
>>> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
>>> 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
>>> Plugin,cn=plugins,cn=config
>>> 2014-10-26T12:45:15Z DEBUG ---------------------------------------------
>>>
>>> Is there some information about the entry which is updated above?
>>>
>>>
>>> Second) It complains about not being able to start named-pkcs11
>>> service.
>>>
>>>
>>>
>>>> 2)
>>>> your issue with softhsm can be caused by missing environment variable
>>>> IPA internally uses
>>>>
>>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>> please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
>>>> --show-slots, and let me know if it works
>>>>
>>>> same with named-pkcs11,
>>>>
>>>>
>>> The filestamps for softhsm_pin & tokens match the time I did the
>>> original update
>>>
>>> # ll /var/lib/ipa/dnssec/
>>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>>>
>>> # ll /var/lib/ipa/dnssec/tokens/
>>> total 0
>>>
>>> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
>>> --show-slots
>>> Available slots:
>>> Slot 0
>>> Slot info:
>>> Description: SoftHSM slot 0
>>> Manufacturer ID: SoftHSM project
>>> Hardware version: 2.0
>>> Firmware version: 2.0
>>> Token present: yes
>>> Token info:
>>> Manufacturer ID: SoftHSM project
>>> Model: SoftHSM v2
>>> Hardware version: 2.0
>>> Firmware version: 2.0
>>> Serial number:
>>> Initialized: no
>>> User PIN init.: no
>>> Label:
>>>
>>> Slot was not initialized by IPA
>>>
>>>
>>> 3)
>>>> can you share journalctl -u named-pkcs11 output?
>>>>
>>>
>>> 10:35:48 systemd[1]: named-pkcs11.service: control process exited,
>>> code=exited status=1
>>> 10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>>> with native PKCS#11.
>>> 10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
>>> 10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
>>> native PKCS#11.
>>> -- Reboot --
>>> 10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
>>> 10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
>>> 10:58:05 systemd[1]: named-pkcs11.service: control process exited,
>>> code=exited status=1
>>> 10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>>> with native PKCS#11.
>>> 10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
>>> 10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
>>> native PKCS#11.
>>>
>>> ... After some fiddling a restart says this:
>>>
>>> 19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
>>> 19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx,
>>> OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
>>> 19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
>>> 19:26:21 systemd[1]: named-pkcs11.service: control process exited,
>>> code=exited status=1
>>> 19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>>> with native PKCS#11.
>>> 19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.
>>>
>>> 4)
>>>> I'm not aware of that we need, krb5-libs/openssl, I was getting this
>>>> error if tokens directory doesn't exist, but IPA uses own configuration
>>>> (see 2) not default.
>>>>
>>>
>>> ok
>>>
>>>
>>> I took a deeper look, and I found there some packaging errors with
>>> softhsm.
>>> You were right with missing dependency.
>>>
>>> Please install softhsm-devel package, remove /var/lib/ipa/dnssec/tokens
>>> directory, then reinstall DNS, ipa-dns-install (requires running directory
>>> server)
>>>
>>> Or if you have snapshot, install softhsm-devel before upgrading ipa
>>>
>>> HTH
>>> Martin^2
>>>
>>> --
>>> Martin Basti
>>>
>>>
>>
>>
>> --
>> Martin Basti
>>
>>
>
>
> --
> Martin Basti
>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
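The thread above turns on two points: named-pkcs11 fails to start when the SoftHSM object store it is pointed at is missing or empty, and softhsm2-util only looks at IPA's token store when SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf is set (otherwise it inspects the default /var/lib/softhsm/tokens, which is what the strace output showed). The script below is an added pre-flight check written for this editorial pass; it is not part of the thread and not FreeIPA's own code. It reads the token directory out of the softhsm2.conf that IPA uses (the `directories.tokendir = <path>` key is the SoftHSM v2 config format) and classifies the directory as missing, empty or populated, which maps onto the three symptoms seen in the thread. The function names and the temporary layout used in the test are my own constructions; the /etc/ipa/dnssec and /var/lib/ipa/dnssec paths come from the thread.

```shell
#!/bin/sh
# Added example: pre-flight check for the SoftHSM token store that
# bind-pkcs11 uses for IPA DNSSEC. Not from the thread or from FreeIPA.
# Paths taken from the thread:
#   IPA's own SoftHSM config: /etc/ipa/dnssec/softhsm2.conf
#   IPA token store:          /var/lib/ipa/dnssec/tokens
# All functions take paths as arguments so the check can be exercised on a
# constructed directory layout without touching a live server.

# Extract the token directory from a softhsm2.conf.
# SoftHSM v2 config syntax: "directories.tokendir = /some/path".
# Returns 1 if the config file cannot be read.
softhsm_tokendir() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$conf" \
        | head -n 1
}

# Classify a token directory. The three states correspond to what the
# thread observed:
#   missing - no such directory: named-pkcs11 logs "Failed to enumerate
#             object store" and "Could not load the object store"
#   empty   - directory exists but holds no token: softhsm2-util reports
#             "Token present: yes" / "Initialized: no", and named cannot
#             open a PKCS#11 session for DNSSEC signing
#   ok      - at least one token object store is present
token_store_state() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo missing
    elif [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo empty
    else
        echo ok
    fi
}

# Resolve the token directory from the config IPA uses (not the SoftHSM
# default) and report. Exit status 0 only when tokens are present, so the
# function can gate a service restart or feed a monitoring check.
check_ipa_dnssec_tokens() {
    conf="${1:-/etc/ipa/dnssec/softhsm2.conf}"
    dir=$(softhsm_tokendir "$conf") || { echo "cannot read $conf"; return 2; }
    [ -n "$dir" ] || { echo "no directories.tokendir in $conf"; return 2; }
    state=$(token_store_state "$dir")
    echo "SOFTHSM2_CONF=$conf tokendir=$dir state=$state"
    [ "$state" = ok ]
}
```

On a real server, source the file and run `check_ipa_dnssec_tokens` (optionally with an explicit config path) before `systemctl start named-pkcs11`; a result of `missing` or `empty` is the condition the thread resolved by removing the broken token directory and re-running ipa-dns-install against a running directory server, and it is worth alerting on rather than letting named crash-loop.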
