Running into same thing, but running ipa-dnsinstall does not complete:

=============================
Configuring DNS (named)
  [1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up CA record
  [5/8]: setting up kerberos principal
  [6/8]: setting up named.conf
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/6]: checking status
  [2/6]: setting up kerberos principal
  [3/6]: setting up SoftHSM
  [4/6]: adding DNSSEC containers
  [5/6]: creating replica keys
  [error] DuplicateEntry: This entry already exists
Unexpected error - see /var/log/ipaserver-install.log for details:
DuplicateEntry: This entry already exists
=============================

Looking into the /var/log/ipaserver-install.log gets:

=============================
2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP, ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
2014-10-28T05:01:24Z DEBUG flushing ldap://infra-dc-01.my.domain.com:389 from SchemaCache
2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache url=ldap://infra-dc-01.my.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x47d0d88>
2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
    self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry already exists
2014-10-28T05:01:24Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/sbin/ipa-dns-install", line 218, in main
    dnskeysyncd.create_instance(api.env.host, api.env.realm)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 128, in create_instance
    self.start_creation()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys
    ldap.add_entry(entry)

  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
    self.conn.add_s(entry.dn, attrs.items())

  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)

  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler
    raise errors.DuplicateEntry()

2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed, exception: DuplicateEntry: This entry already exists
=============================

-M

On 10/27/14, 12:52 PM, Martin Basti wrote:
> On 27/10/14 20:50, John Obaterspok wrote:
>> Hello Martin,
>>
>> It works perfectly again!
>>
>> Note, I noticed in /var/log/ipaserver-install.log that ipa-dns-install
>> failed because 389 wasn't started (failed to connect). Once it was
>> started manually the ipa-dns-install worked fine.
>>
>> Thanks a lot Martin,
>>
>> -- john
>>
> You are welcome :-)
>
>> 2014-10-27 20:40 GMT+01:00 Martin Basti <[email protected]
>> <mailto:[email protected]>>:
>>
>> On 27/10/14 20:34, John Obaterspok wrote:
>>> hmm... Could not connect to the Directory Server
>>>
>>> So I started it with start-dirsrv since "systemctl start ipa"
>>> failed. Then it was a breeze, ipa-dns-install worked fine.
>>>
>>> # systemctl --failed
>>> 0 loaded units listed.
>>
>> I'm lost, does IPA work or not?
>> Are all services running? (ipactl status)
>> Are tokens created in /var/lib/ipa/dnssec/tokens?
>> Can you dig records from IPA DNS?
>>
>> Martin^2
>>
>>> I haven't verified that it works, but I feel confident :)
>>>
>>> -- john
>>>
>>> 2014-10-27 20:09 GMT+01:00 Martin Basti <[email protected]
>>> <mailto:[email protected]>>:
>>>
>>> On 27/10/14 19:57, John Obaterspok wrote:
>>>> Hello Martin,
>>>>
>>>> Still no go.
>>>>
>>>> I installed the softhsm-devel package (that only contains
>>>> header files), removed the token directory, reinstalled the
>>>> bind & bind-pkcs11, did ipa-dns-install that completed ok
>>>> (I guess):
>>>>
>>>> To accept the default shown in brackets, press the Enter key.
>>>>
>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>> Directory Manager password:
>>>>
>>>> # ipa-upgradeconfig
>>>> [Verifying that root certificate is published]
>>>> *Failed to backup CS.cfg: no magic attribute 'dogtag'*
>>>> [Migrate CRL publish directory]
>>>> CRL tree already moved
>>>> [Verifying that CA proxy configuration is correct]
>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>> [Fixing trust flags in /etc/httpd/alias]
>>>> Trust flags already processed
>>>> [Fix DS schema file syntax]
>>>> Syntax already fixed
>>>> [Removing RA cert from DS NSS database]
>>>> RA cert already removed
>>>> [Removing self-signed CA]
>>>> [Checking for deprecated KDC configuration files]
>>>> [Checking for deprecated backups of Samba configuration files]
>>>> [Setting up Firefox extension]
>>>> [Add missing CA DNS records]
>>>> IPA CA DNS records already processed
>>>> [Removing deprecated DNS configuration options]
>>>> [Ensuring minimal number of connections]
>>>> [Enabling serial autoincrement in DNS]
>>>> [Updating GSSAPI configuration in DNS]
>>>> [Updating pid-file configuration in DNS]
>>>> [Masking named]
>>>> Changes to named.conf have been made, restart named
>>>> *Failed to restart named: Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1*
>>>> [Verifying that CA service certificate profile is updated]
>>>> [Update certmonger certificate renewal configuration to version 2]
>>>> [Enable PKIX certificate path discovery and validation]
>>>> PKIX already enabled
>>>> The ipa-upgradeconfig command was successful
>>>>
>>>> # systemctl restart named-pkcs11 && journalctl -xn
>>>> 19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens
>>>> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object store
>>>> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization failed
>>>> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
>>>> 19:38:54 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>>>> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>>>
>>>> It seems the problem is now there are no tokens:
>>>> # ll /var/lib/ipa/dnssec/
>>>> total 4.0K
>>>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>>
>>> This is interesting, ipa-dns-install should detect the missing
>>> directory and create a new one.
>>> Could you send me the tail of /var/log/ipaserver-install.log,
>>> where the DNS debug lines are?
>>>
>>> Martin^2
>>>
>>>> Any ideas?
>>>>
>>>> -- john
>>>>
>>>> 2014-10-27 19:05 GMT+01:00 Martin Basti <[email protected]
>>>> <mailto:[email protected]>>:
>>>>
>>>> On 27/10/14 18:53, John Obaterspok wrote:
>>>>>
>>>>> 2014-10-27 12:19 GMT+01:00 Martin Basti
>>>>> <[email protected] <mailto:[email protected]>>:
>>>>>
>>>>> On 26/10/14 21:39, John Obaterspok wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I enabled mkosek-freeipa repo for F20 and updated
>>>>>> freeipa-server from 3.3.5 to 4.1. The yum update
>>>>>> reported just a single error:
>>>>>>
>>>>>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>>>>
>>>>>> After reboot I had 3 services that failed to start:
>>>>>> ipa, kadmin, named-pkcs11
>>>>>>
>>>>>> Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>>>>>> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>>>>>> initializing DST: PKCS#11 initialization failed
>>>>>> exiting (due to fatal error)
>>>>>>
>>>>>> For kadmin the error is due to not being able to
>>>>>> connect to sldap
>>>>>>
>>>>>> I noticed that softhsm2-util --show-slots
>>>>>> reported "ERROR: Could not initialize the
>>>>>> library." But that seemed to be because wasn't
>>>>>> part of the update. After that I could show the
>>>>>> default slot and then I manually called the following
>>>>>> (as root):
>>>>>>
>>>>>> "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"
>>>>>>
>>>>>> But the problems won't go away. Any clues?
>>>>>>
>>>>>> -- john
>>>>>>
>>>>> Hello,
>>>>>
>>>>> 1)
>>>>> can you share your /var/log/ipaupgrade.log ?
>>>>>
>>>>> Unfortunately I removed the original ipaupgrade.log
>>>>> file when I did a retry to install freeipa-server. The
>>>>> current ipaupgrade.log has two errors:
>>>>> First)
>>>>>
>>>>> 2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>>>>> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
>>>>> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
>>>>> 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf Plugin,cn=plugins,cn=config
>>>>> 2014-10-26T12:45:15Z DEBUG ---------------------------------------------
>>>>
>>>> Is there some information about the entry which is updated
>>>> above?
>>>>
>>>>> Second) It complains about not being able to start
>>>>> named-pkcs11 service.
>>>>>
>>>>> 2)
>>>>> your issue with softhsm can be caused by missing
>>>>> environment variable
>>>>> IPA internally uses
>>>>>
>>>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>>> please try
>>>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots, and let me know if it
>>>>> works
>>>>>
>>>>> same with named-pkcs11,
>>>>>
>>>>> The filestamps for softhsm_pin & tokens match the time
>>>>> I did the original update
>>>>>
>>>>> # ll /var/lib/ipa/dnssec/
>>>>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>>>> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>>>>>
>>>>> # ll /var/lib/ipa/dnssec/tokens/
>>>>> total 0
>>>>>
>>>>> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
>>>>> Available slots:
>>>>> Slot 0
>>>>>     Slot info:
>>>>>         Description:      SoftHSM slot 0
>>>>>         Manufacturer ID:  SoftHSM project
>>>>>         Hardware version: 2.0
>>>>>         Firmware version: 2.0
>>>>>         Token present:    yes
>>>>>     Token info:
>>>>>         Manufacturer ID:  SoftHSM project
>>>>>         Model:            SoftHSM v2
>>>>>         Hardware version: 2.0
>>>>>         Firmware version: 2.0
>>>>>         Serial number:
>>>>>         Initialized:      no
>>>>>         User PIN init.:   no
>>>>>         Label:
>>>>
>>>> Slot was not initialized by IPA
>>>>
>>>>> 3)
>>>>> can you share journalctl -u named-pkcs11 output?
>>>>>
>>>>> 10:35:48 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>>>>> 10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>>>> 10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
>>>>> 10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>>>> -- Reboot --
>>>>> 10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
>>>>> 10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
>>>>> 10:58:05 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>>>>> 10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>>>> 10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
>>>>> 10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>>>>
>>>>> ... After some fiddling a restart says this:
>>>>>
>>>>> 19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
>>>>> 19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
>>>>> 19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
>>>>> 19:26:21 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>>>>> 19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>>>> 19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.
>>>>>
>>>>> 4)
>>>>> I'm not aware of that we need, krb5-libs/openssl,
>>>>> I was getting this error if the tokens directory
>>>>> doesn't exist, but IPA uses its own configuration (see
>>>>> 2) not the default.
>>>>>
>>>>> ok
>>>>
>>>> I took a deeper look, and I found some packaging
>>>> errors with softhsm.
>>>> You were right about the missing dependency.
>>>>
>>>> Please install the softhsm-devel package, remove the
>>>> /var/lib/ipa/dnssec/tokens directory, then reinstall
>>>> DNS, ipa-dns-install (requires running directory server)
>>>>
>>>> Or if you have a snapshot, install softhsm-devel before
>>>> upgrading ipa
>>>>
>>>> HTH
>>>> Martin^2
>>>>
>>>> --
>>>> Martin Basti
>>>
>>> --
>>> Martin Basti
>>
>> --
>> Martin Basti
>
> --
> Martin Basti
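As an added example (not code from this thread or from FreeIPA), a read-only shell check covering the two things Martin asks about: whether the IPA SoftHSM token is initialized when queried with the SOFTHSM2_CONF that IPA itself uses, and whether /var/lib/ipa/dnssec/tokens exists and is non-empty. The paths are the ones quoted in the thread; the function names and the sample `--show-slots` text are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA: read-only health check of
# the SoftHSM token that named-pkcs11 and ipa-dnskeysyncd depend on.
# Paths are the ones quoted in the thread; the function names are ours.
IPA_SOFTHSM_CONF="${IPA_SOFTHSM_CONF:-/etc/ipa/dnssec/softhsm2.conf}"
IPA_TOKEN_DIR="${IPA_TOKEN_DIR:-/var/lib/ipa/dnssec/tokens}"

# token_state: parse `softhsm2-util --show-slots` text on stdin and print
# absent | uninitialized | initialized for the first slot. Matching on the
# first field keeps "User PIN init.:" from being mistaken for "Initialized:".
token_state() {
    awk '$1 == "Token" && $2 == "present:" { present = ($3 == "yes") }
         $1 == "Initialized:" && !seen     { init = ($2 == "yes"); seen = 1 }
         END { if (!seen || !present) print "absent";
               else if (init) print "initialized";
               else print "uninitialized" }'
}

# token_dir_state DIR: print missing | empty | ok. "empty" is the state the
# thread shows just before named-pkcs11 fails to enumerate the object store;
# "missing" is what ipa-dns-install is expected to detect and recreate.
token_dir_state() {
    [ -d "$1" ] || { echo missing; return 0; }
    if [ -n "$(ls -A "$1" 2>/dev/null)" ]; then echo ok; else echo empty; fi
}

# Constructed sample mirroring the --show-slots output posted in the thread.
SAMPLE_UNINIT='Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot 0
        Token present:    yes
    Token info:
        Initialized:      no
        User PIN init.:   no
        Label:'

# check_live: query the real system with the SOFTHSM2_CONF that IPA itself
# uses rather than the SoftHSM default, then report both states.
check_live() {
    slots=$(SOFTHSM2_CONF="$IPA_SOFTHSM_CONF" softhsm2-util --show-slots 2>/dev/null || true)
    echo "token dir ($IPA_TOKEN_DIR): $(token_dir_state "$IPA_TOKEN_DIR")"
    echo "token (first slot): $(printf '%s\n' "$slots" | token_state)"
}

# Run `sh ipa-dnssec-check.sh --live` on the IPA server; with no argument
# only the functions are defined, so the file can be sourced or tested.
case "${1:-}" in --live) check_live ;; esac
```

A result of "empty"/"uninitialized" matches the state in the thread where named-pkcs11 refuses to start; "ok"/"initialized" is what to expect after ipa-dns-install has set up SoftHSM.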
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project