On 27/10/14 18:53, John Obaterspok wrote:


2014-10-27 12:19 GMT+01:00 Martin Basti <mba...@redhat.com>:

    On 26/10/14 21:39, John Obaterspok wrote:
    Hi,

    I enabled mkosek-freeipa repo for F20 and updated freeipa-server
    from 3.3.5 to 4.1. The yum update reported just a single error:

    Could not load host key: /etc/ssh/ssh_host_dsa_key

    After reboot I had 3 services that failed to start:
    ipa, kadmin, named-pkcs11

    Doing "strace -f named-pkcs11 -u named -f -g" I can see:
       "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
       initializing DST: PKCS#11 initialization failed
       exiting (due to fatal error)


    For kadmin the error is due to not being able to connect to sldap

    I noticed that softhsm2-util --show-slots reported "ERROR: Could
    not initialize the library." But that seemed to be because wasn't part of the update. After that I could show the default
    slot and then I manually called the following (as root):

    "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC
    --pin XXXXXXXX --so-pin XXXXXXXX"

    But the problems won't go away. Any clues?

    -- john




    Hello,

    1)
    can you share your /var/log/ipaupgrade.log ?


Unfortunately I removed the original ipaupgrade.log file when I did a retry to install freeipa-server. The current ipaupgrade.log has two errors:
First)

2014-10-26T12:45:15Z DEBUG Live 1, updated 1
2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
2014-10-26T12:45:15Z ERROR Update failed: Operations error:
2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf Plugin,cn=plugins,cn=config
2014-10-26T12:45:15Z DEBUG ---------------------------------------------
Is there some information about the entry which is updated above?

Second) It complains about not being able to start named-pkcs11 service.

    2)
    your issue with softhsm can be caused by a missing environment variable;
    IPA internally uses

    SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
    please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
    softhsm2-util --show-slots, and let me know if it works

    same with named-pkcs11,


The file timestamps for softhsm_pin & tokens match the time I did the original update

# ll /var/lib/ipa/dnssec/
-rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens

# ll /var/lib/ipa/dnssec/tokens/
total 0

# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot 0
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.0
        Firmware version: 2.0
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.0
        Firmware version: 2.0
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:
Slot was not initialized by IPA

    3)
    can you share journalctl -u named-pkcs11 output?


10:35:48 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Reboot --
10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
10:58:05 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.

... After some fiddling a restart says this:

19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
19:26:21 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.

    4)
    I'm not aware that we need krb5-libs/openssl; I was getting
    this error if the tokens directory doesn't exist, but IPA uses its own
    configuration (see 2), not the default.


 ok

I took a deeper look, and I found some packaging errors there with softhsm.
You were right about the missing dependency.

Please install the softhsm-devel package, remove the /var/lib/ipa/dnssec/tokens directory, then reinstall DNS with ipa-dns-install (requires a running directory server).

Or if you have a snapshot, install softhsm-devel before upgrading ipa.

HTH
Martin^2

--
Martin Basti
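The checks walked through in this thread (running softhsm2-util with IPA's own SOFTHSM2_CONF, looking at the empty tokens directory, reading "Initialized: no" from the slot listing) scripted as an added example; it is not part of the thread or of FreeIPA. The paths are the ones quoted above; the function names and the embedded sample output are constructed.

```shell
# Added example, not from the thread or FreeIPA: scripts the checks above.
# Assumed: the IPA paths quoted in the thread; function names and the
# sample output below are constructed.

IPA_SOFTHSM_CONF=/etc/ipa/dnssec/softhsm2.conf
IPA_TOKEN_DIR=/var/lib/ipa/dnssec/tokens

# Read `softhsm2-util --show-slots` output on stdin; print the first slot's
# state: "absent" (no token), "uninitialized" ("Initialized: no", as seen
# in the thread) or "initialized".
token_state() {
    awk '
        /Token present:/  { present = $3 }
        /^ *Initialized:/ { init = $2; exit }
        END {
            if (present != "yes")   print "absent";
            else if (init == "yes") print "initialized";
            else                    print "uninitialized";
        }'
}

# Succeed only if the IPA token directory exists and holds token files;
# the thread shows it empty ("total 0"), so named-pkcs11 finds no token.
tokens_present() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Constructed sample, trimmed from the output quoted in the thread.
SAMPLE_SHOW_SLOTS='Available slots:
Slot 0
        Token present:    yes
        Initialized:      no
        User PIN init.:   no
        Label:'

# Live check on the host; runs only when the script is invoked with --check.
# SOFTHSM2_CONF matters: without it softhsm2-util looks at the default
# /var/lib/softhsm/tokens (the EACCES path in the strace), not IPA's directory.
check_ipa_token() {
    if tokens_present "$IPA_TOKEN_DIR"; then
        echo "token dir $IPA_TOKEN_DIR: populated"
    else
        echo "token dir $IPA_TOKEN_DIR: missing or empty" >&2
    fi
    SOFTHSM2_CONF=$IPA_SOFTHSM_CONF softhsm2-util --show-slots 2>/dev/null | token_state
}

case "${1:-}" in --check) check_ipa_token ;; esac
```

Run it as root with `--check` on the upgraded server; "uninitialized" together with an empty token directory is the state shown in the thread.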

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project