On 27/10/14 19:57, John Obaterspok wrote:
Hello Martin,

Still no go.

I installed the softhsm-devel package (that only contains header files), removed the token directory, reinstalled the bind & bind-pkcs11, did ipa-dns-install that completed ok (I guess):

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Directory Manager password:

# ipa-upgradeconfig
[Verifying that root certificate is published]
*Failed to backup CS.cfg: no magic attribute 'dogtag'*
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
*Failed to restart named: Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1*
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful


# systemctl restart named-pkcs11 && journalctl -xn
19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens
19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object store
19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization failed
19:38:54 named-pkcs11[838]: exiting (due to fatal error)
19:38:54 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.


It seems the problem is now there are no tokens:
# ll /var/lib/ipa/dnssec/
total 4.0K
-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin

This is interesting, ipa-dns-install should detect the missing directory and create a new one. Could you send me the tail of /var/log/ipaserver-install.log, where the DNS debug lines are?

Martin^2

Any ideas?

-- john

2014-10-27 19:05 GMT+01:00 Martin Basti <mba...@redhat.com>:

    On 27/10/14 18:53, John Obaterspok wrote:


    2014-10-27 12:19 GMT+01:00 Martin Basti <mba...@redhat.com>:

        On 26/10/14 21:39, John Obaterspok wrote:
        Hi,

        I enabled mkosek-freeipa repo for F20 and updated
        freeipa-server from 3.3.5 to 4.1. The yum update reported
        just a single error:

        Could not load host key: /etc/ssh/ssh_host_dsa_key

        After reboot I had 3 services that failed to start:
        ipa, kadmin, named-pkcs11

        Doing "strace -f named-pkcs11 -u named -f -g" I can see:
           "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
           initializing DST: PKCS#11 initialization failed
           exiting (due to fatal error)


        For kadmin the error is due to not being able to connect to
        sldap

        I noticed that softhsm2-util --show-slots reported "ERROR:
        Could not initialize the library." But that seemed to be
        because   wasn't part of the update. After that I could show
        the default slot and then I manually called following (as root):

        "/usr/bin/softhsm2-util --init-token --slot 0 --label
        ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"

        But the problems won't go away. Any clues?

        -- john




        Hello,

        1)
        can you share your /var/log/ipaupgrade.log ?


    Unfortunately I removed the original ipaupgrade.log file when I
    retried installing freeipa-server. The current ipaupgrade.log
    has two errors:
    First)

    2014-10-26T12:45:15Z DEBUG Live 1, updated 1
    2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
    {'desc': 'Operations error'}
    2014-10-26T12:45:15Z ERROR Update failed: Operations error:
    2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
    Plugin,cn=plugins,cn=config
    2014-10-26T12:45:15Z DEBUG
    ---------------------------------------------
    Is there some information about the entry which is updated above?


    Second) It complains about not being able to start named-pkcs11
    service.

        2)
        your issue with softhsm can be caused by a missing environment
        variable
        IPA internally uses

        SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
        please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
        softhsm2-util --show-slots, and let me know if it works

        same with named-pkcs11,


    The timestamps for softhsm_pin & tokens match the time I did the
    original update

    # ll /var/lib/ipa/dnssec/
    -rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
    drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens

    # ll /var/lib/ipa/dnssec/tokens/
    total 0

    # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
    Available slots:
    Slot 0
        Slot info:
            Description:      SoftHSM slot 0
            Manufacturer ID:  SoftHSM project
            Hardware version: 2.0
            Firmware version: 2.0
            Token present:    yes
        Token info:
            Manufacturer ID:  SoftHSM project
            Model:            SoftHSM v2
            Hardware version: 2.0
            Firmware version: 2.0
            Serial number:
            Initialized:      no
            User PIN init.:   no
            Label:
    Slot was not initialized by IPA

        3)
        can you share journalctl -u named-pkcs11 output?


    10:35:48 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
    10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
    10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
    10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
    -- Reboot --
    10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
    10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
    10:58:05 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
    10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
    10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
    10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.

    ... After some fiddling a restart says this:

    19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
    19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
    19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
    19:26:21 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
    19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
    19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.

        4)
        I'm not aware that we need krb5-libs/openssl. I was
        getting this error if the tokens directory doesn't exist, but IPA
        uses its own configuration (see 2), not the default.


     ok

    I took a deeper look, and I found some packaging errors with
    softhsm.
    You were right about the missing dependency.

    Please install the softhsm-devel package, remove the
    /var/lib/ipa/dnssec/tokens directory, then reinstall DNS with
    ipa-dns-install (requires a running directory server)

    Or if you have snapshot, install softhsm-devel before upgrading ipa

    HTH
    Martin^2

-- Martin Basti




--
Martin Basti
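The two symptoms in this thread, a SoftHSM slot that reports "Initialized: no" and an empty /var/lib/ipa/dnssec/tokens directory, can be checked mechanically. The following is an added example, not code from the thread or from FreeIPA: it parses `softhsm2-util --show-slots` output (a constructed sample modelled on the one quoted above) and checks the token directory; the expected label ipaDNSSEC comes from the init-token command in the thread.

```python
import os
import re

# Constructed sample, modelled on the softhsm2-util output quoted in the thread.
SAMPLE_SHOW_SLOTS = """Available slots:
Slot 0
    Slot info:
        Token present:    yes
    Token info:
        Initialized:      no
        User PIN init.:   no
        Label:
"""

def parse_show_slots(text):
    """Return {slot_number: {"slot": {...}, "token": {...}}} from --show-slots output."""
    slots, current, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^Slot (\d+)\s*$", line)
        if m:
            current = slots.setdefault(int(m.group(1)), {"slot": {}, "token": {}})
            continue
        stripped = line.strip()
        if stripped in ("Slot info:", "Token info:"):
            section = stripped.split()[0].lower()      # "slot" or "token"
        elif current is not None and section and ":" in stripped:
            key, _, value = stripped.partition(":")    # "Label:" gives an empty value
            current[section][key.strip()] = value.strip()
    return slots

def token_problems(slots, expected_label="ipaDNSSEC"):
    """Explain why named-pkcs11 cannot use a slot: absent, uninitialized, wrong label."""
    problems = []
    for num, info in slots.items():
        tok = info["token"]
        if info["slot"].get("Token present") != "yes":
            problems.append(f"slot {num}: no token present")
        elif tok.get("Initialized") != "yes":
            problems.append(f"slot {num}: token not initialized")
        elif tok.get("Label") != expected_label:
            problems.append(f"slot {num}: label {tok.get('Label')!r} != {expected_label!r}")
    return problems

def token_dir_problems(path):
    """The object store named-pkcs11 enumerates at startup must exist and be non-empty."""
    if not os.path.isdir(path):
        return [f"{path}: missing, named-pkcs11 cannot enumerate the object store"]
    if not os.listdir(path):
        return [f"{path}: exists but is empty, no token objects to load"]
    return []
```

Run the real check with `SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots` piped into `parse_show_slots`, since IPA's own configuration (not the default) points at /var/lib/ipa/dnssec/tokens.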
