hmm... Could not connect to the Directory Server

So I started it with start-dirsrv since "systemctl start ipa" failed. Then it was a breeze, ipa-dns-install worked fine.

# systemctl --failed
0 loaded units listed.

I haven't verified that it works, but I feel confident :)

-- john

2014-10-27 20:09 GMT+01:00 Martin Basti <mba...@redhat.com>:

> On 27/10/14 19:57, John Obaterspok wrote:
>
> Hello Martin,
>
> Still no go.
>
> I installed the softhsm-devel package (that only contains header files), removed the token directory, reinstalled the bind & bind-pkcs11, did ipa-dns-install that completed ok (I guess):
>
> To accept the default shown in brackets, press the Enter key.
>
> Existing BIND configuration detected, overwrite? [no]: yes
> Directory Manager password:
>
> # ipa-upgradeconfig
> [Verifying that root certificate is published]
> *Failed to backup CS.cfg: no magic attribute 'dogtag'*
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Removing self-signed CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Masking named]
> Changes to named.conf have been made, restart named
> *Failed to restart named: Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1*
> [Verifying that CA service certificate profile is updated]
> [Update certmonger certificate renewal configuration to version 2]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> The ipa-upgradeconfig command was successful
>
>
> # systemctl restart named-pkcs11 && journalctl -xn
> 19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens
> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object store
> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization failed
> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
> 19:38:54 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>
>
> It seems the problem is now there are no tokens:
> # ll /var/lib/ipa/dnssec/
> total 4.0K
> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>
>
> This is interesting, ipa-dns-install should detect a missing directory and create a new one.
> Could you send me the tail of /var/log/ipaserver-install.log, where the DNS debug lines are?
>
> Martin^2
>
>
> Any ideas?
>
> -- john
>
> 2014-10-27 19:05 GMT+01:00 Martin Basti <mba...@redhat.com>:
>
>> On 27/10/14 18:53, John Obaterspok wrote:
>>
>> 2014-10-27 12:19 GMT+01:00 Martin Basti <mba...@redhat.com>:
>>
>>> On 26/10/14 21:39, John Obaterspok wrote:
>>>
>>> Hi,
>>>
>>> I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5 to 4.1. The yum update reported just a single error:
>>>
>>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>
>>> After reboot I had 3 services that failed to start:
>>> ipa, kadmin, named-pkcs11
>>>
>>> Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>>> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>>> initializing DST: PKCS#11 initialization failed
>>> exiting (due to fatal error)
>>>
>>> For kadmin the error is due to not being able to connect to sldap
>>>
>>> I noticed that softhsm2-util --show-slots reported "ERROR: Could not initialize the library." But that seemed to be because wasn't part of the update. After that I could show the default slot and then I manually called the following (as root):
>>>
>>> "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"
>>>
>>> But the problems won't go away. Any clues?
>>>
>>> -- john
>>>
>>>
>>> Hello,
>>>
>>> 1)
>>> can you share your /var/log/ipaupgrade.log ?
>>>
>> Unfortunately I removed the original ipaupgrade.log file when I did a retry to install freeipa-server. The current ipaupgrade.log has two errors:
>> First)
>>
>> 2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
>> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
>> 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf Plugin,cn=plugins,cn=config
>> 2014-10-26T12:45:15Z DEBUG ---------------------------------------------
>>
>> Is there some information about the entry which is updated above?
>>
>>
>> Second) It complains about not being able to start the named-pkcs11 service.
>>
>>
>>> 2)
>>> your issue with softhsm can be caused by a missing environment variable IPA internally uses
>>>
>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>> please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots, and let me know if it works
>>>
>>> same with named-pkcs11,
>>>
>> The filestamps for softhsm_pin & tokens match the time I did the original update
>>
>> # ll /var/lib/ipa/dnssec/
>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>>
>> # ll /var/lib/ipa/dnssec/tokens/
>> total 0
>>
>> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
>> Available slots:
>> Slot 0
>>     Slot info:
>>         Description:      SoftHSM slot 0
>>         Manufacturer ID:  SoftHSM project
>>         Hardware version: 2.0
>>         Firmware version: 2.0
>>         Token present:    yes
>>     Token info:
>>         Manufacturer ID:  SoftHSM project
>>         Model:            SoftHSM v2
>>         Hardware version: 2.0
>>         Firmware version: 2.0
>>         Serial number:
>>         Initialized:      no
>>         User PIN init.:   no
>>         Label:
>>
>> Slot was not initialized by IPA
>>
>>
>>> 3)
>>> can you share journalctl -u named-pkcs11 output?
>>>
>> 10:35:48 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>> 10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> 10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
>> 10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> -- Reboot --
>> 10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
>> 10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
>> 10:58:05 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>> 10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> 10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
>> 10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
>>
>> ...
>>
>> After some fiddling a restart says this:
>>
>> 19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
>> 19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
>> 19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
>> 19:26:21 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>> 19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> 19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.
>>
>>> 4)
>>> I'm not aware of that we need, krb5-libs/openssl, I was getting this error if the tokens directory doesn't exist, but IPA uses its own configuration (see 2) not the default.
>>>
>> ok
>>
>>
>> I took a deeper look, and I found there are some packaging errors with softhsm.
>> You were right about the missing dependency.
>>
>> Please install the softhsm-devel package, remove the /var/lib/ipa/dnssec/tokens directory, then reinstall DNS, ipa-dns-install (requires running directory server)
>>
>> Or if you have a snapshot, install softhsm-devel before upgrading ipa
>>
>> HTH
>> Martin^2
>>
>> --
>> Martin Basti
>>
>
>
> --
> Martin Basti
>
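As an added example that is not part of the thread, here is a small read-only POSIX shell check for the two failure modes debugged above: a missing or empty /var/lib/ipa/dnssec/tokens directory (the "Failed to enumerate object store" start-up error) and a slot 0 that softhsm2-util reports as "Initialized: no" (the "Slot was not initialized by IPA" case). The SOFTHSM2_CONF path and the token directory are the ones quoted in the thread; the function names and the embedded sample output are my own.

```shell
#!/bin/sh
# Added example (not from the thread): read-only health check for the IPA
# DNSSEC SoftHSM token that named-pkcs11 loads. Paths and SOFTHSM2_CONF are
# the ones quoted in the thread; function and sample names are assumptions.
IPA_SOFTHSM_CONF=/etc/ipa/dnssec/softhsm2.conf
IPA_TOKEN_DIR=/var/lib/ipa/dnssec/tokens

# Token directory check. A missing directory makes named-pkcs11 fail with
# "Failed to enumerate object store"; an empty one means no token was ever
# initialized. Returns 0 only when the directory exists and is non-empty.
check_token_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (named-pkcs11 cannot enumerate the object store)"
        return 1
    fi
    if [ -z "$(ls -A "$dir")" ]; then
        echo "empty: $dir (no token initialized by IPA yet)"
        return 1
    fi
    echo "ok: $dir"
    return 0
}

# Parse `softhsm2-util --show-slots` output from stdin and print the
# "Initialized:" value of slot 0 ("yes"/"no"), or "absent" if not found.
slot0_initialized() {
    awk '
        /^Slot [0-9]+/                      { slot = $2 }
        slot == "0" && $1 == "Initialized:" { print $2; found = 1; exit }
        END                                 { if (!found) print "absent" }
    '
}

# Constructed sample mirroring the uninitialized slot shown in the thread.
SAMPLE_SLOTS='Available slots:
Slot 0
    Slot info:
        Token present:    yes
    Token info:
        Initialized:      no
        User PIN init.:   no'
sample_slot0_state() { printf '%s\n' "$SAMPLE_SLOTS" | slot0_initialized; }

# Live check against the real host (needs root and the IPA config files).
if [ "${1:-}" = "--live" ]; then
    check_token_dir "$IPA_TOKEN_DIR"
    SOFTHSM2_CONF="$IPA_SOFTHSM_CONF" softhsm2-util --show-slots | slot0_initialized
fi
```

Run it as `sh check-ipa-softhsm.sh --live` on the IPA server; without `--live` it only defines the functions and evaluates the embedded sample.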
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project