On 27/10/14 20:34, John Obaterspok wrote:
hmm... Could not connect to the Directory Server

So I started it with start-dirsrv since "systemctl start ipa" failed. Then it was a breeze, ipa-dns-install worked fine.

# systemctl --failed
0 loaded units listed.
I'm lost, does IPA work or not?
Are all services running? (ipactl status)
Are tokens created in /var/lib/ipa/dnssec/tokens?
Can you dig records from IPA DNS?

Martin^2

I haven't verified that it works, but I feel confident :)

-- john


2014-10-27 20:09 GMT+01:00 Martin Basti <mba...@redhat.com>:

    On 27/10/14 19:57, John Obaterspok wrote:
    Hello Martin,

    Still no go.

    I installed the softhsm-devel package (which only contains header
    files), removed the token directory, reinstalled bind &
    bind-pkcs11, and ran ipa-dns-install, which completed OK (I guess):

    To accept the default shown in brackets, press the Enter key.

    Existing BIND configuration detected, overwrite? [no]: yes
    Directory Manager password:

    # ipa-upgradeconfig
    [Verifying that root certificate is published]
    *Failed to backup CS.cfg: no magic attribute 'dogtag'*
    [Migrate CRL publish directory]
    CRL tree already moved
    [Verifying that CA proxy configuration is correct]
    [Verifying that KDC configuration is using ipa-kdb backend]
    [Fixing trust flags in /etc/httpd/alias]
    Trust flags already processed
    [Fix DS schema file syntax]
    Syntax already fixed
    [Removing RA cert from DS NSS database]
    RA cert already removed
    [Removing self-signed CA]
    [Checking for deprecated KDC configuration files]
    [Checking for deprecated backups of Samba configuration files]
    [Setting up Firefox extension]
    [Add missing CA DNS records]
    IPA CA DNS records already processed
    [Removing deprecated DNS configuration options]
    [Ensuring minimal number of connections]
    [Enabling serial autoincrement in DNS]
    [Updating GSSAPI configuration in DNS]
    [Updating pid-file configuration in DNS]
    [Masking named]
    Changes to named.conf have been made, restart named
    *Failed to restart named: Command ''/bin/systemctl' 'restart'
    'named-pkcs11.service'' returned non-zero exit status 1*
    [Verifying that CA service certificate profile is updated]
    [Update certmonger certificate renewal configuration to version 2]
    [Enable PKIX certificate path discovery and validation]
    PKIX already enabled
    The ipa-upgradeconfig command was successful


    # systemctl restart named-pkcs11 && journalctl -xn
    19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to
    enumerate object store in /var/lib/ipa/dnssec/tokens
    19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the
    object store
    19:38:54 named-pkcs11[838]: initializing DST: PKCS#11
    initialization failed
    19:38:54 named-pkcs11[838]: exiting (due to fatal error)
    19:38:54 systemd[1]: named-pkcs11.service: control process
    exited, code=exited status=1
    19:38:54 systemd[1]: Failed to start Berkeley Internet Name
    Domain (DNS) with native PKCS#11.


    It seems the problem is now there are no tokens:
    # ll /var/lib/ipa/dnssec/
    total 4.0K
    -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin

    This is interesting, ipa-dns-install should detect a missing
    directory and create a new one.
    Could you send me the tail of /var/log/ipaserver-install.log, where
    the DNS debug lines are?

    Martin^2


    Any ideas?

    -- john

    2014-10-27 19:05 GMT+01:00 Martin Basti <mba...@redhat.com>:

        On 27/10/14 18:53, John Obaterspok wrote:


        2014-10-27 12:19 GMT+01:00 Martin Basti <mba...@redhat.com>:

            On 26/10/14 21:39, John Obaterspok wrote:
            Hi,

            I enabled mkosek-freeipa repo for F20 and updated
            freeipa-server from 3.3.5 to 4.1. The yum update
            reported just a single error:

            Could not load host key: /etc/ssh/ssh_host_dsa_key

            After reboot I had 3 services that failed to start:
            ipa, kadmin, named-pkcs11

            Doing "strace -f named-pkcs11 -u named -f -g" I can see:
             "/var/lib/softhsm/tokens/" => -1 EACCES (Permission
            denied)
               initializing DST: PKCS#11 initialization failed
               exiting (due to fatal error)


            For kadmin the error is due to not being able to
            connect to sldap

            I noticed that softhsm2-util --show-slots reported
            "ERROR: Could not initialize the library." But that
            seemed to be because wasn't part of the update. After
            that I could show the default slot and then I manually
            called the following (as root):

            "/usr/bin/softhsm2-util --init-token --slot 0 --label
            ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"

            But the problems won't go away. Any clues?

            -- john




            Hello,

            1)
            can you share your /var/log/ipaupgrade.log ?


        Unfortunately I removed the original ipaupgrade.log file when
        I did a retry of the freeipa-server install. The current
        ipaupgrade.log has two errors:
        First)

        2014-10-26T12:45:15Z DEBUG Live 1, updated 1
        2014-10-26T12:45:15Z DEBUG Unhandled LDAPError:
        OPERATIONS_ERROR: {'desc': 'Operations error'}
        2014-10-26T12:45:15Z ERROR Update failed: Operations error:
        2014-10-26T12:45:15Z INFO Updating existing entry:
        cn=MemberOf Plugin,cn=plugins,cn=config
        2014-10-26T12:45:15Z DEBUG
        ---------------------------------------------
        Is there some information about the entry which is updated above?


        Second) It complains about not being able to start
        named-pkcs11 service.

            2)
            Your issue with softhsm can be caused by a missing
            environment variable.
            IPA internally uses

            SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
            Please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
            softhsm2-util --show-slots, and let me know if it works.

            same with named-pkcs11,


        The timestamps for softhsm_pin & tokens match the time I did
        the original update.

        # ll /var/lib/ipa/dnssec/
        -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
        drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens

        # ll /var/lib/ipa/dnssec/tokens/
        total 0

        # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
        --show-slots
        Available slots:
        Slot 0
            Slot info:
                Description:  SoftHSM slot 0
                Manufacturer ID:  SoftHSM project
                Hardware version: 2.0
                Firmware version: 2.0
                Token present:  yes
            Token info:
                Manufacturer ID:  SoftHSM project
                Model:  SoftHSM v2
                Hardware version: 2.0
                Firmware version: 2.0
                Serial number:
                Initialized:  no
                User PIN init.: no
                Label:
        Slot was not initialized by IPA

            3)
            can you share journalctl -u named-pkcs11 output?


        10:35:48 systemd[1]: named-pkcs11.service: control process
        exited, code=exited status=1
        10:35:48 systemd[1]: Failed to start Berkeley Internet Name
        Domain (DNS) with native PKCS#11.
        10:35:48 systemd[1]: Unit named-pkcs11.service entered
        failed state.
        10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain
        (DNS) with native PKCS#11.
        -- Reboot --
        10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11
        provider
        10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
        10:58:05 systemd[1]: named-pkcs11.service: control process
        exited, code=exited status=1
        10:58:05 systemd[1]: Failed to start Berkeley Internet Name
        Domain (DNS) with native PKCS#11.
        10:58:05 systemd[1]: Unit named-pkcs11.service entered
        failed state.
        10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain
        (DNS) with native PKCS#11.

        ... After some fiddling, a restart says this:

        19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
        19:26:21 named-pkcs11[8807]:
        RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
        isc_boolean_true, isc_boolean_false, isc_bo
        19:26:21 named-pkcs11[8807]: exiting (due to fatal error in
        library)
        19:26:21 systemd[1]: named-pkcs11.service: control process
        exited, code=exited status=1
        19:26:21 systemd[1]: Failed to start Berkeley Internet Name
        Domain (DNS) with native PKCS#11.
        19:26:21 systemd[1]: Unit named-pkcs11.service entered
        failed state.

            4)
            I'm not aware that we need krb5-libs/openssl. I was
            getting this error if the tokens directory doesn't exist,
            but IPA uses its own configuration (see 2), not the default.


         ok

        I took a deeper look, and I found some packaging errors
        with softhsm.
        You were right about the missing dependency.

        Please install the softhsm-devel package, remove the
        /var/lib/ipa/dnssec/tokens directory, then reinstall DNS with
        ipa-dns-install (requires a running directory server).

        Or, if you have a snapshot, install softhsm-devel before
        upgrading IPA.

        HTH
        Martin^2

-- Martin Basti
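A small diagnostic, added here as an example and not code from the thread or the FreeIPA project, that mechanises the checks Martin asks for: it reads `softhsm2-util --show-slots` output and succeeds only if a token with the label ipaDNSSEC (the label from the init-token command quoted above) reports "Initialized: yes", and it checks that the tokens directory is non-empty. The two sample listings are constructed from the output shown in the thread; the live check function assumes the IPA paths quoted in the thread and is not run automatically.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Mechanises the checks discussed above: is IPA's SoftHSM token initialized
# (seen through IPA's own SOFTHSM2_CONF, as Martin describes) and does the
# tokens directory actually contain an object store?

# Constructed sample of `softhsm2-util --show-slots` output, modelled on the
# listing in the thread (slot present, token never initialized, empty label).
SAMPLE_UNINIT='Available slots:
Slot 0
    Token info:
        Model:  SoftHSM v2
        Initialized:  no
        User PIN init.: no
        Label:'

# Constructed sample of a healthy slot: token initialized with the label
# ipaDNSSEC (the label used in the init-token command quoted in the thread).
SAMPLE_INIT='Available slots:
Slot 0
    Token info:
        Model:  SoftHSM v2
        Initialized:  yes
        User PIN init.: yes
        Label:  ipaDNSSEC'

# token_initialized LABEL   (reads show-slots output on stdin)
# Succeeds only if some slot reports "Initialized: yes" AND carries LABEL.
token_initialized() {
    awk -v want="$1" '
        /^[[:space:]]*Initialized:/ { init = ($2 == "yes") }
        /^[[:space:]]*Label:/       { if (init && $2 == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# tokens_present DIR
# Succeeds if DIR exists and is non-empty; an empty tokens directory is
# exactly the state behind "Failed to enumerate object store" above.
tokens_present() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# check_ipa_dnssec: the live check for a real IPA server (paths from the
# thread). Not invoked here, so the file runs on a host without IPA/SoftHSM.
check_ipa_dnssec() {
    tokens_present /var/lib/ipa/dnssec/tokens || { echo "tokens dir empty or missing"; return 1; }
    SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots \
        | token_initialized ipaDNSSEC || { echo "ipaDNSSEC token not initialized"; return 1; }
    echo "ipaDNSSEC token OK"
}
```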

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project