On 27/10/14 20:50, John Obaterspok wrote:
Hello Martin,

It works perfectly again!

Note: I noticed in /var/log/ipaserver-install.log that ipa-dns-install failed because 389 wasn't started (failed to connect). Once it was started manually, ipa-dns-install worked fine.

Thanks a lot Martin,

-- john

You are welcome :-)


2014-10-27 20:40 GMT+01:00 Martin Basti <mba...@redhat.com <mailto:mba...@redhat.com>>:

    On 27/10/14 20:34, John Obaterspok wrote:
    hmm... Could not connect to the Directory Server

    So I started it with start-dirsrv since "systemctl start ipa"
    failed. Then it was a breeze, ipa-dns-install worked fine.

    # systemctl --failed
    0 loaded units listed.
    I'm lost, does IPA work or not?
    are all services running? (ipactl status)
    are tokens created in /var/lib/ipa/dnssec/tokens
    can you dig records from IPA DNS?

    Martin^2


    I haven't verified that it works, but I feel confident :)

    -- john


    2014-10-27 20:09 GMT+01:00 Martin Basti <mba...@redhat.com
    <mailto:mba...@redhat.com>>:

        On 27/10/14 19:57, John Obaterspok wrote:
        Hello Martin,

        Still no go.

        I installed the softhsm-devel package (that only contains
        header files), removed the token directory, reinstalled the
        bind & bind-pkcs11, did ipa-dns-install that completed ok (I
        guess):

        To accept the default shown in brackets, press the Enter key.

        Existing BIND configuration detected, overwrite? [no]: yes
        Directory Manager password:

        # ipa-upgradeconfig
        [Verifying that root certificate is published]
        *Failed to backup CS.cfg: no magic attribute 'dogtag'*
        [Migrate CRL publish directory]
        CRL tree already moved
        [Verifying that CA proxy configuration is correct]
        [Verifying that KDC configuration is using ipa-kdb backend]
        [Fixing trust flags in /etc/httpd/alias]
        Trust flags already processed
        [Fix DS schema file syntax]
        Syntax already fixed
        [Removing RA cert from DS NSS database]
        RA cert already removed
        [Removing self-signed CA]
        [Checking for deprecated KDC configuration files]
        [Checking for deprecated backups of Samba configuration files]
        [Setting up Firefox extension]
        [Add missing CA DNS records]
        IPA CA DNS records already processed
        [Removing deprecated DNS configuration options]
        [Ensuring minimal number of connections]
        [Enabling serial autoincrement in DNS]
        [Updating GSSAPI configuration in DNS]
        [Updating pid-file configuration in DNS]
        [Masking named]
        Changes to named.conf have been made, restart named
        *Failed to restart named: Command ''/bin/systemctl'
        'restart' 'named-pkcs11.service'' returned non-zero exit
        status 1*
        [Verifying that CA service certificate profile is updated]
        [Update certmonger certificate renewal configuration to
        version 2]
        [Enable PKIX certificate path discovery and validation]
        PKIX already enabled
        The ipa-upgradeconfig command was successful


        # systemctl restart named-pkcs11 && journalctl -xn
        19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to
        enumerate object store in /var/lib/ipa/dnssec/tokens
        19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load
        the object store
        19:38:54 named-pkcs11[838]: initializing DST: PKCS#11
        initialization failed
        19:38:54 named-pkcs11[838]: exiting (due to fatal error)
        19:38:54 systemd[1]: named-pkcs11.service: control process
        exited, code=exited status=1
        19:38:54 systemd[1]: Failed to start Berkeley Internet Name
        Domain (DNS) with native PKCS#11.


        It seems the problem is now there are no tokens:
        # ll /var/lib/ipa/dnssec/
        total 4.0K
        -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin

        This is interesting, ipa-dns-install should detect a missing
        directory and create a new one.
        Could you send me the tail of /var/log/ipaserver-install.log,
        where the DNS debug lines are?

        Martin^2


        Any ideas?

        -- john

        2014-10-27 19:05 GMT+01:00 Martin Basti <mba...@redhat.com
        <mailto:mba...@redhat.com>>:

            On 27/10/14 18:53, John Obaterspok wrote:


            2014-10-27 12:19 GMT+01:00 Martin Basti
            <mba...@redhat.com <mailto:mba...@redhat.com>>:

                On 26/10/14 21:39, John Obaterspok wrote:
                Hi,

                I enabled mkosek-freeipa repo for F20 and updated
                freeipa-server from 3.3.5 to 4.1. The yum update
                reported just a single error:

                Could not load host key: /etc/ssh/ssh_host_dsa_key

                After reboot I had 3 services that failed to start:
                ipa, kadmin, named-pkcs11

                Doing "strace -f named-pkcs11 -u named -f -g" I
                can see:
                 "/var/lib/softhsm/tokens/" => -1 EACCES
                (Permission denied)
                 initializing DST: PKCS#11 initialization failed
                 exiting (due to fatal error)


                For kadmin the error is due to not being able to
                connect to sldap

                I noticed that softhsm2-util --show-slots reported
                "ERROR: Could not initialize the library." But
                that seemed to be because wasn't part of the
                update. After that I could show the default slot
                and then I manually called following (as root):

                "/usr/bin/softhsm2-util --init-token --slot 0
                --label ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"

                But the problems won't go away. Any clues?

                -- john




                Hello,

                1)
                can you share your /var/log/ipaupgrade.log ?


            Unfortunately I removed the original ipaupgrade.log file
            when I did a retry to install freeipa-server. The
            current ipaupgrade.log has two errors:
            First)

            2014-10-26T12:45:15Z DEBUG Live 1, updated 1
            2014-10-26T12:45:15Z DEBUG Unhandled LDAPError:
            OPERATIONS_ERROR: {'desc': 'Operations error'}
            2014-10-26T12:45:15Z ERROR Update failed: Operations error:
            2014-10-26T12:45:15Z INFO Updating existing entry:
            cn=MemberOf Plugin,cn=plugins,cn=config
            2014-10-26T12:45:15Z DEBUG
            ---------------------------------------------
            Is there some information about the entry which is updated
            above?


            Second) It complains about not being able to start
            named-pkcs11 service.

                2)
                your issue with softhsm can be caused by a missing
                environment variable
                IPA internally uses

                SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
                please try
                SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
                softhsm2-util --show-slots, and let me know if it works

                same with named-pkcs11,


            The filestamps for softhsm_pin & tokens match the time
            I did the original update

            # ll /var/lib/ipa/dnssec/
            -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
            drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens

            # ll /var/lib/ipa/dnssec/tokens/
            total 0

            # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
            Available slots:
            Slot 0
                Slot info:
            Description:    SoftHSM slot 0
            Manufacturer ID:  SoftHSM project
            Hardware version: 2.0
            Firmware version: 2.0
            Token present:    yes
                Token info:
            Manufacturer ID:  SoftHSM project
            Model:    SoftHSM v2
            Hardware version: 2.0
            Firmware version: 2.0
            Serial number:
            Initialized:    no
            User PIN init.:   no
            Label:
            Slot was not initialized by IPA

                3)
                can you share journalctl -u named-pkcs11 output?


            10:35:48 systemd[1]: named-pkcs11.service: control
            process exited, code=exited status=1
            10:35:48 systemd[1]: Failed to start Berkeley Internet
            Name Domain (DNS) with native PKCS#11.
            10:35:48 systemd[1]: Unit named-pkcs11.service entered
            failed state.
            10:35:48 systemd[1]: Stopped Berkeley Internet Name
            Domain (DNS) with native PKCS#11.
            -- Reboot --
            10:58:05 named-pkcs11[1496]: initializing DST: no
            PKCS#11 provider
            10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
            10:58:05 systemd[1]: named-pkcs11.service: control
            process exited, code=exited status=1
            10:58:05 systemd[1]: Failed to start Berkeley Internet
            Name Domain (DNS) with native PKCS#11.
            10:58:05 systemd[1]: Unit named-pkcs11.service entered
            failed state.
            10:58:05 systemd[1]: Stopped Berkeley Internet Name
            Domain (DNS) with native PKCS#11.

            ... After some fiddling a restart says this:

            19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
            19:26:21 named-pkcs11[8807]:
            RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
            isc_boolean_true, isc_boolean_false, isc_bo
            19:26:21 named-pkcs11[8807]: exiting (due to fatal
            error in library)
            19:26:21 systemd[1]: named-pkcs11.service: control
            process exited, code=exited status=1
            19:26:21 systemd[1]: Failed to start Berkeley Internet
            Name Domain (DNS) with native PKCS#11.
            19:26:21 systemd[1]: Unit named-pkcs11.service entered
            failed state.

                4)
                I'm not aware that we need krb5-libs/openssl; I
                was getting this error if the tokens directory doesn't
                exist, but IPA uses its own configuration (see 2), not the
                default.


             ok

            I took a deeper look, and I found there some packaging
            errors with softhsm.
            You were right about the missing dependency.

            Please install softhsm-devel package, remove
            /var/lib/ipa/dnssec/tokens directory, then reinstall
            DNS, ipa-dns-install (requires running directory server)

            Or if you have snapshot, install softhsm-devel before
            upgrading ipa

            HTH
            Martin^2

--
Martin Basti
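An added example, not code from the thread or from FreeIPA: a small parser for the `softhsm2-util --show-slots` listing quoted above, turning the "Slot was not initialized by IPA" reading into a check a health script could run (with SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf exported, as Martin's point 2 requires). The sample listings are constructed from the thread's output, the `ipaDNSSEC` label is the one from John's softhsm2-util call, and the state names are my own.

```python
import re

# Constructed sample modelled on the --show-slots output quoted in the thread:
# slot present, but the token is neither initialized nor labelled.
SHOW_SLOTS_UNINIT = """\
Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot 0
        Token present:    yes
    Token info:
        Model:            SoftHSM v2
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:
"""
# Constructed sample of a token initialized with the label ipa-dns-install uses.
SHOW_SLOTS_OK = (SHOW_SLOTS_UNINIT
                 .replace("Initialized:      no", "Initialized:      yes")
                 .replace("User PIN init.:   no", "User PIN init.:   yes")
                 .replace("Label:", "Label:            ipaDNSSEC"))

IPA_TOKEN_LABEL = "ipaDNSSEC"  # label from the softhsm2-util --init-token call in the thread


def parse_slots(text):
    """Return one dict per slot: {"slot": n, "slot.<key>": ..., "token.<key>": ...}."""
    slots, current, section = [], None, None
    for line in text.splitlines():
        header = re.match(r"^Slot (\d+)\s*$", line)
        if header:
            current = {"slot": int(header.group(1))}
            slots.append(current)
            section = None
            continue
        stripped = line.strip()
        if current is None or not stripped:
            continue
        if stripped in ("Slot info:", "Token info:"):
            section = stripped.split()[0].lower()  # "slot" or "token"
            continue
        if section:
            key, _, value = stripped.partition(":")
            current[f"{section}.{key.strip()}"] = value.strip()
    return slots


def diagnose(text):
    """Map the slot listing to the states discussed in the thread."""
    slots = parse_slots(text)
    if not slots:
        return "no-slots"  # library did not load: wrong SOFTHSM2_CONF or missing tokens dir
    for s in slots:
        if s.get("token.Initialized") == "yes":
            return "ok" if s.get("token.Label") == IPA_TOKEN_LABEL else "foreign-token"
    return "not-initialized-by-ipa"
```

A "foreign-token" result is the case John hit when initializing slot 0 by hand under the default SoftHSM configuration rather than IPA's; named-pkcs11 never sees that token.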

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
