Hello,

after enabling

        
https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/fedora-20/mkosek-freeipa-fedora-20.repo

I've installed

        freeipa-server bind bind-dyndb-ldap

and run

        ipa-server-install --domain example.test

The process failed at

  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [error] CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' 
'--slot' '0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX' 
returned non-zero exit status 1
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' 
'0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX' returned 
non-zero exit status 1

and the log file ends with

2015-03-24T16:49:51Z DEBUG Saving SO PIN to /etc/ipa/dnssec/softhsm_pin_so
2015-03-24T16:49:51Z DEBUG Initializing tokens
2015-03-24T16:49:51Z DEBUG Starting external process
2015-03-24T16:49:51Z DEBUG args='/usr/bin/softhsm2-util' '--init-token' 
'--slot' '0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX
2015-03-24T16:49:51Z DEBUG Process finished, return code=1
2015-03-24T16:49:51Z DEBUG stdout=
2015-03-24T16:49:51Z DEBUG stderr=ERROR: Could not load the library.

2015-03-24T16:49:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
372, in run_step
    method()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", 
line 293, in __setup_softhsm
    ipautil.run(command, nolog=(pin, pin_so,))
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' 
'0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX' returned 
non-zero exit status 1

2015-03-24T16:49:51Z DEBUG   [error] CalledProcessError: Command 
''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' 
'--pin' XXXXXXXX '--so-pin' XXXXXXXX' returned non-zero exit status 1
2015-03-24T16:49:51Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, 
in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1302, in main
    dnskeysyncd.create_instance(api.env.host, api.env.realm)

  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", 
line 146, in create_instance
    self.start_creation()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
382, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
372, in run_step
    method()

  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", 
line 293, in __setup_softhsm
    ipautil.run(command, nolog=(pin, pin_so,))

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)

2015-03-24T16:49:51Z DEBUG The ipa-server-install command failed, exception: 
CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token' '--slot' 
'0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' XXXXXXXX' returned 
non-zero exit status 1

I've found discussion at

        https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html

which seems related but it seems the issue is back or was never
properly addressed.

Attempt to run the command manually fails as well:

# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf /usr/bin/softhsm2-util 
'--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' XXXXXXXX '--so-pin' 
XXXXXXXX
ERROR: Could not load the library.

I see the same bug both on host and in container.

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to