On 23.12.2015 08:28, Brian Topping wrote:
Greetings all! Thanks for all the continued work on FreeIPA! :)
I saw that 4.2 made it to RHEL 7.2 and upgraded. Unfortunately, the
system did not come up cleanly.
It seems to be some problem with the DNS server:
[root@ipa01 ~]# systemctl status named-pkcs11
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2015-12-23 01:56:37 EST; 4s ago
  Process: 16506 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 16503 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: couldn't establish connection in LDAP connection pool: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: dynamic database 'ipa' configuration failed: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: loading configuration: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: exiting (due to fatal error)
Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Dec 23 01:56:37 ipa01.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Dec 23 01:56:37 ipa01.example.com systemd[1]: Unit named-pkcs11.service entered failed state.
Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service failed.
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart provides
some good information. After manually starting 389, I was able to
confirm that the LDAP credentials are able to retrieve the DNS tree with:
[root@ipa01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket' -Y GSSAPI -b 'cn=dns,dc=example,dc=com'
I was also able to confirm that the named.keytab file is correct:
[root@ipa01 ~]# kinit -k -t /etc/named.keytab DNS/ipa01.example.com
[root@ipa01 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_th1WCcV
Default principal: DNS/ipa01.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
12/23/2015 02:07:14  12/24/2015 02:07:14  krbtgt/EXAMPLE.COM@EXAMPLE.COM
I have disabled unencrypted binds to 389, but I read somewhere this
evening this should not be an issue since passwords were being sent
and the STARTTLS is always being used.
https://fedorahosted.org/freeipa/ticket/5232 seems to be related here,
but I did the install on a healthy server, so I can't imagine that
it's the same. I also don't see any recovery techniques listed here or
in the issue that it links to at
https://bugzilla.redhat.com/show_bug.cgi?id=1254412. I searched the
list archives for this error and came up empty. The versions I have
are as follows:
bind-license-9.9.4-29.el7_2.1.noarch
bind-libs-lite-9.9.4-29.el7_2.1.x86_64
bind-utils-9.9.4-29.el7_2.1.x86_64
bind-pkcs11-libs-9.9.4-29.el7_2.1.x86_64
bind-dyndb-ldap-8.0-1.el7.x86_64
bind-pkcs11-utils-9.9.4-29.el7_2.1.x86_64
bind-9.9.4-29.el7_2.1.x86_64
bind-pkcs11-9.9.4-29.el7_2.1.x86_64
bind-libs-9.9.4-29.el7_2.1.x86_64
ipa-python-4.2.0-15.el7.centos.3.x86_64
ipa-admintools-4.2.0-15.el7.centos.3.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.el7.centos.3.x86_64
ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
ipa-server-4.2.0-15.el7.centos.3.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64
I'm also attaching the ipaupgrade.log.
Hopefully I am missing something simple here. Can anyone help?
Happy solstice!
Brian
Hello,
can you check your value of umask?
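As an added example (neither Brian's commands nor FreeIPA project code), the checks walked through in this thread scripted as reusable sh functions: the umask the reply asks about, whether the named user can actually read the keytab and named.conf, and the GSSAPI bind that named-pkcs11 itself performs. The paths, principal, socket and base DN are copied from the post and are assumptions for any other host; the permission test only considers the user's primary group.

```shell
#!/bin/sh
# Added diagnostic script, not from the thread or FreeIPA. Values below come
# from the post and are assumptions for your host; override via environment.
KEYTAB=${KEYTAB:-/etc/named.keytab}
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}
NAMED_USER=${NAMED_USER:-named}
PRINC=${PRINC:-DNS/ipa01.example.com}
LDAPI=${LDAPI:-ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket}
DNS_BASE=${DNS_BASE:-cn=dns,dc=example,dc=com}
# umask_ok MASK: true when the octal mask keeps the read bit for group and
# other (e.g. 022). A stricter mask while the installer/upgrader writes files
# leaves them unreadable by the unprivileged service user.
umask_ok() {
    m=$((0$1))
    [ $(( (m >> 3) & 4 )) -eq 0 ] && [ $(( m & 4 )) -eq 0 ]
}
# readable_by MODE OWNER GROUP USER USERGROUP: pure permission test (primary
# group only) kept separate from check_file so it runs without real files.
readable_by() {
    mode=$((0$1)); owner=$2; group=$3; user=$4; ugroup=$5
    if [ "$user" = "$owner" ]; then bit=$(( (mode >> 6) & 4 ))
    elif [ "$ugroup" = "$group" ]; then bit=$(( (mode >> 3) & 4 ))
    else bit=$(( mode & 4 )); fi
    [ "$bit" -ne 0 ]
}
# check_file PATH: can $NAMED_USER read PATH? (GNU stat, as on RHEL 7)
check_file() {
    info=$(stat -c '%a %U %G' "$1") || return 1
    set -- "$1" $info
    if readable_by "$2" "$3" "$4" "$NAMED_USER" "$(id -gn "$NAMED_USER")"; then
        echo "ok:      $1 ($2 $3:$4)"
    else
        echo "PROBLEM: $1 ($2 $3:$4) not readable by $NAMED_USER"; return 1
    fi
}
# bind_check: the same GSSAPI bind named-pkcs11 does, as the service user with
# its keytab and a throwaway credential cache; skipped when tools are absent.
bind_check() {
    command -v kinit >/dev/null && command -v ldapsearch >/dev/null \
        || { echo "skip: kinit/ldapsearch not installed"; return 0; }
    cc=/tmp/named-bind-check.$$
    runuser -u "$NAMED_USER" -- sh -c "export KRB5CCNAME=FILE:$cc;
        kinit -k -t '$KEYTAB' '$PRINC' && ldapsearch -LLL -Y GSSAPI -H '$LDAPI' -b '$DNS_BASE' -s base dn"
    rc=$?; rm -f "$cc"; return $rc
}
if [ "${1:-}" = "run" ]; then
    echo "umask: $(umask)"; umask_ok "$(umask)" || echo "PROBLEM: restrictive umask $(umask)"
    check_file "$KEYTAB"; check_file "$NAMED_CONF"; bind_check
fi
```

Run it as root with the single argument `run`; a failing bind_check reproduces the "bind to LDAP server failed" path from the journal without restarting the service.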
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project