On 23.12.2015 08:28, Brian Topping wrote:
Greetings all! Thanks for all the continued work on FreeIPA! :)

I saw that 4.2 made it to RHEL 7.2 and upgraded. Unfortunately, the system did not come up cleanly.

It seems to be some problem with the DNS server:

[root@ipa01 ~]# systemctl status named-pkcs11
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2015-12-23 01:56:37 EST; 4s ago
  Process: 16506 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 16503 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: couldn't establish connection in LDAP connection pool: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: dynamic database 'ipa' configuration failed: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: loading configuration: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: exiting (due to fatal error)
Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Dec 23 01:56:37 ipa01.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Dec 23 01:56:37 ipa01.example.com systemd[1]: Unit named-pkcs11.service entered failed state.
Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service failed.

https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart provides some good information. After manually starting 389, I was able to confirm that the LDAP credentials are able to retrieve the DNS tree with:

[root@ipa01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket' -Y GSSAPI -b 'cn=dns,dc=example,dc=com'

I was also able to confirm that the named.keytab file is correct:

[root@ipa01 ~]# kinit -k -t /etc/named.keytab DNS/ipa01.example.com
[root@ipa01 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_th1WCcV
Default principal: DNS/ipa01.example....@example.com

Valid starting       Expires              Service principal
12/23/2015 02:07:14 12/24/2015 02:07:14 krbtgt/example....@example.com

I have disabled unencrypted binds to 389, but I read somewhere this evening this should not be an issue since passwords were being sent and the STARTTLS is always being used.

https://fedorahosted.org/freeipa/ticket/5232 seems to be related here, but I did the install on a healthy server, so I can't imagine that it's the same. I also don't see any recovery techniques listed here or in the issue that it links to at https://bugzilla.redhat.com/show_bug.cgi?id=1254412. I searched the list archives for this error and came up empty. The versions I have are as follows:

bind-license-9.9.4-29.el7_2.1.noarch
bind-libs-lite-9.9.4-29.el7_2.1.x86_64
bind-utils-9.9.4-29.el7_2.1.x86_64
bind-pkcs11-libs-9.9.4-29.el7_2.1.x86_64
bind-dyndb-ldap-8.0-1.el7.x86_64
bind-pkcs11-utils-9.9.4-29.el7_2.1.x86_64
bind-9.9.4-29.el7_2.1.x86_64
bind-pkcs11-9.9.4-29.el7_2.1.x86_64
bind-libs-9.9.4-29.el7_2.1.x86_64
ipa-python-4.2.0-15.el7.centos.3.x86_64
ipa-admintools-4.2.0-15.el7.centos.3.x86_64
sssd-ipa-1.13.0-40.el7_2.1.x86_64
ipa-client-4.2.0-15.el7.centos.3.x86_64
ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
ipa-server-4.2.0-15.el7.centos.3.x86_64
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
libipa_hbac-1.13.0-40.el7_2.1.x86_64

I'm also attaching the ipaupgrade.log

Hopefully I am missing something simple here. Can anyone help?

Happy solstice!

Brian

Hello,

can you check your value of umask?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
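The umask hint above points at file modes rather than at Kerberos itself: the kinit and ldapsearch checks in the original post were run as root, so they succeed even when the files the service needs are not readable by the account named-pkcs11 drops to (`-u named` in the ExecStart line). The following helper is an added example written for this thread, not code from the post or from FreeIPA. It shows what a restrictive umask does to the mode of a newly created file and checks whether a keytab is readable by its group. It assumes GNU coreutils stat(1), that the service runs as group "named" (an assumption), and the /etc/named.keytab path taken from the post.

```shell
#!/bin/sh
# Added diagnostic helper for the umask hint in the reply above; not part of the thread.
# Assumptions: GNU stat(1) is available, bind-dyndb-ldap runs as group "named",
# and the keytab lives at /etc/named.keytab (path taken from the original post).

# Mode a file actually receives when created with REQUESTED (octal) under UMASK (octal).
# effective_mode 644 077 -> 0600 ; effective_mode 644 022 -> 0644
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# Succeeds (0) when the umask clears the group-read bit (040): every file root or an
# installer creates with the usual 644 request ends up unreadable by group "named".
umask_strips_group_read() {
    [ $(( 0$1 & 040 )) -ne 0 ]
}

# 0 if FILE carries a group-read or other-read bit, 1 if it is owner-only, 2 if it is
# missing or cannot be stat'ed.
file_group_readable() {
    [ -e "$1" ] || return 2
    _mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$_mode & 044 )) -ne 0 ]
}

# Report on the running shell's umask and on the keytab; never aborts, only reports.
run_diagnostics() {
    _cur=$(umask)
    printf 'current umask: %s\n' "$_cur"
    if umask_strips_group_read "$_cur"; then
        printf 'warning: umask %s turns a 644 request into %s (group cannot read)\n' \
            "$_cur" "$(effective_mode 644 "$_cur")"
    fi
    _kt=/etc/named.keytab
    if file_group_readable "$_kt"; then
        printf '%s: group-readable (%s)\n' "$_kt" "$(stat -c '%a %U:%G' "$_kt")"
    else
        printf '%s: missing or owner-only; named cannot read it unless it owns the file\n' "$_kt"
    fi
    return 0
}

run_diagnostics
```

Run it as root on the affected server; a umask of 077 or a keytab reported as owner-only with a root owner is consistent with the "permission denied" lines in the journal. The kinit-as-root check from the post remains useful to prove the keys are valid, but only a read check against the named user's group proves the service can use them.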