After investigation on IRC, it looks like the old mkosek/freeipa repo is guilty; this repo should not be used for CentOS 4.2+.


On 05.05.2016 19:11, Gary T. Giesen wrote:
As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
I have the same problem.

These are the steps I took:

# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
# wget -N https://copr.fedorainfracloud.org/coprs/mkosek/freeipa/repo/epel-7/mkosek-freeipa-epel-7.repo
# yum install -y haveged
# systemctl start haveged
# systemctl enable haveged
# yum install -y ipa-server ipa-server-dns
# ipa-server-install -r EXAMPLE.COM -n example.com --mkhomedir --ip-address=192.0.2.10 --idstart=100000 --idmax=199999 --no-ui-redirect --ssh-trust-dns --setup-dns --no-forwarders --no-reverse
# ipa-dns-install --no-forwarders --no-reverse --dnssec-master
# ipa dnszone-mod example.com --dnssec=true


GTG

-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gary T. Giesen
Sent: May-05-16 11:19 AM
To: 'Petr Spacek' <pspa...@redhat.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

I'm not entirely sure if this is what you were asking for, but here's a
manual LDAP query and the associated logs, and then I restarted
ipa-dnskeysyncd and the logs associated with that as well:


[root@host /]# date
Thu May  5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b 'cn=dns,dc=example,dc=com' -s sub '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
SASL/GSSAPI authentication started
SASL username: u...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=dns,dc=example,dc=com> with scope subtree
# filter: (|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))
# requesting: ALL
#

# example.com., dns, example.com
dn: idnsname=example.com.,cn=dns,dc=example,dc=com
idnsZoneActive: TRUE
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
objectClass: idnszone
objectClass: top
objectClass: idnsrecord
idnsAllowTransfer: none;
idnsSOAretry: 900
idnsSOAserial: 1462338941
idnsUpdatePolicy: grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;
idnsSOArefresh: 3600
idnsAllowQuery: any;
idnsName: example.com.
idnsSOAmName: host.example.com.
idnsSOArName: hostmaster.example.com.
idnsAllowDynUpdate: TRUE
nSRecord: host.example.com.
mXRecord: 5 mx.example.com.
tXTRecord: v=spf1 ip4:104.207.128.239 ip6:2001:19f0:300:24e1::10 -all
idnsSecInlineSigning: TRUE

# 2a6519b4-8d9c-11e5-8ced-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64 public key value omitted]
ipk11Verify: FALSE
ipk11Id:: b4AQWy4+gJz2XABOkWEgnw==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2a6519b4-8d9c-11e5-8ced-56000017eb11

# 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64 public key value omitted]
ipk11Verify: FALSE
ipk11Id:: L9nKKUY2ypycB3EldvJjVg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 9fc0e8ec-ccd4-11e5-a9e6-56000017eb11

# 70eca210-0ee0-11e6-9e98-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64 public key value omitted]
ipk11Verify: FALSE
ipk11Id:: teifTM9dTfpDRQgbL8rsFQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 70eca210-0ee0-11e6-9e98-56000017eb11

# fba8d874-10a2-11e6-86aa-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64 public key value omitted]
ipk11Verify: FALSE
ipk11Id:: WXrLuKBlC8r8UsjjGf2zww==
ipk11VerifyRecover: FALSE
ipk11UniqueId: fba8d874-10a2-11e6-86aa-56000017eb11

# a7bac2a6-10a5-11e6-9c20-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: FALSE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64 public key value omitted]
ipk11Verify: FALSE
ipk11Id:: +Y0cQI+gUJelIpun/N1IYQ==
ipk11VerifyRecover: FALSE
ipk11UniqueId: a7bac2a6-10a5-11e6-9c20-56000017eb11

# 2f32c0f8-10c9-11e6-bf47-56000017eb11, keys, sec, dns, example.com
dn: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com
objectClass: ipk11PublicKey
objectClass: ipk11Object
objectClass: top
objectClass: ipaPublicKeyObject
objectClass: ipk11Key
objectClass: ipk11StorageObject
ipk11Wrap: TRUE
ipk11Label: dnssec-replica:host.example.com.
ipaPublicKey:: [base64 public key value omitted]
ipk11Verify: FALSE
ipk11Id:: mn+arLpqrb1jDdDZXlroUg==
ipk11VerifyRecover: FALSE
ipk11UniqueId: 2f32c0f8-10c9-11e6-bf47-56000017eb11

# search result
search: 4
result: 0 Success

# numResponses: 8
# numEntries: 7



My manual LDAP search (/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from 2001:db8:300:24e1::10 to 2001:db8:300:24e1::10
[05/May/2016:10:52:13 -0400] conn=613 TLS1.2 256-bit AES-GCM
[05/May/2016:10:52:13 -0400] conn=613 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7 etime=0
[05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND
[05/May/2016:10:52:13 -0400] conn=613 op=4 fd=109 closed - U1


I then restarted ipa-dnskeysyncd (journalctl -u ipa-dnskeysyncd):

May 05 10:52:19 host.example.com systemd[1]: Stopping IPA key daemon...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13719]: ipa         : INFO Signal 15 received: Shutting down!
May 05 10:52:19 host.example.com systemd[1]: Started IPA key daemon.
May 05 10:52:19 host.example.com systemd[1]: Starting IPA key daemon...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipalib.plugins...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.aci
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automember
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.automount
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.batch
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.caacl
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.cert
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.config
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.delegation
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.dns
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.group
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.host
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idrange
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.idviews
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.internal
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.kerberos
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.migration
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.misc
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.passwd
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.permission
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.ping
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.privilege
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Starting external process
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: args='klist' '-V'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Process finished, return code=0
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: stderr=
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.role
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.server
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.service
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.session
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: WARNING: session memcached servers not running
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.topology
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.trust
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.user
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.vault
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipalib.plugins.virtual
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.join
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=jsonserver_session_43658512
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: SessionAuthManager.register: name=xmlserver_session_43681424
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver_session() at '/session/xml'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.xmlserver() at '/xml'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.sync_token() at '/session/sync_token'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_session() at '/session/json'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
May 05 10:52:19 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: session_auth_duration: 0:20:00
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa: DEBUG: Mounting ipaserver.rpcserver.change_password() at '/session/change_password'
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa         : DEBUG    Kerberos principal: ipa-dnskeysyncd/host.example.com
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa         : DEBUG    Initializing principal ipa-dnskeysyncd/host.example.com using keytab /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa         : DEBUG    using ccache /tmp/ipa-dnskeysyncd.ccache
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa         : DEBUG    Attempt 1/5: success
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa         : DEBUG    LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket/cn%3Ddns%2Cdc%3Dexample%2Cdc%3Dme??sub?%28%7C%28objectClass%3DidnsZone%29%28objectClass%3DidnsSecKey%29%28objectClass%3Dipk11PublicKey%29%29
May 05 10:52:20 host.example.com ipa-dnskeysyncd[13834]: ipa         : INFO LDAP bind...
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:20 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 1
May 05 10:52:21 host.example.com python2[13834]: GSSAPI client step 2
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa         : INFO Commencing sync process
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Current cookie is: None (not received yet)
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: idnsname=example.com.,cn=dns,dc=example,dc=com 203dbe2d-8d9c-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG    LDAP zones: {'203dbe2d-8d9c-11e5-bb23-e7a3b46d8929': <DNS name example.com.>}
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: ipk11UniqueID=2a6519b4-8d9c-11e5-8ced-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 203dbe63-8d9c-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: ipk11UniqueID=9fc0e8ec-ccd4-11e5-a9e6-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 9d5e3d66-ccd4-11e5-bb23-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: ipk11UniqueID=70eca210-0ee0-11e6-9e98-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 59985f1f-0ee0-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: ipk11UniqueID=fba8d874-10a2-11e6-86aa-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com dc691799-10a2-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: ipk11UniqueID=a7bac2a6-10a5-11e6-9c20-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 83e74997-10a5-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry: ipk11UniqueID=2f32c0f8-10c9-11e6-bf47-56000017eb11,cn=keys,cn=sec,cn=dns,dc=example,dc=com 0f260699-10c9-11e6-aa2d-e7a3b46d8929
May 05 10:52:21 host.example.com ipa-dnskeysyncd[13834]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    New cookie is: host.example.com:389#krbprincipalname=ipa-dnskeysyncd/host.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com:cn=dns,dc=example,dc=com:(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))#33443


Logs as a result of ipa-dnskeysyncd restart
(/var/log/dirsrv/slapd-EXAMPLE-COM/access):

[05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example....@example.com,cn=services,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0 etime=0


Cheers,

GTG

-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gary T. Giesen
Sent: May-03-16 10:19 AM
To: 'Petr Spacek' <pspa...@redhat.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

Thanks Petr. I'm on IRC as well if a more interactive troubleshooting
session would be better.

Cheers,

GTG

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: May-03-16 9:59 AM
To: Gary T. Giesen <ggiesen+freeipa-us...@giesen.me>;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 15:29, Gary T. Giesen wrote:
All lines from the log file with conn=152.

[03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example....@example.com,cn=services,cn=accounts,dc=example,dc=com"
[03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0

This seems to be okay, I will think about it a bit more and return back to
you when I find something.

Petr^2 Spacek

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: May-03-16 8:50 AM
To: Gary T. Giesen <ggiesen+freeipa-us...@giesen.me>;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

Hmm, this is really weird.

It should log message "Initial LDAP dump is done, sychronizing with
ODS and BIND" which is apparently not there. Maybe LDAP server is
doing something weird ...

Could you inspect /var/log/dirsrv/*/access_log and look for lines
similar to ones in the attached file, please?

It should start with log message like
"connection from local to /var/run/slapd-*".
This line will have identifier like "conn=84". We are looking for conn
number (e.g. "conn=84") which is related to BIND DN
"dn="krbprincipalname=ipa-dnskeysyncd/*".

If you find the right conn number, look for other lines containing the
same conn number and operation "SRCH base="cn=dns,*". This SRCH line
will have specific identifier like "conn=84 op=3".

Now you have identifier for particular operation. Look for RESULT line
with the same ID.

How does it look?

Can you copy & paste all the lines with the identifier conn=??? you found?

Thanks!
Petr^2 Spacek
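
The correlation described above (find the connection whose bind DN is krbprincipalname=ipa-dnskeysyncd/*, then its SRCH under cn=dns, then the RESULT with the same conn/op identifier), written out as an added Python example; it is not part of this thread or of FreeIPA, and the access-log lines it parses are constructed to mirror the thread's excerpt, with a made-up service principal and IPv6 address.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access log format, modelled on the excerpt in
# this thread: conn=613 is an interactive ldapsearch by a user, conn=614 is
# ipa-dnskeysyncd's own bind and search.  Not a real server's log; the service
# principal and the IPv6 address are made up.
SAMPLE_ACCESS_LOG = """\
[05/May/2016:10:52:13 -0400] conn=613 fd=109 slot=109 SSL connection from 2001:db8::10 to 2001:db8::10
[05/May/2016:10:52:13 -0400] conn=613 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:13 -0400] conn=613 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:13 -0400] conn=613 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:13 -0400] conn=613 op=3 RESULT err=0 tag=101 nentries=7 etime=0
[05/May/2016:10:52:13 -0400] conn=613 op=4 UNBIND
[05/May/2016:10:52:20 -0400] conn=614 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[05/May/2016:10:52:20 -0400] conn=614 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[05/May/2016:10:52:20 -0400] conn=614 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/May/2016:10:52:20 -0400] conn=614 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
[05/May/2016:10:52:20 -0400] conn=614 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[05/May/2016:10:52:20 -0400] conn=614 op=3 RESULT err=269 tag=121 nentries=0 etime=0
"""

# "[timestamp] conn=N [op=M] <verb and key=value fields>"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
# key=value pairs; quoted values (dn="...", filter="...") may contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# ipa-dnskeysyncd binds as this service principal (as seen in the thread)
KEYSYNCD_DN_PREFIX = 'krbprincipalname=ipa-dnskeysyncd/'


def parse_line(line):
    """Split one access-log line into conn, op, verb and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    return {
        'conn': int(m.group('conn')),
        'op': int(m.group('op')) if m.group('op') is not None else None,
        'verb': rest.split(' ', 1)[0],           # BIND, RESULT, SRCH, UNBIND, ...
        'fields': {k: v.strip('"') for k, v in KV_RE.findall(rest)},
    }


def find_keysyncd_searches(log_text, base_prefix='cn=dns,'):
    """Correlate BIND -> SRCH -> RESULT per connection, following the steps above.

    Returns one record per search under ``base_prefix`` issued on a connection
    whose SASL bind completed as the ipa-dnskeysyncd service principal.
    """
    by_conn = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_conn[rec['conn']].append(rec)

    found = []
    for conn, recs in sorted(by_conn.items()):
        # Step 1: the successful bind RESULT (err=0) carries the bound DN.
        bind_dn = next((r['fields']['dn'] for r in recs
                        if r['verb'] == 'RESULT' and r['fields'].get('err') == '0'
                        and r['fields'].get('dn', '').startswith(KEYSYNCD_DN_PREFIX)),
                       None)
        if bind_dn is None:
            continue            # some other client, e.g. a manual ldapsearch
        # Step 2: SRCH operations under the DNS subtree on that connection.
        for srch in recs:
            if srch['verb'] != 'SRCH' or \
                    not srch['fields'].get('base', '').startswith(base_prefix):
                continue
            # Step 3: the RESULT line sharing the "conn=N op=M" identifier.
            result = next((r for r in recs
                           if r['verb'] == 'RESULT' and r['op'] == srch['op']), None)
            found.append({
                'conn': conn, 'op': srch['op'], 'bind_dn': bind_dn,
                'base': srch['fields']['base'],
                'err': int(result['fields']['err']) if result else None,
                'nentries': int(result['fields']['nentries']) if result else None,
            })
    return found


def summarize(record):
    """One-line verdict; the daemon's initial sync can only proceed on err=0."""
    ident = 'conn=%d op=%d' % (record['conn'], record['op'])
    if record['err'] is None:
        return ident + ': no RESULT line yet (search still running or log truncated)'
    if record['err'] == 0:
        return ident + ': OK, %d entries returned' % record['nentries']
    return ident + ': search failed with err=%d, nentries=%d' % (
        record['err'], record['nentries'])


if __name__ == '__main__':
    for rec in find_keysyncd_searches(SAMPLE_ACCESS_LOG):
        print(summarize(rec))
```

Feed it the real file with `find_keysyncd_searches(open('/var/log/dirsrv/slapd-EXAMPLE-COM/access').read())`; a user's interactive ldapsearch on the same subtree is ignored because its bind DN is not the daemon's principal.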

On 3.5.2016 13:37, Gary T. Giesen wrote:
See attached.

GTG

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: May-03-16 7:33 AM
To: Gary T. Giesen <ggiesen+freeipa-us...@giesen.me>;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 13:28, Gary T. Giesen wrote:
1. Confirmed, it was already set to ISMASTER=1

2. Logs:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Current cookie is: None
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG    LDAP zones: {'203dbe2d-8d9c-1
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    New cookie is: host.exa

The log seems to be truncated. Please attach it as a file to avoid
truncation and line wrapping problems.

Thanks
Petr^2 Spacek


3. # rpm -q ipa-server
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

-----Original Message-----
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: May-03-16 7:08 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

Okay, this is a problem. It should list your zone example.com
because it has DNSSEC signing enabled.

Make sure you are working on host.example.com (the host listed by
the ldapsearch above).

I would check two things:
1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1".
If it does not, re-run ipa-dns-install with --dnssec-master option to fix that.
2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and
make sure that it contains line "debug=True" and restart
ipa-dnskeysyncd when you are done with it.

The log should be much longer after this change.

I hope it will help to identify the root cause.

What IPA version do you use?
$ rpm -q freeipa-server

Petr^2 Spacek



Per the instructions, I've restarted ipa-dnskeysyncd, but it has
had no effect. The only log entries I see are:

# journalctl -u ipa-dnskeysyncd

May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa         : INFO Signal 15 received: Shutting down!
May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO LDAP bind...
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO Commencing sync process



Can anyone advise on next steps? I've been banging my head against
a wall for a couple days now and would really appreciate some help.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
