Re: [Freeipa-users] named-pkcs11 fails to start on new replica [SOLVED]
On 14/07/2016 08:39, Martin Babinsky wrote:
> On 07/13/2016 09:56 PM, Bob Hinton wrote:
>> [...]
Re: [Freeipa-users] named-pkcs11 fails to start on new replica
On 07/13/2016 09:56 PM, Bob Hinton wrote:
> [...]

Hi Bob,

If your SELinux is in enforcing mode I would check for AVCs, maybe the token
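Two things in Bob's output are worth checking together: Martin's point about SELinux denials, and the fact that the failing run names /var/lib/softhsm/tokens/ (SoftHSM's default token directory) while the tokens Bob moved aside live under /var/lib/ipa/dnssec/tokens, which suggests confirming which softhsm2.conf the service actually reads. The diagnostic below is an added example written for this thread; it is not code from the thread, from FreeIPA or from SoftHSM. It assumes that named-pkcs11 picks up SOFTHSM2_CONF from the environment file /etc/sysconfig/named-pkcs11 (falling back to SoftHSM's default /etc/softhsm2.conf), and that the service runs as the "named" user, as the ExecStart line in the status output shows.

```shell
#!/bin/sh
# Added diagnostic helper for the named-pkcs11 / SoftHSM start-up failure.
# Not code from the thread, FreeIPA or SoftHSM. Assumptions (not on the page):
#  - named-pkcs11 takes SOFTHSM2_CONF from /etc/sysconfig/named-pkcs11,
#    otherwise SoftHSM falls back to /etc/softhsm2.conf
#  - the service account is "named" (the ExecStart line uses -u named)

# Print the directories.tokendir value from a softhsm2.conf file (empty if unset).
softhsm_tokendir() {
    sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | head -n 1
}

# Which softhsm2.conf would the service load? A SOFTHSM2_CONF line in the
# environment file wins; otherwise print SoftHSM's default path.
named_softhsm_conf() {
    envfile="${1:-/etc/sysconfig/named-pkcs11}"
    v=$(sed -n 's/^[[:space:]]*SOFTHSM2_CONF=//p' "$envfile" 2>/dev/null | tr -d "\"'" | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo /etc/softhsm2.conf; fi
}

# Keep only AVC denial records produced by the named-pkcs11 process
# (audit text on stdin, matching records on stdout).
named_avc_denials() {
    grep -E 'avc: +denied' | grep 'comm="named-pkcs11"'
}

# Does user $2 have read+search access to directory $1?  When run as root the
# check is performed as that user, so it reflects the service account, not root.
tokendir_readable_by() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 1
    if [ "$(id -u)" -eq 0 ] && command -v runuser >/dev/null 2>&1; then
        runuser -u "$user" -- test -r "$dir" && runuser -u "$user" -- test -x "$dir"
    else
        [ -r "$dir" ] && [ -x "$dir" ]
    fi
}

# Human-readable report for a live host (run as root for meaningful results).
report() {
    conf=$(named_softhsm_conf)
    dir=$(softhsm_tokendir "$conf")
    echo "softhsm2.conf used by named-pkcs11: $conf"
    echo "directories.tokendir:               ${dir:-<unset>}"
    if [ -n "$dir" ]; then
        if tokendir_readable_by "$dir" named; then
            echo "token dir readable by 'named':      yes"
        else
            echo "token dir readable by 'named':      NO  (check owner/mode/label)"
        fi
        ls -ldZ "$dir" 2>/dev/null
    fi
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode:                       $(getenforce)"
        if command -v ausearch >/dev/null 2>&1; then
            echo "AVC denials for named-pkcs11 today:"
            ausearch -m avc -ts today 2>/dev/null | named_avc_denials || echo "  none found"
        fi
    fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as root with `--report` on the replica. If the reported tokendir is a path other than the one FreeIPA manages, or the directory is not readable by the service account, that points at configuration or ownership rather than at the token contents themselves; AVC records naming named-pkcs11 point at SELinux labelling, which is the case Martin raises.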
[Freeipa-users] named-pkcs11 fails to start on new replica
Hi,

We are trying to create a new replica on RHEL 7.2

This completes but named-pkcs11 fails to start -

systemctl status named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST; 51min ago
  Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 25910 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation. Support and training for BIND 9 are
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at https://www.isc.org/support
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]:
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on open files from 4096 to 1048576
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU, using 1 worker thread
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP listener per interface
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service entered failed state.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed.

# /usr/sbin/named-pkcs11 -d 9 -g
13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g
13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
13-Jul-2016 19:31:01.283
13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems Consortium,
13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit
13-Jul-2016 19:31:01.284 corporation. Support and training for BIND 9 are
13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
13-Jul-2016 19:31:01.284
13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576
13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
13-Jul-2016 19:31:01.284 using up to 4096 sockets
13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
13-Jul-2016 19:31:01.287 exiting (due to fatal error)

# tail -2 /var/log

Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/

Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456): Could not load the object store

I've tried "ipa-server-upgrade" and

mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD

ipa-dns-install

But I haven't managed to fix it. Using "ipactl start -f" means the rest of the ipa services seem to work properly, but without named.

Is there a way to fix the named issue or is it much simpler to disconnect the replica, uninstall it and start again?

Thanks

Bob Hinton

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to