On 14/07/2016 08:39, Martin Babinsky wrote:
> On 07/13/2016 09:56 PM, Bob Hinton wrote:
>> Hi,
>>
>> We are trying to create a new replica on RHEL 7.2
>>
>> This completes but named-pkcs11 fails to start -
>>
>> systemctl status named-pkcs11.service
>> ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
>>    Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
>>    Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST; 51min ago
>>   Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
>>   Process: 25910 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
>>
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation. Support and training for BIND 9 are
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at https://www.isc.org/support
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: ----------------------------------------------------
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on open files from 4096 to 1048576
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU, using 1 worker thread
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP listener per interface
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service entered failed state.
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed.
>>
>> # /usr/sbin/named-pkcs11 -d 9 -g
>> 13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g
>> 13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
>> 13-Jul-2016 19:31:01.283 ----------------------------------------------------
>> 13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems Consortium,
>> 13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit
>> 13-Jul-2016 19:31:01.284 corporation. Support and training for BIND 9 are
>> 13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
>> 13-Jul-2016 19:31:01.284 ----------------------------------------------------
>> 13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576
>> 13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
>> 13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
>> 13-Jul-2016 19:31:01.284 using up to 4096 sockets
>> 13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
>> 13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
>> 13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
>> 13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
>> 13-Jul-2016 19:31:01.287 exiting (due to fatal error)
>>
>> # tail -2 /var/log
>>
>> Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
>>
>> Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456): Could not load the object store
>>
>> I've tried "ipa-server-upgrade" and
>>
>> mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
>>
>> ipa-dns-install
>>
>> But I haven't managed to fix it.
>>
>> Using "ipactl start -f" means the rest of the ipa services seem to work properly, but without named.
>>
>> Is there a way to fix the named issue or is it much simpler to disconnect the replica, uninstall it and start again?
>>
>> Thanks
>>
>> Bob Hinton
>>
>
> Hi Bob,
>
> If your SELinux is in enforcing mode I would check for AVCs, maybe the token directory is mislabeled.
>
> You also may be hitting https://fedorahosted.org/freeipa/ticket/5520 , there is a workaround described in the ticket.
>

Hi Martin,

It was the umask on RHEL 7.2 that had caused the problem as per ticket 5520

chmod 770 /var/lib/ipa/dnssec
chmod 644 /etc/ipa/dnssec/softhsm2.conf
ipactl restart

Fixed it

Many thanks

Bob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
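A permission audit for the fix Bob applied, added here as an example that is not part of the thread or of FreeIPA: it checks the two paths and modes from the message above (group rwx on /var/lib/ipa/dnssec, world-readable /etc/ipa/dnssec/softhsm2.conf) and warns when the current umask would strip the group bits the thread blames. It assumes GNU stat as shipped on RHEL; the paths are parameters so a test copy can be checked.

```shell
#!/bin/sh
# Added example, not from the thread: audit the permissions the fix in this
# thread sets (chmod 770 on /var/lib/ipa/dnssec, chmod 644 on
# /etc/ipa/dnssec/softhsm2.conf) and warn about the umask the thread blames.
# Assumes GNU stat (RHEL). Paths are parameters so a test copy can be checked.

# Succeed only if the symbolic mode of $1, as printed by 'stat -c %A'
# (e.g. drwxrwx---), matches the shell pattern $2.
mode_matches() {
    _mode=$(stat -c '%A' "$1" 2>/dev/null) || return 1
    case $_mode in
        $2) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print each permission problem found; return 0 only when both checks pass.
check_dnssec_perms() {
    token_dir=${1:-/var/lib/ipa/dnssec}
    conf=${2:-/etc/ipa/dnssec/softhsm2.conf}
    rc=0
    # named runs unprivileged and reaches the SoftHSM token store through
    # the directory's group bits, so group must have rwx (mode 770).
    if ! mode_matches "$token_dir" 'd???rwx*'; then
        echo "$token_dir: group lacks rwx (thread's fix: chmod 770)"
        rc=1
    fi
    # softhsm2.conf is read by every process that opens the token, so group
    # and others both need read (mode 644).
    if ! mode_matches "$conf" '-???r??r*'; then
        echo "$conf: group/others lack read (thread's fix: chmod 644)"
        rc=1
    fi
    return $rc
}

# Succeed when the current umask strips group bits; a restrictive umask at
# install time is what the thread says produced the bad modes (the exact
# value on the affected host is not stated in the thread).
umask_strips_group() {
    case $(umask -S) in
        *g=rwx*) return 1 ;;
        *)       return 0 ;;
    esac
}

check_dnssec_perms "$@" && echo "dnssec permissions look fine"
umask_strips_group && echo "warning: current umask masks group bits"
```

Run it with no arguments on the replica to audit the live paths, or pass a directory and a config file to check copies.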