Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-30 Thread Michael Lasevich
*sigh* Feel like I am going around in circles

"ipa-ldap-updater --upgrade" failed with: "Upgrade failed with
attribute "allowWeakCipher" not allowed"


I am running 1.3.3 from mkosek-freeipa copr:

389-ds-base-libs-1.3.3.5-1.fc20.x86_64
389-ds-base-1.3.3.5-1.fc20.x86_64

 yum info 389-ds-base
Loaded plugins: copr
Installed Packages
Name: 389-ds-base
Arch: x86_64
Version : 1.3.3.5
Release : 1.fc20
Size: 5.2 M
Repo: installed
From repo   : mkosek-freeipa
Summary : 389 Directory Server (base)
URL : http://port389.org/
License : GPLv2 with exceptions
Description : 389 Directory Server is an LDAPv3 compliant server.  The
base package includes
: the LDAP server and command line utilities for server
administration.


-M

On 10/30/14, 1:44 AM, Martin Basti wrote:
> On 30/10/14 06:09, Michael Lasevich wrote:
>> Maybe I should not be doing this late at night, but I cannot find
>> "cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config " anywhere.
>>
>> -M
>
> IMO something bad happens during the ipa upgrade,
>
> can you remove
>
> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>
> entry, and run ipa-ldap-updater --upgrade, then reinstall DNS  (rerun
> ipa-dns-install)
>
> Let me know if it works.
>
>>
>> On 10/29/14, 3:03 AM, Martin Basti wrote:
>>> On 28/10/14 20:54, Michael Lasevich wrote:
 I have a pair of servers that were both installed on clean Fedora20
 4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1

 During update, secondary was done first and worked but primary run
 into
 trouble as described

 Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
 entry with dn:

 ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com


 Not sure what of that you need there, but for ipk11Label it has:
 dnssec-replica:infra-dc-02.my.domain.com. (which is the replica
 that IS
 working)

 Thanks,

 -M

 On 10/28/14, 3:21 AM, Martin Basti wrote:
> On 28/10/14 06:14, Michael Lasevich wrote:
>> Running into same thing, but running ipa-dnsinstall does not
>> complete:
>>
>> =
>> Configuring DNS (named)
>> [1/8]: generating rndc key file
>> WARNING: Your system is running out of entropy, you may experience
>> long delays
>> [2/8]: setting up our own record
>> [3/8]: adding NS record to the zones
>> [4/8]: setting up CA record
>> [5/8]: setting up kerberos principal
>> [6/8]: setting up named.conf
>> [7/8]: configuring named to start on boot
>> [8/8]: changing resolv.conf to point to ourselves
>> Done configuring DNS (named).
>> Configuring DNS key synchronization service (ipa-dnskeysyncd)
>> [1/6]: checking status
>> [2/6]: setting up kerberos principal
>> [3/6]: setting up SoftHSM
>> [4/6]: adding DNSSEC containers
>> [5/6]: creating replica keys
>> [error] DuplicateEntry: This entry already exists
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> DuplicateEntry: This entry already exists
>> =
>>
>> Looking into the /var/log/ipaserver-install.log gets:
>> =
>> 2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>
>>
>> 2014-10-28T05:01:24Z DEBUG flushing
>> ldap://infra-dc-01.my.domain.com:389 from SchemaCache
>> 2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
>> url=ldap://infra-dc-01.my.domain.com:389
>> conn=
>> 2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line
>> 382, in start_creation run_step(full_msg, method)
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line
>> 372, in run_step method()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>
>>
>> line 340, in __setup_replica_keys ldap.add_entry(entry)
>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>> line
>> 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
>> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>> self.gen.throw(type, value, traceback)
>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>> line
>> 1169, in error_handler raise errors.DuplicateEntry()
>> DuplicateEntry: This entry already exists
>>
>> 2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry
>> already exists
>> 2014-10-28T05:01:24Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipaserver/in

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-30 Thread Martin Basti

On 30/10/14 06:09, Michael Lasevich wrote:

Maybe I should not be doing this late at night, but I cannot find
"cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config " anywhere.

-M


IMO something bad happens during the ipa upgrade,

can you remove

ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

entry, and run ipa-ldap-updater --upgrade, then reinstall DNS  (rerun 
ipa-dns-install)

Let me know if it works.



On 10/29/14, 3:03 AM, Martin Basti wrote:

On 28/10/14 20:54, Michael Lasevich wrote:

I have a pair of servers that were both installed on clean Fedora20
4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1

During update, secondary was done first and worked but primary run into
trouble as described

Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
entry with dn:

ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

Not sure what of that you need there, but for ipk11Label it has:
dnssec-replica:infra-dc-02.my.domain.com. (which is the replica that IS
working)

Thanks,

-M

On 10/28/14, 3:21 AM, Martin Basti wrote:

On 28/10/14 06:14, Michael Lasevich wrote:

Running into same thing, but running ipa-dnsinstall does not complete:

=
Configuring DNS (named)
[1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience
long delays
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up CA record
[5/8]: setting up kerberos principal
[6/8]: setting up named.conf
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/6]: checking status
[2/6]: setting up kerberos principal
[3/6]: setting up SoftHSM
[4/6]: adding DNSSEC containers
[5/6]: creating replica keys
[error] DuplicateEntry: This entry already exists
Unexpected error - see /var/log/ipaserver-install.log for details:
DuplicateEntry: This entry already exists
=

Looking into the /var/log/ipaserver-install.log gets:
=
2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

2014-10-28T05:01:24Z DEBUG flushing
ldap://infra-dc-01.my.domain.com:389 from SchemaCache
2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
url=ldap://infra-dc-01.my.domain.com:389
conn=
2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
382, in start_creation run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
372, in run_step method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",

line 340, in __setup_replica_keys ldap.add_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1169, in error_handler raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry
already exists
2014-10-28T05:01:24Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 646, in run_script
  return_value = main_function()
File "/sbin/ipa-dns-install", line 218, in main
dnskeysyncd.create_instance(api.env.host, api.env.realm)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",

line 128, in create_instance self.start_creation()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
382, in start_creation run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
372, in run_step method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",

line 340, in __setup_replica_keys ldap.add_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1169, in error_handler raise errors.DuplicateEntry()
2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
exception: DuplicateEntry: This entry already exists

Hello Michael,

can you send me which entries do you have in
cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com, it looks like directory
server doesn't generate uniqueID for keys.

Do you have upgraded IPA or fresh installed?

Martin^2


Can you send me conte

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-29 Thread Michael Lasevich
Maybe I should not be doing this late at night, but I cannot find
"cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config " anywhere.

-M

On 10/29/14, 3:03 AM, Martin Basti wrote:
> On 28/10/14 20:54, Michael Lasevich wrote:
>> I have a pair of servers that were both installed on clean Fedora20
>> 4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1
>>
>> During update, secondary was done first and worked but primary run into
>> trouble as described
>>
>> Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
>> entry with dn:
>>
>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>
>> Not sure what of that you need there, but for ipk11Label it has:
>> dnssec-replica:infra-dc-02.my.domain.com. (which is the replica that IS
>> working)
>>
>> Thanks,
>>
>> -M
>>
>> On 10/28/14, 3:21 AM, Martin Basti wrote:
>>> On 28/10/14 06:14, Michael Lasevich wrote:
 Running into same thing, but running ipa-dnsinstall does not complete:

 =
 Configuring DNS (named)
[1/8]: generating rndc key file
 WARNING: Your system is running out of entropy, you may experience
 long delays
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up CA record
[5/8]: setting up kerberos principal
[6/8]: setting up named.conf
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
 Done configuring DNS (named).
 Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/6]: checking status
[2/6]: setting up kerberos principal
[3/6]: setting up SoftHSM
[4/6]: adding DNSSEC containers
[5/6]: creating replica keys
[error] DuplicateEntry: This entry already exists
 Unexpected error - see /var/log/ipaserver-install.log for details:
 DuplicateEntry: This entry already exists
 =

 Looking into the /var/log/ipaserver-install.log gets:
 =
 2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
 ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

 2014-10-28T05:01:24Z DEBUG flushing
 ldap://infra-dc-01.my.domain.com:389 from SchemaCache
 2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
 url=ldap://infra-dc-01.my.domain.com:389
 conn=
 2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
File
 "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
 382, in start_creation run_step(full_msg, method)
File
 "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
 372, in run_step method()
File
 "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",

 line 340, in __setup_replica_keys ldap.add_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
 self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
 1169, in error_handler raise errors.DuplicateEntry()
 DuplicateEntry: This entry already exists

 2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry
 already exists
 2014-10-28T05:01:24Z DEBUG   File
 "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
 line 646, in run_script
  return_value = main_function()
File "/sbin/ipa-dns-install", line 218, in main
 dnskeysyncd.create_instance(api.env.host, api.env.realm)
File
 "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",

 line 128, in create_instance self.start_creation()
File
 "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
 382, in start_creation run_step(full_msg, method)
File
 "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
 372, in run_step method()
File
 "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",

 line 340, in __setup_replica_keys ldap.add_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
 self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
 1169, in error_handler raise errors.DuplicateEntry()
 2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
 exception: DuplicateEntry: This entry already exists
>>> Hello Michael,
>>>
>>> can you send me which entries do you have in
>>> cn=keys,cn=sec,cn=dns,dc=my,dc=domain

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-29 Thread Martin Basti

On 28/10/14 20:54, Michael Lasevich wrote:

I have a pair of servers that were both installed on clean Fedora20
4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1

During update, secondary was done first and worked but primary run into
trouble as described

Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
entry with dn:

ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

Not sure what of that you need there, but for ipk11Label it has:
dnssec-replica:infra-dc-02.my.domain.com. (which is the replica that IS
working)

Thanks,

-M

On 10/28/14, 3:21 AM, Martin Basti wrote:

On 28/10/14 06:14, Michael Lasevich wrote:

Running into same thing, but running ipa-dnsinstall does not complete:

=
Configuring DNS (named)
   [1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience
long delays
   [2/8]: setting up our own record
   [3/8]: adding NS record to the zones
   [4/8]: setting up CA record
   [5/8]: setting up kerberos principal
   [6/8]: setting up named.conf
   [7/8]: configuring named to start on boot
   [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
   [1/6]: checking status
   [2/6]: setting up kerberos principal
   [3/6]: setting up SoftHSM
   [4/6]: adding DNSSEC containers
   [5/6]: creating replica keys
   [error] DuplicateEntry: This entry already exists
Unexpected error - see /var/log/ipaserver-install.log for details:
DuplicateEntry: This entry already exists
=

Looking into the /var/log/ipaserver-install.log gets:
=
2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
2014-10-28T05:01:24Z DEBUG flushing
ldap://infra-dc-01.my.domain.com:389 from SchemaCache
2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
url=ldap://infra-dc-01.my.domain.com:389
conn=
2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
382, in start_creation run_step(full_msg, method)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
372, in run_step method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 340, in __setup_replica_keys ldap.add_entry(entry)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1169, in error_handler raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry
already exists
2014-10-28T05:01:24Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 646, in run_script
 return_value = main_function()
   File "/sbin/ipa-dns-install", line 218, in main
dnskeysyncd.create_instance(api.env.host, api.env.realm)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 128, in create_instance self.start_creation()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
382, in start_creation run_step(full_msg, method)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
372, in run_step method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 340, in __setup_replica_keys ldap.add_entry(entry)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1169, in error_handler raise errors.DuplicateEntry()
2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
exception: DuplicateEntry: This entry already exists

Hello Michael,

can you send me which entries do you have in
cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com, it looks like directory
server doesn't generate uniqueID for keys.

Do you have upgraded IPA or fresh installed?

Martin^2

Can you send me content of cn=IPK11 Unique IDs,cn=IPA 
UUID,cn=plugins,cn=config entry? (If exists)

It looks like DS doesn't generate unique IDs

Martin^2


--
Martin Basti

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

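The check Martin asks for above (which entries sit under cn=keys,cn=sec,cn=dns and whether the cn=IPK11 Unique IDs plugin configuration entry exists) can be scripted over an LDIF export. This is an added example, not code from the thread or from FreeIPA; the ldapsearch commands in its docstring, the sample LDIF, its UUID value and the ipk11PublicKey object class are constructed assumptions.

```python
"""Scan a FreeIPA DNSSEC key container export for the symptom in this thread:
key entries whose ipk11UniqueId was stored as the literal placeholder
"autogenerate" because the directory server's IPA UUID plugin never rewrote
it, plus whether the plugin configuration entry exists at all.

Assumed input: LDIF produced by commands such as (hypothetical invocation)
  ldapsearch -Y GSSAPI -LLL -b "cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com"
  ldapsearch -D "cn=Directory Manager" -W -LLL -b "cn=plugins,cn=config" \
      "(cn=IPK11 Unique IDs)"
"""
import base64

PLACEHOLDER = "autogenerate"
PLUGIN_DN = "cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config"

# Constructed sample: the entry Michael reported, plus one healthy replica key
# with a made-up UUID, folded across two LDIF lines to exercise unfolding.
SAMPLE_LDIF = """\
dn: ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
objectClass: top
objectClass: ipk11PublicKey
ipk11UniqueId: autogenerate
ipk11Label: dnssec-replica:infra-dc-02.my.domain.com.

dn: ipk11UniqueId=11111111-2222-3333-4444-555555555555,cn=keys,cn=sec,cn=dns,
 dc=my,dc=domain,dc=com
objectClass: top
objectClass: ipk11PublicKey
ipk11UniqueId: 11111111-2222-3333-4444-555555555555
ipk11Label: dnssec-replica:infra-dc-01.my.domain.com.
"""


def _norm_dn(dn):
    """Case-fold a DN and drop whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse LDIF into a list of {"dn": str, "attrs": {name: [values]}}.

    Handles folded continuation lines (leading space), base64 values ("::")
    and comment lines; attribute names are lower-cased.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "" or line.startswith("#"):
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def placeholder_key_entries(entries):
    """DNs of key entries whose ipk11UniqueId is still the literal placeholder."""
    return [e["dn"] for e in entries
            if any(v.lower() == PLACEHOLDER
                   for v in e["attrs"].get("ipk11uniqueid", []))]


def has_uuid_plugin_config(entries):
    """True if the IPK11 Unique IDs plugin configuration entry is present."""
    target = _norm_dn(PLUGIN_DN)
    return any(_norm_dn(e["dn"]) == target for e in entries)


def report(ldif_text):
    """Return human-readable findings for an LDIF export (empty list = clean)."""
    entries = parse_ldif(ldif_text)
    findings = ["placeholder ipk11UniqueId stored literally: " + dn
                for dn in placeholder_key_entries(entries)]
    if not has_uuid_plugin_config(entries):
        findings.append("missing plugin config entry: " + PLUGIN_DN)
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LDIF):
        print(finding)
```

Run it against the combined output of both searches; a clean server yields no findings, while the state described in this thread yields the placeholder DN and, if the plugin entry is absent, the missing-config line.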

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-28 Thread Michael Lasevich
I have a pair of servers that were both installed on clean Fedora20
4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1

During update, secondary was done first and worked but primary run into
trouble as described

Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
entry with dn:

ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

Not sure what of that you need there, but for ipk11Label it has:
dnssec-replica:infra-dc-02.my.domain.com. (which is the replica that IS
working)

Thanks,

-M

On 10/28/14, 3:21 AM, Martin Basti wrote:
> On 28/10/14 06:14, Michael Lasevich wrote:
>> Running into same thing, but running ipa-dnsinstall does not complete:
>>
>> =
>> Configuring DNS (named)
>>   [1/8]: generating rndc key file
>> WARNING: Your system is running out of entropy, you may experience
>> long delays
>>   [2/8]: setting up our own record
>>   [3/8]: adding NS record to the zones
>>   [4/8]: setting up CA record
>>   [5/8]: setting up kerberos principal
>>   [6/8]: setting up named.conf
>>   [7/8]: configuring named to start on boot
>>   [8/8]: changing resolv.conf to point to ourselves
>> Done configuring DNS (named).
>> Configuring DNS key synchronization service (ipa-dnskeysyncd)
>>   [1/6]: checking status
>>   [2/6]: setting up kerberos principal
>>   [3/6]: setting up SoftHSM
>>   [4/6]: adding DNSSEC containers
>>   [5/6]: creating replica keys
>>   [error] DuplicateEntry: This entry already exists
>> Unexpected error - see /var/log/ipaserver-install.log for details:
>> DuplicateEntry: This entry already exists
>> =
>>
>> Looking into the /var/log/ipaserver-install.log gets:
>> =
>> 2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>> 2014-10-28T05:01:24Z DEBUG flushing
>> ldap://infra-dc-01.my.domain.com:389 from SchemaCache
>> 2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
>> url=ldap://infra-dc-01.my.domain.com:389
>> conn=
>> 2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 382, in start_creation run_step(full_msg, method)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 372, in run_step method()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>> line 340, in __setup_replica_keys ldap.add_entry(entry)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>> 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>> self.gen.throw(type, value, traceback)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>> 1169, in error_handler raise errors.DuplicateEntry()
>> DuplicateEntry: This entry already exists
>>
>> 2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry
>> already exists
>> 2014-10-28T05:01:24Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>> line 646, in run_script
>> return_value = main_function()
>>   File "/sbin/ipa-dns-install", line 218, in main
>> dnskeysyncd.create_instance(api.env.host, api.env.realm)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>> line 128, in create_instance self.start_creation()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 382, in start_creation run_step(full_msg, method)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 372, in run_step method()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>> line 340, in __setup_replica_keys ldap.add_entry(entry)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>> 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>> self.gen.throw(type, value, traceback)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>> 1169, in error_handler raise errors.DuplicateEntry()
>> 2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
>> exception: DuplicateEntry: This entry already exists
> Hello Michael,
>
> can you send me which entries do you have in
> cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com, it looks like directory
> server doesn't generate uniqueID for keys.
>
> Do you have upgraded IPA or fresh installed?
>
> Martin^2
>



Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-28 Thread Martin Basti

On 28/10/14 06:14, Michael Lasevich wrote:

Running into same thing, but running ipa-dnsinstall does not complete:

=
Configuring DNS (named)
  [1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience 
long delays

  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up CA record
  [5/8]: setting up kerberos principal
  [6/8]: setting up named.conf
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/6]: checking status
  [2/6]: setting up kerberos principal
  [3/6]: setting up SoftHSM
  [4/6]: adding DNSSEC containers
  [5/6]: creating replica keys
  [error] DuplicateEntry: This entry already exists
Unexpected error - see /var/log/ipaserver-install.log for details:
DuplicateEntry: This entry already exists
=

Looking into the /var/log/ipaserver-install.log gets:
=
2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP, 
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
2014-10-28T05:01:24Z DEBUG flushing 
ldap://infra-dc-01.my.domain.com:389 from SchemaCache
2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache 
url=ldap://infra-dc-01.my.domain.com:389 
conn=

2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
382, in start_creation run_step(full_msg, method)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
372, in run_step method()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", 
line 340, in __setup_replica_keys ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ 
self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
1169, in error_handler raise errors.DuplicateEntry()

DuplicateEntry: This entry already exists

2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry 
already exists
2014-10-28T05:01:24Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
line 646, in run_script

return_value = main_function()
  File "/sbin/ipa-dns-install", line 218, in main 
dnskeysyncd.create_instance(api.env.host, api.env.realm)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", 
line 128, in create_instance self.start_creation()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
382, in start_creation run_step(full_msg, method)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
372, in run_step method()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", 
line 340, in __setup_replica_keys ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ 
self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
1169, in error_handler raise errors.DuplicateEntry()
2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed, 
exception: DuplicateEntry: This entry already exists

Hello Michael,

can you send me which entries do you have in 
cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com, it looks like directory 
server doesn't generate uniqueID for keys.


Do you have upgraded IPA or fresh installed?

Martin^2

--
Martin Basti



Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread Michael Lasevich
Running into same thing, but running ipa-dnsinstall does not complete:

=
Configuring DNS (named)
  [1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long
delays
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up CA record
  [5/8]: setting up kerberos principal
  [6/8]: setting up named.conf
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/6]: checking status
  [2/6]: setting up kerberos principal
  [3/6]: setting up SoftHSM
  [4/6]: adding DNSSEC containers
  [5/6]: creating replica keys
  [error] DuplicateEntry: This entry already exists
Unexpected error - see /var/log/ipaserver-install.log for details:
DuplicateEntry: This entry already exists
=

Looking into the /var/log/ipaserver-install.log gets:
=
2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
2014-10-28T05:01:24Z DEBUG flushing ldap://infra-dc-01.my.domain.com:389
from SchemaCache
2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
url=ldap://infra-dc-01.my.domain.com:389
conn=
2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step method()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 340, in __setup_replica_keys ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1169, in error_handler raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry already
exists
2014-10-28T05:01:24Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 646, in run_script
return_value = main_function()
  File "/sbin/ipa-dns-install", line 218, in main
dnskeysyncd.create_instance(api.env.host, api.env.realm)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 128, in create_instance self.start_creation()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step method()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 340, in __setup_replica_keys ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1169, in error_handler raise errors.DuplicateEntry()
2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
exception: DuplicateEntry: This entry already exists


-M

On 10/27/14, 12:52 PM, Martin Basti wrote:
> On 27/10/14 20:50, John Obaterspok wrote:
>> Hello Martin,
>>
>> It works perfectly again!
>>
>> note, I noticed in /var/log/ipaserver-install.log that
>> ipa-dns-installed failed due to 389 wasn't started (failed to
>> connect). Once it was started manually the ipa-dns-installed worked fine.
>>
>> Thanks a lot Martin,
>>
>> -- john
>>
> You are welcome :-)
>
>>
>> 2014-10-27 20:40 GMT+01:00 Martin Basti > >:
>>
>> On 27/10/14 20:34, John Obaterspok wrote:
>>> hmm... Could not connect to the Directory Server 
>>>
>>> So I started it with start-dirsrv since "systemctl start ipa"
>>> failed. Then it was a breeze, ipa-dns-install worked fine.
>>>
>>> # systemctl --failed
>>> 0 loaded units listed.
>> I'm lost, does IPA work or not?
>> are all services running? (ipactl status)
>> are tokens created in /var/lib/ipa/dnssec/tokens
>> can you dig records from IPA DNS?
>>
>> Martin^2
>>
>>>
>>> I haven't verified that it works, but I feel confident :)
>>>
>>> -- john
>>>
>>>
>>> 2014-10-27 20:09 GMT+01:00 Martin Basti:
>>>
>>> On 27/10/14 19:57, John Obaterspok wrote:
 Hello Martin,

 Still no go.

 I installed the softhsm-devel package (that only contains
 header files), removed the token directory, reinstalled the
 bind &

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread Martin Basti

On 27/10/14 20:50, John Obaterspok wrote:

Hello Martin,

It works perfectly again!

note, I noticed in /var/log/ipaserver-install.log that 
ipa-dns-installed failed because 389 wasn't started (failed to 
connect). Once it was started manually the ipa-dns-installed worked fine.


Thanks a lot Martin,

-- john


You are welcome :-)



2014-10-27 20:40 GMT+01:00 Martin Basti:


On 27/10/14 20:34, John Obaterspok wrote:

hmm... Could not connect to the Directory Server

So I started it with start-dirsrv since "systemctl start ipa"
failed. Then it was a breeze, ipa-dns-install worked fine.

# systemctl --failed
0 loaded units listed.

I'm lost, does IPA work or not?
are all services running? (ipactl status)
are tokens created in /var/lib/ipa/dnssec/tokens
can you dig records from IPA DNS?

Martin^2



I haven't verified that it works, but I feel confident :)

-- john


2014-10-27 20:09 GMT+01:00 Martin Basti:

On 27/10/14 19:57, John Obaterspok wrote:

Hello Martin,

Still no go.

I installed the softhsm-devel package (that only contains
header files), removed the token directory, reinstalled the
bind & bind-pkcs11, did ipa-dns-install that completed ok (I
guess):

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Directory Manager password:

# ipa-upgradeconfig
[Verifying that root certificate is published]
*Failed to backup CS.cfg: no magic attribute 'dogtag'*
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
*Failed to restart named: Command ''/bin/systemctl'
'restart' 'named-pkcs11.service'' returned non-zero exit
status 1*
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to
version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful


# systemctl restart named-pkcs11 && journalctl -xn
19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to
enumerate object store in /var/lib/ipa/dnssec/tokens
19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load
the object store
19:38:54 named-pkcs11[838]: initializing DST: PKCS#11
initialization failed
19:38:54 named-pkcs11[838]: exiting (due to fatal error)
19:38:54 systemd[1]: named-pkcs11.service: control process
exited, code=exited status=1
19:38:54 systemd[1]: Failed to start Berkeley Internet Name
Domain (DNS) with native PKCS#11.


It seems the problem is now there are no tokens:
# ll /var/lib/ipa/dnssec/
total 4.0K
-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin


This is interesting, ipa-dns-install should detect the missing
directory and create a new one.
Could you send me the tail of /var/log/ipaserver-install.log,
where the DNS debug lines are?

Martin^2



Any ideas?

-- john

2014-10-27 19:05 GMT+01:00 Martin Basti:

On 27/10/14 18:53, John Obaterspok wrote:



2014-10-27 12:19 GMT+01:00 Martin Basti:

On 26/10/14 21:39, John Obaterspok wrote:

Hi,

I enabled mkosek-freeipa repo for F20 and updated
freeipa-server from 3.3.5 to 4.1. The yum update
reported just a single error:

Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start:
ipa, kadmin, named-pkcs11

Doing "strace -f named-pkcs11 -u named -f -g" I
can see:
 

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
Hello Martin,

It works perfectly again!

note, I noticed in /var/log/ipaserver-install.log that ipa-dns-installed failed
because 389 wasn't started (failed to connect). Once it was started manually
the ipa-dns-installed worked fine.

Thanks a lot Martin,

-- john


2014-10-27 20:40 GMT+01:00 Martin Basti :

>  On 27/10/14 20:34, John Obaterspok wrote:
>
> hmm... Could not connect to the Directory Server
>
>  So I started it with start-dirsrv since "systemctl start ipa" failed.
> Then it was a breeze, ipa-dns-install worked fine.
>
>  # systemctl --failed
> 0 loaded units listed.
>
> I'm lost, does IPA work or not?
> are all services running? (ipactl status)
> are tokens created in /var/lib/ipa/dnssec/tokens
> can you dig records from IPA DNS?
>
> Martin^2
>
>
>  I haven't verified that it works, but I feel confident :)
>
>  -- john
>
>
> 2014-10-27 20:09 GMT+01:00 Martin Basti :
>
>>   On 27/10/14 19:57, John Obaterspok wrote:
>>
>> Hello Martin,
>>
>>  Still no go.
>>
>>  I installed the softhsm-devel package (that only contains header
>> files), removed the token directory, reinstalled the bind & bind-pkcs11,
>> did ipa-dns-install that completed ok (I guess):
>>
>>  To accept the default shown in brackets, press the Enter key.
>>
>>  Existing BIND configuration detected, overwrite? [no]: yes
>> Directory Manager password:
>>
>>  # ipa-upgradeconfig
>> [Verifying that root certificate is published]
>> *Failed to backup CS.cfg: no magic attribute 'dogtag'*
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Removing self-signed CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> [Ensuring minimal number of connections]
>> [Enabling serial autoincrement in DNS]
>> [Updating GSSAPI configuration in DNS]
>> [Updating pid-file configuration in DNS]
>> [Masking named]
>> Changes to named.conf have been made, restart named
>> *Failed to restart named: Command ''/bin/systemctl' 'restart'
>> 'named-pkcs11.service'' returned non-zero exit status 1*
>> [Verifying that CA service certificate profile is updated]
>> [Update certmonger certificate renewal configuration to version 2]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> The ipa-upgradeconfig command was successful
>>
>>
>>  # systemctl restart named-pkcs11 && journalctl -xn
>>  19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate
>> object store in /var/lib/ipa/dnssec/tokens
>> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object
>> store
>> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization
>> failed
>> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
>> 19:38:54 systemd[1]: named-pkcs11.service: control process exited,
>> code=exited status=1
>> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>> with native PKCS#11.
>>
>>
>>  It seems the problem is now there are no tokens:
>>  # ll /var/lib/ipa/dnssec/
>> total 4.0K
>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>
>>
>>  This is interesting, ipa-dns-install should detect the missing directory
>> and create a new one.
>> Could you send me the tail of /var/log/ipaserver-install.log, where the DNS debug
>> lines are?
>>
>> Martin^2
>>
>>
>>  Any ideas?
>>
>>  -- john
>>
>> 2014-10-27 19:05 GMT+01:00 Martin Basti :
>>
>>>   On 27/10/14 18:53, John Obaterspok wrote:
>>>
>>>
>>>
>>> 2014-10-27 12:19 GMT+01:00 Martin Basti :
>>>
  On 26/10/14 21:39, John Obaterspok wrote:

 Hi,

  I enabled mkosek-freeipa repo for F20 and updated freeipa-server from
 3.3.5 to 4.1. The yum update reported just a single error:

  Could not load host key: /etc/ssh/ssh_host_dsa_key

  After reboot I had 3 services that failed to start:
 ipa, kadmin, named-pkcs11

  Doing "strace -f named-pkcs11 -u named -f -g" I can see:
 "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
initializing DST: PKCS#11 initialization failed
exiting (due to fatal error)


  For kadmin the error is due to not being able to connect to sldap

  I noticed that softhsm2-util --show-slots reported "ERROR: Could not
 initialize the library." But that seemed to be because   wasn't part of the
 update. After that I could show the default slot and then I manually called
 following (as root):

  "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
 XX

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread Martin Basti

On 27/10/14 20:34, John Obaterspok wrote:

hmm... Could not connect to the Directory Server

So I started it with start-dirsrv since "systemctl start ipa" failed. 
Then it was a breeze, ipa-dns-install worked fine.


# systemctl --failed
0 loaded units listed.

I'm lost, does IPA work or not?
are all services running? (ipactl status)
are tokens created in /var/lib/ipa/dnssec/tokens
can you dig records from IPA DNS?

Martin^2


I haven't verified that it works, but I feel confident :)

-- john


2014-10-27 20:09 GMT+01:00 Martin Basti:


On 27/10/14 19:57, John Obaterspok wrote:

Hello Martin,

Still no go.

I installed the softhsm-devel package (that only contains header
files), removed the token directory, reinstalled the bind &
bind-pkcs11, did ipa-dns-install that completed ok (I guess):

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Directory Manager password:

# ipa-upgradeconfig
[Verifying that root certificate is published]
*Failed to backup CS.cfg: no magic attribute 'dogtag'*
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
*Failed to restart named: Command ''/bin/systemctl' 'restart'
'named-pkcs11.service'' returned non-zero exit status 1*
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful


# systemctl restart named-pkcs11 && journalctl -xn
19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to
enumerate object store in /var/lib/ipa/dnssec/tokens
19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the
object store
19:38:54 named-pkcs11[838]: initializing DST: PKCS#11
initialization failed
19:38:54 named-pkcs11[838]: exiting (due to fatal error)
19:38:54 systemd[1]: named-pkcs11.service: control process
exited, code=exited status=1
19:38:54 systemd[1]: Failed to start Berkeley Internet Name
Domain (DNS) with native PKCS#11.


It seems the problem is now there are no tokens:
# ll /var/lib/ipa/dnssec/
total 4.0K
-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin


This is interesting, ipa-dns-install should detect the missing
directory and create a new one.
Could you send me the tail of /var/log/ipaserver-install.log, where
the DNS debug lines are?

Martin^2



Any ideas?

-- john

2014-10-27 19:05 GMT+01:00 Martin Basti:

On 27/10/14 18:53, John Obaterspok wrote:



2014-10-27 12:19 GMT+01:00 Martin Basti:

On 26/10/14 21:39, John Obaterspok wrote:

Hi,

I enabled mkosek-freeipa repo for F20 and updated
freeipa-server from 3.3.5 to 4.1. The yum update
reported just a single error:

Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start:
ipa, kadmin, named-pkcs11

Doing "strace -f named-pkcs11 -u named -f -g" I can see:
 "/var/lib/softhsm/tokens/" => -1 EACCES (Permission
denied)
   initializing DST: PKCS#11 initialization failed
   exiting (due to fatal error)


For kadmin the error is due to not being able to
connect to sldap

I noticed that softhsm2-util --show-slots reported
"ERROR: Could not initialize the library." But that
seemed to be because wasn't part of the update. After
that I could show the default slot and then I manually
called following (as root):

"/usr/bin/softhsm2-util --init-token --slot 0 --label
ipaDNSSEC --pin  --so-pin "

But the problems won't go away. Any clues?

-- john





Hello,

  

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
hmm... Could not connect to the Directory Server

So I started it with start-dirsrv since "systemctl start ipa" failed. Then
it was a breeze, ipa-dns-install worked fine.

# systemctl --failed
0 loaded units listed.

I haven't verified that it works, but I feel confident :)

-- john


2014-10-27 20:09 GMT+01:00 Martin Basti :

>  On 27/10/14 19:57, John Obaterspok wrote:
>
> Hello Martin,
>
>  Still no go.
>
>  I installed the softhsm-devel package (that only contains header files),
> removed the token directory, reinstalled the bind & bind-pkcs11, did
> ipa-dns-install that completed ok (I guess):
>
>  To accept the default shown in brackets, press the Enter key.
>
>  Existing BIND configuration detected, overwrite? [no]: yes
> Directory Manager password:
>
>  # ipa-upgradeconfig
> [Verifying that root certificate is published]
> *Failed to backup CS.cfg: no magic attribute 'dogtag'*
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Removing self-signed CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Masking named]
> Changes to named.conf have been made, restart named
> *Failed to restart named: Command ''/bin/systemctl' 'restart'
> 'named-pkcs11.service'' returned non-zero exit status 1*
> [Verifying that CA service certificate profile is updated]
> [Update certmonger certificate renewal configuration to version 2]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> The ipa-upgradeconfig command was successful
>
>
>  # systemctl restart named-pkcs11 && journalctl -xn
>  19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate
> object store in /var/lib/ipa/dnssec/tokens
> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object
> store
> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization failed
> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
> 19:38:54 systemd[1]: named-pkcs11.service: control process exited,
> code=exited status=1
> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
> with native PKCS#11.
>
>
>  It seems the problem is now there are no tokens:
>  # ll /var/lib/ipa/dnssec/
> total 4.0K
> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>
>
> This is interesting, ipa-dns-install should detect the missing directory and
> create a new one.
> Could you send me the tail of /var/log/ipaserver-install.log, where the DNS debug
> lines are?
>
> Martin^2
>
>
>  Any ideas?
>
>  -- john
>
> 2014-10-27 19:05 GMT+01:00 Martin Basti :
>
>>   On 27/10/14 18:53, John Obaterspok wrote:
>>
>>
>>
>> 2014-10-27 12:19 GMT+01:00 Martin Basti :
>>
>>>  On 26/10/14 21:39, John Obaterspok wrote:
>>>
>>> Hi,
>>>
>>>  I enabled mkosek-freeipa repo for F20 and updated freeipa-server from
>>> 3.3.5 to 4.1. The yum update reported just a single error:
>>>
>>>  Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>
>>>  After reboot I had 3 services that failed to start:
>>> ipa, kadmin, named-pkcs11
>>>
>>>  Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>>> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>>>initializing DST: PKCS#11 initialization failed
>>>exiting (due to fatal error)
>>>
>>>
>>>  For kadmin the error is due to not being able to connect to sldap
>>>
>>>  I noticed that softhsm2-util --show-slots reported "ERROR: Could not
>>> initialize the library." But that seemed to be because   wasn't part of the
>>> update. After that I could show the default slot and then I manually called
>>> following (as root):
>>>
>>>  "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
>>>  --so-pin "
>>>
>>>  But the problems won't go away. Any clues?
>>>
>>>  -- john
>>>
>>>
>>>
>>>
>>>  Hello,
>>>
>>> 1)
>>> can you share your /var/log/ipaupgrade.log ?
>>>
>>
>>  Unfortunately I removed the original ipaupgrade.log file when I did a
>> retry to install freeipa-server. The current ipaupgrade.log has two errors:
>> First)
>>
>>  2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
>> {'desc': 'Operations error'}
>> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
>> 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
>> Plugin,cn=plugins,cn=config
>> 2014-10-26T12:45:15Z D

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread Martin Basti

On 27/10/14 19:57, John Obaterspok wrote:

Hello Martin,

Still no go.

I installed the softhsm-devel package (that only contains header 
files), removed the token directory, reinstalled the bind & 
bind-pkcs11, did ipa-dns-install that completed ok (I guess):


To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Directory Manager password:

# ipa-upgradeconfig
[Verifying that root certificate is published]
*Failed to backup CS.cfg: no magic attribute 'dogtag'*
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
*Failed to restart named: Command ''/bin/systemctl' 'restart' 
'named-pkcs11.service'' returned non-zero exit status 1*

[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful


# systemctl restart named-pkcs11 && journalctl -xn
19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate 
object store in /var/lib/ipa/dnssec/tokens
19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the 
object store
19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization 
failed

19:38:54 named-pkcs11[838]: exiting (due to fatal error)
19:38:54 systemd[1]: named-pkcs11.service: control process exited, 
code=exited status=1
19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain 
(DNS) with native PKCS#11.



It seems the problem is now there are no tokens:
# ll /var/lib/ipa/dnssec/
total 4.0K
-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin


This is interesting, ipa-dns-install should detect the missing directory and 
create a new one.
Could you send me the tail of /var/log/ipaserver-install.log, where the DNS 
debug lines are?


Martin^2


Any ideas?

-- john

2014-10-27 19:05 GMT+01:00 Martin Basti:


On 27/10/14 18:53, John Obaterspok wrote:



2014-10-27 12:19 GMT+01:00 Martin Basti:

On 26/10/14 21:39, John Obaterspok wrote:

Hi,

I enabled mkosek-freeipa repo for F20 and updated
freeipa-server from 3.3.5 to 4.1. The yum update reported
just a single error:

Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start:
ipa, kadmin, named-pkcs11

Doing "strace -f named-pkcs11 -u named -f -g" I can see:
   "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
   initializing DST: PKCS#11 initialization failed
   exiting (due to fatal error)


For kadmin the error is due to not being able to connect to
sldap

I noticed that softhsm2-util --show-slots reported "ERROR:
Could not initialize the library." But that seemed to be
because   wasn't part of the update. After that I could show
the default slot and then I manually called following (as root):

"/usr/bin/softhsm2-util --init-token --slot 0 --label
ipaDNSSEC --pin  --so-pin "

But the problems won't go away. Any clues?

-- john





Hello,

1)
can you share your /var/log/ipaupgrade.log ?


Unfortunately I removed the original ipaupgrade.log file when I
did a retry to install freeipa-server. The current ipaupgrade.log
has two errors:
First)

2014-10-26T12:45:15Z DEBUG Live 1, updated 1
2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
{'desc': 'Operations error'}
2014-10-26T12:45:15Z ERROR Update failed: Operations error:
2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
Plugin,cn=plugins,cn=config
2014-10-26T12:45:15Z DEBUG
-

Is there any information about the entry which is updated above?



Second) It complains about not being able to start named-pkcs11
service.

2)
your issue with softhsm can be caused by a missing environment
variable
IPA internally uses

SOFTHSM2_CONF=/etc/ipa/dnssec/so

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
Hello Martin,

Still no go.

I installed the softhsm-devel package (that only contains header files),
removed the token directory, reinstalled the bind & bind-pkcs11, did
ipa-dns-install that completed ok (I guess):

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Directory Manager password:

# ipa-upgradeconfig
[Verifying that root certificate is published]
*Failed to backup CS.cfg: no magic attribute 'dogtag'*
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
*Failed to restart named: Command ''/bin/systemctl' 'restart'
'named-pkcs11.service'' returned non-zero exit status 1*
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful


# systemctl restart named-pkcs11 && journalctl -xn
19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate object
store in /var/lib/ipa/dnssec/tokens
19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object
store
19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization failed
19:38:54 named-pkcs11[838]: exiting (due to fatal error)
19:38:54 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.


It seems the problem is now there are no tokens:
# ll /var/lib/ipa/dnssec/
total 4.0K
-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin

Any ideas?

-- john

2014-10-27 19:05 GMT+01:00 Martin Basti :

>  On 27/10/14 18:53, John Obaterspok wrote:
>
>
>
> 2014-10-27 12:19 GMT+01:00 Martin Basti :
>
>>  On 26/10/14 21:39, John Obaterspok wrote:
>>
>> Hi,
>>
>>  I enabled mkosek-freeipa repo for F20 and updated freeipa-server from
>> 3.3.5 to 4.1. The yum update reported just a single error:
>>
>>  Could not load host key: /etc/ssh/ssh_host_dsa_key
>>
>>  After reboot I had 3 services that failed to start:
>> ipa, kadmin, named-pkcs11
>>
>>  Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>>initializing DST: PKCS#11 initialization failed
>>exiting (due to fatal error)
>>
>>
>>  For kadmin the error is due to not being able to connect to sldap
>>
>>  I noticed that softhsm2-util --show-slots reported "ERROR: Could not
>> initialize the library." But that seemed to be because   wasn't part of the
>> update. After that I could show the default slot and then I manually called
>> following (as root):
>>
>>  "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
>>  --so-pin "
>>
>>  But the problems won't go away. Any clues?
>>
>>  -- john
>>
>>
>>
>>
>>  Hello,
>>
>> 1)
>> can you share your /var/log/ipaupgrade.log ?
>>
>
>  Unfortunately I removed the original ipaupgrade.log file when I did a
> retry to install freeipa-server. The current ipaupgrade.log has two errors:
> First)
>
>  2014-10-26T12:45:15Z DEBUG Live 1, updated 1
> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
> 'Operations error'}
> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
> 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
> Plugin,cn=plugins,cn=config
> 2014-10-26T12:45:15Z DEBUG -
>
> Is there any information about the entry which is updated above?
>
>
>  Second) It complains about not being able to start named-pkcs11 service.
>
>
>
>>  2)
>> your issue with softhsm can be caused by a missing environment variable
>> IPA internally uses
>>
>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>> please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
>> --show-slots, and let me know if it works
>>
>> same with named-pkcs11,
>>
>>
>  The filestamps for softhsm_pin & tokens match the time I did the
> original update
>
>  # ll /var/lib/ipa/dnssec/
> -rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>
>  # ll /var/lib/ipa/dnssec/tokens/
> total

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread Martin Basti

On 27/10/14 18:53, John Obaterspok wrote:



2014-10-27 12:19 GMT+01:00 Martin Basti:


On 26/10/14 21:39, John Obaterspok wrote:

Hi,

I enabled mkosek-freeipa repo for F20 and updated freeipa-server
from 3.3.5 to 4.1. The yum update reported just a single error:

Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start:
ipa, kadmin, named-pkcs11

Doing "strace -f named-pkcs11 -u named -f -g" I can see:
   "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
   initializing DST: PKCS#11 initialization failed
   exiting (due to fatal error)


For kadmin the error is due to not being able to connect to sldap

I noticed that softhsm2-util --show-slots reported "ERROR: Could
not initialize the library." But that seemed to be because  
wasn't part of the update. After that I could show the default

slot and then I manually called following (as root):

"/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC
--pin  --so-pin "

But the problems won't go away. Any clues?

-- john





Hello,

1)
can you share your /var/log/ipaupgrade.log ?


Unfortunately I removed the original ipaupgrade.log file when I did a 
retry to install freeipa-server. The current ipaupgrade.log has two 
errors:

First)

2014-10-26T12:45:15Z DEBUG Live 1, updated 1
2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: 
{'desc': 'Operations error'}

2014-10-26T12:45:15Z ERROR Update failed: Operations error:
2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf 
Plugin,cn=plugins,cn=config

2014-10-26T12:45:15Z DEBUG -

Is there any information about the entry which is updated above?


Second) It complains about not being able to start named-pkcs11 service.

2)
your issue with softhsm can be caused by a missing environment variable
IPA internally uses

SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
softhsm2-util --show-slots, and let me know if it works

same with named-pkcs11,


The filestamps for softhsm_pin & tokens match the time I did the 
original update


# ll /var/lib/ipa/dnssec/
-rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens

# ll /var/lib/ipa/dnssec/tokens/
total 0

# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
Available slots:
Slot 0
Slot info:
Description:  SoftHSM slot 0
Manufacturer ID:  SoftHSM project
Hardware version: 2.0
Firmware version: 2.0
Token present:yes
Token info:
Manufacturer ID:  SoftHSM project
Model:SoftHSM v2
Hardware version: 2.0
Firmware version: 2.0
Serial number:
Initialized:  no
User PIN init.:   no
Label:

Slot was not initialized by IPA


3)
can you share journalctl -u named-pkcs11 output?


10:35:48 systemd[1]: named-pkcs11.service: control process exited, 
code=exited status=1
10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain 
(DNS) with native PKCS#11.

10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with 
native PKCS#11.

-- Reboot --
10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
10:58:05 systemd[1]: named-pkcs11.service: control process exited, 
code=exited status=1
10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain 
(DNS) with native PKCS#11.

10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with 
native PKCS#11.


... After some fiddling a restart says this:

19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, 
OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo

19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
19:26:21 systemd[1]: named-pkcs11.service: control process exited, 
code=exited status=1
19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain 
(DNS) with native PKCS#11.

19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.

4)
I'm not aware that we need krb5-libs/openssl; I was getting
this error if the tokens directory doesn't exist, but IPA uses its own
configuration (see 2), not the default.


 ok


I took a deeper look, and I found some packaging errors there with softhsm.
You were right about the missing dependency.

Please install the softhsm-devel package, remove the /var/lib/ipa/dnssec/tokens 
directory, then reinstall DNS with ipa-dns-install (requires a running 
directory server)


Or if you have a snapshot, install softhsm-devel before upgrading
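A small diagnostic added here (not FreeIPA or SoftHSM code) that automates the checks discussed above: whether SOFTHSM2_CONF points at IPA's own config, whether IPA's token directory is populated, and whether `softhsm2-util --show-slots` reports an initialized token with the ipaDNSSEC label. The paths and label are from this thread; the function names and the embedded sample output are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not part of FreeIPA or SoftHSM. Function names are ours.
IPA_SOFTHSM_CONF="/etc/ipa/dnssec/softhsm2.conf"   # config IPA uses (from the thread)
IPA_TOKEN_DIR="/var/lib/ipa/dnssec/tokens"         # IPA token store (from the thread)
IPA_TOKEN_LABEL="ipaDNSSEC"                        # label used in the thread

# Reads `softhsm2-util --show-slots` output on stdin and prints how many
# slots hold an initialized token whose label equals $1.
count_initialized_tokens() {
    awk -v want="$1" '
        /^ *Slot [0-9]+/  { init = ""; lbl = "" }          # start of a slot block
        /^ *Initialized:/ { init = $NF }                   # "yes" or "no"
        /^ *Label:/       { sub(/^ *Label: */, ""); gsub(/ +$/, ""); lbl = $0
                            if (init == "yes" && lbl == want) n++ }
        END               { print n + 0 }'
}

# Returns 0 if $1 is a directory containing at least one entry (SoftHSM keeps
# each initialized token in a subdirectory there), 1 otherwise.
token_dir_populated() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Runs the three checks against this host; prints the first failing one.
ipa_softhsm_diagnose() {
    if [ "${SOFTHSM2_CONF:-}" != "$IPA_SOFTHSM_CONF" ]; then
        echo "SOFTHSM2_CONF is not $IPA_SOFTHSM_CONF; softhsm2-util would use the default config"
        return 1
    fi
    if ! token_dir_populated "$IPA_TOKEN_DIR"; then
        echo "$IPA_TOKEN_DIR is empty: no token was ever initialized by IPA"
        return 1
    fi
    n=$(softhsm2-util --show-slots | count_initialized_tokens "$IPA_TOKEN_LABEL")
    [ "$n" -ge 1 ] || { echo "no initialized token labelled $IPA_TOKEN_LABEL"; return 1; }
    echo "ok: $n initialized token(s) labelled $IPA_TOKEN_LABEL"
}

# Constructed sample: an uninitialized slot, as posted in the thread.
UNINIT_SLOTS='Available slots:
Slot 0
    Token info:
        Initialized:      no
        Label:            '

# Run the host checks only when invoked as: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then ipa_softhsm_diagnose; fi
```

On the thread's host this reports the empty tokens directory before it ever gets to the slot listing, which is the same conclusion as "Slot was not initialized by IPA".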

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread John Obaterspok
2014-10-27 12:19 GMT+01:00 Martin Basti :

>  On 26/10/14 21:39, John Obaterspok wrote:
>
> Hi,
>
>  I enabled mkosek-freeipa repo for F20 and updated freeipa-server from
> 3.3.5 to 4.1. The yum update reported just a single error:
>
>  Could not load host key: /etc/ssh/ssh_host_dsa_key
>
>  After reboot I had 3 services that failed to start:
> ipa, kadmin, named-pkcs11
>
>  Doing "strace -f named-pkcs11 -u named -f -g" I can see:
> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>initializing DST: PKCS#11 initialization failed
>exiting (due to fatal error)
>
>
>  For kadmin the error is due to not being able to connect to sldap
>
>  I noticed that softhsm2-util --show-slots reported "ERROR: Could not
> initialize the library." But that seemed to be because krb5-libs/openssl wasn't part of the
> update. After that I could show the default slot and then I manually called
> following (as root):
>
>  "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
>  --so-pin "
>
>  But the problems won't go away. Any clues?
>
>  -- john
>
>
>
>
>  Hello,
>
> 1)
> can you share your /var/log/ipaupgrade.log ?
>

Unfortunately I removed the original ipaupgrade.log file when I did a retry
to install freeipa-server. The current ipaupgrade.log has two errors:
First)

2014-10-26T12:45:15Z DEBUG Live 1, updated 1
2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
'Operations error'}
2014-10-26T12:45:15Z ERROR Update failed: Operations error:
2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
Plugin,cn=plugins,cn=config
2014-10-26T12:45:15Z DEBUG -

Second) It complains about not being able to start named-pkcs11 service.



> 2)
> your issue with softhsm can be caused by a missing environment variable
> IPA internally uses
>
> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
> please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
> --show-slots, and let me know if it works
>
> same with named-pkcs11,
>
>
The file timestamps for softhsm_pin & tokens match the time I did the original
update

# ll /var/lib/ipa/dnssec/
-rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens

# ll /var/lib/ipa/dnssec/tokens/
total 0

# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
Available slots:
Slot 0
Slot info:
Description:  SoftHSM slot 0
Manufacturer ID:  SoftHSM project
Hardware version: 2.0
Firmware version: 2.0
Token present:yes
Token info:
Manufacturer ID:  SoftHSM project
Model:SoftHSM v2
Hardware version: 2.0
Firmware version: 2.0
Serial number:
Initialized:  no
User PIN init.:   no
Label:

3)
> can you share journalctl -u named-pkcs11 output?
>

10:35:48 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
native PKCS#11.
-- Reboot --
10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
10:58:05 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
native PKCS#11.

... After some fiddling a restart says this:

19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false, isc_bo
19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
19:26:21 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.

4)
> I'm not aware that we need krb5-libs/openssl; I was getting this error
> if the tokens directory doesn't exist, but IPA uses its own configuration (see 2),
> not the default.
>

 ok
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-27 Thread Martin Basti

On 26/10/14 21:39, John Obaterspok wrote:

Hi,

I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 
3.3.5 to 4.1. The yum update reported just a single error:


Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start:
ipa, kadmin, named-pkcs11

Doing "strace -f named-pkcs11 -u named -f -g" I can see:
   "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
   initializing DST: PKCS#11 initialization failed
   exiting (due to fatal error)


For kadmin the error is due to not being able to connect to sldap

I noticed that softhsm2-util --show-slots reported "ERROR: Could not 
initialize the library." But that seemed to be because krb5-libs/openssl wasn't part 
of the update. After that I could show the default slot and then I 
manually called the following (as root):


"/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin 
 --so-pin "


But the problems won't go away. Any clues?

-- john





Hello,

1)
can you share your /var/log/ipaupgrade.log ?

2)
your issue with softhsm can be caused by a missing environment variable
IPA internally uses

SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util 
--show-slots, and let me know if it works


same with named-pkcs11,

3)
can you share journalctl -u named-pkcs11 output?

4)
I'm not aware that we need krb5-libs/openssl; I was getting this 
error if the tokens directory doesn't exist, but IPA uses its own configuration 
(see 2), not the default.


Martin^2

--
Martin Basti


[Freeipa-users] F20 Problem upgrading to 4.1

2014-10-26 Thread John Obaterspok
Hi,

I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5
to 4.1. The yum update reported just a single error:

Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start:
ipa, kadmin, named-pkcs11

Doing "strace -f named-pkcs11 -u named -f -g" I can see:
   "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
   initializing DST: PKCS#11 initialization failed
   exiting (due to fatal error)


For kadmin the error is due to not being able to connect to sldap

I noticed that softhsm2-util --show-slots reported "ERROR: Could not
initialize the library." But that seemed to be because krb5-libs/openssl
wasn't part of the update. After that I could show the default slot and
then I manually called the following (as root):

"/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
 --so-pin "

But the problems won't go away. Any clues?

-- john