Re: [Freeipa-users] named-pkcs11 fails on new ipa replica
On 07/13/2016 08:51 PM, Bob Hinton wrote:
[Freeipa-users] named-pkcs11 fails on new ipa replica
Hi,

We are trying to create a new replica on RHEL 7.2

This completes but named-pkcs11 fails to start -

systemctl status named-pkcs11.service
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST; 51min ago
  Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 25910 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation. Support and training for BIND 9 are
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at https://www.isc.org/support
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]:
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on open files from 4096 to 1048576
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU, using 1 worker thread
Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP listener per interface
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service entered failed state.
Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service failed.

# /usr/sbin/named-pkcs11 -d 9 -g
13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1 -d 9 -g
13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-' '--enable-rrl' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--enable-exportlib' '--with-export-libdir=/usr/lib64' '--with-export-includedir=/usr/include' '--includedir=/usr/include/bind9' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
13-Jul-2016 19:31:01.283
13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems Consortium,
13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3) public-benefit
13-Jul-2016 19:31:01.284 corporation. Support and training for BIND 9 are
13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
13-Jul-2016 19:31:01.284
13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to 1048576
13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
13-Jul-2016 19:31:01.284 using up to 4096 sockets
13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
13-Jul-2016 19:31:01.287 exiting (due to fatal error)

# tail -2 /var/log

Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456): Could not load the object store

I've tried "ipa-server-upgrade" and

mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
ipa-dns-install

But I haven't managed to fix it.

Using "ipactl start -f" means the rest of the ipa services seem to work properly, but without named.

Is there a way to fix the named issue or is it much simpler to disconnect the replica, uninstall it and start again ?

Thanks

Bob Hinton

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
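The two SoftHSM lines in the post ("Failed to enumerate object store in /var/lib/softhsm/tokens/" followed by "Could not load the object store") are what BIND reports upward as "PKCS#11 initialization failed": the PKCS#11 module could not open and list its token directory before named got as far as loading keys. The script below is an added diagnostic, not code from the thread, from FreeIPA or from SoftHSM. It resolves the token directory the way SoftHSM does (a `directories.tokendir` line in softhsm2.conf, else the default /var/lib/softhsm/tokens named in the log) and then checks that the directory exists, is enumerable by the user running the check, and actually holds a token. The default config path /etc/ipa/dnssec/softhsm2.conf, the use of the SOFTHSM2_CONF environment variable, and the assumption that FreeIPA's tokens live under /var/lib/ipa/dnssec/tokens (the path the poster moved aside) are assumptions stated in the comments; adjust them to the host.

```shell
#!/bin/sh
# Added diagnostic for a named-pkcs11 / SoftHSM "could not load the object
# store" failure. Not code from the mailing-list thread, FreeIPA or SoftHSM.
#
# Assumptions (adjust for your host):
#   - SoftHSM selects its token directory from a softhsm2.conf line
#       directories.tokendir = /path/to/tokens
#     and falls back to /var/lib/softhsm/tokens when no such line is found.
#   - FreeIPA keeps its DNSSEC token store under /var/lib/ipa/dnssec/tokens
#     and points named-pkcs11 at it through SOFTHSM2_CONF; the config path
#     /etc/ipa/dnssec/softhsm2.conf below is a hypothetical default.

DEFAULT_TOKENDIR=/var/lib/softhsm/tokens

# Print the token directory a given softhsm2.conf selects, or the default
# when the file is unreadable or has no directories.tokendir line.
softhsm_tokendir() {
    conf=$1
    if [ -r "$conf" ]; then
        dir=$(sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        if [ -n "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    fi
    printf '%s\n' "$DEFAULT_TOKENDIR"
}

# Exit status: 0 = usable store holding at least one token,
#              1 = directory missing or not enumerable by the current user,
#              2 = enumerable but empty (nothing for BIND to open).
check_token_store() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "FAIL: token store $dir does not exist"
        return 1
    fi
    # Listing the store needs read and search permission on the directory.
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: $(id -un) cannot enumerate $dir ($(ls -ld "$dir"))"
        return 1
    fi
    # SoftHSM v2 stores each token as a subdirectory of the token directory.
    ntok=0
    for t in "$dir"/*/; do
        [ -d "$t" ] && ntok=$((ntok + 1))
    done
    if [ "$ntok" -eq 0 ]; then
        echo "WARN: $dir is readable but contains no token"
        return 2
    fi
    echo "OK: $dir holds $ntok token(s)"
    return 0
}

# Resolve the config the service would use (explicit argument, then
# SOFTHSM2_CONF, then the assumed FreeIPA path) and check its token store.
diagnose() {
    conf=${1:-${SOFTHSM2_CONF:-/etc/ipa/dnssec/softhsm2.conf}}
    dir=$(softhsm_tokendir "$conf")
    echo "softhsm2.conf: $conf -> tokendir: $dir"
    check_token_store "$dir"
}

# Run the diagnosis only when a config path is passed on the command line,
# so the functions can also be sourced from another script.
if [ $# -gt 0 ]; then
    diagnose "$1"
fi
```

Run it as the service account (for example `sudo -u named sh check-tokens.sh /etc/ipa/dnssec/softhsm2.conf`) so the permission test reflects what named-pkcs11 sees rather than what root sees; a FAIL on a store that root can list is the classic ownership mismatch after a token directory has been moved aside and recreated, while a tokendir that resolves to /var/lib/softhsm/tokens on an IPA server means the service is not being started with the IPA-specific SoftHSM configuration at all.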