<div dir="ltr">Hello Martin,<div><br></div><div>It works perfectly again!</div><div><br></div><div>Note: I noticed in <span style="font-size:13px;font-family:arial,sans-serif">/var/log/ipaserver-install.</span><span style="font-size:13px;font-family:arial,sans-serif">log that ipa-dns-install</span><span style="font-family:arial,sans-serif;font-size:13px"> failed because 389 wasn't started (failed to connect). Once it was started manually, ipa-dns-install worked fine.</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Thanks a lot Martin,</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">-- john</span></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-27 20:40 GMT+01:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 27/10/14 20:34, John Obaterspok
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">hmm... Could not connect to the Directory Server
<div><br>
</div>
<div>So I started it with start-dirsrv since "systemctl start
ipa" failed. Then it was a breeze, ipa-dns-install worked
fine.</div>
<div><br>
</div>
<div>
<div># systemctl --failed</div>
<div>0 loaded units listed.</div>
</div>
</div>
</blockquote></span>
I'm lost, does IPA work or not?<br>
are all services running? (ipactl status)<br>
are tokens created in /var/lib/ipa/dnssec/tokens<br>
can you dig records from IPA DNS?<br>
<br>
Martin^2<div><div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>I haven't verified that it works, but I feel confident :)</div>
<div><br>
</div>
<div>-- john</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27 20:09 GMT+01:00 Martin Basti
<span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 27/10/14 19:57, John Obaterspok wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Martin,
<div><br>
</div>
<div>Still no go.</div>
<div><br>
</div>
<div>I installed the softhsm-devel package (that
only contains header files), removed the token
directory, reinstalled the bind &
bind-pkcs11, did ipa-dns-install that completed
ok (I guess):</div>
<div><br>
</div>
<div>
<div>To accept the default shown in brackets,
press the Enter key.</div>
<div><br>
</div>
<div>Existing BIND configuration detected,
overwrite? [no]: yes</div>
<div>Directory Manager password:</div>
</div>
<div><br>
</div>
<div># ipa-upgradeconfig</div>
<div>[Verifying that root certificate is
published]</div>
<div><b><font color="#cc0000">Failed to backup
CS.cfg: no magic attribute 'dogtag'</font></b></div>
<div>[Migrate CRL publish directory]</div>
<div>CRL tree already moved</div>
<div>[Verifying that CA proxy configuration is
correct]</div>
<div>[Verifying that KDC configuration is using
ipa-kdb backend]</div>
<div>[Fixing trust flags in /etc/httpd/alias]</div>
<div>Trust flags already processed</div>
<div>[Fix DS schema file syntax]</div>
<div>Syntax already fixed</div>
<div>[Removing RA cert from DS NSS database]</div>
<div>RA cert already removed</div>
<div>[Removing self-signed CA]</div>
<div>[Checking for deprecated KDC configuration
files]</div>
<div>[Checking for deprecated backups of Samba
configuration files]</div>
<div>[Setting up Firefox extension]</div>
<div>[Add missing CA DNS records]</div>
<div>IPA CA DNS records already processed</div>
<div>[Removing deprecated DNS configuration
options]</div>
<div>[Ensuring minimal number of connections]</div>
<div>[Enabling serial autoincrement in DNS]</div>
<div>[Updating GSSAPI configuration in DNS]</div>
<div>[Updating pid-file configuration in DNS]</div>
<div>[Masking named]</div>
<div>Changes to named.conf have been made, restart
named</div>
<div><b><font color="#cc0000">Failed to restart
named: Command ''/bin/systemctl' 'restart'
'named-pkcs11.service'' returned non-zero
exit status 1</font></b></div>
<div>[Verifying that CA service certificate
profile is updated]</div>
<div>[Update certmonger certificate renewal
configuration to version 2]</div>
<div>[Enable PKIX certificate path discovery and
validation]</div>
<div>PKIX already enabled</div>
<div>The ipa-upgradeconfig command was successful</div>
<div><br>
</div>
<div><br>
</div>
<div># systemctl restart named-pkcs11 &&
journalctl -xn</div>
<div>
<div>19:38:54 named-pkcs11[838]:
ObjectStore.cpp(59): Failed to enumerate
object store in /var/lib/ipa/dnssec/tokens</div>
<div>19:38:54 named-pkcs11[838]:
SoftHSM.cpp(437): Could not load the object
store</div>
<div>19:38:54 named-pkcs11[838]: initializing
DST: PKCS#11 initialization failed</div>
<div>19:38:54 named-pkcs11[838]: exiting (due to
fatal error)</div>
<div>19:38:54 systemd[1]: named-pkcs11.service:
control process exited, code=exited status=1</div>
<div>19:38:54 systemd[1]: Failed to start
Berkeley Internet Name Domain (DNS) with
native PKCS#11.</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>It seems the problem is now there are no
tokens:</div>
<div>
<div># ll /var/lib/ipa/dnssec/</div>
<div>total 4.0K</div>
<div>-rwxrwx---. 1 ods named 30 Oct 26 10:35
softhsm_pin</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
This is interesting, ipa-dns-install should detect a missing
directory and create a new one.<br>
Could you send me the tail of /var/log/ipaserver-install.log,
where the DNS debug lines are?<br>
<br>
Martin^2
<div>
<div><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Any ideas?</div>
<div><br>
</div>
<div>-- john</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27 19:05
GMT+01:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<div>On 27/10/14 18:53, John Obaterspok
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27
12:19 GMT+01:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
<div>On 26/10/14 21:39,
John Obaterspok wrote:<br>
</div>
</span>
<blockquote type="cite">
<div dir="ltr"><span>Hi,
<div><br>
</div>
<div>I
enabled mkosek-freeipa
repo for F20 and
updated
freeipa-server from
3.3.5 to 4.1. The
yum update reported
just a single error:</div>
<div><br>
</div>
<div>Could not load
host key:
/etc/ssh/ssh_host_dsa_key</div>
<div><br>
</div>
<div>After reboot I
had 3 services that
failed to start:</div>
<div>ipa, kadmin,
named-pkcs11<br>
</div>
<div><br>
</div>
<div>Doing "strace -f
named-pkcs11 -u
named -f -g" I can
see:</div>
<div>
<div>
"/var/lib/softhsm/tokens/"
=> -1 EACCES
(Permission
denied)</div>
<div> initializing
DST: PKCS#11
initialization
failed</div>
<div> exiting (due
to fatal error)</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div>For kadmin the
error is due to not
being able to
connect to sldap</div>
<div><br>
</div>
</span>
<div>I noticed that
softhsm2-util
--show-slots reported
"ERROR: Could not
initialize the
library." But that
seemed to be because
wasn't part of the
update. After that I
could show the default
slot and then I
manually called
following (as root):</div>
<span>
<div><br>
</div>
<div>"/usr/bin/softhsm2-util
--init-token --slot
0 --label ipaDNSSEC
--pin XXXXXXXX
--so-pin XXXXXXXX"<br>
</div>
<div><br>
</div>
<div>But the problems
won't go away. Any
clues?</div>
<div><br>
</div>
<div>-- john</div>
<div><br>
</div>
<div><br>
</div>
</span></div>
<br>
<br>
</blockquote>
Hello, <br>
<br>
1)<br>
can you share your
/var/log/ipaupgrade.log ?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Unfortunately I removed the
original ipaupgrade.log file
when I did a retry to install
freeipa-server. The current
ipaupgrade.log has two errors:</div>
<div>First)</div>
<div><br>
</div>
<div>
<div>2014-10-26T12:45:15Z
DEBUG Live 1, updated 1</div>
<div>2014-10-26T12:45:15Z
DEBUG Unhandled LDAPError:
OPERATIONS_ERROR: {'desc':
'Operations error'}</div>
<div>2014-10-26T12:45:15Z
ERROR Update failed:
Operations error:</div>
<div>2014-10-26T12:45:15Z INFO
Updating existing entry:
cn=MemberOf
Plugin,cn=plugins,cn=config</div>
<div>2014-10-26T12:45:15Z
DEBUG
---------------------------------------------</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
Is there some information about the entry which
is updated above?
<div>
<div><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Second) It complains about
not being able to start
named-pkcs11 service.</div>
<div> </div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> 2)<br>
your issue with softhsm can
be caused by a missing
environment variable<br>
IPA internally uses <br>
<br>
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
<br>
please try
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
softhsm2-util --show-slots,
and let me know if it works<br>
<br>
same with named-pkcs11,<br>
<br>
</div>
</blockquote>
<div><br>
</div>
<div>The filestamps for
softhsm_pin & tokens match
the time I did the original
update</div>
<div><br>
</div>
<div>
<div># ll /var/lib/ipa/dnssec/</div>
<div>-rwxrwx---. 1 ods named
30 Oct 26 10:35 softhsm_pin</div>
<div>drwxrws---. 2 ods named
4.0K Oct 26 10:35 tokens</div>
<div><br>
</div>
<div># ll
/var/lib/ipa/dnssec/tokens/</div>
<div>total 0</div>
<div><br>
</div>
<div>#
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
softhsm2-util --show-slots</div>
<div>Available slots:</div>
<div>Slot 0</div>
<div> Slot info:</div>
<div> Description:
SoftHSM slot 0</div>
<div> Manufacturer ID:
SoftHSM project</div>
<div> Hardware version:
2.0</div>
<div> Firmware version:
2.0</div>
<div> Token present:
yes</div>
<div> Token info:</div>
<div> Manufacturer ID:
SoftHSM project</div>
<div> Model:
SoftHSM v2</div>
<div> Hardware version:
2.0</div>
<div> Firmware version:
2.0</div>
<div> Serial number:</div>
<div> Initialized:
no</div>
<div> User PIN init.:
no</div>
<div> Label:</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
Slot was not initialized by IPA<span><br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> 3)<br>
can you share journalctl -u
named-pkcs11 output?<br>
</div>
</blockquote>
<div><br>
</div>
<div>
<div>10:35:48 systemd[1]:
named-pkcs11.service: control
process exited, code=exited
status=1</div>
<div>10:35:48 systemd[1]: Failed
to start Berkeley Internet
Name Domain (DNS) with native
PKCS#11.</div>
<div>10:35:48 systemd[1]: Unit
named-pkcs11.service entered
failed state.</div>
<div>10:35:48 systemd[1]:
Stopped Berkeley Internet Name
Domain (DNS) with native
PKCS#11.</div>
<div>-- Reboot --</div>
<div>10:58:05
named-pkcs11[1496]:
initializing DST: no PKCS#11
provider</div>
<div>10:58:05
named-pkcs11[1496]: exiting
(due to fatal error)</div>
<div>10:58:05 systemd[1]:
named-pkcs11.service: control
process exited, code=exited
status=1</div>
<div>10:58:05 systemd[1]: Failed
to start Berkeley Internet
Name Domain (DNS) with native
PKCS#11.</div>
<div>10:58:05 systemd[1]: Unit
named-pkcs11.service entered
failed state.</div>
<div>10:58:05 systemd[1]:
Stopped Berkeley Internet Name
Domain (DNS) with native
PKCS#11.</div>
<div><br>
</div>
<div>... After some fiddling a
restart says this:</div>
<div><br>
</div>
<div>19:26:21
named-pkcs11[8807]: sha1.c:92:
fatal error:</div>
<div>19:26:21
named-pkcs11[8807]:
RUNTIME_CHECK(pk11_get_session(ctx,
OP_DIGEST, isc_boolean_true,
isc_boolean_false, isc_bo</div>
<div>19:26:21
named-pkcs11[8807]: exiting
(due to fatal error in
library)</div>
<div>19:26:21 systemd[1]:
named-pkcs11.service: control
process exited, code=exited
status=1</div>
<div>19:26:21 systemd[1]: Failed
to start Berkeley Internet
Name Domain (DNS) with native
PKCS#11.</div>
<div>19:26:21 systemd[1]: Unit
named-pkcs11.service entered
failed state. </div>
</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> 4)<br>
I'm not aware that we need
krb5-libs/openssl; I was
getting this error if the tokens
directory doesn't exist, but
IPA uses its own configuration
(see 2), not the default.<br>
</div>
</blockquote>
<div><br>
</div>
<div> ok</div>
</div>
</div>
</div>
</blockquote>
<br>
</span> I took a deeper look, and I found
some packaging errors with softhsm.<br>
You were right about the missing dependency.<br>
<br>
Please install softhsm-devel package, remove
/var/lib/ipa/dnssec/tokens directory, then
reinstall DNS, ipa-dns-install (requires
running directory server)<br>
<br>
Or if you have snapshot, install
softhsm-devel before upgrading ipa<br>
<br>
HTH<br>
Martin^2<span><font color="#888888"><br>
<br>
<pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div>
</div>
<span><font color="#888888">
<pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote></div><br></div>
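The two states Martin asks John to verify above (an uninitialized SoftHSM slot, and an empty or missing /var/lib/ipa/dnssec/tokens directory) can be checked with this small script. It is an added example, not code from the thread or from FreeIPA; the paths and the SOFTHSM2_CONF value are the ones quoted in the thread, and the sample output is a constructed copy of John's paste.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the two states Martin asks
# John to verify. Paths and the SOFTHSM2_CONF value are the ones named in
# the thread; the sample text below is a constructed copy of John's output.
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
export SOFTHSM2_CONF
TOKEN_DIR=/var/lib/ipa/dnssec/tokens

# Read `softhsm2-util --show-slots` text on stdin; print "<slot> <init> <label>"
# per slot ("-" when the label is empty, "?" when no Initialized line appears).
parse_slots() {
  awk '
    function emit() { print slot, init, label }
    /^Slot [0-9]+/ { if (slot != "") emit(); slot = $2; init = "?"; label = "-" }
    /Initialized:/ { init = $NF }
    /Label:/       { sub(/^[ \t]*Label:[ \t]*/, ""); if ($0 != "") label = $0 }
    END            { if (slot != "") emit() }
  '
}

# 0 when every listed slot is initialized; otherwise list the offenders, 1.
slots_ok() {
  bad=$(parse_slots | awk '$2 != "yes" { print "slot " $1 ": not initialized (label " $3 ")" }')
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# 0 when the token directory exists and holds something; an empty directory
# is exactly what produced "Failed to enumerate object store" in the thread.
token_dir_ok() {
  dir=${1:-$TOKEN_DIR}
  [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
  [ -n "$(ls -A "$dir")" ] || { echo "$dir: empty, no token files"; return 1; }
  return 0
}

# Constructed sample in the shape of John's paste (uninitialized slot 0).
SAMPLE='Available slots:
Slot 0
    Slot info:
        Token present:    yes
    Token info:
        Initialized:      no
        User PIN init.:   no
        Label:
'
```

On a server, feed the real output: `softhsm2-util --show-slots | slots_ok; token_dir_ok`.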