<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 27/10/14 19:57, John Obaterspok
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAOscVdKD=n3vDf1ms4V7zOA3-O8D2QsB2X01XQ8Xj5q5gTM-pg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hello Martin,
        <div><br>
        </div>
        <div>Still no go.</div>
        <div><br>
        </div>
        <div>I installed the softhsm-devel package (that only contains
          header files), removed the token directory, reinstalled the
          bind & bind-pkcs11, did ipa-dns-install that completed ok
          (I guess):</div>
        <div><br>
        </div>
        <div>
          <div>To accept the default shown in brackets, press the Enter
            key.</div>
          <div><br>
          </div>
          <div>Existing BIND configuration detected, overwrite? [no]:
            yes</div>
          <div>Directory Manager password:</div>
        </div>
        <div><br>
        </div>
        <div># ipa-upgradeconfig</div>
        <div>[Verifying that root certificate is published]</div>
        <div><b><font color="#cc0000">Failed to backup CS.cfg: no magic
              attribute 'dogtag'</font></b></div>
        <div>[Migrate CRL publish directory]</div>
        <div>CRL tree already moved</div>
        <div>[Verifying that CA proxy configuration is correct]</div>
        <div>[Verifying that KDC configuration is using ipa-kdb backend]</div>
        <div>[Fixing trust flags in /etc/httpd/alias]</div>
        <div>Trust flags already processed</div>
        <div>[Fix DS schema file syntax]</div>
        <div>Syntax already fixed</div>
        <div>[Removing RA cert from DS NSS database]</div>
        <div>RA cert already removed</div>
        <div>[Removing self-signed CA]</div>
        <div>[Checking for deprecated KDC configuration files]</div>
        <div>[Checking for deprecated backups of Samba configuration
          files]</div>
        <div>[Setting up Firefox extension]</div>
        <div>[Add missing CA DNS records]</div>
        <div>IPA CA DNS records already processed</div>
        <div>[Removing deprecated DNS configuration options]</div>
        <div>[Ensuring minimal number of connections]</div>
        <div>[Enabling serial autoincrement in DNS]</div>
        <div>[Updating GSSAPI configuration in DNS]</div>
        <div>[Updating pid-file configuration in DNS]</div>
        <div>[Masking named]</div>
        <div>Changes to named.conf have been made, restart named</div>
        <div><b><font color="#cc0000">Failed to restart named: Command
              ''/bin/systemctl' 'restart' 'named-pkcs11.service''
              returned non-zero exit status 1</font></b></div>
        <div>[Verifying that CA service certificate profile is updated]</div>
        <div>[Update certmonger certificate renewal configuration to
          version 2]</div>
        <div>[Enable PKIX certificate path discovery and validation]</div>
        <div>PKIX already enabled</div>
        <div>The ipa-upgradeconfig command was successful</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div># systemctl restart named-pkcs11 && journalctl -xn</div>
        <div>
          <div>19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed
            to enumerate object store in /var/lib/ipa/dnssec/tokens</div>
          <div>19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not
            load the object store</div>
          <div>19:38:54 named-pkcs11[838]: initializing DST: PKCS#11
            initialization failed</div>
          <div>19:38:54 named-pkcs11[838]: exiting (due to fatal error)</div>
          <div>19:38:54 systemd[1]: named-pkcs11.service: control
            process exited, code=exited status=1</div>
          <div>19:38:54 systemd[1]: Failed to start Berkeley Internet
            Name Domain (DNS) with native PKCS#11.</div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>It seems the problem is now there are no tokens:</div>
        <div>
          <div># ll /var/lib/ipa/dnssec/</div>
          <div>total 4.0K</div>
          <div>-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin</div>
        </div>
      </div>
    </blockquote>
    <br>
    This is interesting; ipa-dns-install should detect a missing directory
    and create a new one.<br>
    Could you send me the tail of /var/log/ipaserver-install.log, where the DNS
    debug lines are?<br>
    <br>
    Martin^2<br>
    <blockquote
cite="mid:CAOscVdKD=n3vDf1ms4V7zOA3-O8D2QsB2X01XQ8Xj5q5gTM-pg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>Any ideas?</div>
        <div><br>
        </div>
        <div>-- john</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2014-10-27 19:05 GMT+01:00 Martin Basti
          <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div class="h5">
                  <div>On 27/10/14 18:53, John Obaterspok wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr"><br>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">2014-10-27 12:19
                          GMT+01:00 Martin Basti <span dir="ltr"><<a
                              moz-do-not-send="true"
                              href="mailto:mbasti@redhat.com"
                              target="_blank">mbasti@redhat.com</a>></span>:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                            <div bgcolor="#FFFFFF" text="#000000"><span>
                                <div>On 26/10/14 21:39, John Obaterspok
                                  wrote:<br>
                                </div>
                              </span>
                              <blockquote type="cite">
                                <div dir="ltr"><span>Hi,
                                    <div><br>
                                    </div>
                                    <div>I enabled mkosek-freeipa repo
                                      for F20 and updated freeipa-server
                                      from 3.3.5 to 4.1. The yum update
                                      reported just a single error:</div>
                                    <div><br>
                                    </div>
                                    <div>Could not load host key:
                                      /etc/ssh/ssh_host_dsa_key</div>
                                    <div><br>
                                    </div>
                                    <div>After reboot I had 3 services
                                      that failed to start:</div>
                                    <div>ipa, kadmin, named-pkcs11<br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>Doing "strace -f named-pkcs11
                                      -u named -f -g" I can see:</div>
                                    <div>
                                      <div>   "/var/lib/softhsm/tokens/"
                                        => -1 EACCES (Permission
                                        denied)</div>
                                      <div>   initializing DST: PKCS#11
                                        initialization failed</div>
                                      <div>   exiting (due to fatal
                                        error)</div>
                                      <div><br>
                                      </div>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>For kadmin the error is due to
                                      not being able to connect to sldap</div>
                                    <div><br>
                                    </div>
                                  </span>
                                  <div>I noticed that softhsm2-util
                                    --show-slots reported "ERROR: Could
                                    not initialize the library." But
                                    that seemed to be because   wasn't
                                    part of the update. After that I
                                    could show the default slot and then
                                    I manually called following (as
                                    root):</div>
                                  <span>
                                    <div><br>
                                    </div>
                                    <div>"/usr/bin/softhsm2-util
                                      --init-token --slot 0 --label
                                      ipaDNSSEC --pin XXXXXXXX --so-pin
                                      XXXXXXXX"<br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>But the problems won't go away.
                                      Any clues?</div>
                                    <div><br>
                                    </div>
                                    <div>-- john</div>
                                    <div><br>
                                    </div>
                                    <div><br>
                                    </div>
                                  </span></div>
                                <br>
                                <fieldset></fieldset>
                                <br>
                              </blockquote>
                              Hello, <br>
                              <br>
                              1)<br>
                              can you share your /var/log/ipaupgrade.log
                              ?<br>
                            </div>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>Unfortunately I removed the original
                            ipaupgrade.log file when I did a retry to
                            install freeipa-server. The current
                            ipaupgrade.log has two errors:</div>
                          <div>First)</div>
                          <div><br>
                          </div>
                          <div>
                            <div>2014-10-26T12:45:15Z DEBUG Live 1,
                              updated 1</div>
                            <div>2014-10-26T12:45:15Z DEBUG Unhandled
                              LDAPError: OPERATIONS_ERROR: {'desc':
                              'Operations error'}</div>
                            <div>2014-10-26T12:45:15Z ERROR Update
                              failed: Operations error:</div>
                            <div>2014-10-26T12:45:15Z INFO Updating
                              existing entry: cn=MemberOf
                              Plugin,cn=plugins,cn=config</div>
                            <div>2014-10-26T12:45:15Z DEBUG
                              ---------------------------------------------</div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
              Is there some information about the entry which is updated
              above?
              <div>
                <div class="h5"><br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_extra">
                        <div class="gmail_quote">
                          <div><br>
                          </div>
                          <div>Second) It complains about not being able
                            to start named-pkcs11 service.</div>
                          <div> </div>
                          <div> </div>
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                            <div bgcolor="#FFFFFF" text="#000000"> 2)<br>
                              your issue with softhsm can be caused by a
                              missing environment variable<br>
                              IPA internally uses <br>
                              <br>
                              SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
                              <br>
                              please try
                              SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
                              softhsm2-util --show-slots, and let me
                              know if it works<br>
                              <br>
                              same with named-pkcs11,<br>
                              <br>
                            </div>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>The timestamps for softhsm_pin &
                            tokens match the time I did the original
                            update</div>
                          <div><br>
                          </div>
                          <div>
                            <div># ll /var/lib/ipa/dnssec/</div>
                            <div>-rwxrwx---. 1 ods named   30 Oct 26
                              10:35 softhsm_pin</div>
                            <div>drwxrws---. 2 ods named 4.0K Oct 26
                              10:35 tokens</div>
                            <div><br>
                            </div>
                            <div># ll /var/lib/ipa/dnssec/tokens/</div>
                            <div>total 0</div>
                            <div><br>
                            </div>
                            <div>#
                              SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
                              softhsm2-util --show-slots</div>
                            <div>Available slots:</div>
                            <div>Slot 0</div>
                            <div>    Slot info:</div>
                            <div>        Description:      SoftHSM slot
                              0</div>
                            <div>        Manufacturer ID:  SoftHSM
                              project</div>
                            <div>        Hardware version: 2.0</div>
                            <div>        Firmware version: 2.0</div>
                            <div>        Token present:    yes</div>
                            <div>    Token info:</div>
                            <div>        Manufacturer ID:  SoftHSM
                              project</div>
                            <div>        Model:            SoftHSM v2</div>
                            <div>        Hardware version: 2.0</div>
                            <div>        Firmware version: 2.0</div>
                            <div>        Serial number:</div>
                            <div>        Initialized:      no</div>
                            <div>        User PIN init.:   no</div>
                            <div>        Label:</div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
              Slot was not initialized by IPA<span class=""><br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div class="gmail_extra">
                      <div class="gmail_quote">
                        <div><br>
                        </div>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"> 3)<br>
                            can you share journalctl -u named-pkcs11
                            output?<br>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>
                          <div>10:35:48 systemd[1]:
                            named-pkcs11.service: control process
                            exited, code=exited status=1</div>
                          <div>10:35:48 systemd[1]: Failed to start
                            Berkeley Internet Name Domain (DNS) with
                            native PKCS#11.</div>
                          <div>10:35:48 systemd[1]: Unit
                            named-pkcs11.service entered failed state.</div>
                          <div>10:35:48 systemd[1]: Stopped Berkeley
                            Internet Name Domain (DNS) with native
                            PKCS#11.</div>
                          <div>-- Reboot --</div>
                          <div>10:58:05 named-pkcs11[1496]: initializing
                            DST: no PKCS#11 provider</div>
                          <div>10:58:05 named-pkcs11[1496]: exiting (due
                            to fatal error)</div>
                          <div>10:58:05 systemd[1]:
                            named-pkcs11.service: control process
                            exited, code=exited status=1</div>
                          <div>10:58:05 systemd[1]: Failed to start
                            Berkeley Internet Name Domain (DNS) with
                            native PKCS#11.</div>
                          <div>10:58:05 systemd[1]: Unit
                            named-pkcs11.service entered failed state.</div>
                          <div>10:58:05 systemd[1]: Stopped Berkeley
                            Internet Name Domain (DNS) with native
                            PKCS#11.</div>
                          <div><br>
                          </div>
                          <div>... After some fiddling a restart says
                            this:</div>
                          <div><br>
                          </div>
                          <div>19:26:21 named-pkcs11[8807]: sha1.c:92:
                            fatal error:</div>
                          <div>19:26:21 named-pkcs11[8807]:
                            RUNTIME_CHECK(pk11_get_session(ctx,
                            OP_DIGEST, isc_boolean_true,
                            isc_boolean_false, isc_bo</div>
                          <div>19:26:21 named-pkcs11[8807]: exiting (due
                            to fatal error in library)</div>
                          <div>19:26:21 systemd[1]:
                            named-pkcs11.service: control process
                            exited, code=exited status=1</div>
                          <div>19:26:21 systemd[1]: Failed to start
                            Berkeley Internet Name Domain (DNS) with
                            native PKCS#11.</div>
                          <div>19:26:21 systemd[1]: Unit
                            named-pkcs11.service entered failed state. </div>
                        </div>
                        <div><br>
                        </div>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"> 4)<br>
                            I'm not aware that we need
                            krb5-libs/openssl; I was getting this error
                            if the tokens directory doesn't exist, but IPA
                            uses its own configuration (see 2), not the default.<br>
                          </div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div> ok</div>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </span> I took a deeper look, and I found some
              packaging errors with softhsm there.<br>
              You were right about the missing dependency.<br>
              <br>
              Please install the softhsm-devel package, remove the
              /var/lib/ipa/dnssec/tokens directory, then reinstall DNS with
              ipa-dns-install (requires a running directory server)<br>
              <br>
              Or if you have snapshot, install softhsm-devel before
              upgrading ipa<br>
              <br>
              HTH<br>
              Martin^2<span class="HOEnZb"><font color="#888888"><br>
                  <br>
                  <pre cols="72">-- 
Martin Basti</pre>
                </font></span></div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
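<p>The thread above boils down to three checks on the named-pkcs11 / SoftHSM setup: does softhsm2-util, run with IPA's own SOFTHSM2_CONF, see a token at all; is that token initialized with a user PIN; and does the token store directory exist with permissions that keep the DNSSEC private keys away from other users. The script below is an added example written for this page by the editor; it is not FreeIPA code and was not posted in the thread. It takes the paths and the softhsm2-util output as arguments so it can be exercised on constructed input, and assumes only what the thread shows: the config at /etc/ipa/dnssec/softhsm2.conf, the store at /var/lib/ipa/dnssec/tokens, the PIN file /var/lib/ipa/dnssec/softhsm_pin, and the softhsm2-util --show-slots output format quoted by John. The state names (library, none, uninitialized, nopin, ok, missing, too-open) are this script's own.</p>

```shell
#!/bin/sh
# Diagnostic for the named-pkcs11 / SoftHSM token state discussed in the thread.
# Added example by the editor, not FreeIPA code. Paths are assumptions taken
# from the mail (IPA's softhsm2.conf, tokens dir and PIN file).

# token_state: read `softhsm2-util --show-slots` output on stdin and classify it.
#   library       - softhsm could not load its config/object store at all
#                   (in the thread: SOFTHSM2_CONF not pointing at IPA's config)
#   none          - no slot reports a present token
#   uninitialized - token present but never initialized (John's state above)
#   nopin         - token initialized but user PIN not set
#   ok            - token usable by named-pkcs11
# Single-slot setup assumed, as in the thread.
token_state() {
    out=$(cat)
    case "$out" in
        *"Could not initialize the library"*) echo library; return 1 ;;
    esac
    if ! printf '%s\n' "$out" | grep -q 'Token present: *yes'; then
        echo none; return 1
    fi
    if printf '%s\n' "$out" | grep -q 'Initialized: *no'; then
        echo uninitialized; return 1
    fi
    if printf '%s\n' "$out" | grep -q 'User PIN init\.: *no'; then
        echo nopin; return 1
    fi
    echo ok
}

# check_token_dir DIR PINFILE: the SoftHSM object store holds the DNSSEC
# private keys and the PIN file unlocks them, so neither may be readable by
# "other". The thread shows the intended layout: owner ods, group named,
# no permissions for others. Prints "ok", "missing: ..." or "too-open: ...".
check_token_dir() {
    dir=$1; pin=$2
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (SoftHSM cannot enumerate the object store; named-pkcs11 exits)"
        return 1
    fi
    # columns 8-10 of `ls -ld` are the "other" rwx triple (portable across ls flavours)
    other=$(ls -ld "$dir" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "too-open: $dir grants others '$other'"
        return 1
    fi
    if [ ! -f "$pin" ]; then
        echo "missing: $pin"
        return 1
    fi
    other=$(ls -ld "$pin" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "too-open: $pin grants others '$other'"
        return 1
    fi
    echo ok
}

# diagnose_live: run the real checks on an IPA server (needs root to read the store).
diagnose_live() {
    conf=/etc/ipa/dnssec/softhsm2.conf
    echo "token: $(SOFTHSM2_CONF=$conf softhsm2-util --show-slots 2>&1 | token_state)"
    echo "store: $(check_token_dir /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/softhsm_pin)"
}

# Only touch the live system when explicitly asked: `sh check-dnssec-token.sh --live`
if [ "${1:-}" = "--live" ]; then
    diagnose_live
fi
```

<p>Run with <code>--live</code> on the server as root. In the situation from the thread the script reports <code>token: uninitialized</code> before ipa-dns-install is re-run, and <code>store: missing: /var/lib/ipa/dnssec/tokens ...</code> once the directory has been removed, which is exactly the "Failed to enumerate object store" condition in the journal output. A <code>library</code> result with the SOFTHSM2_CONF variable unset reproduces the "Could not initialize the library" error John saw, and is the reason Martin asks for the variable to be set before testing.</p>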
  </body>
</html>