<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Running into the same thing, but running
ipa-dns-install does not complete:<br>
<br>
=============================<br>
Configuring DNS (named)<br>
[1/8]: generating rndc key file<br>
WARNING: Your system is running out of entropy, you may experience
long delays<br>
[2/8]: setting up our own record<br>
[3/8]: adding NS record to the zones<br>
[4/8]: setting up CA record<br>
[5/8]: setting up kerberos principal<br>
[6/8]: setting up named.conf<br>
[7/8]: configuring named to start on boot<br>
[8/8]: changing resolv.conf to point to ourselves<br>
Done configuring DNS (named).<br>
Configuring DNS key synchronization service (ipa-dnskeysyncd)<br>
[1/6]: checking status<br>
[2/6]: setting up kerberos principal<br>
[3/6]: setting up SoftHSM<br>
[4/6]: adding DNSSEC containers<br>
[5/6]: creating replica keys<br>
[error] DuplicateEntry: This entry already exists<br>
Unexpected error - see /var/log/ipaserver-install.log for details:<br>
DuplicateEntry: This entry already exists<br>
=============================<br>
<br>
Looking into the /var/log/ipaserver-install.log gets:<br>
=============================<br>
2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com<br>
2014-10-28T05:01:24Z DEBUG flushing
<a class="moz-txt-link-freetext" href="ldap://infra-dc-01.my.domain.com:389">ldap://infra-dc-01.my.domain.com:389</a> from SchemaCache<br>
2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
url=<a class="moz-txt-link-freetext" href="ldap://infra-dc-01.my.domain.com:389">ldap://infra-dc-01.my.domain.com:389</a>
conn=&lt;ldap.ldapobject.SimpleLDAPObject instance at
0x47d0d88&gt;<br>
2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation<br>
    run_step(full_msg, method)<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step<br>
    method()<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys<br>
    ldap.add_entry(entry)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry<br>
    self.conn.add_s(entry.dn, attrs.items())<br>
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__<br>
    self.gen.throw(type, value, traceback)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler<br>
    raise errors.DuplicateEntry()<br>
DuplicateEntry: This entry already exists<br>
<br>
2014-10-28T05:01:24Z DEBUG [error] DuplicateEntry: This entry
already exists<br>
2014-10-28T05:01:24Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script<br>
    return_value = main_function()<br>
  File "/sbin/ipa-dns-install", line 218, in main<br>
    dnskeysyncd.create_instance(api.env.host, api.env.realm)<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 128, in create_instance<br>
    self.start_creation()<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation<br>
    run_step(full_msg, method)<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step<br>
    method()<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys<br>
    ldap.add_entry(entry)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry<br>
    self.conn.add_s(entry.dn, attrs.items())<br>
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__<br>
    self.gen.throw(type, value, traceback)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler<br>
    raise errors.DuplicateEntry()<br>
2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
exception: DuplicateEntry: This entry already exists<br>
<br>
<br>
-M<br>
<br>
On 10/27/14, 12:52 PM, Martin Basti wrote:<br>
</div>
<blockquote cite="mid:544EA28B.5050402@redhat.com" type="cite">
<div class="moz-cite-prefix">On 27/10/14 20:50, John Obaterspok
wrote:<br>
</div>
<blockquote
cite="mid:CAOscVdK5F-dk7Sw+HE+hzdNZNsLbOmzrVbcJCeo8viR-tnwCsA@mail.gmail.com"
type="cite">
<div dir="ltr">Hello Martin,
<div><br>
</div>
<div>It works perfectly again!</div>
<div><br>
</div>
<div>Note: I noticed in /var/log/ipaserver-install.log that
ipa-dns-install failed because 389 wasn't started (failed to
connect). Once it was started manually, ipa-dns-install
worked fine.</div>
<div><span><br>
</span></div>
<div><span>Thanks a lot Martin,</span></div>
<div><span><br>
</span></div>
<div><span>-- john</span></div>
<div><br>
</div>
</div>
</blockquote>
You are welcome :-)<br>
<br>
<blockquote
cite="mid:CAOscVdK5F-dk7Sw+HE+hzdNZNsLbOmzrVbcJCeo8viR-tnwCsA@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27 20:40 GMT+01:00 Martin
Basti <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote">
<div><span class="">
<div>On 27/10/14 20:34, John Obaterspok wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">hmm... Could not connect to the
Directory Server
<div><br>
</div>
<div>So I started it with start-dirsrv since
"systemctl start ipa" failed. Then it was a
breeze, ipa-dns-install worked fine.</div>
<div><br>
</div>
<div>
<div># systemctl --failed</div>
<div>0 loaded units listed.</div>
</div>
</div>
</blockquote>
</span> I'm lost, does IPA work or not?<br>
Are all services running? (ipactl status)<br>
Are tokens created in /var/lib/ipa/dnssec/tokens?<br>
Can you dig records from IPA DNS?<br>
<br>
Martin^2
<div>
<div class="h5"><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>I haven't verified that it works, but I
feel confident :)</div>
<div><br>
</div>
<div>-- john</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27 20:09
GMT+01:00 Martin Basti <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com"
target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote">
<div>
<div>
<div>
<div>On 27/10/14 19:57, John
Obaterspok wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Martin,
<div><br>
</div>
<div>Still no go.</div>
<div><br>
</div>
<div>I installed the softhsm-devel
package (that only contains
header files), removed the token
directory, reinstalled bind
&amp; bind-pkcs11, and did
ipa-dns-install, which completed
ok (I guess):</div>
<div><br>
</div>
<div>
<div>To accept the default shown
in brackets, press the Enter
key.</div>
<div><br>
</div>
<div>Existing BIND configuration
detected, overwrite? [no]: yes</div>
<div>Directory Manager password:</div>
</div>
<div><br>
</div>
<div># ipa-upgradeconfig</div>
<div>[Verifying that root
certificate is published]</div>
<div><b>Failed to backup CS.cfg:
no magic attribute 'dogtag'</b></div>
<div>[Migrate CRL publish
directory]</div>
<div>CRL tree already moved</div>
<div>[Verifying that CA proxy
configuration is correct]</div>
<div>[Verifying that KDC
configuration is using ipa-kdb
backend]</div>
<div>[Fixing trust flags in
/etc/httpd/alias]</div>
<div>Trust flags already processed</div>
<div>[Fix DS schema file syntax]</div>
<div>Syntax already fixed</div>
<div>[Removing RA cert from DS NSS
database]</div>
<div>RA cert already removed</div>
<div>[Removing self-signed CA]</div>
<div>[Checking for deprecated KDC
configuration files]</div>
<div>[Checking for deprecated
backups of Samba configuration
files]</div>
<div>[Setting up Firefox
extension]</div>
<div>[Add missing CA DNS records]</div>
<div>IPA CA DNS records already
processed</div>
<div>[Removing deprecated DNS
configuration options]</div>
<div>[Ensuring minimal number of
connections]</div>
<div>[Enabling serial
autoincrement in DNS]</div>
<div>[Updating GSSAPI
configuration in DNS]</div>
<div>[Updating pid-file
configuration in DNS]</div>
<div>[Masking named]</div>
<div>Changes to named.conf have
been made, restart named</div>
<div><b>Failed to restart named:
Command ''/bin/systemctl'
'restart'
'named-pkcs11.service''
returned non-zero exit status
1</b></div>
<div>[Verifying that CA service
certificate profile is updated]</div>
<div>[Update certmonger
certificate renewal
configuration to version 2]</div>
<div>[Enable PKIX certificate path
discovery and validation]</div>
<div>PKIX already enabled</div>
<div>The ipa-upgradeconfig command
was successful</div>
<div><br>
</div>
<div><br>
</div>
<div># systemctl restart
named-pkcs11 &&
journalctl -xn</div>
<div>
<div>19:38:54 named-pkcs11[838]:
ObjectStore.cpp(59): Failed to
enumerate object store in
/var/lib/ipa/dnssec/tokens</div>
<div>19:38:54 named-pkcs11[838]:
SoftHSM.cpp(437): Could not
load the object store</div>
<div>19:38:54 named-pkcs11[838]:
initializing DST: PKCS#11
initialization failed</div>
<div>19:38:54 named-pkcs11[838]:
exiting (due to fatal error)</div>
<div>19:38:54 systemd[1]:
named-pkcs11.service: control
process exited, code=exited
status=1</div>
<div>19:38:54 systemd[1]: Failed
to start Berkeley Internet
Name Domain (DNS) with native
PKCS#11.</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>It seems the problem is now
there are no tokens:</div>
<div>
<div># ll /var/lib/ipa/dnssec/</div>
<div>total 4.0K</div>
<div>-rwxrwx---. 1 ods named 30
Oct 26 10:35 softhsm_pin</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
This is interesting, ipa-dns-install
should detect a missing directory and create
a new one.<br>
Could you send me tail of
/var/log/ipaserver-install.log, where DNS
debug lines are?<br>
<br>
Martin^2
<div>
<div><br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Any ideas?</div>
<div><br>
</div>
<div>-- john</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27
19:05 GMT+01:00 Martin Basti <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com"
target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote">
<div>
<div>
<div>
<div>On 27/10/14 18:53,
John Obaterspok wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><br>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">2014-10-27
12:19 GMT+01:00
Martin Basti <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote
class="gmail_quote">
<div><span>
<div>On
26/10/14
21:39, John
Obaterspok
wrote:<br>
</div>
</span>
<blockquote
type="cite">
<div dir="ltr"><span>Hi,
<div><br>
</div>
<div>I
enabled mkosek-freeipa
repo for F20
and updated
freeipa-server
from 3.3.5 to
4.1. The yum
update
reported just
a single
error:</div>
<div><br>
</div>
<div>Could not
load host key:
/etc/ssh/ssh_host_dsa_key</div>
<div><br>
</div>
<div>After
reboot I had 3
services that
failed to
start:</div>
<div>ipa,
kadmin,
named-pkcs11<br>
</div>
<div><br>
</div>
<div>Doing
"strace -f
named-pkcs11
-u named -f
-g" I can see:</div>
<div>
<div>
"/var/lib/softhsm/tokens/"
=> -1
EACCES
(Permission
denied)</div>
<div>
initializing
DST: PKCS#11
initialization
failed</div>
<div>
exiting (due
to fatal
error)</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div>For
kadmin the
error is due
to not being
able to
connect to
sldap</div>
<div><br>
</div>
</span>
<div>I noticed
that
softhsm2-util
--show-slots
reported
"ERROR: Could
not initialize
the library."
But that
seemed to be
because
wasn't part of
the update.
After that I
could show the
default slot
and then I
manually
called
following (as
root):</div>
<span>
<div><br>
</div>
<div>"/usr/bin/softhsm2-util
--init-token
--slot 0
--label
ipaDNSSEC
--pin XXXXXXXX
--so-pin
XXXXXXXX"<br>
</div>
<div><br>
</div>
<div>But the
problems won't
go away. Any
clues?</div>
<div><br>
</div>
<div>-- john</div>
<div><br>
</div>
<div><br>
</div>
</span></div>
<br>
<br>
</blockquote>
Hello, <br>
<br>
1)<br>
can you share
your
/var/log/ipaupgrade.log
?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Unfortunately
I removed the
original
ipaupgrade.log
file when I
did a retry to
install
freeipa-server.
The current
ipaupgrade.log
has two
errors:</div>
<div>First)</div>
<div><br>
</div>
<div>
<div>2014-10-26T12:45:15Z
DEBUG Live 1,
updated 1</div>
<div>2014-10-26T12:45:15Z
DEBUG
Unhandled
LDAPError:
OPERATIONS_ERROR:
{'desc':
'Operations
error'}</div>
<div>2014-10-26T12:45:15Z
ERROR Update
failed:
Operations
error:</div>
<div>2014-10-26T12:45:15Z
INFO Updating
existing
entry:
cn=MemberOf
Plugin,cn=plugins,cn=config</div>
<div>2014-10-26T12:45:15Z
DEBUG
---------------------------------------------</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
Is there some information
about the entry which is updated
above?
<div>
<div><br>
<blockquote type="cite">
<div dir="ltr">
<div
class="gmail_extra">
<div
class="gmail_quote">
<div><br>
</div>
<div>Second) It
complains
about not
being able to
start
named-pkcs11
service.</div>
<div> </div>
<div> </div>
<blockquote
class="gmail_quote">
<div> 2)<br>
your issue
with softhsm
can be caused
by missing
environment
variable<br>
IPA internally
uses <br>
<br>
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
<br>
please try
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
softhsm2-util
--show-slots,
and let me
know if it
works<br>
<br>
same with
named-pkcs11,<br>
<br>
</div>
</blockquote>
<div><br>
</div>
<div>The file
timestamps for
softhsm_pin
&amp; tokens
match the time
I did the
original
update</div>
<div><br>
</div>
<div>
<div># ll
/var/lib/ipa/dnssec/</div>
<div>-rwxrwx---.
1 ods named
30 Oct 26
10:35
softhsm_pin</div>
<div>drwxrws---.
2 ods named
4.0K Oct 26
10:35 tokens</div>
<div><br>
</div>
<div># ll
/var/lib/ipa/dnssec/tokens/</div>
<div>total 0</div>
<div><br>
</div>
<div>#
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
softhsm2-util
--show-slots</div>
<div>Available
slots:</div>
<div>Slot 0</div>
<div> Slot
info:</div>
<div>
Description:
SoftHSM
slot 0</div>
<div>
Manufacturer
ID: SoftHSM
project</div>
<div>
Hardware
version: 2.0</div>
<div>
Firmware
version: 2.0</div>
<div>
Token present:
yes</div>
<div> Token
info:</div>
<div>
Manufacturer
ID: SoftHSM
project</div>
<div>
Model:
SoftHSM v2</div>
<div>
Hardware
version: 2.0</div>
<div>
Firmware
version: 2.0</div>
<div>
Serial number:</div>
<div>
Initialized:
no</div>
<div>
User PIN
init.: no</div>
<div>
Label:</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
Slot was not initialized by
IPA<span><br>
<blockquote type="cite">
<div dir="ltr">
<div
class="gmail_extra">
<div
class="gmail_quote">
<div><br>
</div>
<blockquote
class="gmail_quote">
<div> 3)<br>
can you share
journalctl -u
named-pkcs11
output?<br>
</div>
</blockquote>
<div><br>
</div>
<div>
<div>10:35:48
systemd[1]:
named-pkcs11.service:
control
process
exited,
code=exited
status=1</div>
<div>10:35:48
systemd[1]:
Failed to
start Berkeley
Internet Name
Domain (DNS)
with native
PKCS#11.</div>
<div>10:35:48
systemd[1]:
Unit
named-pkcs11.service
entered failed
state.</div>
<div>10:35:48
systemd[1]:
Stopped
Berkeley
Internet Name
Domain (DNS)
with native
PKCS#11.</div>
<div>-- Reboot
--</div>
<div>10:58:05
named-pkcs11[1496]:
initializing
DST: no
PKCS#11
provider</div>
<div>10:58:05
named-pkcs11[1496]:
exiting (due
to fatal
error)</div>
<div>10:58:05
systemd[1]:
named-pkcs11.service:
control
process
exited,
code=exited
status=1</div>
<div>10:58:05
systemd[1]:
Failed to
start Berkeley
Internet Name
Domain (DNS)
with native
PKCS#11.</div>
<div>10:58:05
systemd[1]:
Unit
named-pkcs11.service
entered failed
state.</div>
<div>10:58:05
systemd[1]:
Stopped
Berkeley
Internet Name
Domain (DNS)
with native
PKCS#11.</div>
<div><br>
</div>
<div>... After
some fiddling
a restart says
this:</div>
<div><br>
</div>
<div>19:26:21
named-pkcs11[8807]:
sha1.c:92:
fatal error:</div>
<div>19:26:21
named-pkcs11[8807]:
RUNTIME_CHECK(pk11_get_session(ctx,
OP_DIGEST,
isc_boolean_true,
isc_boolean_false,
isc_bo</div>
<div>19:26:21
named-pkcs11[8807]:
exiting (due
to fatal error
in library)</div>
<div>19:26:21
systemd[1]:
named-pkcs11.service:
control
process
exited,
code=exited
status=1</div>
<div>19:26:21
systemd[1]:
Failed to
start Berkeley
Internet Name
Domain (DNS)
with native
PKCS#11.</div>
<div>19:26:21
systemd[1]:
Unit
named-pkcs11.service
entered failed
state. </div>
</div>
<div><br>
</div>
<blockquote
class="gmail_quote">
<div> 4)<br>
I'm not aware
that we need
krb5-libs/openssl.
I was getting
this error if
the tokens
directory
doesn't exist,
but IPA uses
its own
configuration
(see 2), not
the default.<br>
</div>
</blockquote>
<div><br>
</div>
<div> ok</div>
</div>
</div>
</div>
</blockquote>
<br>
</span> I took a deeper
look, and I found some
packaging errors there
with softhsm.<br>
You were right about the missing
dependency.<br>
<br>
Please install the softhsm-devel
package, remove the
/var/lib/ipa/dnssec/tokens
directory, then reinstall
DNS with ipa-dns-install
(this requires a running directory
server)<br>
<br>
Or, if you have a snapshot,
install softhsm-devel before
upgrading ipa<br>
<br>
HTH<br>
Martin^2<span><br>
<br>
<pre cols="72">--
Martin Basti</pre>
</span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div>
</div>
<span>
<pre cols="72">--
Martin Basti</pre>
</span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div>
</div>
<span class="HOEnZb">
<pre cols="72">--
Martin Basti</pre>
</span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
<br>
<br>
</blockquote>
<br>
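<p>The thread turns on three checks Martin asks for: softhsm2-util must be run with SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf (otherwise it looks at the default /var/lib/softhsm/tokens, the directory in John's EACCES strace), /var/lib/ipa/dnssec/tokens must exist and not be empty (the empty directory is what produced "Failed to enumerate object store" in named-pkcs11), and the token must report "Initialized: yes". The pre-flight script below is an added example, not code from the thread or from FreeIPA: the paths come from the messages above, while the function names, the state labels ("missing", "empty", "populated", "absent", "uninitialized", "initialized"), the <code>--check</code> flag and the IPA_SOFTHSM2_CONF / IPA_TOKEN_DIR overrides are my own. It does not try to resolve the DuplicateEntry error on the replica key, which the thread leaves open.</p>

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): pre-flight checks for
# the SoftHSM token that named-pkcs11 and ipa-dnskeysyncd depend on.
# Run as root on the IPA server with:  sh ipa-dnssec-preflight.sh --check

# IPA does not use SoftHSM's default config (which points at
# /var/lib/softhsm/tokens); it sets SOFTHSM2_CONF to its own file, so every
# softhsm2-util call in this script does the same. Both paths are taken from
# the thread; the override variables are an assumption of this example.
IPA_SOFTHSM2_CONF="${IPA_SOFTHSM2_CONF:-/etc/ipa/dnssec/softhsm2.conf}"
IPA_TOKEN_DIR="${IPA_TOKEN_DIR:-/var/lib/ipa/dnssec/tokens}"

# token_dir_state DIR: prints "missing", "empty" or "populated".
# An empty directory is exactly the state that made named-pkcs11 fail with
# "Failed to enumerate object store" above.
token_dir_state() {
    if [ ! -d "$1" ]; then
        echo missing
    elif [ -z "$(ls -A "$1" 2>/dev/null)" ]; then
        echo empty
    else
        echo populated
    fi
}

# slot_state: reads `softhsm2-util --show-slots` output on stdin and prints
#   "initialized"   if at least one present token says "Initialized: yes",
#   "uninitialized" if tokens are present but none is initialized
#                   (the "Initialized: no" state John posted), or
#   "absent"        if no slot reports a token at all.
# Only the "Token present:" and "Initialized:" fields are parsed, so the
# "User PIN init.:" line does not interfere.
slot_state() {
    awk '
        /^ *Token present:/ { present = ($3 == "yes"); if (present) seen++ }
        /^ *Initialized:/   { if (present && $2 == "yes") init++ }
        END {
            if (seen == 0)     print "absent"
            else if (init > 0) print "initialized"
            else               print "uninitialized"
        }'
}

# ipa_dnssec_preflight: run both checks against the live system and fail on
# the first finding, so it can gate a named-pkcs11 restart or a re-run of
# ipa-dns-install.
ipa_dnssec_preflight() {
    dir_state=$(token_dir_state "$IPA_TOKEN_DIR")
    echo "tokens directory $IPA_TOKEN_DIR: $dir_state"
    [ "$dir_state" = populated ] || return 1

    if ! command -v softhsm2-util >/dev/null 2>&1; then
        echo "softhsm2-util is not installed"
        return 1
    fi
    st=$(SOFTHSM2_CONF="$IPA_SOFTHSM2_CONF" softhsm2-util --show-slots | slot_state)
    echo "SoftHSM token state (via $IPA_SOFTHSM2_CONF): $st"
    [ "$st" = initialized ]
}

# Only touch the live system when asked, so the functions can also be sourced.
case "${1:-}" in
    --check) ipa_dnssec_preflight ;;
esac
```

A non-zero exit means one of the conditions from the thread is present; the printed state says which one. Note that running <code>softhsm2-util --show-slots</code> without the SOFTHSM2_CONF prefix reports on the default token store, not IPA's, which is why the script always sets it.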
</body>
</html>