<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 27/10/14 18:53, John Obaterspok
wrote:<br>
</div>
<blockquote
cite="mid:CAOscVdKaivgcVH43YukpEfUzx1dwsazsa1=yOiMoXrUmcyy_-Q@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27 12:19 GMT+01:00 Martin
Basti <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 26/10/14 21:39, John Obaterspok wrote:<br>
</div>
</span>
<blockquote type="cite">
<div dir="ltr"><span class="">Hi,
<div><br>
</div>
<div>I enabled mkosek-freeipa repo for F20 and
updated freeipa-server from 3.3.5 to 4.1. The
yum update reported just a single error:</div>
<div><br>
</div>
<div>Could not load host key:
/etc/ssh/ssh_host_dsa_key</div>
<div><br>
</div>
<div>After reboot I had 3 services that failed to
start:</div>
<div>ipa, kadmin, named-pkcs11<br>
</div>
<div><br>
</div>
<div>Doing "strace -f named-pkcs11 -u named -f -g"
I can see:</div>
<div>
<div> "/var/lib/softhsm/tokens/" => -1
EACCES (Permission denied)</div>
<div> initializing DST: PKCS#11 initialization
failed</div>
<div> exiting (due to fatal error)</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div>For kadmin the error is due to not being able
to connect to sldap</div>
<div><br>
</div>
</span>
<div>I noticed that softhsm2-util --show-slots
reported "ERROR: Could not initialize the
library." But that seemed to be because wasn't
part of the update. After that I could show the
default slot and then I manually called following
(as root):</div>
<span class="">
<div><br>
</div>
<div>"/usr/bin/softhsm2-util --init-token --slot 0
--label ipaDNSSEC --pin XXXXXXXX --so-pin
XXXXXXXX"<br>
</div>
<div><br>
</div>
<div>But the problems won't go away. Any clues?</div>
<div><br>
</div>
<div>-- john</div>
<div><br>
</div>
<div><br>
</div>
</span></div>
<br>
<br>
</blockquote>
Hello, <br>
<br>
1)<br>
can you share your /var/log/ipaupgrade.log ?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Unfortunately I removed the original ipaupgrade.log file
when I retried the freeipa-server install. The current
ipaupgrade.log has two errors:</div>
<div>First)</div>
<div><br>
</div>
<div>
<div>2014-10-26T12:45:15Z DEBUG Live 1, updated 1</div>
<div>2014-10-26T12:45:15Z DEBUG Unhandled LDAPError:
OPERATIONS_ERROR: {'desc': 'Operations error'}</div>
<div>2014-10-26T12:45:15Z ERROR Update failed: Operations
error:</div>
<div>2014-10-26T12:45:15Z INFO Updating existing entry:
cn=MemberOf Plugin,cn=plugins,cn=config</div>
<div>2014-10-26T12:45:15Z DEBUG
---------------------------------------------</div>
</div>
</div>
</div>
</div>
</blockquote>
Is there any information about the entry which is updated above?<br>
<blockquote
cite="mid:CAOscVdKaivgcVH43YukpEfUzx1dwsazsa1=yOiMoXrUmcyy_-Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Second) It complains about not being able to start
named-pkcs11 service.</div>
<div> </div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> 2)<br>
your issue with softhsm can be caused by missing
environment variable<br>
IPA internally uses <br>
<br>
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf <br>
please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
softhsm2-util --show-slots, and let me know if it works<br>
<br>
same with named-pkcs11,<br>
<br>
</div>
</blockquote>
<div><br>
</div>
<div>The timestamps for softhsm_pin & tokens match the
time I did the original update</div>
<div><br>
</div>
<div>
<div># ll /var/lib/ipa/dnssec/</div>
<div>-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin</div>
<div>drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens</div>
<div><br>
</div>
<div># ll /var/lib/ipa/dnssec/tokens/</div>
<div>total 0</div>
<div><br>
</div>
<div># SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
softhsm2-util --show-slots</div>
<div>Available slots:</div>
<div>Slot 0</div>
<div> Slot info:</div>
<div> Description: SoftHSM slot 0</div>
<div> Manufacturer ID: SoftHSM project</div>
<div> Hardware version: 2.0</div>
<div> Firmware version: 2.0</div>
<div> Token present: yes</div>
<div> Token info:</div>
<div> Manufacturer ID: SoftHSM project</div>
<div> Model: SoftHSM v2</div>
<div> Hardware version: 2.0</div>
<div> Firmware version: 2.0</div>
<div> Serial number:</div>
<div> Initialized: no</div>
<div> User PIN init.: no</div>
<div> Label:</div>
</div>
</div>
</div>
</div>
</blockquote>
Slot was not initialized by IPA<br>
<blockquote
cite="mid:CAOscVdKaivgcVH43YukpEfUzx1dwsazsa1=yOiMoXrUmcyy_-Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> 3)<br>
can you share journalctl -u named-pkcs11 output?<br>
</div>
</blockquote>
<div><br>
</div>
<div>
<div>10:35:48 systemd[1]: named-pkcs11.service: control
process exited, code=exited status=1</div>
<div>10:35:48 systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS) with native PKCS#11.</div>
<div>10:35:48 systemd[1]: Unit named-pkcs11.service
entered failed state.</div>
<div>10:35:48 systemd[1]: Stopped Berkeley Internet Name
Domain (DNS) with native PKCS#11.</div>
<div>-- Reboot --</div>
<div>10:58:05 named-pkcs11[1496]: initializing DST: no
PKCS#11 provider</div>
<div>10:58:05 named-pkcs11[1496]: exiting (due to fatal
error)</div>
<div>10:58:05 systemd[1]: named-pkcs11.service: control
process exited, code=exited status=1</div>
<div>10:58:05 systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS) with native PKCS#11.</div>
<div>10:58:05 systemd[1]: Unit named-pkcs11.service
entered failed state.</div>
<div>10:58:05 systemd[1]: Stopped Berkeley Internet Name
Domain (DNS) with native PKCS#11.</div>
<div><br>
</div>
<div>... After some fiddling a restart says this:</div>
<div><br>
</div>
<div>19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:</div>
<div>19:26:21 named-pkcs11[8807]:
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false, isc_bo</div>
<div>19:26:21 named-pkcs11[8807]: exiting (due to fatal
error in library)</div>
<div>19:26:21 systemd[1]: named-pkcs11.service: control
process exited, code=exited status=1</div>
<div>19:26:21 systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS) with native PKCS#11.</div>
<div>19:26:21 systemd[1]: Unit named-pkcs11.service
entered failed state. </div>
</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> 4)<br>
I'm not aware that we need krb5-libs/openssl; I was
getting this error if the tokens directory doesn't exist,
but IPA uses its own configuration (see 2), not the default.<br>
</div>
</blockquote>
<div><br>
</div>
<div> ok</div>
</div>
</div>
</div>
</blockquote>
<br>
I took a deeper look, and I found some packaging errors with
softhsm.<br>
You were right about the missing dependency.<br>
<br>
Please install softhsm-devel package, remove
/var/lib/ipa/dnssec/tokens directory, then reinstall DNS,
ipa-dns-install (requires running directory server)<br>
<br>
Or if you have snapshot, install softhsm-devel before upgrading ipa<br>
<br>
HTH<br>
Martin^2<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
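<p>The checks discussed in this thread (run <code>softhsm2-util --show-slots</code> under IPA's own <code>SOFTHSM2_CONF</code>, and look at the state of <code>/var/lib/ipa/dnssec/tokens</code>) collected into a small diagnostic script. This is an added example, not code from the thread or from FreeIPA; the config path is the one Martin names above, and the sample slot output is constructed from John's paste.</p>

```shell
#!/bin/sh
# Added diagnostic for the named-pkcs11 / SoftHSM failure discussed above.
# Assumption: IPA's own SoftHSM config lives at this path (as stated in the thread).
IPA_SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
IPA_TOKENS_DIR=/var/lib/ipa/dnssec/tokens

# token_state: classify `softhsm2-util --show-slots` output read on stdin.
# Prints one of: no-token | uninitialized | no-user-pin | ready
# (single-slot layout as in the thread; with several slots the last one wins)
token_state() {
    awk '
        /Token present:/   { present = ($NF == "yes") }
        /Initialized:/     { init    = ($NF == "yes") }
        /User PIN init\.:/ { pin     = ($NF == "yes") }
        END {
            if (!present)   print "no-token"
            else if (!init) print "uninitialized"
            else if (!pin)  print "no-user-pin"
            else            print "ready"
        }'
}

# live_token_state: the check Martin suggests, with IPA's config rather than
# the SoftHSM default. Requires softhsm2-util to be installed.
live_token_state() {
    SOFTHSM2_CONF="$IPA_SOFTHSM2_CONF" softhsm2-util --show-slots | token_state
}

# tokens_dir_state DIR: missing | empty | populated
# "empty" is what John's `ll /var/lib/ipa/dnssec/tokens/` (total 0) showed.
tokens_dir_state() {
    if [ ! -d "$1" ]; then echo missing
    elif [ -z "$(ls -A "$1")" ]; then echo empty
    else echo populated
    fi
}

# Constructed sample: the uninitialized token from John's paste above.
SAMPLE_UNINIT='Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot 0
        Token present:    yes
    Token info:
        Initialized:      no
        User PIN init.:   no
        Label:'

printf '%s\n' "$SAMPLE_UNINIT" | token_state   # prints: uninitialized
```

<p>On a live server, <code>live_token_state</code> reporting anything but <code>ready</code> together with <code>tokens_dir_state "$IPA_TOKENS_DIR"</code> reporting <code>empty</code> matches the situation in the thread, where the token was never initialized by IPA.</p>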
</body>
</html>