<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Greetings all! Thanks for all the continued work on FreeIPA! :)<div class=""><br class=""></div><div class="">I saw that 4.2 made it to RHEL 7.2 and upgraded. Unfortunately, the system did not come up cleanly.</div><div class=""><br class=""></div><div class="">It seems to be some problem with the DNS server:</div><div class=""><br class=""></div><div class=""><blockquote type="cite" class="">[root@ipa01 ~]# systemctl status named-pkcs11<br class="">● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11<br class="">   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)<br class="">   Active: failed (Result: exit-code) since Wed 2015-12-23 01:56:37 EST; 4s ago<br class="">  Process: 16506 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)<br class="">  Process: 16503 ExecStartPre=/bin/bash -c if [ ! 
"$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)<br class=""><br class="">Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2<br class="">Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed<br class="">Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: couldn't establish connection in LDAP connection pool: permission denied<br class="">Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: dynamic database 'ipa' configuration failed: permission denied<br class="">Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: loading configuration: permission denied<br class="">Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: exiting (due to fatal error)<br class="">Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1<br class="">Dec 23 01:56:37 ipa01.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.<br class="">Dec 23 01:56:37 ipa01.example.com systemd[1]: Unit named-pkcs11.service entered failed state.<br class="">Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service failed.<br class=""></blockquote></div><div class=""><br class=""></div><div class=""><a 
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart" class="">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart</a> provides some good information. After manually starting 389, I was able to confirm that the LDAP credentials are able to retrieve the DNS tree with:</div><div class=""><br class=""></div><div class=""><blockquote type="cite" class="">[root@ipa01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket' -Y GSSAPI -b 'cn=dns,dc=example,dc=com' </blockquote><br class=""></div><div class="">I was also able to confirm that the named.keytab file is correct:</div><div class=""><br class=""></div><div class=""><blockquote type="cite" class="">[root@ipa01 ~]# kinit -k -t /etc/named.keytab DNS/ipa01.example.com<br class="">[root@ipa01 ~]# klist<br class="">Ticket cache: KEYRING:persistent:0:krb_ccache_th1WCcV<br class="">Default principal: DNS/ipa01.example.com@EXAMPLE.COM<br class=""><br class="">Valid starting       Expires              Service principal<br class="">12/23/2015 02:07:14  12/24/2015 02:07:14  krbtgt/EXAMPLE.COM@EXAMPLE.COM<br class=""></blockquote><br class=""></div><div class="">I have disabled unencrypted binds to 389, but I read somewhere this evening that this should not be an issue since passwords were being sent and STARTTLS is always being used. </div><div class=""><br class=""></div><div class=""><a href="https://fedorahosted.org/freeipa/ticket/5232" class="">https://fedorahosted.org/freeipa/ticket/5232</a> seems to be related here, but I did the install on a healthy server, so I can't imagine that it's the same. 
I also don't see any recovery techniques listed here or in the issue that it links to at <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1254412" class="">https://bugzilla.redhat.com/show_bug.cgi?id=1254412</a>. I searched the list archives for this error and came up empty. The versions I have are as follows:</div><div class=""><br class=""></div><div class=""><blockquote type="cite" class="">bind-license-9.9.4-29.el7_2.1.noarch<br class="">bind-libs-lite-9.9.4-29.el7_2.1.x86_64<br class="">bind-utils-9.9.4-29.el7_2.1.x86_64<br class="">bind-pkcs11-libs-9.9.4-29.el7_2.1.x86_64<br class="">bind-dyndb-ldap-8.0-1.el7.x86_64<br class="">bind-pkcs11-utils-9.9.4-29.el7_2.1.x86_64<br class="">bind-9.9.4-29.el7_2.1.x86_64<br class="">bind-pkcs11-9.9.4-29.el7_2.1.x86_64<br class="">bind-libs-9.9.4-29.el7_2.1.x86_64<br class="">ipa-python-4.2.0-15.el7.centos.3.x86_64<br class="">ipa-admintools-4.2.0-15.el7.centos.3.x86_64<br class="">sssd-ipa-1.13.0-40.el7_2.1.x86_64<br class="">ipa-client-4.2.0-15.el7.centos.3.x86_64<br class="">ipa-server-dns-4.2.0-15.el7.centos.3.x86_64<br class="">ipa-server-4.2.0-15.el7.centos.3.x86_64<br class="">python-libipa_hbac-1.13.0-40.el7_2.1.x86_64<br class="">libipa_hbac-1.13.0-40.el7_2.1.x86_64<br class=""></blockquote><br class=""></div><div class="">I'm also attaching the ipaupgrade.log</div><div class=""><br class=""></div><div class="">Hopefully I am missing something simple here. Can anyone help?</div><div class=""><br class=""></div><div class="">Happy solstice!</div><div class=""><br class=""></div><div class="">Brian</div><div class=""><br class=""></div><div class=""></div></body></html>
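As an added example that is not part of Brian's message nor of FreeIPA or bind-dyndb-ldap, the script below walks journal lines like the ones quoted above, keeps only named-pkcs11's own lines, and reports which stage of the start-up cascade failed first (here the LDAP bind, with the SASL code and reason extracted), so that the later "permission denied" lines are read as consequences of that one failure rather than as separate faults. The sample journal, stage names and host/PID values are constructed for the example.

```python
import re

# Constructed sample modelled on the journal excerpt above (illustrative, not a real capture).
SAMPLE_JOURNAL = """\
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: couldn't establish connection in LDAP connection pool: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: dynamic database 'ipa' configuration failed: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: loading configuration: permission denied
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: exiting (due to fatal error)
Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
"""
# Syslog-style journal line: "Mon DD HH:MM:SS host unit[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Failure stages in cascade order: the earliest stage present is the root cause, later ones follow from it.
STAGES = [
    ("ldap_bind", re.compile(r"bind to LDAP server failed")),
    ("ldap_pool", re.compile(r"couldn't establish connection in LDAP connection pool")),
    ("dyndb_config", re.compile(r"dynamic database '[^']+' configuration failed")),
    ("named_config", re.compile(r"loading configuration: ")),
    ("exit", re.compile(r"exiting \(due to fatal error\)")),
]
# Splits "SASL(-14): authorization failure: security flags do not match required" into its parts.
SASL_RE = re.compile(r"SASL\((?P<code>-?\d+)\): (?P<text>[^:]+): (?P<detail>[^:]+)")

def parse(journal):
    """Return (unit, pid, msg) for every line that matches the journal format."""
    rows = []
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["unit"], m["pid"], m["msg"]))
    return rows

def diagnose(journal, unit="named-pkcs11"):
    """Root-cause stage of one failed start of `unit`, or None if no known stage appears."""
    hits, sasl = [], None
    for u, _pid, msg in parse(journal):
        if u != unit:          # systemd's own lines only echo the exit status
            continue
        for idx, (name, rx) in enumerate(STAGES):
            if rx.search(msg):
                hits.append((idx, name, msg))
                s = SASL_RE.search(msg)
                if s and sasl is None:
                    sasl = {"code": int(s["code"]), "text": s["text"], "detail": s["detail"]}
                break
    if not hits:
        return None
    _, root, root_msg = min(hits)   # earliest stage in cascade order, whatever the log order
    return {"root": root, "message": root_msg, "sasl": sasl, "cascade": [h[1] for h in sorted(hits)]}
```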