[Freeipa-users] F20 Problem upgrading to 4.1
John Obaterspok
john.obaterspok at gmail.com
Mon Oct 27 17:53:33 UTC 2014
2014-10-27 12:19 GMT+01:00 Martin Basti <mbasti at redhat.com>:
> On 26/10/14 21:39, John Obaterspok wrote:
>
> Hi,
>
> I enabled mkosek-freeipa repo for F20 and updated freeipa-server from
> 3.3.5 to 4.1. The yum update reported just a single error:
>
> Could not load host key: /etc/ssh/ssh_host_dsa_key
>
> After reboot I had 3 services that failed to start:
> ipa, kadmin, named-pkcs11
>
> Doing "strace -f named-pkcs11 -u named -f -g" I can see:
> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
> initializing DST: PKCS#11 initialization failed
> exiting (due to fatal error)
>
>
> For kadmin the error is due to not being able to connect to sldap
>
> I noticed that softhsm2-util --show-slots reported "ERROR: Could not
> initialize the library." But that seemed to be because wasn't part of the
> update. After that I could show the default slot and then I manually called
> following (as root):
>
> "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
> XXXXXXXX --so-pin XXXXXXXX"
>
> But the problems won't go away. Any clues?
>
> -- john
>
>
>
>
> Hello,
>
> 1)
> can you share your /var/log/ipaupgrade.log ?
>
Unfortunately I removed the original ipaupgrade.log file when I did a retry
to install freeipa-server. The current ipaupgrade.log has two errors:
First)
2014-10-26T12:45:15Z DEBUG Live 1, updated 1
2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
'Operations error'}
2014-10-26T12:45:15Z ERROR Update failed: Operations error:
2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
Plugin,cn=plugins,cn=config
2014-10-26T12:45:15Z DEBUG ---------------------------------------------
Second) It complains about not being able to start named-pkcs11 service.
> 2)
> your issue with softhsm can be caused by missing environment variable
> IPA internally uses
>
> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
> please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
> --show-slots, and let me know if it works
>
> same with named-pkcs11,
>
>
The filestamps for softhsm_pin & tokens match the time I did the original
update
# ll /var/lib/ipa/dnssec/
-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
# ll /var/lib/ipa/dnssec/tokens/
total 0
# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
Available slots:
Slot 0
Slot info:
Description: SoftHSM slot 0
Manufacturer ID: SoftHSM project
Hardware version: 2.0
Firmware version: 2.0
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.0
Firmware version: 2.0
Serial number:
Initialized: no
User PIN init.: no
Label:
> 3)
> can you share journalctl -u named-pkcs11 output?
>
10:35:48 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
native PKCS#11.
-- Reboot --
10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
10:58:05 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
native PKCS#11.
... After some fiddling a restart says this:
19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false, isc_bo
19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
19:26:21 systemd[1]: named-pkcs11.service: control process exited,
code=exited status=1
19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
with native PKCS#11.
19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.
> 4)
> I'm not aware that we need krb5-libs/openssl. I was getting this error
> if tokens directory doesn't exist, but IPA uses own configuration (see 2)
> not default.
>
ok
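The two checks this thread turns on (whether the token listed by softhsm2-util under IPA's own SOFTHSM2_CONF is initialized, and whether the tokens directory named in the listing is missing or empty) can be scripted. The helpers below are an added example, not part of the thread or of FreeIPA; the slot listing they parse is constructed from the output John pasted, and the live invocation at the end assumes the same paths the thread shows (/etc/ipa/dnssec/softhsm2.conf and /var/lib/ipa/dnssec/tokens).

```shell
#!/bin/sh
# Added diagnostic helpers (example code, not from the thread or FreeIPA).
# They parse `softhsm2-util --show-slots` output and classify the tokens
# directory that IPA's softhsm2.conf points at.

# uninitialized_slots: read --show-slots text on stdin and print the number
# of every slot whose token reports "Initialized: no". Empty output means
# every present token is initialized.
uninitialized_slots() {
    awk '
        /^Slot [0-9]+/         { slot = $2 }
        /^ *Initialized: *no/  { print slot }
    '
}

# token_dir_status: print one word for the tokens directory:
#   missing  - directory does not exist (named-pkcs11 cannot open it)
#   empty    - exists but holds no token (matches "Initialized: no")
#   present  - contains at least one entry, i.e. a token has been created
token_dir_status() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
    elif [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo empty
    else
        echo present
    fi
}

# Constructed sample: the listing from the thread, trimmed to the fields read.
SAMPLE_SHOW_SLOTS_UNINIT='Available slots:
Slot 0
Slot info:
Description: SoftHSM slot 0
Token present: yes
Token info:
Initialized: no
User PIN init.: no
Label:
'

# Constructed sample of a healthy listing (assumed shape, same field names).
SAMPLE_SHOW_SLOTS_OK='Available slots:
Slot 0
Slot info:
Description: SoftHSM slot 0
Token present: yes
Token info:
Initialized: yes
User PIN init.: yes
Label: ipaDNSSEC
'

# Live check, only when softhsm2-util is installed: run it with IPA's own
# configuration (the point of item 2 in the thread), not the default one.
if command -v softhsm2-util >/dev/null 2>&1; then
    SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots \
        | uninitialized_slots
    token_dir_status /var/lib/ipa/dnssec/tokens
fi
```

Run it as root on the IPA server; a printed slot number together with "empty" is the state shown in the thread (token directory created by the upgrade but no token inside it), which is the condition to fix before expecting named-pkcs11 to start.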