[Freeipa-users] F20 Problem upgrading to 4.1

Martin Basti mbasti at redhat.com
Mon Oct 27 18:05:51 UTC 2014


On 27/10/14 18:53, John Obaterspok wrote:
>
>
> 2014-10-27 12:19 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>
>     On 26/10/14 21:39, John Obaterspok wrote:
>>     Hi,
>>
>>     I enabled mkosek-freeipa repo for F20 and updated freeipa-server
>>     from 3.3.5 to 4.1. The yum update reported just a single error:
>>
>>     Could not load host key: /etc/ssh/ssh_host_dsa_key
>>
>>     After reboot I had 3 services that failed to start:
>>     ipa, kadmin, named-pkcs11
>>
>>     Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>>        "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>>        initializing DST: PKCS#11 initialization failed
>>        exiting (due to fatal error)
>>
>>
>>     For kadmin the error is due to not being able to connect to sldap
>>
>>     I noticed that softhsm2-util --show-slots reported "ERROR: Could
>>     not initialize the library." But that seemed to be because  
>>     wasn't part of the update. After that I could show the default
>>     slot and then I manually called following (as root):
>>
>>     "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC
>>     --pin XXXXXXXX --so-pin XXXXXXXX"
>>
>>     But the problems won't go away. Any clues?
>>
>>     -- john
>>
>>
>>
>>
>     Hello,
>
>     1)
>     can you share your /var/log/ipaupgrade.log ?
>
>
> Unfortunately I removed the original ipaupgrade.log file when I did a 
> retry to install freeipa-server. The current ipaupgrade.log has two 
> errors:
> First)
>
> 2014-10-26T12:45:15Z DEBUG Live 1, updated 1
> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: 
> {'desc': 'Operations error'}
> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
> 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf 
> Plugin,cn=plugins,cn=config
> 2014-10-26T12:45:15Z DEBUG ---------------------------------------------
Is there any information about the entry which is updated above?
>
> Second) It complains about not being able to start named-pkcs11 service.
>
>     2)
>     your issue with softhsm can be caused by a missing environment variable
>     that IPA uses internally:
>
>     SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>     please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>     softhsm2-util --show-slots, and let me know if it works
>
>     same with named-pkcs11,
>
>
> The filestamps for softhsm_pin & tokens match the time I did the 
> original update
>
> # ll /var/lib/ipa/dnssec/
> -rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>
> # ll /var/lib/ipa/dnssec/tokens/
> total 0
>
> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots
> Available slots:
> Slot 0
>     Slot info:
>         Description:      SoftHSM slot 0
>         Manufacturer ID:  SoftHSM project
>         Hardware version: 2.0
>         Firmware version: 2.0
>         Token present:    yes
>     Token info:
>         Manufacturer ID:  SoftHSM project
>         Model:            SoftHSM v2
>         Hardware version: 2.0
>         Firmware version: 2.0
>         Serial number:
>         Initialized:      no
>         User PIN init.:   no
>         Label:
The slot was not initialized by IPA.
>
>     3)
>     can you share journalctl -u named-pkcs11 output?
>
>
> 10:35:48 systemd[1]: named-pkcs11.service: control process exited, 
> code=exited status=1
> 10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain 
> (DNS) with native PKCS#11.
> 10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
> 10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with 
> native PKCS#11.
> -- Reboot --
> 10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
> 10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
> 10:58:05 systemd[1]: named-pkcs11.service: control process exited, 
> code=exited status=1
> 10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain 
> (DNS) with native PKCS#11.
> 10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
> 10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with 
> native PKCS#11.
>
> ... After some fiddling a restart says this:
>
> 19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
> 19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx, 
> OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
> 19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
> 19:26:21 systemd[1]: named-pkcs11.service: control process exited, 
> code=exited status=1
> 19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain 
> (DNS) with native PKCS#11.
> 19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.
>
>     4)
>     I'm not aware that we need krb5-libs/openssl. I was getting
>     this error if the tokens directory doesn't exist, but IPA uses its own
>     configuration (see 2), not the default.
>
>
>  ok

I took a deeper look, and I found some packaging errors there with softhsm.
You were right about the missing dependency.

Please install the softhsm-devel package, remove the /var/lib/ipa/dnssec/tokens 
directory, then reinstall DNS with ipa-dns-install (requires a running 
directory server).

Or, if you have a snapshot, install softhsm-devel before upgrading ipa.

HTH
Martin^2

-- 
Martin Basti
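An added diagnostic helper for the state discussed in this thread (not code from the thread or from FreeIPA): it points softhsm2-util at IPA's own configuration, as in point 2), and parses the slot listing for an initialised token, and it checks that the token directory is populated. The paths are the ones shown in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread. Paths are those the thread shows
# for IPA's DNSSEC SoftHSM setup.
IPA_SOFTHSM_CONF=/etc/ipa/dnssec/softhsm2.conf
IPA_TOKEN_DIR=/var/lib/ipa/dnssec/tokens

# token_initialized: read `softhsm2-util --show-slots` output on stdin and
# exit 0 only if some slot's "Token info" block reports "Initialized: yes".
# "Token present: yes" in the "Slot info" block is deliberately ignored:
# the thread's listing shows a present but uninitialised token.
token_initialized() {
    awk '
        /^ *Slot [0-9]+/  { in_token = 0 }
        /^ *Token info:/  { in_token = 1; next }
        in_token && /^ *Initialized:/ && $2 == "yes" { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# token_dir_usable: exit 0 only if the directory exists and is not empty
# ("total 0" in the thread means ipa-dns-install never created the token).
token_dir_usable() {
    [ -d "$1" ] || return 1
    [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# check_ipa_softhsm: run the checks against the live system (as root).
# softhsm2-util only sees IPA's token store when SOFTHSM2_CONF points at
# IPA's configuration rather than the system default.
check_ipa_softhsm() {
    rc=0
    [ -r "$IPA_SOFTHSM_CONF" ] || { echo "missing $IPA_SOFTHSM_CONF"; rc=1; }
    token_dir_usable "$IPA_TOKEN_DIR" \
        || { echo "$IPA_TOKEN_DIR is missing or empty"; rc=1; }
    SOFTHSM2_CONF="$IPA_SOFTHSM_CONF" softhsm2-util --show-slots \
        | token_initialized || { echo "no initialised SoftHSM token"; rc=1; }
    [ "$rc" -eq 0 ] && echo "IPA SoftHSM token looks healthy"
    return "$rc"
}

case "${1-}" in --check) check_ipa_softhsm ;; esac
```

Run it as `sh check.sh --check` on the IPA server; a non-zero exit names which of the three conditions from the thread is still unmet.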
