[Freeipa-users] F20 Problem upgrading to 4.1
Michael Lasevich
mlasevich at gmail.com
Tue Oct 28 05:14:22 UTC 2014
Running into the same thing, but running ipa-dns-install does not complete:
=============================
Configuring DNS (named)
[1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long
delays
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up CA record
[5/8]: setting up kerberos principal
[6/8]: setting up named.conf
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/6]: checking status
[2/6]: setting up kerberos principal
[3/6]: setting up SoftHSM
[4/6]: adding DNSSEC containers
[5/6]: creating replica keys
[error] DuplicateEntry: This entry already exists
Unexpected error - see /var/log/ipaserver-install.log for details:
DuplicateEntry: This entry already exists
=============================
Looking into /var/log/ipaserver-install.log gives:
=============================
2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
2014-10-28T05:01:24Z DEBUG flushing ldap://infra-dc-01.my.domain.com:389
from SchemaCache
2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
url=ldap://infra-dc-01.my.domain.com:389
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x47d0d88>
2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 340, in __setup_replica_keys ldap.add_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1169, in error_handler raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists
2014-10-28T05:01:24Z DEBUG [error] DuplicateEntry: This entry already
exists
2014-10-28T05:01:24Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 646, in run_script
return_value = main_function()
File "/sbin/ipa-dns-install", line 218, in main
dnskeysyncd.create_instance(api.env.host, api.env.realm)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 128, in create_instance self.start_creation()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
line 340, in __setup_replica_keys ldap.add_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1169, in error_handler raise errors.DuplicateEntry()
2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
exception: DuplicateEntry: This entry already exists
-M
On 10/27/14, 12:52 PM, Martin Basti wrote:
> On 27/10/14 20:50, John Obaterspok wrote:
>> Hello Martin,
>>
>> It works perfectly again!
>>
>> Note, I noticed in /var/log/ipaserver-install.log that
>> ipa-dns-install failed because 389 wasn't started (failed to
>> connect). Once it was started manually, ipa-dns-install worked fine.
>>
>> Thanks a lot Martin,
>>
>> -- john
>>
> You are welcome :-)
>
>>
>> 2014-10-27 20:40 GMT+01:00 Martin Basti <mbasti at redhat.com
>> <mailto:mbasti at redhat.com>>:
>>
>> On 27/10/14 20:34, John Obaterspok wrote:
>>> hmm... Could not connect to the Directory Server
>>>
>>> So I started it with start-dirsrv since "systemctl start ipa"
>>> failed. Then it was a breeze, ipa-dns-install worked fine.
>>>
>>> # systemctl --failed
>>> 0 loaded units listed.
>> I'm lost; does IPA work or not?
>> Are all services running? (ipactl status)
>> Are tokens created in /var/lib/ipa/dnssec/tokens?
>> Can you dig records from IPA DNS?
>>
>> Martin^2
>>
>>>
>>> I haven't verified that it works, but I feel confident :)
>>>
>>> -- john
>>>
>>>
>>> 2014-10-27 20:09 GMT+01:00 Martin Basti <mbasti at redhat.com
>>> <mailto:mbasti at redhat.com>>:
>>>
>>> On 27/10/14 19:57, John Obaterspok wrote:
>>>> Hello Martin,
>>>>
>>>> Still no go.
>>>>
>>>> I installed the softhsm-devel package (that only contains
>>>> header files), removed the token directory, reinstalled the
>>>> bind & bind-pkcs11, did ipa-dns-install that completed ok
>>>> (I guess):
>>>>
>>>> To accept the default shown in brackets, press the Enter key.
>>>>
>>>> Existing BIND configuration detected, overwrite? [no]: yes
>>>> Directory Manager password:
>>>>
>>>> # ipa-upgradeconfig
>>>> [Verifying that root certificate is published]
>>>> *Failed to backup CS.cfg: no magic attribute 'dogtag'*
>>>> [Migrate CRL publish directory]
>>>> CRL tree already moved
>>>> [Verifying that CA proxy configuration is correct]
>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>> [Fixing trust flags in /etc/httpd/alias]
>>>> Trust flags already processed
>>>> [Fix DS schema file syntax]
>>>> Syntax already fixed
>>>> [Removing RA cert from DS NSS database]
>>>> RA cert already removed
>>>> [Removing self-signed CA]
>>>> [Checking for deprecated KDC configuration files]
>>>> [Checking for deprecated backups of Samba configuration files]
>>>> [Setting up Firefox extension]
>>>> [Add missing CA DNS records]
>>>> IPA CA DNS records already processed
>>>> [Removing deprecated DNS configuration options]
>>>> [Ensuring minimal number of connections]
>>>> [Enabling serial autoincrement in DNS]
>>>> [Updating GSSAPI configuration in DNS]
>>>> [Updating pid-file configuration in DNS]
>>>> [Masking named]
>>>> Changes to named.conf have been made, restart named
>>>> *Failed to restart named: Command ''/bin/systemctl'
>>>> 'restart' 'named-pkcs11.service'' returned non-zero exit
>>>> status 1*
>>>> [Verifying that CA service certificate profile is updated]
>>>> [Update certmonger certificate renewal configuration to
>>>> version 2]
>>>> [Enable PKIX certificate path discovery and validation]
>>>> PKIX already enabled
>>>> The ipa-upgradeconfig command was successful
>>>>
>>>>
>>>> # systemctl restart named-pkcs11 && journalctl -xn
>>>> 19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to
>>>> enumerate object store in /var/lib/ipa/dnssec/tokens
>>>> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not
>>>> load the object store
>>>> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11
>>>> initialization failed
>>>> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
>>>> 19:38:54 systemd[1]: named-pkcs11.service: control process
>>>> exited, code=exited status=1
>>>> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name
>>>> Domain (DNS) with native PKCS#11.
>>>>
>>>>
>>>> It seems the problem is now there are no tokens:
>>>> # ll /var/lib/ipa/dnssec/
>>>> total 4.0K
>>>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>>
>>> This is interesting, ipa-dns-install should detect a missing
>>> directory and create a new one.
>>> Could you send me tail of /var/log/ipaserver-install.log,
>>> where DNS debug lines are?
>>>
>>> Martin^2
>>>
>>>>
>>>> Any ideas?
>>>>
>>>> -- john
>>>>
>>>> 2014-10-27 19:05 GMT+01:00 Martin Basti <mbasti at redhat.com
>>>> <mailto:mbasti at redhat.com>>:
>>>>
>>>> On 27/10/14 18:53, John Obaterspok wrote:
>>>>>
>>>>>
>>>>> 2014-10-27 12:19 GMT+01:00 Martin Basti
>>>>> <mbasti at redhat.com <mailto:mbasti at redhat.com>>:
>>>>>
>>>>> On 26/10/14 21:39, John Obaterspok wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I enabled mkosek-freeipa repo for F20 and updated
>>>>>> freeipa-server from 3.3.5 to 4.1. The yum update
>>>>>> reported just a single error:
>>>>>>
>>>>>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>>>>
>>>>>> After reboot I had 3 services that failed to start:
>>>>>> ipa, kadmin, named-pkcs11
>>>>>>
>>>>>> Doing "strace -f named-pkcs11 -u named -f -g" I
>>>>>> can see:
>>>>>> "/var/lib/softhsm/tokens/" => -1 EACCES
>>>>>> (Permission denied)
>>>>>> initializing DST: PKCS#11 initialization failed
>>>>>> exiting (due to fatal error)
>>>>>>
>>>>>>
>>>>>> For kadmin the error is due to not being able to
>>>>>> connect to sldap
>>>>>>
>>>>>> I noticed that softhsm2-util --show-slots
>>>>>> reported "ERROR: Could not initialize the
>>>>>> library." But that seemed to be because wasn't
>>>>>> part of the update. After that I could show the
>>>>>> default slot and then I manually called following
>>>>>> (as root):
>>>>>>
>>>>>> "/usr/bin/softhsm2-util --init-token --slot 0
>>>>>> --label ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"
>>>>>>
>>>>>> But the problems won't go away. Any clues?
>>>>>>
>>>>>> -- john
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Hello,
>>>>>
>>>>> 1)
>>>>> can you share your /var/log/ipaupgrade.log ?
>>>>>
>>>>>
>>>>> Unfortunately I removed the original ipaupgrade.log
>>>>> file when I did a retry to install freeipa-server. The
>>>>> current ipaupgrade.log has two errors:
>>>>> First)
>>>>>
>>>>> 2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>>>>> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError:
>>>>> OPERATIONS_ERROR: {'desc': 'Operations error'}
>>>>> 2014-10-26T12:45:15Z ERROR Update failed: Operations
>>>>> error:
>>>>> 2014-10-26T12:45:15Z INFO Updating existing entry:
>>>>> cn=MemberOf Plugin,cn=plugins,cn=config
>>>>> 2014-10-26T12:45:15Z DEBUG
>>>>> ---------------------------------------------
>>>> Is there some information about the entry which is updated
>>>> above?
>>>>
>>>>>
>>>>> Second) It complains about not being able to start
>>>>> named-pkcs11 service.
>>>>>
>>>>>
>>>>>
>>>>> 2)
>>>>> Your issue with softhsm can be caused by a missing
>>>>> environment variable.
>>>>> IPA internally uses
>>>>>
>>>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>>> please try
>>>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>>> softhsm2-util --show-slots, and let me know if it
>>>>> works
>>>>>
>>>>> same with named-pkcs11,
>>>>>
>>>>>
>>>>> The file timestamps for softhsm_pin & tokens match the time
>>>>> I did the original update
>>>>>
>>>>> # ll /var/lib/ipa/dnssec/
>>>>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>>>> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>>>>>
>>>>> # ll /var/lib/ipa/dnssec/tokens/
>>>>> total 0
>>>>>
>>>>> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>>> softhsm2-util --show-slots
>>>>> Available slots:
>>>>> Slot 0
>>>>> Slot info:
>>>>> Description: SoftHSM slot 0
>>>>> Manufacturer ID: SoftHSM project
>>>>> Hardware version: 2.0
>>>>> Firmware version: 2.0
>>>>> Token present: yes
>>>>> Token info:
>>>>> Manufacturer ID: SoftHSM project
>>>>> Model: SoftHSM v2
>>>>> Hardware version: 2.0
>>>>> Firmware version: 2.0
>>>>> Serial number:
>>>>> Initialized: no
>>>>> User PIN init.: no
>>>>> Label:
>>>> Slot was not initialized by IPA
>>>>>
>>>>> 3)
>>>>> can you share journalctl -u named-pkcs11 output?
>>>>>
>>>>>
>>>>> 10:35:48 systemd[1]: named-pkcs11.service: control
>>>>> process exited, code=exited status=1
>>>>> 10:35:48 systemd[1]: Failed to start Berkeley Internet
>>>>> Name Domain (DNS) with native PKCS#11.
>>>>> 10:35:48 systemd[1]: Unit named-pkcs11.service entered
>>>>> failed state.
>>>>> 10:35:48 systemd[1]: Stopped Berkeley Internet Name
>>>>> Domain (DNS) with native PKCS#11.
>>>>> -- Reboot --
>>>>> 10:58:05 named-pkcs11[1496]: initializing DST: no
>>>>> PKCS#11 provider
>>>>> 10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
>>>>> 10:58:05 systemd[1]: named-pkcs11.service: control
>>>>> process exited, code=exited status=1
>>>>> 10:58:05 systemd[1]: Failed to start Berkeley Internet
>>>>> Name Domain (DNS) with native PKCS#11.
>>>>> 10:58:05 systemd[1]: Unit named-pkcs11.service entered
>>>>> failed state.
>>>>> 10:58:05 systemd[1]: Stopped Berkeley Internet Name
>>>>> Domain (DNS) with native PKCS#11.
>>>>>
>>>>> ... After some fiddling a restart says this:
>>>>>
>>>>> 19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
>>>>> 19:26:21 named-pkcs11[8807]:
>>>>> RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
>>>>> isc_boolean_true, isc_boolean_false, isc_bo
>>>>> 19:26:21 named-pkcs11[8807]: exiting (due to fatal
>>>>> error in library)
>>>>> 19:26:21 systemd[1]: named-pkcs11.service: control
>>>>> process exited, code=exited status=1
>>>>> 19:26:21 systemd[1]: Failed to start Berkeley Internet
>>>>> Name Domain (DNS) with native PKCS#11.
>>>>> 19:26:21 systemd[1]: Unit named-pkcs11.service entered
>>>>> failed state.
>>>>>
>>>>> 4)
>>>>> I'm not aware that we need krb5-libs/openssl.
>>>>> I was getting this error if the tokens directory
>>>>> doesn't exist, but IPA uses its own configuration (see
>>>>> 2), not the default.
>>>>>
>>>>>
>>>>> ok
>>>>
>>>> I took a deeper look, and I found some packaging
>>>> errors with softhsm.
>>>> You were right about the missing dependency.
>>>>
>>>> Please install the softhsm-devel package, remove the
>>>> /var/lib/ipa/dnssec/tokens directory, then reinstall
>>>> DNS with ipa-dns-install (requires a running directory server).
>>>>
>>>> Or if you have a snapshot, install softhsm-devel before
>>>> upgrading IPA.
>>>>
>>>> HTH
>>>> Martin^2
>>>>
>>>> --
>>>> Martin Basti
>>>>
>>>>
>>>
>>>
>>> --
>>> Martin Basti
>>>
>>>
>>
>>
>> --
>> Martin Basti
>>
>>
>
>
> --
> Martin Basti
>
>
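Martin's checks from the thread (slot state under IPA's own SOFTHSM2_CONF, contents of /var/lib/ipa/dnssec/tokens, named-pkcs11 status) collected into one shell helper. This is an added example, not code from the thread or from FreeIPA; the function names are mine, and the sample show-slots output is constructed to match what John pasted.

```shell
#!/bin/bash
# Added diagnostic helper (example, not code from the thread or from FreeIPA).
# Paths are the ones quoted in the thread; function names are my own.
IPA_SOFTHSM_CONF=/etc/ipa/dnssec/softhsm2.conf
IPA_TOKEN_DIR=/var/lib/ipa/dnssec/tokens

# token_state OUTPUT: classify "softhsm2-util --show-slots" output as
# absent / initialized / uninitialized / unknown.
token_state() {
    if printf '%s\n' "$1" | grep -q 'Token present: *no'; then echo absent
    elif printf '%s\n' "$1" | grep -q 'Initialized: *yes'; then echo initialized
    elif printf '%s\n' "$1" | grep -q 'Initialized: *no'; then echo uninitialized
    else echo unknown; fi
}

# token_dir_state DIR: missing / empty / populated. An empty directory is the
# symptom in the thread (named-pkcs11 cannot enumerate the object store).
token_dir_state() {
    if [ ! -d "$1" ]; then echo missing
    elif [ -z "$(ls -A "$1" 2>/dev/null)" ]; then echo empty
    else echo populated; fi
}

# Constructed sample, shaped like the output John pasted (slot never initialized).
SAMPLE_UNINIT='Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot 0
        Token present:    yes
    Token info:
        Initialized:      no
        User PIN init.:   no
        Label:'
# Same sample with the token initialized, as ipa-dns-install should leave it.
SAMPLE_INIT=$(printf '%s\n' "$SAMPLE_UNINIT" | sed 's/Initialized: *no/Initialized:      yes/')

# check_ipa_dnssec: run the live checks on an IPA server (needs softhsm2-util).
check_ipa_dnssec() {
    local slots
    slots=$(SOFTHSM2_CONF="$IPA_SOFTHSM_CONF" softhsm2-util --show-slots 2>&1) \
        || { echo "softhsm2-util failed: $slots"; return 1; }
    echo "softhsm token: $(token_state "$slots")"
    echo "tokens dir:    $(token_dir_state "$IPA_TOKEN_DIR")"
    systemctl is-active named-pkcs11 >/dev/null 2>&1 && echo "named-pkcs11: active" \
        || echo "named-pkcs11: not active (see journalctl -u named-pkcs11)"
}

[ "${1:-}" = run ] && check_ipa_dnssec
```

Run it as `bash check.sh run` on the IPA server; an "uninitialized" token or an "empty" tokens directory is the state the thread resolves by installing softhsm-devel and re-running ipa-dns-install.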