[Freeipa-users] F20 Problem upgrading to 4.1

Martin Basti mbasti at redhat.com
Mon Oct 27 11:19:56 UTC 2014


On 26/10/14 21:39, John Obaterspok wrote:
> Hi,
>
> I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 
> 3.3.5 to 4.1. The yum update reported just a single error:
>
> Could not load host key: /etc/ssh/ssh_host_dsa_key
>
> After reboot I had 3 services that failed to start:
> ipa, kadmin, named-pkcs11
>
> Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>    "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>    initializing DST: PKCS#11 initialization failed
>    exiting (due to fatal error)
>
>
> For kadmin the error is due to not being able to connect to sldap
>
> I noticed that softhsm2-util --show-slots reported "ERROR: Could not 
> initialize the library." But that seemed to be because   wasn't part 
> of the update. After that I could show the default slot and then I 
> manually called following (as root):
>
> "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin 
> XXXXXXXX --so-pin XXXXXXXX"
>
> But the problems won't go away. Any clues?
>
> -- john
>
>
>
>
Hello,

1)
Can you share your /var/log/ipaupgrade.log?

2)
Your issue with softhsm can be caused by a missing environment variable.
IPA internally uses

SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf

Please try

SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots

and let me know if it works.

Same with named-pkcs11.

3)
Can you share the journalctl -u named-pkcs11 output?

4)
I'm not aware that we need krb5-libs/openssl. I was getting this 
error if the tokens directory doesn't exist, but IPA uses its own 
configuration (see 2), not the default.

Martin^2

-- 
Martin Basti
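
Added example, not part of the original message and not FreeIPA or SoftHSM code: a script that reports which token directory a SoftHSM v2 configuration selects (given as a path or through SOFTHSM2_CONF, as in point 2) and whether the current user can use it. The function names are hypothetical, the sample config is constructed, and directories.tokendir is assumed to be the config key that sets the token directory.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not FreeIPA or SoftHSM tooling.

# Print the token directory set in a SoftHSM v2 config file.
# $1 = config path (defaults to $SOFTHSM2_CONF).
softhsm_tokendir() {
    conf="${1:-${SOFTHSM2_CONF:-}}"
    [ -n "$conf" ] || { echo "no config path and SOFTHSM2_CONF is unset" >&2; return 2; }
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Config lines have the form "directories.tokendir = /path"; '#' starts a comment.
    sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*\([^#]*\).*$/\1/p' "$conf" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Report how the token directory looks to the user running this script:
#   ok      - directory exists and can be listed and entered
#   unset   - config has no directories.tokendir line
#   missing - path does not exist (or a parent directory blocks the lookup)
#   denied  - path exists but is not a listable directory for this user
check_tokendir() {
    dir="$(softhsm_tokendir "$@")" || return 2
    if [ -z "$dir" ]; then echo "unset"; return 1; fi
    if [ ! -e "$dir" ]; then echo "missing"; return 1; fi
    if [ -d "$dir" ] && [ -r "$dir" ] && [ -x "$dir" ]; then echo "ok"; return 0; fi
    echo "denied"; return 1
}

# Demo on constructed input: a throwaway config pointing at a throwaway token dir.
demo() {
    tmp="$(mktemp -d)" || return 2
    mkdir "$tmp/tokens"
    printf '# constructed sample\ndirectories.tokendir = %s/tokens\n' "$tmp" > "$tmp/softhsm2.conf"
    echo "explicit path:  $(check_tokendir "$tmp/softhsm2.conf")"
    echo "via env var:    $(SOFTHSM2_CONF="$tmp/softhsm2.conf" check_tokendir)"
    rmdir "$tmp/tokens"
    echo "dir removed:    $(check_tokendir "$tmp/softhsm2.conf")"
    rm -rf "$tmp"
}
demo
```

Calling check_tokendir /etc/ipa/dnssec/softhsm2.conf as the account the daemon runs under (named, per the -u named option in the strace command quoted above) shows what that account sees.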
