[Freeipa-users] F20 Problem upgrading to 4.1
John Obaterspok
john.obaterspok at gmail.com
Mon Oct 27 19:50:01 UTC 2014
Hello Martin,
It works perfectly again!
Note: I noticed in /var/log/ipaserver-install.log that ipa-dns-install failed
because 389 wasn't started (failed to connect). Once it was started manually
ipa-dns-install worked fine.
Thanks a lot Martin,
-- john
2014-10-27 20:40 GMT+01:00 Martin Basti <mbasti at redhat.com>:
> On 27/10/14 20:34, John Obaterspok wrote:
>
> hmm... Could not connect to the Directory Server
>
> So I started it with start-dirsrv since "systemctl start ipa" failed.
> Then it was a breeze, ipa-dns-install worked fine.
>
> # systemctl --failed
> 0 loaded units listed.
>
> I'm lost, does IPA work or not?
> are all services running? (ipactl status)
> are tokens created in /var/lib/ipa/dnssec/tokens
> can you dig records from IPA DNS?
>
> Martin^2
>
>
> I haven't verified that it works, but I feel confident :)
>
> -- john
>
>
> 2014-10-27 20:09 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>
>> On 27/10/14 19:57, John Obaterspok wrote:
>>
>> Hello Martin,
>>
>> Still no go.
>>
>> I installed the softhsm-devel package (that only contains header
>> files), removed the token directory, reinstalled the bind & bind-pkcs11,
>> did ipa-dns-install that completed ok (I guess):
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Existing BIND configuration detected, overwrite? [no]: yes
>> Directory Manager password:
>>
>> # ipa-upgradeconfig
>> [Verifying that root certificate is published]
>> Failed to backup CS.cfg: no magic attribute 'dogtag'
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Removing self-signed CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> [Ensuring minimal number of connections]
>> [Enabling serial autoincrement in DNS]
>> [Updating GSSAPI configuration in DNS]
>> [Updating pid-file configuration in DNS]
>> [Masking named]
>> Changes to named.conf have been made, restart named
>> Failed to restart named: Command ''/bin/systemctl' 'restart'
>> 'named-pkcs11.service'' returned non-zero exit status 1
>> [Verifying that CA service certificate profile is updated]
>> [Update certmonger certificate renewal configuration to version 2]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> The ipa-upgradeconfig command was successful
>>
>>
>> # systemctl restart named-pkcs11 && journalctl -xn
>> 19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate
>> object store in /var/lib/ipa/dnssec/tokens
>> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object
>> store
>> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization
>> failed
>> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
>> 19:38:54 systemd[1]: named-pkcs11.service: control process exited,
>> code=exited status=1
>> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>> with native PKCS#11.
>>
>>
>> It seems the problem is now there are no tokens:
>> # ll /var/lib/ipa/dnssec/
>> total 4.0K
>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>
>>
>> This is interesting, ipa-dns-install should detect missing directory
>> and create new one.
>> Could you send me tail of /var/log/ipaserver-install.log, where DNS debug
>> lines are?
>>
>> Martin^2
>>
>>
>> Any ideas?
>>
>> -- john
>>
>> 2014-10-27 19:05 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>>
>>> On 27/10/14 18:53, John Obaterspok wrote:
>>>
>>>
>>>
>>> 2014-10-27 12:19 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>>>
>>>> On 26/10/14 21:39, John Obaterspok wrote:
>>>>
>>>> Hi,
>>>>
>>>> I enabled mkosek-freeipa repo for F20 and updated freeipa-server from
>>>> 3.3.5 to 4.1. The yum update reported just a single error:
>>>>
>>>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>>
>>>> After reboot I had 3 services that failed to start:
>>>> ipa, kadmin, named-pkcs11
>>>>
>>>> Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>>>> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>>>> initializing DST: PKCS#11 initialization failed
>>>> exiting (due to fatal error)
>>>>
>>>>
>>>> For kadmin the error is due to not being able to connect to sldap
>>>>
>>>> I noticed that softhsm2-util --show-slots reported "ERROR: Could not
>>>> initialize the library." But that seemed to be because wasn't part of the
>>>> update. After that I could show the default slot and then I manually called
>>>> following (as root):
>>>>
>>>> "/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin
>>>> XXXXXXXX --so-pin XXXXXXXX"
>>>>
>>>> But the problems won't go away. Any clues?
>>>>
>>>> -- john
>>>>
>>>>
>>>>
>>>>
>>>> Hello,
>>>>
>>>> 1)
>>>> can you share your /var/log/ipaupgrade.log ?
>>>>
>>>
>>> Unfortunately I removed the original ipaupgrade.log file when I did a
>>> retry to install freeipa-server. The current ipaupgrade.log has two errors:
>>> First)
>>>
>>> 2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>>> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
>>> {'desc': 'Operations error'}
>>> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
>>> 2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
>>> Plugin,cn=plugins,cn=config
>>> 2014-10-26T12:45:15Z DEBUG ---------------------------------------------
>>>
>>> Is there some information about the entry which is updated above?
>>>
>>>
>>> Second) It complains about not being able to start named-pkcs11
>>> service.
>>>
>>>
>>>
>>>> 2)
>>>> your issue with softhsm can be caused by a missing environment variable
>>>> IPA internally uses
>>>>
>>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>> please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
>>>> --show-slots, and let me know if it works
>>>>
>>>> same with named-pkcs11,
>>>>
>>>>
>>> The filestamps for softhsm_pin & tokens match the time I did the
>>> original update
>>>
>>> # ll /var/lib/ipa/dnssec/
>>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>>>
>>> # ll /var/lib/ipa/dnssec/tokens/
>>> total 0
>>>
>>> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
>>> --show-slots
>>> Available slots:
>>> Slot 0
>>> Slot info:
>>> Description: SoftHSM slot 0
>>> Manufacturer ID: SoftHSM project
>>> Hardware version: 2.0
>>> Firmware version: 2.0
>>> Token present: yes
>>> Token info:
>>> Manufacturer ID: SoftHSM project
>>> Model: SoftHSM v2
>>> Hardware version: 2.0
>>> Firmware version: 2.0
>>> Serial number:
>>> Initialized: no
>>> User PIN init.: no
>>> Label:
>>>
>>> Slot was not initialized by IPA
>>>
>>>
>>>> 3)
>>>> can you share journalctl -u named-pkcs11 output?
>>>>
>>>
>>> 10:35:48 systemd[1]: named-pkcs11.service: control process exited,
>>> code=exited status=1
>>> 10:35:48 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>>> with native PKCS#11.
>>> 10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
>>> 10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
>>> native PKCS#11.
>>> -- Reboot --
>>> 10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
>>> 10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
>>> 10:58:05 systemd[1]: named-pkcs11.service: control process exited,
>>> code=exited status=1
>>> 10:58:05 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>>> with native PKCS#11.
>>> 10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
>>> 10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with
>>> native PKCS#11.
>>>
>>> ... After some fiddling a restart says this:
>>>
>>> 19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
>>> 19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx,
>>> OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
>>> 19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
>>> 19:26:21 systemd[1]: named-pkcs11.service: control process exited,
>>> code=exited status=1
>>> 19:26:21 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS)
>>> with native PKCS#11.
>>> 19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.
>>>
>>> 4)
>>>> I'm not aware that we need krb5-libs/openssl; I was getting this
>>>> error if the tokens directory doesn't exist, but IPA uses its own configuration
>>>> (see 2), not the default.
>>>>
>>>
>>> ok
>>>
>>>
>>> I took a deeper look, and I found some packaging errors there with
>>> softhsm.
>>> You were right about the missing dependency.
>>>
>>> Please install softhsm-devel package, remove /var/lib/ipa/dnssec/tokens
>>> directory, then reinstall DNS, ipa-dns-install (requires running directory
>>> server)
>>>
>>> Or if you have snapshot, install softhsm-devel before upgrading ipa
>>>
>>> HTH
>>> Martin^2
>>>
>>> --
>>> Martin Basti
>>>
>>>
>>
>>
>> --
>> Martin Basti
>>
>>
>
>
> --
> Martin Basti
>
>
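As an added check (not from the thread or from FreeIPA itself), a small shell helper that does what Martin asks for above: run softhsm2-util with IPA's own SOFTHSM2_CONF and read the slot state, flagging the "Initialized: no" case John hit. It assumes the paths and the ipaDNSSEC label named in the thread; the sample listings are constructed.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread or from the FreeIPA project.
# Paths and label are the ones the thread names for IPA's own SoftHSM setup.
IPA_SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
IPA_TOKEN_DIR=/var/lib/ipa/dnssec/tokens
IPA_TOKEN_LABEL=ipaDNSSEC

# Read `softhsm2-util --show-slots` text on stdin and print one word:
#   no-token | uninitialized | wrong-label:<label> | initialized
# Only the last slot in the listing is considered (IPA uses a single token).
softhsm_token_state() {
    awk -v want="$IPA_TOKEN_LABEL" '
        /Token present:/ { present = ($3 == "yes") }
        /Initialized:/   { init = ($2 == "yes") }
        /Label:/         { label = $2 }
        END {
            if (!present)            print "no-token"
            else if (!init)          print "uninitialized"
            else if (label != want)  print "wrong-label:" label
            else                     print "initialized"
        }'
}

# Live check: the token directory must exist, and softhsm2-util must run with
# IPA's SOFTHSM2_CONF, otherwise it looks at /var/lib/softhsm/tokens instead.
ipa_dnssec_token_check() {
    [ -d "$IPA_TOKEN_DIR" ] || { echo "missing-token-dir"; return 1; }
    command -v softhsm2-util >/dev/null 2>&1 || { echo "softhsm2-util-missing"; return 1; }
    SOFTHSM2_CONF="$IPA_SOFTHSM2_CONF" softhsm2-util --show-slots | softhsm_token_state
}

# Constructed samples: the uninitialized slot seen in the thread, and a healthy one.
SAMPLE_UNINIT='Slot 0
    Slot info:
        Token present:    yes
    Token info:
        Initialized:      no
        User PIN init.:   no
        Label:'
SAMPLE_OK='Slot 0
    Slot info:
        Token present:    yes
    Token info:
        Initialized:      yes
        User PIN init.:   yes
        Label:            ipaDNSSEC'

# Stand-alone run: parse both samples, then do the live check only when asked.
printf '%s\n' "$SAMPLE_UNINIT" | softhsm_token_state   # uninitialized
printf '%s\n' "$SAMPLE_OK"     | softhsm_token_state   # initialized
if [ "${1:-}" = "--live" ]; then ipa_dnssec_token_check; fi
```

Run it with `--live` on the IPA server to query the real token; without the flag it only exercises the parser on the samples.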