[Freeipa-users] F20 Problem upgrading to 4.1
Martin Basti
mbasti at redhat.com
Mon Oct 27 19:52:43 UTC 2014
On 27/10/14 20:50, John Obaterspok wrote:
> Hello Martin,
>
> It works perfectly again!
>
> Note, I noticed in /var/log/ipaserver-install.log that
> ipa-dns-install failed because 389 wasn't started (failed to
> connect). Once it was started manually, ipa-dns-install worked fine.
>
> Thanks a lot Martin,
>
> -- john
>
You are welcome :-)
>
> 2014-10-27 20:40 GMT+01:00 Martin Basti <mbasti at redhat.com
> <mailto:mbasti at redhat.com>>:
>
> On 27/10/14 20:34, John Obaterspok wrote:
>> hmm... Could not connect to the Directory Server
>>
>> So I started it with start-dirsrv since "systemctl start ipa"
>> failed. Then it was a breeze, ipa-dns-install worked fine.
>>
>> # systemctl --failed
>> 0 loaded units listed.
> I'm lost, does IPA work or not?
> are all services running? (ipactl status)
> are tokens created in /var/lib/ipa/dnssec/tokens
> can you dig records from IPA DNS?
>
> Martin^2
>
>>
>> I haven't verified that it works, but I feel confident :)
>>
>> -- john
>>
>>
>> 2014-10-27 20:09 GMT+01:00 Martin Basti <mbasti at redhat.com
>> <mailto:mbasti at redhat.com>>:
>>
>> On 27/10/14 19:57, John Obaterspok wrote:
>>> Hello Martin,
>>>
>>> Still no go.
>>>
>>> I installed the softhsm-devel package (that only contains
>>> header files), removed the token directory, reinstalled the
>>> bind & bind-pkcs11, did ipa-dns-install that completed ok (I
>>> guess):
>>>
>>> To accept the default shown in brackets, press the Enter key.
>>>
>>> Existing BIND configuration detected, overwrite? [no]: yes
>>> Directory Manager password:
>>>
>>> # ipa-upgradeconfig
>>> [Verifying that root certificate is published]
>>> *Failed to backup CS.cfg: no magic attribute 'dogtag'*
>>> [Migrate CRL publish directory]
>>> CRL tree already moved
>>> [Verifying that CA proxy configuration is correct]
>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>> [Fixing trust flags in /etc/httpd/alias]
>>> Trust flags already processed
>>> [Fix DS schema file syntax]
>>> Syntax already fixed
>>> [Removing RA cert from DS NSS database]
>>> RA cert already removed
>>> [Removing self-signed CA]
>>> [Checking for deprecated KDC configuration files]
>>> [Checking for deprecated backups of Samba configuration files]
>>> [Setting up Firefox extension]
>>> [Add missing CA DNS records]
>>> IPA CA DNS records already processed
>>> [Removing deprecated DNS configuration options]
>>> [Ensuring minimal number of connections]
>>> [Enabling serial autoincrement in DNS]
>>> [Updating GSSAPI configuration in DNS]
>>> [Updating pid-file configuration in DNS]
>>> [Masking named]
>>> Changes to named.conf have been made, restart named
>>> *Failed to restart named: Command ''/bin/systemctl'
>>> 'restart' 'named-pkcs11.service'' returned non-zero exit
>>> status 1*
>>> [Verifying that CA service certificate profile is updated]
>>> [Update certmonger certificate renewal configuration to
>>> version 2]
>>> [Enable PKIX certificate path discovery and validation]
>>> PKIX already enabled
>>> The ipa-upgradeconfig command was successful
>>>
>>>
>>> # systemctl restart named-pkcs11 && journalctl -xn
>>> 19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to
>>> enumerate object store in /var/lib/ipa/dnssec/tokens
>>> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load
>>> the object store
>>> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11
>>> initialization failed
>>> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
>>> 19:38:54 systemd[1]: named-pkcs11.service: control process
>>> exited, code=exited status=1
>>> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name
>>> Domain (DNS) with native PKCS#11.
>>>
>>>
>>> It seems the problem is now there are no tokens:
>>> # ll /var/lib/ipa/dnssec/
>>> total 4.0K
>>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>
>> This is interesting, ipa-dns-install should detect a missing
>> directory and create a new one.
>> Could you send me the tail of /var/log/ipaserver-install.log,
>> where the DNS debug lines are?
>>
>> Martin^2
>>
>>>
>>> Any ideas?
>>>
>>> -- john
>>>
>>> 2014-10-27 19:05 GMT+01:00 Martin Basti <mbasti at redhat.com
>>> <mailto:mbasti at redhat.com>>:
>>>
>>> On 27/10/14 18:53, John Obaterspok wrote:
>>>>
>>>>
>>>> 2014-10-27 12:19 GMT+01:00 Martin Basti
>>>> <mbasti at redhat.com <mailto:mbasti at redhat.com>>:
>>>>
>>>> On 26/10/14 21:39, John Obaterspok wrote:
>>>>> Hi,
>>>>>
>>>>> I enabled mkosek-freeipa repo for F20 and updated
>>>>> freeipa-server from 3.3.5 to 4.1. The yum update
>>>>> reported just a single error:
>>>>>
>>>>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>>>
>>>>> After reboot I had 3 services that failed to start:
>>>>> ipa, kadmin, named-pkcs11
>>>>>
>>>>> Doing "strace -f named-pkcs11 -u named -f -g" I
>>>>> can see:
>>>>> "/var/lib/softhsm/tokens/" => -1 EACCES
>>>>> (Permission denied)
>>>>> initializing DST: PKCS#11 initialization failed
>>>>> exiting (due to fatal error)
>>>>>
>>>>>
>>>>> For kadmin the error is due to not being able to
>>>>> connect to sldap
>>>>>
>>>>> I noticed that softhsm2-util --show-slots reported
>>>>> "ERROR: Could not initialize the library." But
>>>>> that seemed to be because wasn't part of the
>>>>> update. After that I could show the default slot
>>>>> and then I manually called following (as root):
>>>>>
>>>>> "/usr/bin/softhsm2-util --init-token --slot 0
>>>>> --label ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"
>>>>>
>>>>> But the problems won't go away. Any clues?
>>>>>
>>>>> -- john
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Hello,
>>>>
>>>> 1)
>>>> can you share your /var/log/ipaupgrade.log ?
>>>>
>>>>
>>>> Unfortunately I removed the original ipaupgrade.log file
>>>> when I did a retry to install freeipa-server. The
>>>> current ipaupgrade.log has two errors:
>>>> First)
>>>>
>>>> 2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>>>> 2014-10-26T12:45:15Z DEBUG Unhandled LDAPError:
>>>> OPERATIONS_ERROR: {'desc': 'Operations error'}
>>>> 2014-10-26T12:45:15Z ERROR Update failed: Operations error:
>>>> 2014-10-26T12:45:15Z INFO Updating existing entry:
>>>> cn=MemberOf Plugin,cn=plugins,cn=config
>>>> 2014-10-26T12:45:15Z DEBUG
>>>> ---------------------------------------------
>>> Is there some information about the entry which is updated
>>> above?
>>>
>>>>
>>>> Second) It complains about not being able to start
>>>> named-pkcs11 service.
>>>>
>>>> 2)
>>>> your issue with softhsm can be caused by a missing
>>>> environment variable.
>>>> IPA internally uses
>>>>
>>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>> please try
>>>> SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>> softhsm2-util --show-slots, and let me know if it works
>>>>
>>>> same with named-pkcs11,
>>>>
>>>>
>>>> The filestamps for softhsm_pin & tokens match the time
>>>> I did the original update
>>>>
>>>> # ll /var/lib/ipa/dnssec/
>>>> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin
>>>> drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>>>>
>>>> # ll /var/lib/ipa/dnssec/tokens/
>>>> total 0
>>>>
>>>> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>>> softhsm2-util --show-slots
>>>> Available slots:
>>>> Slot 0
>>>> Slot info:
>>>> Description: SoftHSM slot 0
>>>> Manufacturer ID: SoftHSM project
>>>> Hardware version: 2.0
>>>> Firmware version: 2.0
>>>> Token present: yes
>>>> Token info:
>>>> Manufacturer ID: SoftHSM project
>>>> Model: SoftHSM v2
>>>> Hardware version: 2.0
>>>> Firmware version: 2.0
>>>> Serial number:
>>>> Initialized: no
>>>> User PIN init.: no
>>>> Label:
>>> Slot was not initialized by IPA
>>>>
>>>> 3)
>>>> can you share journalctl -u named-pkcs11 output?
>>>>
>>>>
>>>> 10:35:48 systemd[1]: named-pkcs11.service: control
>>>> process exited, code=exited status=1
>>>> 10:35:48 systemd[1]: Failed to start Berkeley Internet
>>>> Name Domain (DNS) with native PKCS#11.
>>>> 10:35:48 systemd[1]: Unit named-pkcs11.service entered
>>>> failed state.
>>>> 10:35:48 systemd[1]: Stopped Berkeley Internet Name
>>>> Domain (DNS) with native PKCS#11.
>>>> -- Reboot --
>>>> 10:58:05 named-pkcs11[1496]: initializing DST: no
>>>> PKCS#11 provider
>>>> 10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
>>>> 10:58:05 systemd[1]: named-pkcs11.service: control
>>>> process exited, code=exited status=1
>>>> 10:58:05 systemd[1]: Failed to start Berkeley Internet
>>>> Name Domain (DNS) with native PKCS#11.
>>>> 10:58:05 systemd[1]: Unit named-pkcs11.service entered
>>>> failed state.
>>>> 10:58:05 systemd[1]: Stopped Berkeley Internet Name
>>>> Domain (DNS) with native PKCS#11.
>>>>
>>>> ... After some fiddling a restart says this:
>>>>
>>>> 19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
>>>> 19:26:21 named-pkcs11[8807]:
>>>> RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
>>>> isc_boolean_true, isc_boolean_false, isc_bo
>>>> 19:26:21 named-pkcs11[8807]: exiting (due to fatal
>>>> error in library)
>>>> 19:26:21 systemd[1]: named-pkcs11.service: control
>>>> process exited, code=exited status=1
>>>> 19:26:21 systemd[1]: Failed to start Berkeley Internet
>>>> Name Domain (DNS) with native PKCS#11.
>>>> 19:26:21 systemd[1]: Unit named-pkcs11.service entered
>>>> failed state.
>>>>
>>>> 4)
>>>> I'm not aware that we need krb5-libs/openssl. I
>>>> was getting this error if the tokens directory doesn't
>>>> exist, but IPA uses its own configuration (see 2), not the
>>>> default.
>>>>
>>>>
>>>> ok
>>>
>>> I took a deeper look, and I found some packaging
>>> errors with softhsm there.
>>> You were right about the missing dependency.
>>>
>>> Please install the softhsm-devel package, remove the
>>> /var/lib/ipa/dnssec/tokens directory, then reinstall
>>> DNS with ipa-dns-install (requires a running directory server).
>>>
>>> Or, if you have a snapshot, install softhsm-devel before
>>> upgrading IPA.
>>>
>>> HTH
>>> Martin^2
>>>
>>> --
>>> Martin Basti
>>>
>>>
>>
>>
>> --
>> Martin Basti
>>
>>
>
>
> --
> Martin Basti
>
>
--
Martin Basti
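The checklist Martin walks John through (are the services running, are there tokens under /var/lib/ipa/dnssec/tokens, does softhsm2-util see the token when pointed at IPA's own SOFTHSM2_CONF, can you dig records) can be turned into a read-only diagnostic. The script below is an added example and is not code from the thread or from FreeIPA; the paths and the SOFTHSM2_CONF value are the ones quoted in the thread, the function names are the example's own, and it assumes a POSIX sh with mktemp/dig/systemctl available only when those steps are actually reached.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): a read-only check
# that walks the diagnostic list from the thread. Paths are those quoted
# in the thread; function names are this example's own.

IPA_DNSSEC_DIR="${IPA_DNSSEC_DIR:-/var/lib/ipa/dnssec}"
IPA_SOFTHSM2_CONF="${IPA_SOFTHSM2_CONF:-/etc/ipa/dnssec/softhsm2.conf}"

# check_token_dir BASE: returns 0 if BASE/tokens exists and is non-empty,
# 1 if it is missing (what a fresh ipa-dns-install should recreate),
# 2 if it exists but is empty (the "total 0" listing in the thread, which
# makes named-pkcs11 fail with "Could not load the object store").
check_token_dir() {
    dir="$1/tokens"
    [ -d "$dir" ] || return 1
    n=0
    # count entries by globbing, so we do not depend on ls formatting
    for f in "$dir"/* "$dir"/.[!.]*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    [ "$n" -gt 0 ] || return 2
    return 0
}

# describe_token_dir BASE: one-word verdict suitable for a report line
describe_token_dir() {
    rc=0
    check_token_dir "$1" || rc=$?
    case "$rc" in
        0) echo "tokens-present" ;;
        1) echo "tokens-missing" ;;
        *) echo "tokens-empty" ;;
    esac
}

# show_slots: query SoftHSM the way IPA does, with IPA's own config file.
# Without this variable softhsm2-util reads the system default config and
# reports on a different token store, which is the trap in the thread.
show_slots() {
    SOFTHSM2_CONF="$IPA_SOFTHSM2_CONF" softhsm2-util --show-slots
}

# check_dns NAME: resolve NAME against the local IPA DNS server
check_dns() {
    dig +short @127.0.0.1 "$1"
}

# main [NAME]: run the whole checklist; tools that are not installed on
# the machine running the script are skipped rather than treated as errors
main() {
    echo "tokens dir ($IPA_DNSSEC_DIR/tokens): $(describe_token_dir "$IPA_DNSSEC_DIR")"
    if command -v ipactl >/dev/null 2>&1; then
        ipactl status || echo "ipactl reports services not running"
    fi
    if command -v softhsm2-util >/dev/null 2>&1; then
        show_slots || echo "softhsm2-util failed (library or config problem)"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl --failed --no-legend || echo "systemctl unavailable"
    fi
    if [ -n "${1:-}" ] && command -v dig >/dev/null 2>&1; then
        check_dns "$1" || echo "dig against 127.0.0.1 failed"
    fi
}

main "$@"
```

Run it as root on the IPA server, optionally with a record name to resolve (`sh ipa-dnssec-check.sh ipa.example.test`, a placeholder name). An empty tokens directory, rather than a missing one, is the state to look for first: it is exactly what John's `ll /var/lib/ipa/dnssec/tokens/` showed, and it is what ipa-dns-install only recreates once the directory has been removed.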