[Freeipa-users] Failed upgrade to 4.2 via RHEL 7.2

Brian Topping brian.topping at gmail.com
Wed Dec 23 07:28:41 UTC 2015


Greetings all! Thanks for all the continued work on FreeIPA! :)

I saw that 4.2 made it to RHEL 7.2 and upgraded. Unfortunately, the system did not come up cleanly.

It seems to be some problem with the DNS server:

> [root@ipa01 ~]# systemctl status named-pkcs11
> ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
>    Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2015-12-23 01:56:37 EST; 4s ago
>   Process: 16506 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
>   Process: 16503 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
> 
> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2
> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed
> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: couldn't establish connection in LDAP connection pool: permission denied
> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: dynamic database 'ipa' configuration failed: permission denied
> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: loading configuration: permission denied
> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: exiting (due to fatal error)
> Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
> Dec 23 01:56:37 ipa01.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
> Dec 23 01:56:37 ipa01.example.com systemd[1]: Unit named-pkcs11.service entered failed state.
> Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service failed.


https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart provides some good information. After manually starting 389, I was able to confirm that the LDAP credentials are able to retrieve the DNS tree with:

> [root@ipa01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket' -Y GSSAPI -b 'cn=dns,dc=example,dc=com'

I was also able to confirm that the named.keytab file is correct:

> [root@ipa01 ~]# kinit -k -t /etc/named.keytab DNS/ipa01.example.com
> [root@ipa01 ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_th1WCcV
> Default principal: DNS/ipa01.example.com@EXAMPLE.COM
> 
> Valid starting       Expires              Service principal
> 12/23/2015 02:07:14  12/24/2015 02:07:14  krbtgt/EXAMPLE.COM@EXAMPLE.COM

I have disabled unencrypted binds to 389, but I read somewhere this evening this should not be an issue since passwords were being sent and the STARTTLS is always being used.

https://fedorahosted.org/freeipa/ticket/5232 seems to be related here, but I did the install on a healthy server, so I can't imagine that it's the same. I also don't see any recovery techniques listed here or in the issue that it links to at https://bugzilla.redhat.com/show_bug.cgi?id=1254412. I searched the list archives for this error and came up empty. The versions I have are as follows:

> bind-license-9.9.4-29.el7_2.1.noarch
> bind-libs-lite-9.9.4-29.el7_2.1.x86_64
> bind-utils-9.9.4-29.el7_2.1.x86_64
> bind-pkcs11-libs-9.9.4-29.el7_2.1.x86_64
> bind-dyndb-ldap-8.0-1.el7.x86_64
> bind-pkcs11-utils-9.9.4-29.el7_2.1.x86_64
> bind-9.9.4-29.el7_2.1.x86_64
> bind-pkcs11-9.9.4-29.el7_2.1.x86_64
> bind-libs-9.9.4-29.el7_2.1.x86_64
> ipa-python-4.2.0-15.el7.centos.3.x86_64
> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
> sssd-ipa-1.13.0-40.el7_2.1.x86_64
> ipa-client-4.2.0-15.el7.centos.3.x86_64
> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
> ipa-server-4.2.0-15.el7.centos.3.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.1.x86_64

I'm also attaching the ipaupgrade.log.

Hopefully I am missing something simple here. Can anyone help?

Happy solstice!

Brian
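The checks described in the post (kinit with the DNS keytab, then a SASL/GSSAPI bind over LDAPI) can be scripted so they are repeated the same way each time, together with a small classifier for the named-pkcs11 journal lines quoted above. The script below is an added example, not code from the original post or from the FreeIPA project. It assumes the principal, keytab path and LDAPI URI shown in the post; the 389-ds attribute names it queries (nsslapd-minssf, nsslapd-localssf, nsslapd-require-secure-binds) are real configuration attributes, but reading them as the thing to compare against a "security flags do not match required" failure is this example's assumption, not something the post establishes.

```shell
#!/bin/sh
# Added example (not from the original post or FreeIPA).
#   classify_named_log    reads named-pkcs11 journal lines on stdin and names
#                         the first fatal stage it recognises
#   check_named_ldap_bind repeats the poster's keytab/GSSAPI checks against a
#                         live server and prints the directory's SSF settings

classify_named_log() {
    # Tokens, in the order bind-dyndb-ldap hits them while starting up:
    #   sasl-ssf    SASL(-14) "security flags do not match required": Kerberos
    #               succeeded, but the directory demands a stronger security
    #               layer than this bind was credited with
    #   gssapi      Kerberos itself failed (keytab, principal or ticket)
    #   ldap-other  any other LDAP bind error
    #   ok          no fatal line seen
    result=ok
    while IFS= read -r line; do
        case "$line" in
            *"security flags do not match required"*) result=sasl-ssf;   break ;;
            *"GSSAPI Error"*)                         result=gssapi;     break ;;
            *"LDAP error"*)                           result=ldap-other; break ;;
        esac
    done
    printf '%s\n' "$result"
}

check_named_ldap_bind() {
    # $1 principal, e.g. DNS/ipa01.example.com            (from the post)
    # $2 LDAP URI,  e.g. ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
    # $3 keytab,    defaults to /etc/named.keytab          (path from the post)
    principal=$1; uri=$2; keytab=${3:-/etc/named.keytab}
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME   # throwaway ccache
    if ! kinit -k -t "$keytab" "$principal"; then
        echo "kinit with $keytab as $principal failed: keytab problem"; return 1
    fi
    # Same bind path named uses: SASL/GSSAPI against the configured URI.
    # The root DSE is readable by any bound identity, so this isolates the bind.
    if ! ldapsearch -LLL -H "$uri" -Y GSSAPI -b '' -s base namingContexts >/dev/null; then
        echo "GSSAPI bind to $uri failed"; return 2
    fi
    # Assumption: when this bind works but named still logs SASL(-14), compare
    # the minimum SSF the directory enforces with what this connection gets
    # (LDAPI connections are assigned nsslapd-localssf rather than a
    # negotiated SASL layer).
    ldapsearch -LLL -H "$uri" -Y GSSAPI -b cn=config -s base \
        nsslapd-minssf nsslapd-localssf nsslapd-require-secure-binds
    kdestroy
}

# Constructed sample: two journal lines taken from the post's output.
SAMPLE_LOG='Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed'

# Live checks only run when both variables are set; otherwise classify the sample.
if [ -n "${NAMED_CHECK_PRINCIPAL:-}" ] && [ -n "${NAMED_CHECK_URI:-}" ]; then
    check_named_ldap_bind "$NAMED_CHECK_PRINCIPAL" "$NAMED_CHECK_URI" "${NAMED_CHECK_KEYTAB:-}"
else
    printf '%s\n' "$SAMPLE_LOG" | classify_named_log
fi
```

Run it with `NAMED_CHECK_PRINCIPAL=DNS/ipa01.example.com NAMED_CHECK_URI='ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket' sh check.sh` on the server, or pipe `journalctl -u named-pkcs11` into `classify_named_log` to see which stage fails first. The classifier stops at the first match because the later lines ("couldn't establish connection in LDAP connection pool", "permission denied") are consequences of the bind failure, not separate faults.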
