[Freeipa-users] Failed upgrade to 4.2 via RHEL 7.2

Martin Basti mbasti at redhat.com
Mon Jan 4 09:48:13 UTC 2016



On 23.12.2015 08:28, Brian Topping wrote:
> Greetings all! Thanks for all the continued work on FreeIPA! :)
>
> I saw that 4.2 made it to RHEL 7.2 and upgraded. Unfortunately, the 
> system did not come up cleanly.
>
> It seems to be some problem with the DNS server:
>
>> [root@ipa01 ~]# systemctl status named-pkcs11
>> ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
>>    Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
>>    Active: failed (Result: exit-code) since Wed 2015-12-23 01:56:37 EST; 4s ago
>>   Process: 16506 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
>>   Process: 16503 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
>>
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: couldn't establish connection in LDAP connection pool: permission denied
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: dynamic database 'ipa' configuration failed: permission denied
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: loading configuration: permission denied
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: exiting (due to fatal error)
>> Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>> Dec 23 01:56:37 ipa01.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> Dec 23 01:56:37 ipa01.example.com systemd[1]: Unit named-pkcs11.service entered failed state.
>> Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service failed.
>
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart provides 
> some good information. After manually starting 389, I was able to 
> confirm that the LDAP credentials are able to retrieve the DNS tree with:
>
>> [root@ipa01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket' -Y GSSAPI -b 'cn=dns,dc=example,dc=com'
>
> I was also able to confirm that the named.keytab file is correct:
>
>> [root@ipa01 ~]# kinit -k -t /etc/named.keytab DNS/ipa01.example.com
>> [root@ipa01 ~]# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_th1WCcV
>> Default principal: DNS/ipa01.example.com@EXAMPLE.COM
>>
>> Valid starting       Expires              Service principal
>> 12/23/2015 02:07:14  12/24/2015 02:07:14  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
> I have disabled unencrypted binds to 389, but I read somewhere this 
> evening this should not be an issue since passwords were being sent 
> and the STARTTLS is always being used.
>
> https://fedorahosted.org/freeipa/ticket/5232 seems to be related here, 
> but I did the install on a healthy server, so I can't imagine that 
> it's the same. I also don't see any recovery techniques listed here or 
> in the issue that it links to at 
> https://bugzilla.redhat.com/show_bug.cgi?id=1254412. I searched the 
> list archives for this error and came up empty. The versions I have 
> are as follows:
>
>> bind-license-9.9.4-29.el7_2.1.noarch
>> bind-libs-lite-9.9.4-29.el7_2.1.x86_64
>> bind-utils-9.9.4-29.el7_2.1.x86_64
>> bind-pkcs11-libs-9.9.4-29.el7_2.1.x86_64
>> bind-dyndb-ldap-8.0-1.el7.x86_64
>> bind-pkcs11-utils-9.9.4-29.el7_2.1.x86_64
>> bind-9.9.4-29.el7_2.1.x86_64
>> bind-pkcs11-9.9.4-29.el7_2.1.x86_64
>> bind-libs-9.9.4-29.el7_2.1.x86_64
>> ipa-python-4.2.0-15.el7.centos.3.x86_64
>> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
>> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>> ipa-client-4.2.0-15.el7.centos.3.x86_64
>> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
>> ipa-server-4.2.0-15.el7.centos.3.x86_64
>> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> I'm also attaching the ipaupgrade.log
>
> Hopefully I am missing something simple here. Can anyone help?
>
> Happy solstice!
>
> Brian
Hello,

can you check your value of umask?
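The two permission checks the thread points at (Martin's umask question and Brian's keytab test), written up as a read-only script; this is an added example, not code from the thread or from the FreeIPA project. It assumes `stat -c` (GNU coreutils or busybox), that the service runs as the `named` user shown in the ExecStart line above, and the /etc/named.keytab path Brian used; both can be overridden via the environment.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: re-run the two permission
# checks the thread points at. Assumes `stat -c` (GNU coreutils or busybox), that the
# service runs as user "named" (as in the ExecStart line above), and the keytab path
# Brian used. Override with KEYTAB=... SVC_USER=... in the environment.
KEYTAB=${KEYTAB:-/etc/named.keytab}
SVC_USER=${SVC_USER:-named}

# umask_ok UMASK: succeed unless the mask strips group or other read (octal 044 = 36),
# which would leave files created as root during an upgrade unreadable to "named".
umask_ok() {
    m=$(printf '%d' "0$1")        # leading 0 makes printf parse the value as octal
    [ $(( m & 36 )) -eq 0 ]
}

# file_readable_by FILE USER: decide from ownership and mode bits whether USER could
# read FILE (owner bit if USER owns it, group bit if USER is in the file's group,
# otherwise the "other" bit). Returns 2 if FILE cannot be stat'ed.
file_readable_by() {
    f=$1; u=$2
    info=$(stat -c '%a %U %G' "$f" 2>/dev/null) || return 2
    set -- $info
    perm=$(printf '%04d' "$1" | tail -c 3)   # drop setuid/setgid/sticky digit if present
    owner=$2; group=$3
    ub=${perm%??}; gb=${perm#?}; gb=${gb%?}; ob=${perm#??}
    if [ "$owner" = "$u" ]; then
        bit=$ub
    elif id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$gb
    else
        bit=$ob
    fi
    [ $(( bit & 4 )) -ne 0 ]
}

# Report only; nothing below changes the system.
cur=$(umask)
if umask_ok "$cur"; then
    echo "umask $cur: ok, group/other read bits are kept"
else
    echo "umask $cur: WARNING, strips read bits; files created by root during upgrade may be unreadable to $SVC_USER"
fi
if [ -e "$KEYTAB" ]; then
    if file_readable_by "$KEYTAB" "$SVC_USER"; then
        echo "$KEYTAB: readable by $SVC_USER ($(stat -c '%a %U:%G' "$KEYTAB"))"
    else
        echo "$KEYTAB: WARNING, not readable by $SVC_USER ($(stat -c '%a %U:%G' "$KEYTAB"))"
    fi
else
    echo "$KEYTAB: not present on this host, skipping keytab check"
fi
```

If both checks pass, the kinit and ldapsearch steps Brian already ran are the next things to repeat, this time as the service user rather than root.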