[Freeipa-users] Failed upgrade to 4.2 via RHEL 7.2
Martin Basti
mbasti at redhat.com
Mon Jan 4 09:48:13 UTC 2016
On 23.12.2015 08:28, Brian Topping wrote:
> Greetings all! Thanks for all the continued work on FreeIPA! :)
>
> I saw that 4.2 made it to RHEL 7.2 and upgraded. Unfortunately, the
> system did not come up cleanly.
>
> It seems to be some problem with the DNS server:
>
>> [root@ipa01 ~]# systemctl status named-pkcs11
>> ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
>> Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
>> Active: failed (Result: exit-code) since Wed 2015-12-23 01:56:37 EST; 4s ago
>> Process: 16506 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
>> Process: 16503 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
>>
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: couldn't establish connection in LDAP connection pool: permission denied
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: dynamic database 'ipa' configuration failed: permission denied
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: loading configuration: permission denied
>> Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: exiting (due to fatal error)
>> Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
>> Dec 23 01:56:37 ipa01.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
>> Dec 23 01:56:37 ipa01.example.com systemd[1]: Unit named-pkcs11.service entered failed state.
>> Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service failed.
>
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart provides
> some good information. After manually starting 389, I was able to
> confirm that the LDAP credentials are able to retrieve the DNS tree with:
>
>> [root@ipa01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket' -Y GSSAPI -b 'cn=dns,dc=example,dc=com'
>
> I was also able to confirm that the named.keytab file is correct:
>
>> [root@ipa01 ~]# kinit -k -t /etc/named.keytab DNS/ipa01.example.com
>> [root@ipa01 ~]# klist
>> Ticket cache: KEYRING:persistent:0:krb_ccache_th1WCcV
>> Default principal: DNS/ipa01.example.com@EXAMPLE.COM
>>
>> Valid starting       Expires              Service principal
>> 12/23/2015 02:07:14  12/24/2015 02:07:14  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
> I have disabled unencrypted binds to 389, but I read somewhere this
> evening this should not be an issue since passwords were being sent
> and the STARTTLS is always being used.
>
> https://fedorahosted.org/freeipa/ticket/5232 seems to be related here,
> but I did the install on a healthy server, so I can't imagine that
> it's the same. I also don't see any recovery techniques listed here or
> in the issue that it links to at
> https://bugzilla.redhat.com/show_bug.cgi?id=1254412. I searched the
> list archives for this error and came up empty. The versions I have
> are as follows:
>
>> bind-license-9.9.4-29.el7_2.1.noarch
>> bind-libs-lite-9.9.4-29.el7_2.1.x86_64
>> bind-utils-9.9.4-29.el7_2.1.x86_64
>> bind-pkcs11-libs-9.9.4-29.el7_2.1.x86_64
>> bind-dyndb-ldap-8.0-1.el7.x86_64
>> bind-pkcs11-utils-9.9.4-29.el7_2.1.x86_64
>> bind-9.9.4-29.el7_2.1.x86_64
>> bind-pkcs11-9.9.4-29.el7_2.1.x86_64
>> bind-libs-9.9.4-29.el7_2.1.x86_64
>> ipa-python-4.2.0-15.el7.centos.3.x86_64
>> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
>> sssd-ipa-1.13.0-40.el7_2.1.x86_64
>> ipa-client-4.2.0-15.el7.centos.3.x86_64
>> ipa-server-dns-4.2.0-15.el7.centos.3.x86_64
>> ipa-server-4.2.0-15.el7.centos.3.x86_64
>> python-libipa_hbac-1.13.0-40.el7_2.1.x86_64
>> libipa_hbac-1.13.0-40.el7_2.1.x86_64
>
> I'm also attaching the ipaupgrade.log
>
> Hopefully I am missing something simple here. Can anyone help?
>
> Happy solstice!
>
> Brian
>
Hello,
can you check your value of umask?
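A preflight script that wraps the checks Brian ran and the umask question Martin raises, added here as an illustration and not part of the original thread or of FreeIPA itself. The umask and keytab helpers work offline on their inputs (the klist output below is a constructed sample, not captured from the poster's server); the live section reruns kinit, the ldapi search and systemctl only when the script is invoked with --live on an IPA server. Hostname, realm, socket path and DNS base are assumptions taken from the thread's example.com values.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for the
# "named-pkcs11 cannot bind to LDAP after upgrade" situation above.
# Host, realm, socket and base DN are assumptions mirroring the thread.

IPA_HOST="${IPA_HOST:-ipa01.example.com}"
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"
NAMED_KEYTAB="${NAMED_KEYTAB:-/etc/named.keytab}"
LDAPI_URI="${LDAPI_URI:-ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket}"
DNS_BASE="${DNS_BASE:-cn=dns,dc=example,dc=com}"

# umask_is_restrictive MASK
# True (exit 0) when MASK clears the group or other read bit, e.g. 027 or
# 077: files written while such a umask is active end up unreadable for the
# unprivileged named user. 022 is the conventional, non-restrictive value.
umask_is_restrictive() {
    # The leading 0 makes the shell read the value as octal; 044 = g+r,o+r.
    [ $(( 0$1 & 044 )) -ne 0 ]
}

# keytab_has_principal PRINCIPAL
# Reads `klist -k KEYTAB` output on stdin and returns 0 if PRINCIPAL is
# listed. Table rows are "<kvno> <principal>"; the header lines never have
# a numeric first field, so they are skipped.
keytab_has_principal() {
    awk -v want="$1" \
        'NF == 2 && $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed sample of `klist -k /etc/named.keytab` output, used to
# exercise keytab_has_principal without a real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/named.keytab
KVNO Principal
---- ------------------------------------------------------------------------
   2 DNS/ipa01.example.com@EXAMPLE.COM
   2 DNS/ipa01.example.com@EXAMPLE.COM'

# The checks from the thread, plus the umask question, run on the server.
live_checks() {
    printf 'umask: %s\n' "$(umask)"
    if umask_is_restrictive "$(umask)"; then
        echo "WARN: umask drops group/other read; files created by the upgrade may be unreadable by named"
    fi
    printf 'keytab %s: ' "$NAMED_KEYTAB"
    if klist -k "$NAMED_KEYTAB" | keytab_has_principal "DNS/$IPA_HOST@$IPA_REALM"; then
        echo "contains DNS/$IPA_HOST@$IPA_REALM"
    else
        echo "MISSING DNS/$IPA_HOST@$IPA_REALM"
    fi
    ls -l "$NAMED_KEYTAB"
    # Same sequence as in the thread: the keytab must yield a TGT, and that
    # identity must be able to read the DNS container over the ldapi socket.
    kinit -k -t "$NAMED_KEYTAB" "DNS/$IPA_HOST@$IPA_REALM" && \
        ldapsearch -H "$LDAPI_URI" -Y GSSAPI -s base -b "$DNS_BASE" dn
    systemctl status named-pkcs11 --no-pager
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as `sh preflight.sh --live` on the affected server; without the flag it only defines the helpers, so the offline functions can be sourced and tested elsewhere.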