[Freeipa-users] named-pkcs11 fails to start on new replica [SOLVED]

Bob Hinton bob at jackland.demon.co.uk
Thu Jul 14 08:14:41 UTC 2016


On 14/07/2016 08:39, Martin Babinsky wrote:
> On 07/13/2016 09:56 PM, Bob Hinton wrote:
>> Hi,
>>
>> We are trying to create a new replica on RHEL 7.2
>>
>> This completes but named-pkcs11 fails to start -
>>
>>  systemctl status named-pkcs11.service
>> ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native
>> PKCS#11
>>    Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service;
>> disabled; vendor preset: disabled)
>>    Active: failed (Result: exit-code) since Wed 2016-07-13 18:38:15 BST;
>> 51min ago
>>   Process: 25913 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS
>> (code=exited, status=1/FAILURE)
>>   Process: 25910 ExecStartPre=/bin/bash -c if [ !
>> "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z
>> /etc/named.conf; else echo "Checking of zone files is disabled"; fi
>> (code=exited, status=0/SUCCESS)
>>
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: corporation.
>> Support and training for BIND 9 are
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: available at
>> https://www.isc.org/support
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]:
>> ----------------------------------------------------
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: adjusted limit on
>> open files from 4096 to 1048576
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: found 1 CPU,
>> using 1 worker thread
>> Jul 13 18:38:15 ipa001.mgmt.local named-pkcs11[25916]: using 1 UDP
>> listener per interface
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service:
>> control process exited, code=exited status=1
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Failed to start Berkeley
>> Internet Name Domain (DNS) with native PKCS#11.
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: Unit named-pkcs11.service
>> entered failed state.
>> Jul 13 18:38:15 ipa001.mgmt.local systemd[1]: named-pkcs11.service
>> failed.
>>
>> # /usr/sbin/named-pkcs11 -d 9 -g
>> 13-Jul-2016 19:31:01.283 starting BIND 9.9.4-RedHat-9.9.4-29.el7_2.1
>> -d 9 -g
>> 13-Jul-2016 19:31:01.283 built with '--build=x86_64-redhat-linux-gnu'
>> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
>> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
>> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
>> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
>> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool'
>> '--localstatedir=/var' '--enable-threads' '--enable-ipv6'
>> '--enable-filter-aaaa' '--enable-rrl' '--with-pic' '--disable-static'
>> '--disable-openssl-version-check' '--enable-exportlib'
>> '--with-export-libdir=/usr/lib64'
>> '--with-export-includedir=/usr/include'
>> '--includedir=/usr/include/bind9' '--enable-native-pkcs11'
>> '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes'
>> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
>> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes'
>> '--disable-isc-spnego' '--enable-fixed-rrset'
>> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
>> 'build_alias=x86_64-redhat-linux-gnu'
>> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
>> --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
>> 'LDFLAGS=-Wl,-z,relro ' 'CPPFLAGS= -DDIG_SIGCHASE'
>> 13-Jul-2016 19:31:01.283
>> ----------------------------------------------------
>> 13-Jul-2016 19:31:01.284 BIND 9 is maintained by Internet Systems
>> Consortium,
>> 13-Jul-2016 19:31:01.284 Inc. (ISC), a non-profit 501(c)(3)
>> public-benefit
>> 13-Jul-2016 19:31:01.284 corporation.  Support and training for BIND
>> 9 are
>> 13-Jul-2016 19:31:01.284 available at https://www.isc.org/support
>> 13-Jul-2016 19:31:01.284
>> ----------------------------------------------------
>> 13-Jul-2016 19:31:01.284 adjusted limit on open files from 4096 to
>> 1048576
>> 13-Jul-2016 19:31:01.284 found 1 CPU, using 1 worker thread
>> 13-Jul-2016 19:31:01.284 using 1 UDP listener per interface
>> 13-Jul-2016 19:31:01.284 using up to 4096 sockets
>> 13-Jul-2016 19:31:01.284 Registering DLZ_dlopen driver
>> 13-Jul-2016 19:31:01.284 Registering SDLZ driver 'dlopen'
>> 13-Jul-2016 19:31:01.284 Registering DLZ driver 'dlopen'
>> 13-Jul-2016 19:31:01.287 initializing DST: PKCS#11 initialization failed
>> 13-Jul-2016 19:31:01.287 exiting (due to fatal error)
>>
>> # tail -2 /var/log
>>
>> Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]:
>> ObjectStore.cpp(59): Failed to enumerate object store in
>> /var/lib/softhsm/tokens/
>>
>> Jul 13 19:31:01 ipa001.mgmt.local named-pkcs11[27088]: SoftHSM.cpp(456):
>> Could not load the object store
>>
>> I've tried "ipa-server-upgrade" and
>>
>> mv /var/lib/ipa/dnssec/tokens /var/lib/ipa/dnssec/tokens-OLD
>>
>> ipa-dns-install
>>
>> But I haven't managed to fix it.
>>
>> Using "ipactl start -f" means the rest of the ipa services seem to work
>> properly, but without named.
>>
>> Is there a way to fix the named issue or is it much simpler to
>> disconnect the replica, uninstall it and start again?
>>
>> Thanks
>>
>> Bob Hinton
>>
>>
>>
>
> Hi Bob,
>
> If your SElinux is in enforcing mode I would check for AVCs, maybe the
> token directory is mislabeled.
>
> You also may be hitting
> https://fedorahosted.org/freeipa/ticket/5520 , there is a workaround
> described in the ticket.
>
Hi Martin,

It was the umask on RHEL 7.2 that had caused the problem as per ticket 5520

chmod 770 /var/lib/ipa/dnssec

chmod 644 /etc/ipa/dnssec/softhsm2.conf

ipactl restart

Fixed it

Many thanks

Bob
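The fix above boils down to two permission changes on paths that a restrictive umask had created without group access. The script below is an added example, not something posted in the thread or shipped by FreeIPA: it reproduces the symptom on a constructed directory tree (created under umask 077 in a temp dir, so it runs on a machine without IPA), checks whether `/var/lib/ipa/dnssec` and `/etc/ipa/dnssec/softhsm2.conf` carry at least the bits the thread's `chmod` commands grant, and then applies those same commands and re-checks. The `ROOT` prefix argument, the function names, and the 770/644 thresholds taken from the thread are my own choices; `stat -c '%a'` is GNU coreutils, as on RHEL. Run it with an empty root (`check_dnssec_perms ""`) on a real replica to see whether the chmod pair is needed before restarting `named-pkcs11`. It compares mode bits only; ownership and SELinux labels (Martin's AVC suggestion) are separate checks.

```shell
#!/bin/sh
# Added example: check the two paths the thread's fix touches for the
# permission bits the fix grants. ROOT is an optional prefix so the check
# can run against a constructed tree instead of the live /var and /etc.

# perms_at_least PATH WANT -> 0 if every bit of octal WANT is set on PATH,
# 1 if some bit is missing, 2 if PATH does not exist.
perms_at_least() {
    have=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # leading 0 makes the shell treat both values as octal
    [ "$(( 0$have & 0$2 ))" -eq "$(( 0$2 ))" ]
}

# check_dnssec_perms ROOT -> prints one line per path and returns the number
# of paths that lack the bits (0 means the thread's chmod pair is not needed).
check_dnssec_perms() {
    root=${1:-}
    failures=0
    for entry in "/var/lib/ipa/dnssec:770" "/etc/ipa/dnssec/softhsm2.conf:644"; do
        path="$root${entry%%:*}"
        want=${entry##*:}
        have=$(stat -c '%a' "$path" 2>/dev/null)
        : "${have:=missing}"
        if perms_at_least "$path" "$want"; then
            printf 'OK   %s mode %s (needs %s)\n' "$path" "$have" "$want"
        else
            printf 'FIX  %s mode %s (needs %s) -> chmod %s %s\n' \
                "$path" "$have" "$want" "$want" "$path"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# make_broken_fixture ROOT -> constructed test data: the two paths created
# under umask 077, i.e. with no group/other bits, as the thread describes.
make_broken_fixture() {
    ( umask 077
      mkdir -p "$1/var/lib/ipa/dnssec" "$1/etc/ipa/dnssec"
      : > "$1/etc/ipa/dnssec/softhsm2.conf" )
}

# apply_thread_fix ROOT -> the chmod pair from the thread, under ROOT.
apply_thread_fix() {
    chmod 770 "$1/var/lib/ipa/dnssec" &&
    chmod 644 "$1/etc/ipa/dnssec/softhsm2.conf"
}

# Stand-alone demo on a temporary tree: broken state, fix, fixed state.
demo() {
    root=$(mktemp -d)
    make_broken_fixture "$root"
    check_dnssec_perms "$root" || echo "$? path(s) need the thread's chmod"
    apply_thread_fix "$root"
    check_dnssec_perms "$root" && echo "all permissions OK"
    rm -rf "$root"
}

demo
```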



