[Freeipa-users] Unable to configure DNSSEC signing
Gary T. Giesen
ggiesen+freeipa-users at giesen.me
Tue May 3 11:28:44 UTC 2016
1. Confirmed, it was already set to ISMASTER=1
2. Logs:
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27099]: ipa : INFO
Signal 15 received: Shutting down!
May 03 07:21:05 host.example.com systemd[1]: Started IPA key daemon.
May 03 07:21:05 host.example.com systemd[1]: Starting IPA key daemon...
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing all plugin modules in ipalib.plugins...
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.aci
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.automember
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.automount
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.baseldap
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.baseuser
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.batch
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.caacl
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.cert
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.certprofile
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.config
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.delegation
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.dns
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.domainlevel
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.group
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.hbacrule
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.hbacsvc
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.hbacsvcgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.hbactest
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.host
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.hostgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.idrange
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.idviews
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.internal
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.kerberos
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.krbtpolicy
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.migration
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.misc
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.netgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.otpconfig
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.otptoken
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.otptoken_yubikey
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.passwd
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.permission
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.ping
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.pkinit
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.privilege
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.pwpolicy
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Starting external process
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
args='klist' '-V'
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: Process
finished, return code=0
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
stdout=Kerberos 5 version 1.13.2
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG: stderr=
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.radiusproxy
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.realmdomains
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.role
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.rpcclient
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.selfservice
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.selinuxusermap
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.server
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.service
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.servicedelegation
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.session
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: WARNING:
session memcached servers not running
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.stageuser
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.sudocmd
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.sudocmdgroup
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.sudorule
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.topology
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.trust
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.user
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.vault
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.virtual
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing all plugin modules in ipaserver.plugins...
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipaserver.plugins.dogtag
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipaserver.plugins.join
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipaserver.plugins.ldap2
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipaserver.plugins.rabase
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipaserver.plugins.xmlserver
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
SessionAuthManager.register: name=jsonserver_session_61570320
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
SessionAuthManager.register: name=xmlserver_session_61593232
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Mounting ipaserver.rpcserver.login_kerberos() at '/session/log
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Mounting ipaserver.rpcserver.jsonserver_session() at '/session
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Mounting ipaserver.rpcserver.jsonserver_kerb() at '/json'
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Mounting ipaserver.rpcserver.xmlserver_session() at '/session/
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Mounting ipaserver.rpcserver.login_password() at '/session/log
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Mounting ipaserver.rpcserver.change_password() at '/session/ch
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Mounting ipaserver.rpcserver.sync_token() at '/session/sync_to
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
Mounting ipaserver.rpcserver.xmlserver() at '/xml'
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
session_auth_duration: 0:20:00
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG
Kerberos principal: ipa-dnskeysyncd/host.example.com
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG
Initializing principal ipa-dnskeysyncd/host.example.com
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG
using ccache /tmp/ipa-dnskeysyncd.ccache
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG
Attempt 1/5: success
May 03 07:21:06 host.example.com python2[27240]: GSSAPI client step 1
May 03 07:21:06 host.example.com python2[27240]: GSSAPI client step 1
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : DEBUG
LDAP URL: ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.so
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : INFO
LDAP bind...
May 03 07:21:07 host.example.com python2[27240]: GSSAPI client step 1
May 03 07:21:07 host.example.com python2[27240]: GSSAPI client step 2
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa : INFO
Commencing sync process
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Current cookie is: None
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG New cookie is: host.exa
3. # rpm -q ipa-server
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: May-03-16 7:08 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
Okay, this is a problem. It should list your zone example.com because it has
DNSSEC signing enabled.
Make sure you are working on host.example.com (the host listed by the
ldapsearch above).
I would check two things:
1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". If it
does not, re-run ipa-dns-install with --dnssec-master option to fix that.
2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and make
sure that it contains line "debug=True" and restart ipa-dnskeysyncd when you
are done with it.
The log should be much longer after this change.
I hope it will help to identify the root cause.
What IPA version do you use?
$ rpm -q freeipa-server
Petr^2 Spacek
> Per the instructions, I've restarted ipa-dnskeysyncd, but it has had
> no effect. The only log entries I see are:
>
> # journalctl -u ipa-dnskeysyncd
>
> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa : INFO
> Signal 15 received: Shutting down!
> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING:
> session memcached servers not running
> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO
> LDAP bind...
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa : INFO
> Commencing sync process
>
>
>
> Can anyone advise on next steps? I've been banging my head against a
> wall for a couple days now and would really appreciate some help.
>
--
Petr^2 Spacek
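
One way to cut a debug journal like the one in this message down to the key-sync events, as an added example that is not part of the original messages or of FreeIPA. The names `rejoin`, `triage`, `NOISE` and `EVENTS` are illustrative, and `SAMPLE` is constructed from lines in the log above.

```python
import re
from collections import Counter

# A record starts with a syslog timestamp; other lines are mail-wrap continuations.
START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+ (\S+?)\[(\d+)\]: ?(.*)$")
# Startup chatter to drop (illustrative list, taken from the log above).
NOISE = ("importing plugin module", "importing all plugin modules",
         "session_auth_duration", "Mounting ipaserver.rpcserver",
         "SessionAuthManager.register")
EVENTS = ("LDAP bind", "Commencing sync process", "Detected add of entry",
          "LDAP zones", "New cookie is")


def rejoin(lines):
    """Merge wrapped continuation lines into one record per journal entry."""
    records = []
    for raw in lines:
        line = raw.strip()
        m = START.match(line)
        if m:
            records.append({"unit": m.group(1), "pid": int(m.group(2)), "msg": m.group(3)})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def triage(records, unit="ipa-dnskeysyncd"):
    """Keep the newest PID of the unit, drop noise, count sync events."""
    own = [r for r in records if r["unit"] == unit]
    pid = own[-1]["pid"] if own else None
    kept = [r["msg"] for r in own
            if r["pid"] == pid and not any(n in r["msg"] for n in NOISE)]
    events = Counter(e for msg in kept for e in EVENTS if e in msg)
    return {"pid": pid, "kept": kept, "events": dict(events)}

# Constructed sample: a few wrapped lines copied from the log above.
SAMPLE = """\
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27099]: ipa : INFO
Signal 15 received: Shutting down!
May 03 07:21:05 host.example.com ipa-dnskeysyncd[27240]: ipa: DEBUG:
importing plugin module ipalib.plugins.dns
May 03 07:21:06 host.example.com ipa-dnskeysyncd[27240]: ipa : INFO
LDAP bind...
May 03 07:21:07 host.example.com python2[27240]: GSSAPI client step 2
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa : INFO
Commencing sync process
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG Detected add of entry:
May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]:
ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG LDAP zones: {'203dbe2d-8d9c-1
""".splitlines()
```

Calling `triage(rejoin(lines))` on saved `journalctl -u ipa-dnskeysyncd` output returns the surviving messages in `kept` and per-event counts in `events`.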