[Freeipa-users] Unable to configure DNSSEC signing

Gary T. Giesen ggiesen+freeipa-users at giesen.me
Tue May 3 14:18:32 UTC 2016


Thanks Petr. I'm on IRC as well if a more interactive troubleshooting
session would be better.

Cheers,

GTG

-----Original Message-----
From: Petr Spacek [mailto:pspacek at redhat.com] 
Sent: May-03-16 9:59 AM
To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing

On 3.5.2016 15:29, Gary T. Giesen wrote:
> All lines from the log file with conn=152.
> 
> [03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
> [03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com at example.com,cn=services,cn=accounts,dc=example,dc=com"
> [03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
> [03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0

This seems to be okay, I will think about it a bit more and return back to
you when I find something.

Petr^2 Spacek

> 
> -----Original Message-----
> From: Petr Spacek [mailto:pspacek at redhat.com]
> Sent: May-03-16 8:50 AM
> To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
> freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
> 
> Hmm, this is really weird.
> 
> It should log message "Initial LDAP dump is done, sychronizing with 
> ODS and BIND" which is apparently not there. Maybe LDAP server is 
> doing something weird ...
> 
> Could you inspect /var/log/dirsrv/*/access_log and look for lines 
> similar to ones in the attached file, please?
> 
> It should start with log message like
> "connection from local to /var/run/slapd-*".
> This line will have identifier like "conn=84". We are looking for conn 
> number (e.g. "conn=84") which is related to BIND DN 
> "dn="krbprincipalname=ipa-dnskeysyncd/*".
> 
> If you find the right conn number, look for other lines containing the 
> same conn number and operation "SRCH base="cn=dns,*". This SRCH line 
> will have specific identifier like "conn=84 op=3".
> 
> Now you have identifier for particular operation. Look for RESULT line 
> with the same ID.
> 
> How does it look?
> 
> Can you copy&paste complete all lines with identifier conn=??? you found?
> 
> Thanks!
> Petr^2 Spacek
> 
> On 3.5.2016 13:37, Gary T. Giesen wrote:
>> See attached.
>>
>> GTG
>>
>> -----Original Message-----
>> From: Petr Spacek [mailto:pspacek at redhat.com]
>> Sent: May-03-16 7:33 AM
>> To: Gary T. Giesen <ggiesen+freeipa-users at giesen.me>;
>> freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>
>> On 3.5.2016 13:28, Gary T. Giesen wrote:
>>> 1. Confirmed, it was already set to ISMASTER=1
>>>
>>> 2. Logs:
>>> ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Current cookie is: None
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.odsmgr.ODSMgr: DEBUG    LDAP zones: {'203dbe2d-8d9c-1
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    Detected add of entry:
>>> May 03 07:21:07 host.example.com ipa-dnskeysyncd[27240]: ipa.ipapython.dnssec.keysyncer.KeySyncer: DEBUG    New cookie is: host.exa
>>
>> The log seems to be truncated. Please attach it as a file to avoid 
>> truncation and line wrapping problems.
>>
>> Thanks
>> Petr^2 Spacek
>>
>>>
>>>
>>> 3. # rpm -q ipa-server
>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>>
>>> -----Original Message-----
>>> From: freeipa-users-bounces at redhat.com 
>>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
>>> Sent: May-03-16 7:08 AM
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Unable to configure DNSSEC signing
>>>
>>> Okay, this is a problem. It should list your zone example.com 
>>> because it has DNSSEC signing enabled.
>>>
>>> Make sure you are working on host.example.com (the host listed by 
>>> the ldapsearch above).
>>>
>>> I would check two things:
>>> 1. File /etc/sysconfig/ipa-dnskeysyncd contains line "ISMASTER=1". 
>>> If it does not, re-run ipa-dns-install with --dnssec-master option 
>>> to fix
>> that.
>>>
>>> 2. Debug logs from the daemon. Please edit /etc/ipa/default.conf and 
>>> make sure that it contains line "debug=True" and restart 
>>> ipa-dnskeysyncd when you are done with it.
>>>
>>> The log should be much longer after this change.
>>>
>>> I hope it will help to identify the root cause.
>>>
>>> What IPA version do you use?
>>> $ rpm -q freeipa-server
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>
>>>> Per the instructions, I've restarted ipa-dnskeysyncd, but it has 
>>>> had no effect. The only log entries I see are:
>>>>
>>>> # journalctl -u ipa-dnskeysyncd
>>>>
>>>> May 02 20:35:52 host.example.com systemd[1]: Stopping IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[14903]: ipa         : INFO     Signal 15 received: Shutting down!
>>>> May 02 20:35:52 host.example.com systemd[1]: Started IPA key daemon.
>>>> May 02 20:35:52 host.example.com systemd[1]: Starting IPA key daemon...
>>>> May 02 20:35:52 host.example.com ipa-dnskeysyncd[15014]: ipa: WARNING: session memcached servers not running
>>>> May 02 20:35:53 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO     LDAP bind...
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:53 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 1
>>>> May 02 20:35:54 host.example.com python2[15014]: GSSAPI client step 2
>>>> May 02 20:35:54 host.example.com ipa-dnskeysyncd[15014]: ipa         : INFO     Commencing sync process
>>>>
>>>>
>>>>
>>>> Can anyone advise on next steps? I've been banging my head against 
>>>> a wall for a couple days now and would really appreciate some help.
> 
> 
> --
> Petr^2 Spacek
> 


--
Petr^2 Spacek
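The access_log correlation Petr walks through in the quoted message (find the conn number whose GSSAPI bind resolved to the ipa-dnskeysyncd principal, find that connection's SRCH against cn=dns,*, then the RESULT line with the same "conn=N op=M" identifier), written out as an added Python example. This is not code from the thread or from FreeIPA. The sample input is reconstructed from the conn=152 lines posted above (unwrapped, with the principal's "@" restored where the list archive prints " at "), plus a constructed conn=153 from a different bind DN to show that other clients' searches are left out of the report.

```python
"""Correlate ipa-dnskeysyncd activity in a 389-ds access log.

Added example for the thread above; not code from FreeIPA or from the list.
Implements the three lookups Petr describes: bind DN -> conn number,
conn number -> SRCH base="cn=dns,*", and that op's RESULT line.
"""
import re
import sys

# Constructed sample input: the conn=152 lines from the thread, unwrapped,
# with "@" restored in the principal, plus a made-up conn=153 (another
# client searching cn=dns) that the report must ignore.
SAMPLE_ACCESS_LOG = """\
[03/May/2016:07:21:06 -0400] conn=152 fd=83 slot=83 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[03/May/2016:07:21:06 -0400] conn=152 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[03/May/2016:07:21:06 -0400] conn=152 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/May/2016:07:21:06 -0400] conn=152 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ipa-dnskeysyncd/host.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"
[03/May/2016:07:21:06 -0400] conn=152 op=3 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))" attrs=ALL
[03/May/2016:07:21:06 -0400] conn=152 op=3 RESULT err=269 tag=121 nentries=0 etime=0
[03/May/2016:07:21:06 -0400] conn=153 fd=84 slot=84 connection from 192.0.2.10 to 192.0.2.1
[03/May/2016:07:21:06 -0400] conn=153 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[03/May/2016:07:21:06 -0400] conn=153 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[03/May/2016:07:21:06 -0400] conn=153 op=1 SRCH base="cn=dns,dc=example,dc=com" scope=2 filter="(objectClass=idnsZone)" attrs=ALL
[03/May/2016:07:21:06 -0400] conn=153 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# One access_log line: timestamp, conn, optional op, then the rest of the line.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
# key=value pairs; quoted values (dn="...", filter="...") are consumed whole,
# so an "=" inside a DN or an LDAP filter is not mistaken for a new key.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_access_log(text):
    """Return one dict per parsable line: conn, op (or None), verb, fields."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entries.append({
            'conn': int(m.group('conn')),
            'op': int(m.group('op')) if m.group('op') else None,
            'verb': rest.split(' ', 1)[0],  # BIND, SRCH, RESULT, ...
            'fields': fields,
        })
    return entries


def find_keysyncd_dns_searches(text,
                               bind_prefix='krbprincipalname=ipa-dnskeysyncd/',
                               base_prefix='cn=dns,'):
    """Return the cn=dns searches issued by ipa-dnskeysyncd with their results."""
    entries = parse_access_log(text)

    # Step 1: a SASL bind is attributed to a DN only on its final RESULT line
    # (err=0 dn="..."); the earlier err=14 lines are "SASL bind in progress".
    keysyncd_conns = {
        e['conn'] for e in entries
        if e['verb'] == 'RESULT' and e['fields'].get('err') == '0'
        and e['fields'].get('dn', '').startswith(bind_prefix)
    }

    # Step 2: SRCH operations on those connections against cn=dns,*
    searches = [
        e for e in entries
        if e['conn'] in keysyncd_conns and e['verb'] == 'SRCH'
        and e['fields'].get('base', '').startswith(base_prefix)
    ]

    # Step 3: the RESULT line sharing the same "conn=N op=M" identifier
    by_id = {(e['conn'], e['op']): e for e in entries if e['verb'] == 'RESULT'}
    report = []
    for s in searches:
        res = by_id.get((s['conn'], s['op']))
        report.append({
            'conn': s['conn'],
            'op': s['op'],
            'base': s['fields']['base'],
            'filter': s['fields'].get('filter'),
            'err': int(res['fields']['err']) if res else None,
            'nentries': int(res['fields']['nentries']) if res else None,
        })
    return report


if __name__ == '__main__':
    # Pass a real access log path as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for r in find_keysyncd_dns_searches(text):
        status = 'OK' if r['err'] == 0 else 'FAILED'
        print(f"conn={r['conn']} op={r['op']} base={r['base']} "
              f"err={r['err']} nentries={r['nentries']} -> {status}")
```

On the sample input the report contains a single entry, conn=152 op=3 with err=269 and nentries=0, which is exactly the pair of lines Gary pasted; conn=153 is dropped because its bind DN is not the ipa-dnskeysyncd principal. Against a live server, point it at the file under /var/log/dirsrv/*/ that Petr names; a non-zero err on the cn=dns search is the line to bring to the list, since the daemon's initial dump cannot complete without that search returning.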



