<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 23.12.2015 08:28, Brian Topping
wrote:<br>
</div>
<blockquote
cite="mid:611D1200-92B8-4F2B-B8FC-110F7BA51FC5@gmail.com"
type="cite">Greetings all! Thanks for all the continued work on
FreeIPA! :)
<div class=""><br class="">
</div>
<div class="">I saw that 4.2 made it to RHEL 7.2 and upgraded.
Unfortunately, the system did not come up cleanly.</div>
<div class=""><br class="">
</div>
<div class="">It seems to be some problem with the DNS server:</div>
<div class=""><br class="">
</div>
<div class="">
<blockquote type="cite" class="">[root@ipa01 ~]# systemctl
status named-pkcs11<br class="">
● named-pkcs11.service - Berkeley Internet Name Domain (DNS)
with native PKCS#11<br class="">
Loaded: loaded
(/usr/lib/systemd/system/named-pkcs11.service; disabled;
vendor preset: disabled)<br class="">
Active: failed (Result: exit-code) since Wed 2015-12-23
01:56:37 EST; 4s ago<br class="">
Process: 16506 ExecStart=/usr/sbin/named-pkcs11 -u named
$OPTIONS (code=exited, status=1/FAILURE)<br class="">
Process: 16503 ExecStartPre=/bin/bash -c if [ !
"$DISABLE_ZONE_CHECKING" == "yes" ]; then
/usr/sbin/named-checkconf -z /etc/named.conf; else echo
"Checking of zone files is disabled"; fi (code=exited,
status=0/SUCCESS)<br class="">
<br class="">
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: GSSAPI client step 2<br class="">
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: LDAP error: Invalid credentials: SASL(-14): authorization failure: security flags do not match required: bind to LDAP server failed<br class="">
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: couldn't establish connection in LDAP connection pool: permission denied<br class="">
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: dynamic database 'ipa' configuration failed: permission denied<br class="">
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: loading configuration: permission denied<br class="">
Dec 23 01:56:37 ipa01.example.com named-pkcs11[16509]: exiting (due to fatal error)<br class="">
Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1<br class="">
Dec 23 01:56:37 ipa01.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.<br class="">
Dec 23 01:56:37 ipa01.example.com systemd[1]: Unit named-pkcs11.service entered failed state.<br class="">
Dec 23 01:56:37 ipa01.example.com systemd[1]: named-pkcs11.service failed.<br class="">
</blockquote>
</div>
<div class=""><br class="">
</div>
<div class=""><a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart"
class="">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart</a> provides
some good information. After manually starting 389, I was able
to confirm that the LDAP credentials are able to retrieve the
DNS tree with:</div>
<div class=""><br class="">
</div>
<div class="">
<blockquote type="cite" class="">[root@ipa01 ~]# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket' -Y GSSAPI -b 'cn=dns,dc=example,dc=com'</blockquote>
<br class="">
</div>
<div class="">I was also able to confirm that the named.keytab
file is correct:</div>
<div class=""><br class="">
</div>
<div class="">
<blockquote type="cite" class="">[root@ipa01 ~]# kinit -k -t /etc/named.keytab DNS/ipa01.example.com<br class="">
[root@ipa01 ~]# klist<br class="">
Ticket cache: KEYRING:persistent:0:krb_ccache_th1WCcV<br class="">
Default principal: DNS/ipa01.example.com@EXAMPLE.COM<br class="">
<br class="">
Valid starting Expires Service principal<br class="">
12/23/2015 02:07:14 12/24/2015 02:07:14 krbtgt/EXAMPLE.COM@EXAMPLE.COM<br class="">
</blockquote>
<br class="">
</div>
<div class="">I have disabled unencrypted binds to 389, but I read
somewhere this evening that this should not be an issue, since
passwords were being sent and STARTTLS is always being
used. </div>
<div class=""><br class="">
</div>
<div class=""><a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/5232" class="">https://fedorahosted.org/freeipa/ticket/5232</a> seems
to be related here, but I did the install on a healthy server,
so I can't imagine that it's the same. I also don't see any
recovery techniques listed here or in the issue that it links to
at <a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=1254412"
class="">https://bugzilla.redhat.com/show_bug.cgi?id=1254412</a>.
I searched the list archives for this error and came up empty.
The versions I have are as follows:</div>
<div class=""><br class="">
</div>
<div class="">
<blockquote type="cite" class="">bind-license-9.9.4-29.el7_2.1.noarch<br
class="">
bind-libs-lite-9.9.4-29.el7_2.1.x86_64<br class="">
bind-utils-9.9.4-29.el7_2.1.x86_64<br class="">
bind-pkcs11-libs-9.9.4-29.el7_2.1.x86_64<br class="">
bind-dyndb-ldap-8.0-1.el7.x86_64<br class="">
bind-pkcs11-utils-9.9.4-29.el7_2.1.x86_64<br class="">
bind-9.9.4-29.el7_2.1.x86_64<br class="">
bind-pkcs11-9.9.4-29.el7_2.1.x86_64<br class="">
bind-libs-9.9.4-29.el7_2.1.x86_64<br class="">
ipa-python-4.2.0-15.el7.centos.3.x86_64<br class="">
ipa-admintools-4.2.0-15.el7.centos.3.x86_64<br class="">
sssd-ipa-1.13.0-40.el7_2.1.x86_64<br class="">
ipa-client-4.2.0-15.el7.centos.3.x86_64<br class="">
ipa-server-dns-4.2.0-15.el7.centos.3.x86_64<br class="">
ipa-server-4.2.0-15.el7.centos.3.x86_64<br class="">
python-libipa_hbac-1.13.0-40.el7_2.1.x86_64<br class="">
libipa_hbac-1.13.0-40.el7_2.1.x86_64<br class="">
</blockquote>
<br class="">
</div>
<div class="">I'm also attaching the ipaupgrade.log</div>
<div class=""><br class="">
</div>
<div class="">Hopefully I am missing something simple here. Can
anyone help?</div>
<div class=""><br class="">
</div>
<div class="">Happy solstice!</div>
<div class=""><br class="">
</div>
<div class="">Brian</div>
<div class=""><br class="">
</div>
<br>
</blockquote>
Hello,<br>
<br>
can you check your value of umask?<br>
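<br>
As an added example that is not part of either message above and is not FreeIPA or bind-dyndb-ldap code, here is a POSIX shell pre-flight check that follows up on the umask question. It reports whether the current umask strips the group-read bit, and whether the files named-pkcs11 needs are readable by the unprivileged service user (the unit status above shows it starts with <code>-u named</code>), judged from each file's mode and ownership. Assumptions not stated on the page: that files written by the upgrade under a restrictive umask are the suspected cause; that the service user and group are both called <code>named</code>; that the path list beyond /etc/named.conf and /etc/named.keytab (/etc/rndc.key, /var/named) is the stock RHEL 7 layout (override with NAMED_FILES); and GNU <code>stat</code>. Save it as named-preflight.sh and run it as root.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or bind-dyndb-ldap.
# Follows up on the reply's "check your umask" hint with a repeatable check.
# Assumption (not stated on the page): files written during the upgrade under
# a restrictive umask such as 077 end up unreadable by the unprivileged
# 'named' user, which root-run checks such as
#   kinit -k -t /etc/named.keytab DNS/host
# cannot reveal, because root reads the keytab whatever its mode.

# Assumed stock RHEL 7 / FreeIPA 4.2 locations; override if yours differ.
NAMED_FILES="${NAMED_FILES:-/etc/named.conf /etc/named.keytab /etc/rndc.key /var/named}"
NAMED_USER="${NAMED_USER:-named}"
NAMED_GROUP="${NAMED_GROUP:-named}"

# oct2dec OCTAL -> decimal; accepts 22, 022 or 0022.
oct2dec() { printf '%d' "0$1"; }

# umask_allows_group_read UMASK -> success if files created under UMASK keep
# the group-read bit (0040). 077 fails; 027 and 022 pass.
umask_allows_group_read() {
    [ $(( $(oct2dec "$1") & 32 )) -eq 0 ]
}

# mode_readable_by MODE OWNER GROUP USER UGROUP -> success if USER (primary
# group UGROUP) may read a file with permission MODE owned by OWNER:GROUP.
# Applies the owner/group/other precedence of classic Unix permission
# checks; it does not consult supplementary groups or ACLs.
mode_readable_by() {
    m=$(oct2dec "$1")
    if   [ "$2" = "$4" ]; then bit=256   # owner read (0400)
    elif [ "$3" = "$5" ]; then bit=32    # group read (0040)
    else                       bit=4     # other read (0004)
    fi
    [ $(( m & bit )) -ne 0 ]
}

# check_file PATH -> prints one status line; success only if NAMED_USER can read it.
check_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING    $f"
        return 1
    fi
    set -- $(stat -c '%a %U %G' "$f")   # mode owner group (GNU stat)
    if mode_readable_by "$1" "$2" "$3" "$NAMED_USER" "$NAMED_GROUP"; then
        echo "ok         $f ($1 $2:$3)"
    else
        echo "UNREADABLE $f ($1 $2:$3) by $NAMED_USER"
        return 1
    fi
}

# run_checks -> 0 when the umask and every listed file pass, 1 otherwise.
run_checks() {
    rc=0
    cur=$(umask)
    if umask_allows_group_read "$cur"; then
        echo "ok         umask $cur"
    else
        echo "WARN       umask $cur strips group read; files created under it may be unreadable to $NAMED_USER"
        rc=1
    fi
    for f in $NAMED_FILES; do
        check_file "$f" || rc=1
    done
    return $rc
}

# Run the checks only when invoked as a script under this name, so the
# functions can also be sourced and reused.
case "${0##*/}" in named-preflight.sh) run_checks ;; esac
```

The point of running it as root is that root's own <code>kinit -k -t /etc/named.keytab</code> succeeds regardless of the file mode, so that test proves the keys are right but says nothing about whether the service user can read them; the mode check above asks the second question.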
</body>
</html>