#4741 ipa-server-install crashed on named-pkcs11 restart
Closed: Fixed. Opened 9 years ago by mkosek.

FreeIPA installation on CentOS crashed when I installed with custom hostname:

# ipa-server-install --setup-dns --forwarder 10.0.0.1 --ip-address 10.0.0.2 --hostname ipa.mkosek-rhel70.test
...
The IPA Master Server will be configured with:
Hostname:       ipa.mkosek-rhel70.test
IP address(es): 10.16.78.67
Domain name:    mkosek-rhel70.test
Realm name:     MKOSEK-RHEL70.TEST
...
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/6]: checking status
  [2/6]: setting up kerberos principal
  [3/6]: setting up SoftHSM
  [4/6]: adding DNSSEC containers
  [5/6]: creating replica keys
  [6/6]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
ipa         : ERROR    Named service failed to start (Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1)
named service failed to start

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' returned non-zero exit status 1

install log:

2014-11-19T03:15:41Z DEBUG stderr=
2014-11-19T03:15:41Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2014-11-19T03:15:41Z DEBUG Starting external process
2014-11-19T03:15:41Z DEBUG args='/bin/systemctl' 'restart' 'named-pkcs11.service'
2014-11-19T03:15:42Z DEBUG Process finished, return code=1
2014-11-19T03:15:42Z DEBUG stdout=
2014-11-19T03:15:42Z DEBUG stderr=Job for named-pkcs11.service failed. See 'systemctl status named-pkcs11.service' and 'journalctl -xn' for details.

2014-11-19T03:15:42Z ERROR Named service failed to start (Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1)
2014-11-19T03:15:42Z DEBUG raw: dnsconfig_show(version=u'2.108')
2014-11-19T03:15:42Z DEBUG dnsconfig_show(rights=False, all=False, raw=False, version=u'2.108')
2014-11-19T03:15:42Z DEBUG Restarting the web server

named-pkcs11 service status:

# service named-pkcs11 status
Redirecting to /bin/systemctl status  named-pkcs11.service
named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled)
   Active: failed (Result: exit-code) since Tue 2014-11-18 22:18:06 EST; 11min ago
  Process: 4879 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 4877 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)

Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/IDM.LAB.BOS.REDHAT.COM@MKOSEK-RHEL70.TEST not found in Kerberos database)
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/IDM.LAB.BOS.REDHAT.COM@MKOSEK-RHEL70.TEST not found in Kerberos database): bind to LDAP server failed
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: couldn't establish connection in LDAP connection pool: failure
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: dynamic database 'ipa' configuration failed: failure
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: loading configuration: failure
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com named-pkcs11[4882]: exiting (due to fatal error)
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com systemd[1]: named-pkcs11.service: control process exited, code=exited status=1
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com systemd[1]: Unit named-pkcs11.service entered failed state.
Nov 18 22:18:06 vm-067.idm.lab.bos.redhat.com systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.

I am not sure where the "EXAMPLE.COM" came from, as the server was installed with a whole different realm. Apparently, the original hostname's vm-067.idm.lab.bos.redhat.com domain was used/cached somewhere.


4.1.4 was released, moving to new milestone

The problem is probably caused by an extra entry in the /etc/hosts file. Reverse lookup in Kerberos then results in the hostname from /etc/hosts instead of the one currently configured and used.

This bug is caused by the unchanged hostname. bind-pkcs11 tries to use the old hostname. Also, the hostname command returns the old hostname.

When the hostname was changed manually after installation to the proper one, bind-pkcs11 successfully started.

To resolve this issue we need to find out why sometimes IPA did not change hostname.
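A pre-flight check for the mismatch diagnosed above, as an added example that is not FreeIPA's own code: it parses /etc/hosts text and compares the canonical name bound to the server address, the name the kernel reports, and the hostname passed to ipa-server-install, and spells out the cross-realm krbtgt principal a stale entry makes the Kerberos client ask for. The sample hosts file, the `expected`/`realm`/`ip` values and the function names are constructed for this illustration.

```python
"""Detect the stale-hostname condition behind the named-pkcs11 GSSAPI bind failure."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the old VM name still maps the address before the IPA name does.
SAMPLE_HOSTS = """127.0.0.1   localhost
10.16.78.67 vm-067.idm.lab.bos.redhat.com vm-067   # stale entry, constructed
10.16.78.67 ipa.mkosek-rhel70.test ipa
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each address in /etc/hosts text to the names listed for it, in file order."""
    mapping: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and blank lines
        if fields:
            mapping.setdefault(fields[0], []).extend(fields[1:])
    return mapping


def implied_realm(hostname: str) -> str:
    """Realm a Kerberos client assumes for a host with no [domain_realm] rule or DNS
    hint: the domain part upper-cased (MIT krb5's default fallback)."""
    return hostname.split(".", 1)[1].upper() if "." in hostname else ""


@dataclass
class HostnameCheck:
    canonical: str                 # first name /etc/hosts lists for the address
    system: str                    # what hostname(1) returns
    problems: List[str] = field(default_factory=list)


def check_hostname(expected: str, realm: str, ip: str, hosts_text: str,
                   system_hostname: str) -> HostnameCheck:
    """Report each way the machine's identity disagrees with the name IPA was given."""
    names = parse_hosts(hosts_text).get(ip, [])
    canonical = names[0] if names else ""
    result = HostnameCheck(canonical, system_hostname)
    if system_hostname.lower() != expected.lower():
        result.problems.append(f"hostname command returns {system_hostname!r}, expected {expected!r}")
    if not names:
        result.problems.append(f"no /etc/hosts entry for {ip}")
    elif canonical.lower() != expected.lower():
        # gethostbyaddr() through the files backend returns the first matching line's first
        # name, so the LDAP bind targets a principal whose domain maps to a foreign realm.
        result.problems.append(
            f"reverse lookup of {ip} yields {canonical!r}; the client would request "
            f"krbtgt/{implied_realm(canonical)}@{realm} instead of a ticket for ldap/{expected}")
    return result
```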

Metadata Update from @mkosek:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.3

7 years ago
