username restrictions
by Winfried de Heiden
Hi all,
The Red Hat manual is not too clear about this
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...)
IdM supports user names that can be described by the following regular
expression:
[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?
Note
User names ending with the trailing dollar sign ($) are supported to
enable Samba 3.x machine support.
If you add a user whose user name contains uppercase characters, IdM
automatically converts the name to lowercase when saving it. Therefore,
IdM always requires users to enter their user names all lowercase when
logging in. Additionally, it is not possible to add users whose user
names only differ in letter casing, such as user and User.
Having co-workers from different countries using different languages, we
want to avoid "strange" characters from Cyrillic, German, Hindi etc. etc.
Reading the docs, it suggests only plain UTF ASCII is supported, no
"strange" characters. Correct? Or else: how to avoid/not allow non-standard
ASCII usernames?
Winfried
5 years, 1 month
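As an added example (not from the Red Hat documentation or from the post above), the following Python snippet applies the quoted regular expression with `re.fullmatch`, lowercases the candidate the way the documentation says IdM does on save, and reports non-ASCII characters (Cyrillic lookalikes, umlauts) by name so an operator can see why a name was rejected. The function names and the sample names are my own.

```python
import re
import unicodedata

# Regular expression exactly as quoted from the Red Hat IdM documentation above.
# Its character classes are ASCII-only, so any non-ASCII letter fails to match.
IDM_USERNAME_RE = re.compile(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?")


def normalize_username(name):
    """IdM converts user names to lowercase when saving; mirror that first."""
    return name.lower()


def validate_username(name):
    """Return (ok, detail).

    ok is True only when the lowercased name matches the documented pattern
    in full; detail is then the stored (lowercase) form, otherwise a reason.
    """
    non_ascii = [c for c in name if not c.isascii()]
    if non_ascii:
        # Name the offending code points: a Cyrillic 'а' looks like a Latin 'a'
        # in a terminal, but it is a different character and IdM rejects it.
        names = sorted({unicodedata.name(c, "U+%04X" % ord(c)) for c in non_ascii})
        return False, "non-ASCII characters: " + ", ".join(names)
    candidate = normalize_username(name)
    if IDM_USERNAME_RE.fullmatch(candidate) is None:
        return False, "does not match the IdM user name pattern"
    return True, candidate


def case_collisions(names):
    """IdM does not allow names that differ only in case (user vs. User);
    return the groups of proposed names that would collide after lowercasing."""
    groups = {}
    for n in names:
        groups.setdefault(normalize_username(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample input: ASCII names, a Samba-style machine account,
    # a German umlaut, and a Cyrillic lookalike of "admin".
    for sample in ["winfried", "Winfried", "samba-host$", "-leading", "müller", "аdmin"]:
        print(repr(sample), validate_username(sample))
    print(case_collisions(["user", "User", "bob"]))
```

The `isascii()` check runs before the regex so that the rejection reason is explicit; the regex alone would also reject the non-ASCII names, but only with the generic "does not match" message. The length bound falls out of the pattern itself: one leading character, up to 252 middle characters and one optional trailing character, so 254 characters pass and 255 fail.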
FreeIPA Samba integration slow since update 7.4->7.5
by dbischof@hrz.uni-kassel.de
Hi,
in order to be able to use IPA auth for Samba shares, I followed this
guide:
https://bgstack15.wordpress.com/2017/05/10/samba-share-with-freeipa-auth/
IPA and Samba are running on the same server, everything worked fine.
Actually, it still does, but since the upgrade from 7.4 to 7.5 (including
IPA 4.5.0->4.5.4, Samba 4.6.2->4.7.1 and sssd-1.15.2->1.60.0) file
browsing and copying is painfully slow on Mac, Windows and Linux (<10% of
the theoretical maximum). It "feels" as whether there is a timeout after
each file operation.
Nothing in the server logs. Client logs on Linux occasionally show a "CIFS
VFS: ioctl error in smb2_get_dfs_refer rc=-2". Reverting Samba back to
non-IPA auth (dedicated Samba accounts) gives expected performance (near
theoretical maximum).
I'm out of ideas on how to diagnose this. Any hints?
Mit freundlichen Gruessen/With best regards,
--Daniel.
5 years, 1 month
SSL Private Key Recovery
by Winfried de Heiden
Hi all,
Creating the SSL certs/keys for, for example, Apache can easily be done
by using the FreeIPA Dogtag CA server. With some effort, I put it in an
Ansible playbook which will install Apache and certificates "on demand".
Sometimes a server needs to be re-installed ("cattle servers"); why
bother about backup/restore when a server can be redeployed within
minutes. However, a new certificate needs to be created, it seems, since I
cannot (re)download the private key once created.
Now: is it just impossible to (re)download the private SSL key later
on for re-use?
If not possible: the FreeIPA vault (KRA) seems a proper way to store the
private key. Correct?
Thanks!
Winfried
5 years, 1 month
IPA DNS Forwarders are not forwarding.
by TomK
Hey All,
(Hopefully) a quick DNS Forwarding question.
My Windows DNS is authoritative on MY.DOM . My IPA servers are
authoritative on NIX.MY.DOM . Forwarding from the Windows DNS to the
IPA DNS servers seems to work just fine. But not the other way despite
having the forwarder defined in IPA:
Zone name: my.dom.
Active zone: TRUE
Zone forwarders: 192.168.0.224, 192.168.0.220, 192.168.0.221
Forward policy: first
So when I list the IPA DNS servers in /etc/resolv.conf first, they won't
resolve MY.DOM. But if I place the Windows DNS server first
(192.168.0.224) then resolution on MY.DOM and NIX.MY.DOM works just fine.
Any hints to make the forwarder work on the IPA side?
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
5 years, 1 month
freeipa and two DNS domains
by Ranbir
Hello,
I have freeipa running with two DNS zones: one I configured during the
initial install and a second one I added later. This new zone is
obviously still part of the same kerberos realm.
When I join a client in the new DNS zone to the freeipa domain, I see
these errors:
Failed to update DNS records.
Missing A/AAAA record(s) for host server.seconddomain.tld: 1.2.3.4.
Missing reverse record(s) for address(es): 1.2.3.4.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa2.seconddomain.tld/ipa/session/json'
Could not update DNS SSHFP records.
Only clients joined to zone B exhibit this behaviour.
What do I need to add to my freeipa DNS configuration to make this work properly?
Thanks!
--
Ranbir
5 years, 1 month
Certificate issuer has been marked as not trusted by the user
by Israel Brewster
I recently had the certificates I use on my FreeIPA server expire, preventing ipa from starting. So I replaced them with the new ones, and IPA still wouldn't start, whereupon after some digging I discovered the new certificates came with new Intermediate and root certificates. So I installed those using ipa-cacert-manage, ran ipa-certupdate, and then re-installed my certificates using ipa-server-certinstall, all of which appeared to work. However, the IPA service still won't start, with the issue apparently being that pki-tomcat isn't starting properly. Looking at the /var/log/pki/pki-tomcat/ca/debug file shows that the reason for this is:
Internal Database Error encountered: Could not connect to LDAP server host freeipaserver-a.ravnalaska.net<http://freeipaserver-a.ravnalaska.net> port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
Ok, sounds simple enough, so how do I mark the Peer's certificate issuer as trusted? Thanks.
-----------------------------------------------
Israel Brewster
Systems Analyst II
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7293
-----------------------------------------------
5 years, 1 month
is running sssd and nscd in parallel a better option?
by Harald Dunkel
Hi folks,
I read somewhere that it is not recommended to run nscd to cache
passwd on IPA clients, but I wonder: what if?
I still have the problem that sometimes some sssd components
disappear somehow, e.g. sssd_pam. The logfile on our mail gateway
said
:
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 74
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0080): Client already disconnected
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0080): Client already disconnected
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0020): Performing auto-reconnect
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
:
:
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 11
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
:
:
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_reconnect] (0x0080): Making reconnection attempt 1 to [unix:path=/var/lib/sss/pipes/private/sbus-dp_aixigo.de]
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_reconnect] (0x0080): Reconnected to [unix:path=/var/lib/sss/pipes/private/sbus-dp_aixigo.de]
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_conn_register_path] (0x0400): Registering object path /org/freedesktop/sssd/responder with D-Bus connection
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_dp_reconnect_init] (0x0020): Reconnected to the Data Provider.
:
Some emails were bounced with "user unknown" at the same time, so I would
guess there is a coincidence. The question is: could nscd be an option here,
providing an additional cache for user accounts? What side effects could
come up?
Platform is Debian 9, sssd is version 1.16.2, nscd version 2.24.
Every helpful comment is highly appreciated.
Regards
Harri
5 years, 1 month
Unable to sudo to obtain root privileges with root account present in AD
by Bart
Hi all,
I have a strange (at least to me) issue with a replica instance of FreeIPA server.
Almost every time I power cycle this instance, after a short period of time I cannot 'sudo -s'/'sudo su -' to switch to the local root account.
Due to the root account being present in AD (I have a working trust relationship established with AD) I am switched to root(a)win.domain.com, where win.domain.com is a placeholder for my real AD domain name. Obviously, this account has no HBAC rules configured that would allow it to switch to the local root account...
This behaviour is something I do not understand because in my sssd configuration, which I attach below, I added an entry for the root user to the filter_users list.
In an attempt to resolve this I added enable_files_domain = false to my config but this didn't improve anything.
I would really appreciate any help/pointing to possible misconfiguration that might be causing this.
My sssd.conf looks like this:
[domain/linux.domain.com/win.domain.com]
debug_level = 6
krb_auth_timeout = 90
use_fully_qualified_names = False
subdomain_homedir = /home/%u
selinux_provider = none
entry_cache_timeout = 5400
cached_auth_timeout = 5400
cache_credentials = True
[domain/linux.domain.com]
debug_level = 6
entry_cache_timeout = 5400
cached_auth_timeout = 5400
cache_credentials = True
subdomain_homedir = /home/%u
# Optimization
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
#cache_first = True
ldap_purge_cache_timeout = 0
ldap_sudo_full_refresh_interval = 21600
krb5_store_password_if_offline = True
ipa_domain = linux.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = freeipa-1b.linux.domain.com
chpass_provider = ipa
ipa_server = freeipa-1b.linux.domain.com
dns_discovery_domain = linux.domain.com
ipa_server_mode = True
[sssd]
entry_cache_timeout = 5400
enable_files_domain = false
debug_level = 6
domain_resolution_order = win.domain.com, linux.domain.com
services = nss, sudo, pam, ssh
domains = linux.domain.com
[nss]
entry_cache_timeout = 5400
debug_level = 6
filter_users = fedora,root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,dirsrv,pkiuser,kdcproxy,ipaapi,apache,tomcat
filter_groups = fedora,wheel,adm,root
override_shell = /bin/bash
override_homedir = /home/%u
homedir_substring = /home
[pam]
entry_cache_timeout = 5400
debug_level = 6
pam_id_timeout = 90
[sudo]
entry_cache_timeout = 5400
debug_level = 6
[autofs]
entry_cache_timeout = 5400
debug_level = 6
[ssh]
entry_cache_timeout = 5400
debug_level = 6
[pac]
entry_cache_timeout = 5400
debug_level = 6
Relevant entries from the sssd.log:
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14945: New request 'User by ID'
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #14945: Performing a multi-domain search
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #14945: Search will check the cache and check the data provider
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14945: Using domain [win.domain.com]
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14945: Looking up UID:0@win.domain.com
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14945: Checking negative cache for [UID:0@win.domain.com]
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14945: [UID:0@win.domain.com] does not exist (negative cache)
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14945: Using domain [linux.domain.com]
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14945: Looking up UID:0@linux.domain.com
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14945: Checking negative cache for [UID:0@linux.domain.com]
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14945: [UID:0@linux.domain.com] does not exist (negative cache)
(Mon Oct 8 12:11:59 2018) [sssd[nss]] [cache_req_process_result] (0x0400): CR #14945: Finished: Not found
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14946: New request 'User by name'
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_process_input] (0x0400): CR #14946: Parsing input name [root]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_name] (0x0400): CR #14946: Setting name [root]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #14946: Performing a multi-domain search
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #14946: Search will check the cache and check the data provider
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14946: Using domain [win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #14946: Preparing input data for domain [win.domain.com] rules
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14946: Looking up root(a)win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14946: Checking negative cache for [root(a)win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14946: [root(a)win.domain.com] is not present in negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #14946: Looking up [root(a)win.domain.com] in cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14946: Returning [root(a)win.domain.com] from cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #14946: This request type does not support filtering result by negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #14946: Found 1 entries in domain win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #14946: Finished: Success
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14947: New request 'Group by name'
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_process_input] (0x0400): CR #14947: Parsing input name [root]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_name] (0x0400): CR #14947: Setting name [root]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #14947: Performing a multi-domain search
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #14947: Search will check the cache and check the data provider
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14947: Using domain [win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #14947: Preparing input data for domain [win.domain.com] rules
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14947: Looking up root(a)win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14947: Checking negative cache for [root(a)win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #14947: [root(a)win.domain.com] is not present in negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #14947: Looking up [root(a)win.domain.com] in cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #14947: Returning [root(a)win.domain.com] from cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #14947: This request type does not support filtering result by negative cache
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #14947: Found 1 entries in domain win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #14947: Finished: Success
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Mon Oct 8 12:12:02 2018) [sssd[nss]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Additional info:
I use Fedora 27 with freeipa:
Name : freeipa-server
Version : 4.6.3
Release : 2.fc27
Arch : x86_64
and sssd:
Name : sssd
Version : 1.16.3
Release : 2.fc27
Arch : x86_64
nsswitch.conf content:
passwd: sss files systemd
shadow: files sss
group: sss files systemd
#hosts: db files nisplus nis dns
hosts: files dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus
aliases: files nisplus
sudoers: files sss
5 years, 1 month
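The pam responder log in Harri's post and the nss responder log in Bart's post share one line format: a timestamp in parentheses, the responder name, the function, a hex debug level and the message. The following Python script is an added example, not code from either poster or from SSSD itself. It parses that format and aggregates the signals a defender would pull out of these two excerpts: PAM replies that ended in "System error", D-Bus reconnections to the data provider, and for each nss cache request (the `CR #n` prefix) which domains were searched, in which order, and where the entry was finally found. The sample lines are constructed and modelled on the excerpts; the socket path in them is a placeholder.

```python
import re
from datetime import datetime

# Constructed sample lines in the sssd responder log format, modelled on the
# pam and nss excerpts quoted above. The ':' line mimics the elision markers
# in the post and must be skipped by the parser.
SAMPLE_LOG = """\
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0020): Performing auto-reconnect
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
:
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_reconnect] (0x0080): Reconnected to [unix:path=/var/lib/sss/pipes/private/sbus-dp_example.test]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #14946: New request 'User by name'
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #14946: Using domain [win.domain.com]
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #14946: Found 1 entries in domain win.domain.com
(Mon Oct 8 12:12:00 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #14946: Finished: Success
"""

# (timestamp) [sssd[service]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
CR_RE = re.compile(r"^CR #(?P<cr>\d+): (?P<rest>.*)$")
NEW_RE = re.compile(r"^New request '(?P<type>[^']+)'")
DOMAIN_RE = re.compile(r"^Using domain \[(?P<dom>[^\]]+)\]")
FOUND_RE = re.compile(r"^Found (?P<n>\d+) entries in domain (?P<dom>\S+)")


def parse_line(line):
    """Split one responder log line into its fields; None for non-log lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "service": m["svc"],
        "func": m["func"],
        "level": int(m["level"], 16),
        "msg": m["msg"],
    }


def summarize(text):
    """Aggregate PAM failures, data-provider reconnects and per-request
    domain search order from a block of responder log text."""
    summary = {"pam_system_errors": 0, "reconnects": [], "cache_requests": {}}
    for rec in filter(None, map(parse_line, text.splitlines())):
        # pam_reply result [4] is the "System error" the mail gateway saw.
        if rec["service"] == "pam" and rec["func"] == "pam_reply" and "result [4]" in rec["msg"]:
            summary["pam_system_errors"] += 1
        # Only the start and end of a reconnect; the "Deferring" lines are noise.
        if rec["msg"].startswith(("Performing auto-reconnect", "Reconnected to")):
            summary["reconnects"].append((rec["ts"], rec["msg"]))
        cr = CR_RE.match(rec["msg"])
        if cr is None:
            continue
        req = summary["cache_requests"].setdefault(
            cr["cr"], {"type": None, "domains_tried": [], "found_in": None, "result": None}
        )
        rest = cr["rest"]
        new, dom, found = NEW_RE.match(rest), DOMAIN_RE.match(rest), FOUND_RE.match(rest)
        if new:
            req["type"] = new["type"]
        elif dom:
            # The order of these lines is the order sssd searched the domains.
            req["domains_tried"].append(dom["dom"])
        elif found:
            req["found_in"] = found["dom"]
        elif rest.startswith("Finished: "):
            req["result"] = rest[len("Finished: "):]
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("PAM system errors:", s["pam_system_errors"])
    for ts, msg in s["reconnects"]:
        print(ts.isoformat(), msg)
    for cr, req in s["cache_requests"].items():
        print("CR", cr, req)
```

Run over a real `sssd_pam.log` or `sssd_nss.log`, the `domains_tried` list shows directly which domain answered a name lookup first, and the `reconnects` timestamps can be correlated with the application-side failures (bounced mail, a failed `sudo`) that prompted each post.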
Error installing dnssec-master
by Quan Zhou
Hi,
I'm having a problem setting up a DNSSEC master with FreeIPA 4.7.0.
A validity error occurred while `ipa-dns-install --dnssec-master`
was configuring the OpenDNSSEC enforcer daemon:
```
Done configuring IPA OpenDNSSEC exporter daemon (ipa-ods-exporter).
Configuring OpenDNSSEC enforcer daemon (ods-enforcerd)
[1/8]: checking status
[2/8]: setting up configuration files
[3/8]: setting up ownership and file mode bits
[4/8]: generating master key
[5/8]: setting up OpenDNSSEC
[error] CalledProcessError: CalledProcessError(Command
['/usr/sbin/ods-enforcer-db-setup', 'setup'] returned non-zero exit
status 1: '/etc/opendnssec/conf.xml:11: element AllowExtraction:
Relax-NG validity error : Element Repository has extra content:
AllowExtraction\n/etc/opendnssec/conf.xml:7: element Repository:
Relax-NG validity error : Element RepositoryList has extra content:
Repository\n/etc/opendnssec/conf.xml:36: element Interval: Relax-NG
validity error : Element Enforcer has extra content: Interval\nError:
unable to load configuration!\n')
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: CalledProcessError(Command
['/usr/sbin/ods-enforcer-db-setup', 'setup'] returned non-zero exit
status 1: '/etc/opendnssec/conf.xml:11: element AllowExtraction:
Relax-NG validity error : Element Repository has extra content:
AllowExtraction\n/etc/opendnssec/conf.xml:7: element Repository:
Relax-NG validity error : Element RepositoryList has extra content:
Repository\n/etc/opendnssec/conf.xml:36: element Interval: Relax-NG
validity error : Element Enforcer has extra content: Interval\nError:
unable to load configuration!\n')
```
I took the liberty of removing the keys it complained about; then the setup went
through, but named-pkcs11 failed to start. Logs follow:
```
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: starting BIND
9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version) <id:a375815>
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: running on Linux x86_64
4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: built with
'--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules'
'--libdir=/usr/lib/x86_64-linux-gnu'
'--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu'
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
'--enable-threads' '--enable-largefile' '--with-libtool'
'--enable-shared' '--enable-static' '--with-gost=no'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr'
'--without-lmdb' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
'--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa'
'--enable-native-pkcs11'
'--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so'
'--with-randomdev=/dev/urandom' 'build_alias=x86_64-linux-gnu'
'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-ITBgWn/bind9-9.11.3+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro
-Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: running as: named-pkcs11 -f -u bind
Sep 29 02:21:10 ubuntu named-pkcs11[4796]:
----------------------------------------------------
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: BIND 9 is maintained by
Internet Systems Consortium,
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: Inc. (ISC), a non-profit
501(c)(3) public-benefit
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: corporation. Support and
training for BIND 9 are
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: available at
https://www.isc.org/support
Sep 29 02:21:10 ubuntu named-pkcs11[4796]:
----------------------------------------------------
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: adjusted limit on open
files from 4096 to 1048576
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: found 4 CPUs, using 4 worker threads
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: using 3 UDP listeners per interface
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: using up to 4096 sockets
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: loading configuration from
'/etc/bind/named.conf'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: reading built-in trust
anchors from file '/etc/bind/bind.keys'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: initializing GeoIP Country
(IPv4) (type 1) DB
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GEO-106FREE 20180315 Build
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: initializing GeoIP Country
(IPv6) (type 12) DB
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GEO-106FREE 20180315 Build
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP City (IPv4) (type 2)
DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP City (IPv4) (type 6)
DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP City (IPv6) (type 30)
DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP City (IPv6) (type 31)
DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP Region (type 3) DB
not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP Region (type 7) DB
not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP ISP (type 4) DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP Org (type 5) DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP AS (type 9) DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP Domain (type 11) DB
not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP NetSpeed (type 10) DB
not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: using default UDP/IPv4 port
range: [32768, 60999]
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: using default UDP/IPv6 port
range: [32768, 60999]
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: listening on IPv6 interfaces, port 53
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: listening on IPv4 interface
lo, 127.0.0.1#53
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: listening on IPv4 interface
ens3, 136.243.101.250#53
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: generating session key for
dynamic DNS
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: sizing zone task pool based
on 5 zones
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: none:103: 'max-cache-size
90%' - setting to 7178MB (out of 7976MB)
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: set up managed keys zone
for view _default, file '/var/cache/bind/dynamic/managed-keys.bind'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: loading DynDB instance
'ipa' driver '/usr/lib/bind/ldap.so'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 10.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
16.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
17.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
18.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
19.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
20.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
21.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
22.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
23.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
24.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
25.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
26.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
27.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
28.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
29.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
30.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
31.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
168.192.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
64.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
65.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
66.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
67.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
68.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
69.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
70.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
71.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
72.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
73.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
74.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
75.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
76.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
77.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
78.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
79.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
80.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 81.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 82.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 83.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 84.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 85.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 86.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 87.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 88.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 89.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 90.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 91.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 92.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 93.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 94.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 95.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 96.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 97.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 98.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 99.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 100.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 101.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 102.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 103.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 104.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 105.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 106.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 107.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 108.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 109.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 110.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 111.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 112.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 113.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 114.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 115.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 116.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 117.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 118.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 119.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 120.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 121.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 122.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 123.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 124.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 125.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 126.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 127.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 254.169.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: D.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: A.E.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: B.E.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: EMPTY.AS112.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: ../../../lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void *)0)) failed, back trace
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #0 0x55bdc918fcd0 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #1 0x7f1b8b33f7fa in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #2 0x7f1b8bd512ea in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #3 0x55bdc91ada87 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #4 0x55bdc9171793 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #5 0x55bdc91ba319 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #6 0x55bdc91bbf43 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #7 0x7f1b8b366b59 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #8 0x7f1b8a8e06db in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #9 0x7f1b8a01488f in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: exiting (due to assertion failure)
Sep 29 02:21:10 ubuntu systemd[1]: bind9-pkcs11.service: Main process exited, code=killed, status=6/ABRT
Sep 29 02:21:10 ubuntu systemd[1]: bind9-pkcs11.service: Failed with result 'signal'.
```
--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822(a)gmail.com
5 years, 1 month
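The journal excerpt above is the kind of thing worth alerting on rather than reading by hand: named-pkcs11 hit a BIND REQUIRE assertion, printed an unsymbolized backtrace, and systemd reported the process killed by SIGABRT. The following is an added example, not code from the original post or from the FreeIPA or BIND projects. It parses journal lines in the same shape as the ones posted (the sample lines below are constructed to mirror that format, with a shortened backtrace) and returns a structured crash report a monitoring rule could act on. The regexes and the `CrashReport` fields are this example's own assumptions, not an API of any of the tools involved.

```python
"""Detect a BIND (named / named-pkcs11) assertion crash in journal output.

Added example; it is not part of the original post. The line formats are
taken from the excerpt above; the sample journal below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, same shape as the posted log: two "automatic empty
# zone" records, the REQUIRE assertion, a short backtrace, BIND's exit
# message, and systemd reporting the kill signal.
SAMPLE_JOURNAL = """\
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 127.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: EMPTY.AS112.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: ../../../lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void *)0)) failed, back trace
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #0 0x55bdc918fcd0 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #1 0x7f1b8b33f7fa in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: exiting (due to assertion failure)
Sep 29 02:21:10 ubuntu systemd[1]: bind9-pkcs11.service: Main process exited, code=killed, status=6/ABRT
Sep 29 02:21:10 ubuntu systemd[1]: bind9-pkcs11.service: Failed with result 'signal'.
"""

# syslog-style journal line: timestamp, host, "unit[pid]: message"
JOURNAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<unit>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# BIND assertion: "<file>:<line>: REQUIRE(<cond>) failed, back trace"
ASSERT_RE = re.compile(
    r"^(?P<file>\S+):(?P<line>\d+): "
    r"(?P<kind>REQUIRE|INSIST|ENSURE|INVARIANT)\((?P<cond>.*)\) failed"
)
# Backtrace frame: "#<n> 0x<addr> in <symbol or ??>"
FRAME_RE = re.compile(r"^#(?P<n>\d+) (?P<addr>0x[0-9a-f]+) in (?P<sym>.*)$")
# systemd: "<svc>.service: Main process exited, code=killed, status=6/ABRT"
SYSTEMD_RE = re.compile(
    r"^(?P<svc>\S+\.service): Main process exited, "
    r"code=(?P<code>\w+), status=(?P<status>\S+)$"
)


@dataclass
class CrashReport:
    process: Optional[str] = None
    pid: Optional[int] = None
    source_file: Optional[str] = None
    source_line: Optional[int] = None
    assertion: Optional[str] = None          # e.g. "REQUIRE(...)"
    frames: List[str] = field(default_factory=list)  # frame addresses in order
    symbolized: bool = False                 # any frame resolved to a name?
    exited_on_assertion: bool = False
    service: Optional[str] = None
    signal_status: Optional[str] = None      # e.g. "6/ABRT"

    @property
    def is_assertion_crash(self) -> bool:
        return self.assertion is not None and self.exited_on_assertion


def parse_journal(text: str) -> CrashReport:
    """Walk journal lines and fill a CrashReport; non-matching lines are ignored."""
    report = CrashReport()
    for raw in text.splitlines():
        m = JOURNAL_RE.match(raw.strip())
        if not m:
            continue
        unit, pid, msg = m["unit"], int(m["pid"]), m["msg"]
        if unit.startswith("named"):
            a = ASSERT_RE.match(msg)
            if a:
                report.process, report.pid = unit, pid
                report.source_file = a["file"]
                report.source_line = int(a["line"])
                report.assertion = f'{a["kind"]}({a["cond"]})'
                continue
            f = FRAME_RE.match(msg)
            if f:
                report.frames.append(f["addr"])
                if f["sym"] != "??":
                    report.symbolized = True
                continue
            if msg.startswith("exiting (due to assertion failure)"):
                report.exited_on_assertion = True
        elif unit == "systemd":
            s = SYSTEMD_RE.match(msg)
            if s:
                report.service = s["svc"]
                report.signal_status = s["status"]
    return report


def summarize(report: CrashReport) -> str:
    """One-line alert text for the report, or a negative result."""
    if not report.is_assertion_crash:
        return "no assertion crash found"
    sym = "" if report.symbolized else " (unsymbolized)"
    return (
        f"{report.process}[{report.pid}] aborted on {report.assertion} at "
        f"{report.source_file}:{report.source_line}; "
        f"{len(report.frames)} frames{sym}; "
        f"{report.service} status={report.signal_status}"
    )


if __name__ == "__main__":
    print(summarize(parse_journal(SAMPLE_JOURNAL)))
```

Two things the report exposes that are easy to miss when skimming the raw log: `symbolized` stays false because every frame prints as `??`, meaning BIND could not resolve the addresses to names, so the trace as posted is of little use to whoever has to debug it until the matching debug symbols are installed; and `signal_status` carries systemd's `6/ABRT`, which distinguishes an assertion abort from an ordinary non-zero exit and is the field to key an alert on.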