On Thu, 17 Aug 2023, Yavor Marinov wrote:
Hey Alex, thanks for your answer ;)
Here is the information you requested:
------------------------------------------------------
# /usr/lib/systemd/system/ipa-dnskeysyncd.service
[Unit]
Description=IPA key daemon
[Service]
Environment=LC_ALL=C.UTF-8
EnvironmentFile=/etc/sysconfig/ipa-dnskeysyncd
ExecStart=/usr/libexec/ipa/ipa-dnskeysyncd
User=ods
Group=named
SupplementaryGroups=ods
PrivateTmp=yes
Restart=on-failure
RestartSec=60s
[Install]
WantedBy=multi-user.target
------------------------------------------------------
------------------------------------------------------
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
OPENSSL_CONF=/etc/ipa/dnssec/openssl.cnf
ISMASTER=1
------------------------------------------------------
------------------------------------------------------
[image: image.png]
The issue is present only on the master; on the replica ipa-dnskeysyncd is
running without issues.
The permissions aren't entirely correct in that token directory. Here is for
comparison what I have in my test install on Fedora 38:
[root@master ~]# cat /etc/ipa/dnssec/softhsm2.conf
# SoftHSM v2 configuration file
# File generated by IPA instalation
directories.tokendir = /var/lib/ipa/dnssec/tokens
objectstore.backend = file
[root@master ~]# ls -lRaZ /var/lib/ipa/dnssec/tokens
/var/lib/ipa/dnssec/tokens:
total 0
drwxrws---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 72 Jul 24 10:18 .
drwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 34 Jul 24 10:18 ..
drwxrws---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 400 Jul 24 10:18 a0513325-f9e4-a3e2-9da2-b4900ab20587
/var/lib/ipa/dnssec/tokens/a0513325-f9e4-a3e2-9da2-b4900ab20587:
total 16
drwxrws---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 400 Jul 24 10:18 .
drwxrws---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 72 Jul 24 10:18 ..
-rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 0 Jul 24 10:18 c10fcfde-a196-8fa8-2327-9a5702a0e1ea.lock
-rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 2241 Jul 24 10:18 c10fcfde-a196-8fa8-2327-9a5702a0e1ea.object
-rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 0 Jul 24 10:18 d2380275-1560-9892-65f9-be7d4256ec64.lock
-rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 964 Jul 24 10:18 d2380275-1560-9892-65f9-be7d4256ec64.object
-rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 8 Aug 14 08:06 generation
-rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 0 Aug 14 08:06 token.lock
-rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 320 Aug 14 08:06 token.object
You have only -rw-rw---- for those objects in the token's directory.
S_ISGID is missing for the normal files even though the ownership is
right. Now, for normal files, S_ISGID indicates mandatory file locking
but otherwise should not affect operations.
Can you compare these directories between replica and master?
Thanks again
On Thu, Aug 17, 2023 at 11:14 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
On Thu, 17 Aug 2023, Yavor Marinov via FreeIPA-users wrote:
>Hello all,
>
>I have a running IPA and replica 4.10 on Alma 9 and lately i can see some
>errors starting from ipa-ods-exporter and involving some other services.
>
>The error is constant on the master and obviously is spawned from
>starting ipa-ods-exporter. Below is the exact error from dnssec-keyfroml
>
>Aug 17 13:07:46 login.redacted.net kernel: dnssec-keyfroml[670202]:
>segfault at 18 ip 00007fdea693a284 sp 00007ffd544af608 error 4 in
>libsofthsm2.so[7fdea68a3000+9b000]
>Aug 17 13:07:46 login.redacted.net kernel: Code: 75 f4 48 8b 53 30 49 89 4c
>24 20 49 89 44 24 10 49 89 54 24 28 48 83 c4 08 4c 89 e0 5b 41 5c c3 66 0f
>1f 44 00 00 f3 0f 1e fa <48> 8b 47 18 48 85 c0 74 44 4c 8d 47 10 4c 89 c7
>eb 12 66 2e 0f 1f
>
>The final error is from ipa-dnskeysyncd and it is
>
>Aug 17 13:07:46 login.redacted.net ipa-dnskeysyncd[670193]:
>ipapython.ipautil.CalledProcessError: CalledProcessError(Command
>['/usr/sbin/dnssec-keyfromlabel', '-E', 'pkcs11', '-K',
>'/var/named/dyndb-ldap/ipa/master/redacted.net/tmpo7cj2ohc', '-a',
>b'RSASHA256', '-l',
>b'pkcs11:object=76f06adc7594d5f0dbb882e271636a40;pin-source=/var/lib/ipa/dnssec/softhsm_pin',
>'-P', b'20230419122315', '-A', 'none', '-I', 'none', '-D', 'none', '-E',
>'pkcs11', 'redacted.net.'] returned non-zero exit status -11: 'Found
>uninitialized token\nFound uninitialized token\nKey not
>found.\nPKCS11_load_public_key returned NULL\nFound uninitialized
>token\nKey not found.\nPKCS11_get_private_key returned
>NULL\ndnssec-keyfromlabel: warning: ENGINE_load_private_key failed (not
>found)\ndnssec-keyfromlabel: fatal: failed to get key redacted.net/RSASHA256:
>not found\n')
>
>I'm not quite sure where the main reason is, so that's why I'm asking here,
>and would appreciate your help on this
The output says that dnssec-keyfromlabel was launched to operate against
an uninitialized token. The token in question should be the one set up by
IPA.
Can you show output of
# systemctl cat ipa-dnskeysyncd.service
# cat /etc/sysconfig/ipa-dnskeysyncd
# ls -lRaZ /var/lib/ipa/dnssec/tokens
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
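Alexander asks for the token directories on master and replica to be compared against the healthy listing he quotes. The following is an added example, not code from this thread or from FreeIPA itself: a small Python script that parses `ls -lRaZ` output (the lines are assumed to be unwrapped), checks every entry against the ownership, mode and SELinux type seen on the healthy Fedora 38 install (ods:named, setgid group-writable directories, no world access, ipa_var_lib_t), and diffs two parsed listings path by path. The reference listing is a trimmed copy of the one quoted above; the damaged listing is constructed for illustration and does not come from the thread. The distinction between "error" and "info" follows the reply above: a missing setgid bit on a plain file is reported but not treated as a fault.

```python
"""Audit and compare `ls -lRaZ` listings of the IPA SoftHSM token directory.

Added example (not code from the thread or from FreeIPA). The policy is taken
from the healthy Fedora 38 listing quoted in the thread: ods:named ownership,
setgid group-writable directories, no world access, SELinux type ipa_var_lib_t.
Listing lines are assumed to be unwrapped."""
import re

EXPECTED_OWNER, EXPECTED_GROUP, EXPECTED_TYPE = "ods", "named", "ipa_var_lib_t"

# One `ls -lZ` entry: mode(+ACL/context flag) links owner group context size
# month day time-or-year name. Lines without a 4-field SELinux context are skipped.
_ENTRY_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>\S+:\S+:\S+:\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def parse_listing(text):
    """Map each path (relative to the listed root, '.' for the root itself) to
    its mode, owner, group and SELinux type. '..' entries are skipped: they
    describe the parent, which may lie outside the token tree."""
    entries, root, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("total "):
            continue
        if line.startswith("/") and line.endswith(":"):  # directory header
            current = line[:-1]
            root = current if root is None else root
            continue
        m = _ENTRY_RE.match(line)
        if m is None or current is None or m.group("name") == "..":
            continue
        rel, name = current[len(root):].lstrip("/"), m.group("name")
        key = rel if name == "." else f"{rel}/{name}" if rel else name
        entries[key or "."] = {"mode": m.group("mode"), "owner": m.group("owner"),
                               "group": m.group("group"),
                               "type": m.group("ctx").split(":")[2]}
    return entries

def check_policy(entries):
    """Return (severity, path, message) findings against the token-dir policy."""
    findings = []
    for path, e in sorted(entries.items()):
        mode, perms = e["mode"], e["mode"][1:]
        if (e["owner"], e["group"]) != (EXPECTED_OWNER, EXPECTED_GROUP):
            findings.append(("error", path, f"owned by {e['owner']}:{e['group']}, "
                             f"expected {EXPECTED_OWNER}:{EXPECTED_GROUP}"))
        if perms[6:] != "---":
            findings.append(("error", path, f"world-accessible mode {mode}"))
        if e["type"] != EXPECTED_TYPE:
            findings.append(("error", path, f"SELinux type {e['type']}, expected {EXPECTED_TYPE}"))
        if mode[0] == "d":
            if perms[:6] != "rwxrws":
                findings.append(("error", path, f"directory mode {mode}, expected drwxrws---"))
        else:
            if perms[:2] != "rw" or perms[3:5] != "rw":
                findings.append(("error", path, f"file mode {mode}, expected owner and group rw"))
            if perms[5] not in "sS":
                # Setgid on a plain file is not needed for operation (see the reply
                # above); reported as info so master and replica can be compared.
                findings.append(("info", path, "setgid bit not set on plain file"))
    return findings

def diff_listings(master, replica):
    """Paths whose attributes differ between two parsed listings, or exist on one side only."""
    diffs = []
    for path in sorted(set(master) | set(replica)):
        a, b = master.get(path), replica.get(path)
        if a is None or b is None:
            diffs.append((path, "only on " + ("master" if a else "replica")))
        elif a != b:
            diffs.append((path, "differs in " + ", ".join(k for k in a if a[k] != b[k])))
    return diffs

SUBDIR, CTX_OK = "a0513325-f9e4-a3e2-9da2-b4900ab20587", "unconfined_u:object_r:ipa_var_lib_t:s0"

# Trimmed copy of the healthy Fedora 38 listing quoted in the thread.
REFERENCE_LISTING = f"""
/var/lib/ipa/dnssec/tokens:
total 0
drwxrws---. 1 ods named {CTX_OK} 72 Jul 24 10:18 .
drwxrwx---. 1 ods named {CTX_OK} 34 Jul 24 10:18 ..
drwxrws---. 1 ods named {CTX_OK} 400 Jul 24 10:18 {SUBDIR}
/var/lib/ipa/dnssec/tokens/{SUBDIR}:
drwxrws---. 1 ods named {CTX_OK} 400 Jul 24 10:18 .
-rw-rwS---. 1 ods named {CTX_OK} 8 Aug 14 08:06 generation
-rw-rwS---. 1 ods named {CTX_OK} 320 Aug 14 08:06 token.object
"""
# Constructed listing of a damaged token directory (not from the thread): the root
# lost its setgid bit, token.object was re-created by root with the wrong mode and
# SELinux type, and generation merely lacks the setgid bit.
DAMAGED_LISTING = f"""
/var/lib/ipa/dnssec/tokens:
drwxrwx---. 1 ods named {CTX_OK} 72 Jul 24 10:18 .
drwxrws---. 1 ods named {CTX_OK} 400 Jul 24 10:18 {SUBDIR}
/var/lib/ipa/dnssec/tokens/{SUBDIR}:
drwxrws---. 1 ods named {CTX_OK} 400 Jul 24 10:18 .
-rw-rw----. 1 ods named {CTX_OK} 8 Aug 14 08:06 generation
-rw-r--r--. 1 root root unconfined_u:object_r:var_lib_t:s0 320 Aug 14 08:06 token.object
"""
```

Usage: feed `parse_listing()` the saved output of `ls -lRaZ /var/lib/ipa/dnssec/tokens` from each server, run `check_policy()` on each result and `diff_listings(master, replica)` on the pair. On the reference listing `check_policy()` returns nothing; on the constructed damaged listing it reports the non-setgid root directory and the root-owned, world-readable, mislabelled token.object as errors and the two files without setgid as info. Object files are named by UUID and legitimately differ between servers, so "only on master/replica" lines for `*.object` and `*.lock` are expected; attention belongs on the mode, owner, group and type columns.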