The only difference is the number of files, I think. Should those be identical on both?

master: https://imgur.com/a/YeZRpXX
replica: https://imgur.com/a/8iEWZXJ

My previous message is awaiting approval because I tried to use screenshots :)

On Thu, Aug 17, 2023 at 11:58 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Thu, 17 Aug 2023, Yavor Marinov wrote:
> > Hey Alex, thanks for your answer ;)
> >
> > Here is the information you requested:
> >
> > ------------------------------------------------------
> > # /usr/lib/systemd/system/ipa-dnskeysyncd.service
> > [Unit]
> > Description=IPA key daemon
> >
> > [Service]
> > Environment=LC_ALL=C.UTF-8
> > EnvironmentFile=/etc/sysconfig/ipa-dnskeysyncd
> > ExecStart=/usr/libexec/ipa/ipa-dnskeysyncd
> > User=ods
> > Group=named
> > SupplementaryGroups=ods
> > PrivateTmp=yes
> > Restart=on-failure
> > RestartSec=60s
> >
> > [Install]
> > WantedBy=multi-user.target
> > ------------------------------------------------------
> >
> > ------------------------------------------------------
> > SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
> > OPENSSL_CONF=/etc/ipa/dnssec/openssl.cnf
> > ISMASTER=1
> > ------------------------------------------------------
> >
> > ------------------------------------------------------
> > [image: image.png]
> >
> > The issue is present only on the master; on the replica ipa-dnskeysyncd is
> > running without issues
>
> The permissions aren't entirely correct in that token directory. Here is
> for comparison what I have in my test install on Fedora 38:
>
> [root@master ~]# cat /etc/ipa/dnssec/softhsm2.conf
> # SoftHSM v2 configuration file
> # File generated by IPA instalation
> directories.tokendir = /var/lib/ipa/dnssec/tokens
> objectstore.backend = file[root@master ~]#
> [root@master ~]# ls -lRaZ /var/lib/ipa/dnssec/tokens
> /var/lib/ipa/dnssec/tokens:
> total 0
> drwxrws---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0  72 Jul 24 10:18 .
> drwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0  34 Jul 24 10:18 ..
> drwxrws---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 400 Jul 24 10:18 a0513325-f9e4-a3e2-9da2-b4900ab20587
>
> /var/lib/ipa/dnssec/tokens/a0513325-f9e4-a3e2-9da2-b4900ab20587:
> total 16
> drwxrws---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0  400 Jul 24 10:18 .
> drwxrws---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   72 Jul 24 10:18 ..
> -rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0    0 Jul 24 10:18 c10fcfde-a196-8fa8-2327-9a5702a0e1ea.lock
> -rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 2241 Jul 24 10:18 c10fcfde-a196-8fa8-2327-9a5702a0e1ea.object
> -rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0    0 Jul 24 10:18 d2380275-1560-9892-65f9-be7d4256ec64.lock
> -rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0  964 Jul 24 10:18 d2380275-1560-9892-65f9-be7d4256ec64.object
> -rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0    8 Aug 14 08:06 generation
> -rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0    0 Aug 14 08:06 token.lock
> -rw-rwS---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0  320 Aug 14 08:06 token.object
>
> You have only -rw-rw---- for those objects in the token's directory.
> S_ISGID is missing for the normal files even though the ownership is
> right. Now, for normal files, S_ISGID indicates mandatory file locking
> but otherwise should not be affecting operations.
>
> Can you compare these directories between replica and master?
>
> > Thanks again
> >
> > On Thu, Aug 17, 2023 at 11:14 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> > > On Thu, 17 Aug 2023, Yavor Marinov via FreeIPA-users wrote:
> > > > Hello all,
> > > >
> > > > I have a running IPA and replica 4.10 on Alma 9 and lately I can see some
> > > > errors starting from ipa-ods-exporter and involving some other services.
> > > >
> > > > The error is constant on the master and obviously is spawned from
> > > > starting ipa-ods-exporter. Below is the exact error from dnssec-keyfroml
> > > >
> > > > Aug 17 13:07:46 login.redacted.net kernel: dnssec-keyfroml[670202]: segfault at 18 ip 00007fdea693a284 sp 00007ffd544af608 error 4 in libsofthsm2.so[7fdea68a3000+9b000]
> > > > Aug 17 13:07:46 login.redacted.net kernel: Code: 75 f4 48 8b 53 30 49 89 4c 24 20 49 89 44 24 10 49 89 54 24 28 48 83 c4 08 4c 89 e0 5b 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa <48> 8b 47 18 48 85 c0 74 44 4c 8d 47 10 4c 89 c7 eb 12 66 2e 0f 1f
> > > >
> > > > The final error is from ipa-dnskeysyncd and it is
> > > >
> > > > Aug 17 13:07:46 login.redacted.net ipa-dnskeysyncd[670193]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/dnssec-keyfromlabel', '-E', 'pkcs11', '-K', '/var/named/dyndb-ldap/ipa/master/redacted.net/tmpo7cj2ohc', '-a', b'RSASHA256', '-l', b'pkcs11:object=76f06adc7594d5f0dbb882e271636a40;pin-source=/var/lib/ipa/dnssec/softhsm_pin', '-P', b'20230419122315', '-A', 'none', '-I', 'none', '-D', 'none', '-E', 'pkcs11', 'redacted.net.'] returned non-zero exit status -11: 'Found uninitialized token\nFound uninitialized token\nKey not found.\nPKCS11_load_public_key returned NULL\nFound uninitialized token\nKey not found.\nPKCS11_get_private_key returned NULL\ndnssec-keyfromlabel: warning: ENGINE_load_private_key failed (not found)\ndnssec-keyfromlabel: fatal: failed to get key redacted.net/RSASHA256: not found\n')
> > > >
> > > > I'm not quite sure where the main reason is, so that's why I'm asking here,
> > > > and would appreciate your help on this
> > >
> > > The output says that dnssec-keyfromlabel was launched to operate against
> > > an uninitialized token. The token in question should be the one set up by
> > > IPA.
> > >
> > > Can you show output of
> > >
> > > # systemctl cat ipa-dnskeysyncd.service
> > > # cat /etc/sysconfig/ipa-dnskeysyncd
> > > # ls -lRaZ /var/lib/ipa/dnssec/tokens
> > >
> > >
> > > --
> > > / Alexander Bokovoy
> > > Sr. Principal Software Engineer
> > > Security / Identity Management Engineering
> > > Red Hat Limited, Finland
> > >
> > >
> >
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue