UPDATE: Tried again the whole procedure with ipa-dns-install, and it DOES work with SELinux disabled, and still fails with SELinux enabled.

So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/" makes sense. Can someone help me fix it?

$ ll -Z /var/lib/ipa/dnssec/
total 12
-rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21 22:50 softhsm_pin*
drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/

On 21 July 2016 at 23:11, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:

> - FC23
> - IPA 4.2.4
>
> After a dnf update, bind was updated (no ipa updates), and named-pkcs11
> doesn't start anymore.
>
>
> $ /usr/sbin/named-pkcs11 -d 9 -g
> 21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <id:ebd72b3> -d 9 -g
> 21-Jul-2016 23:08:50.332 built with '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var'
> '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic'
> '--disable-static' '--disable-openssl-version-check'
> '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip'
> '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'
> '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
> '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes'
> '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
> 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
> 'CPPFLAGS= -DDIG_SIGCHASE'
> 21-Jul-2016 23:08:50.332 ----------------------------------------------------
> 21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems Consortium,
> 21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 21-Jul-2016 23:08:50.332 corporation. Support and training for BIND 9 are
> 21-Jul-2016 23:08:50.332 available at https://www.isc.org/support
> 21-Jul-2016 23:08:50.332 ----------------------------------------------------
> 21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to 1048576
> 21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads
> 21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface
> 21-Jul-2016 23:08:50.332 using up to 21000 sockets
> 21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver
> 21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen'
> 21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen'
> 21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization failed
> 21-Jul-2016 23:08:50.335 exiting (due to fatal error)
>
> journalctl shows:
>
> named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
> named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object store
>
>
>
> $ ll -Z /var/lib/ipa/dnssec/
> total 12
> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21 22:50 softhsm_pin*
> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/
>
>
> - I have seen https://fedorahosted.org/freeipa/ticket/5520 , it doesn't
> help.
> - With setenforce 0, same error.
> - I have run ipa-dns-install, it recreates named.conf, tokens
> etc. named-pkcs11 still doesn't start.
>
>
> Please, any idea?
>
> Roberto