
IPA Server installation with DNS fails on Oracle Linux 8.1

Sven Jansen
Sven Jansen Member Posts: 16 Green Ribbon
edited Aug 18, 2020 4:46PM in Oracle Linux

Hello,

I am in the process of replacing my Oracle Linux 7.x IPA Servers with Oracle Linux 8.1 using IPA from the Oracle Linux 8.1 AppStream (module: idm:DL1). I made several attempts to install IPA with integrated DNS, and the installation with "ipa-server-install --setup-dns" always fails when starting the named-pkcs11.service. I tested this with several new minimal installations of Oracle Linux 8.1, with SELinux enabled and disabled/permissive. I did the same process on a fresh RHEL 8.1 Minimal with the same IP/Name/Hosts configuration and it always succeeds. It looks like there is something wrong with the Oracle Linux 8.1 AppStream repo for IPA.

The service log from named-pkcs11.service shows only this error:

Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: starting BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el8 (Extended Support Version) <id:7107deb>
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: running on Linux x86_64 4.18.0-80.el8.x86_64 #1 SMP Thu May 30 02:01:36 GMT 2019
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr>
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: running as: named-pkcs11 -u named -c /etc/named.conf
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: compiled by GCC 8.2.1 20180905 (Red Hat 8.2.1-3.0.1)
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: compiled with libxml2 version: 2.9.7
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: linked to libxml2 version: 20907
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: compiled with zlib version: 1.2.11
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: linked to zlib version: 1.2.11
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: threads support is enabled
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: ----------------------------------------------------
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: BIND 9 is maintained by Internet Systems Consortium,
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: corporation.  Support and training for BIND 9 are
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: available at https://www.isc.org/support
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: ----------------------------------------------------
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: adjusted limit on open files from 4096 to 1048576
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: found 2 CPUs, using 2 worker threads
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: using 1 UDP listener per interface
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: using up to 21000 sockets
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: initializing DST: no PKCS#11 provider
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: exiting (due to fatal error)
Apr 09 13:08:26 ipa1.example.com systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1
Apr 09 13:08:26 ipa1.example.com systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
Apr 09 13:08:26 ipa1.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit named-pkcs11.service has failed.
--
-- The result is RESULT.

Has anyone else succeeded in installing IPA with DNS on Oracle Linux 8.1? Is there any known workaround?

Thanks in advance.


Best Answer

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,821 Employee
    edited Jun 22, 2020 3:40PM Answer ✓

    Yes, we released bind-pkcs11-9.11.13-5.0.1.el8_2 about 6 hours ago which resolves this issue. You posted about an hour before it was published.


Answers

  • Sven Jansen
    Sven Jansen Member Posts: 16 Green Ribbon
    edited Apr 9, 2020 9:52AM

    Ok, something is wrong with the following packages:

    bind-pkcs11-9.11.4-26.P2.el8.x86_64.rpm
    bind-pkcs11-libs-9.11.4-26.P2.el8.x86_64.rpm
    bind-pkcs11-utils-9.11.4-26.P2.el8.x86_64.rpm

    Using the Oracle 8.1 rpms produces this error under strace:

    Can't load PKCS#11 provider: dlopen("pkcs11") failed: /lib64/pkcs11: cannot read file data: Is a directory

    I made a force install of the CentOS version of these rpm packages and the dlopen error went away.
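The two symptoms in this thread fit together: the journal says "initializing DST: no PKCS#11 provider", and strace shows why, because the path named-pkcs11 hands to dlopen() is a directory rather than a shared object. The following POSIX shell helper is an added example from the editor, not code from the thread or from Oracle. It classifies named-pkcs11 journal lines, extracts the provider path from the dlopen() error, and reports whether that path is a loadable file or a directory. The sample journal lines, the dlopen message and the fake root directory are constructed from the text above so the script runs offline; on a real host you would feed it `journalctl -u named-pkcs11` output and an empty root prefix.

```shell
#!/bin/sh
# Editor's added diagnostic for the named-pkcs11 failure described in the thread.
# Not from the thread or from Oracle; sample data below is constructed.

# Classify named-pkcs11 startup messages in the log file given as $1.
# Prints one of: no-provider | other-fatal | no-failure
classify_named_log() {
    if grep -q 'initializing DST: no PKCS#11 provider' "$1"; then
        echo no-provider
    elif grep -q 'exiting (due to fatal error)' "$1"; then
        echo other-fatal
    else
        echo no-failure
    fi
}

# Pull the provider path out of a line of the form
#   Can't load PKCS#11 provider: dlopen("pkcs11") failed: /lib64/pkcs11: cannot read file data: Is a directory
# Prints the path (first match only), or nothing if no such line exists.
provider_path_from_dlopen_error() {
    sed -n 's/.*dlopen("[^"]*") failed: \([^:]*\):.*/\1/p' "$1" | head -n 1
}

# Say what actually sits at the provider path.
# Prints one of: directory | library | missing
check_provider_path() {
    if [ -d "$1" ]; then
        echo directory
    elif [ -f "$1" ]; then
        echo library
    else
        echo missing
    fi
}

# Combine the checks into a single verdict string.
# $1 = log file, $2 = root prefix ("" on a live host, a fake root in tests).
diagnose() {
    log="$1"; root="$2"
    verdict=$(classify_named_log "$log")
    [ "$verdict" = no-provider ] || { echo "$verdict"; return 0; }
    path=$(provider_path_from_dlopen_error "$log")
    [ -n "$path" ] || { echo "no-provider: no dlopen error in log"; return 0; }
    echo "no-provider: path=$path kind=$(check_provider_path "${root}${path}")"
}

# Constructed sample input: journal lines as quoted in the thread, the strace
# dlopen error, and a fake root in which /lib64/pkcs11 is a directory.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: using up to 21000 sockets
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: initializing DST: no PKCS#11 provider
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: exiting (due to fatal error)
Can't load PKCS#11 provider: dlopen("pkcs11") failed: /lib64/pkcs11: cannot read file data: Is a directory
EOF
FAKE_ROOT=$(mktemp -d)
mkdir -p "$FAKE_ROOT/lib64/pkcs11"   # a directory where a .so was expected
trap 'rm -rf "$SAMPLE_LOG" "$FAKE_ROOT"' EXIT

# Stand-alone demo; a live host would use: diagnose named.log ""
diagnose "$SAMPLE_LOG" "$FAKE_ROOT"
```

The verdict distinguishes a genuinely missing provider from the packaging defect seen here, where the path exists but is a directory, so the fix belongs with the bind-pkcs11 packages rather than with named.conf or SELinux.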

  • Dude!
    Dude! Member Posts: 22,828 Black Diamond
    edited Apr 9, 2020 12:24PM

    "Exiting (due to fatal error)" is arguably not very useful information to work with. Programs often have fallback routines, and these can show up as errors in "strace", but it does not necessarily mean that is causing your problem, unless it's the reason the software aborted. No one can look over your shoulder to see what you see or do exactly, or guess what CentOS packages you have installed to make it work.

    What kernel are you using? If you are using the UEK6 kernel, perhaps you should try using the RHEL 4.18 kernel to see if the problem persists. PKCS stands for "Public Key Cryptography Standard".

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,821 Employee
    edited Apr 9, 2020 5:59PM

    If you have Oracle Linux support, please open an SR for this so engineering can investigate.

  • Sven Jansen
    Sven Jansen Member Posts: 16 Green Ribbon
    edited Apr 17, 2020 8:11AM

    Hi,

    I am not using the UEK kernel. Stock OL 8.1 Minimal Server install with the idm:DL1 module stream enabled. Because this issue is repeatable in every installation and I do not have a service contract, I switched to CentOS for my IPA Servers. Under CentOS the FreeIPA deployment is working.

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,821 Employee
    edited Apr 17, 2020 4:32PM

    I'm sorry to hear that. I will raise a bug for this internally myself though. Thanks for reporting it.

  • Dude!
    Dude! Member Posts: 22,828 Black Diamond
    edited Apr 17, 2020 4:43PM

    Perhaps you can share what instructions you used. I did the following and it also failed, albeit for a different reason, or so it seems.

    # uname -r
    4.18.0-147.5.1.el8_1.x86_64
    # yum -y update
    # reboot
    (this took quite a while)
    # uname -r
    4.18.0-147.8.1.el8_1.x86_64
    # echo "10.0.80.101   ipa.example.com ipa" >> /etc/hosts
    # hostnamectl set-hostname ipa.example.com
    # yum -y module enable idm:DL1
    # for SERVICES in ntp http https ldap ldaps kerberos kpasswd dns; do firewall-cmd --permanent --add-service=$SERVICES; done
    # reboot
    # yum install freeipa-server ipa-server-dns
    # systemctl restart chronyd
    # ipa-server-install --setup-dns

    Checking DNS domain example.com., please wait ...
    DNS zone example.com. already exists in DNS and is handled by server(s): a.iana-servers.net., b.iana-servers.net.
    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

    2020-04-17T20:41:00Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
        return_value = self.run()
      File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
        return cfgr.run()
      File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 358, in run
        self.validate()
      File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 368, in validate
    etc....

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,821 Employee
    edited Apr 17, 2020 4:59PM

    Dude! wrote:
    Checking DNS domain example.com., please wait ...
    DNS zone example.com. already exists in DNS and is handled by server(s): a.iana-servers.net., b.iana-servers.net.
    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

    You can't use an existing domain name (or if you do, your VM shouldn't be able to resolve it). example.com is a valid, real domain name on the Internet.

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,821 Employee
    edited Apr 17, 2020 5:05PM

    You'll also want to disable the ol8_UEK6 repo that's enabled by default after the dnf update, to avoid getting the newer user space packages that are required for UEK6.

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,821 Employee
    edited Apr 17, 2020 6:42PM

    I have reproduced the bug internally. I'll log it for engineering. Thanks!

  • Avi Miller-Oracle
    Avi Miller-Oracle Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption Melbourne, Australia Posts: 4,821 Employee
    edited Apr 17, 2020 8:10PM

    This has been logged as Bug 31194343 internally. Thanks again for your contribution.