IPA Server installation with DNS fails on Oracle Linux 8.1

Hello,
I am in the process of replacing my Oracle Linux 7.x IPA servers with Oracle Linux 8.1, using IPA from the Oracle Linux 8.1 AppStream (module: idm:DL1). I made several attempts to install IPA with integrated DNS, and the installation with "ipa-server-install --setup-dns" always fails when starting named-pkcs11.service. I tested this with several new minimal installations of Oracle Linux 8.1, with SELinux enabled and disabled/permissive. I did the same process on a fresh RHEL 8.1 minimal install with the same IP/name/hosts configuration and it always succeeds. It looks like there is something wrong with the Oracle Linux 8.1 AppStream repo for IPA.
The service log from named-pkcs11.service shows only this error:
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: starting BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el8 (Extended Support Version) <id:7107deb>
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: running on Linux x86_64 4.18.0-80.el8.x86_64 #1 SMP Thu May 30 02:01:36 GMT 2019
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr>
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: running as: named-pkcs11 -u named -c /etc/named.conf
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: compiled by GCC 8.2.1 20180905 (Red Hat 8.2.1-3.0.1)
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: compiled with libxml2 version: 2.9.7
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: linked to libxml2 version: 20907
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: compiled with zlib version: 1.2.11
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: linked to zlib version: 1.2.11
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: threads support is enabled
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: ----------------------------------------------------
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: BIND 9 is maintained by Internet Systems Consortium,
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: corporation. Support and training for BIND 9 are
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: available at https://www.isc.org/support
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: ----------------------------------------------------
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: adjusted limit on open files from 4096 to 1048576
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: found 2 CPUs, using 2 worker threads
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: using 1 UDP listener per interface
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: using up to 21000 sockets
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: initializing DST: no PKCS#11 provider
Apr 09 13:08:26 ipa1.example.com named-pkcs11[23997]: exiting (due to fatal error)
Apr 09 13:08:26 ipa1.example.com systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1
Apr 09 13:08:26 ipa1.example.com systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
Apr 09 13:08:26 ipa1.example.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
-- Subject: Unit named-pkcs11.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit named-pkcs11.service has failed.
--
-- The result is RESULT.
Has anyone else succeeded in installing IPA with DNS on Oracle Linux 8.1? Any known workaround?
Thanks in advance.
Best Answer
-
Avi Miller-Oracle, Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption, Melbourne, Australia. Posts: 4,821. Employee
Yes, we released bind-pkcs11-9.11.13-5.0.1.el8_2 about 6 hours ago which resolves this issue. You posted about an hour before it was published.
Answers
-
Ok, something is wrong with the following packages:
bind-pkcs11-9.11.4-26.P2.el8.x86_64.rpm
bind-pkcs11-libs-9.11.4-26.P2.el8.x86_64.rpm
bind-pkcs11-utils-9.11.4-26.P2.el8.x86_64.rpm
Using the Oracle Linux 8.1 RPMs produces this error under strace:
Can't load PKCS#11 provider: dlopen("pkcs11") failed: /lib64/pkcs11: cannot read file data: Is a directory
I did a forced install of the CentOS version of these RPM packages and the dlopen error went away.
-
"Exiting (due to fatal error)" is arguably not very useful information to work with. Programs often have fallback routines, and these can show up as errors in "strace", but it does not necessarily mean that is causing your problem, unless it's the reason the software aborted. No one can look over your shoulder to see what you see or do exactly, or guess what CentOS packages you have installed to make it work.
What kernel are you using? If you are using the UEK6 kernel, perhaps you should try using the RHEL 4.18 kernel to see if the problem persists. PKCS stands for "Public Key Cryptography Standard".
-
Avi Miller-Oracle, Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption, Melbourne, Australia. Posts: 4,821. Employee
If you have Oracle Linux support, please open an SR for this so engineering can investigate.
-
Hi,
I am not using the UEK kernel. Stock OL 8.1 minimal server install with the idm:DL1 module stream enabled. Because this issue is repeatable in every installation, and not having a service contract, I switched to CentOS for my IPA servers. Under CentOS the FreeIPA deployment is working.
-
Avi Miller-Oracle, Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption, Melbourne, Australia. Posts: 4,821. Employee
I'm sorry to hear that. I will raise a bug for this internally myself though. Thanks for reporting it.
-
Perhaps you can share what instructions you used. I did the following and it also failed, albeit for a different reason or so it seems.
# uname -r
4.18.0-147.5.1.el8_1.x86_64
# yum -y update
# reboot
(this took quite a while)
# uname -r
4.18.0-147.8.1.el8_1.x86_64
# echo "10.0.80.101 ipa.example.com ipa" >> /etc/hosts
# hostnamectl set-hostname ipa.example.com
# yum -y module enable idm:DL1
# for SERVICES in ntp http https ldap ldaps kerberos kpasswd dns; do firewall-cmd --permanent --add-service=$SERVICES; done
# reboot
# yum install freeipa-server ipa-server-dns
# systemctl restart chronyd
# ipa-server-install --setup-dns
Checking DNS domain example.com., please wait ...
DNS zone example.com. already exists in DNS and is handled by server(s): a.iana-servers.net., b.iana-servers.net.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
2020-04-17T20:41:00Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 358, in run
self.validate()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 368, in validate
etc....
-
Avi Miller-Oracle, Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption, Melbourne, Australia. Posts: 4,821. Employee
Dude! wrote:
Checking DNS domain example.com., please wait ...
DNS zone example.com. already exists in DNS and is handled by server(s): a.iana-servers.net., b.iana-servers.net.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
You can't use an existing domain name (or if you do, your VM shouldn't be able to resolve it). example.com is a valid, real domain name on the Internet.
-
Avi Miller-Oracle, Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption, Melbourne, Australia. Posts: 4,821. Employee
You'll also want to disable the ol8_UEK6 repo that's enabled by default after the dnf update, to avoid getting the newer user space packages that are required for UEK6.
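The checks raised across this thread (the fixed bind-pkcs11 build from the accepted answer, the strace showing named-pkcs11 dlopen()ing a directory, the public-domain problem, and the ol8_UEK6 repo), collected into one pre-flight script. This is an added example for this thread, not FreeIPA or Oracle tooling; it assumes GNU coreutils (sort -V), rpm/dnf, and dig from bind-utils on the host.

```shell
#!/bin/sh
# Pre-flight checks before "ipa-server-install --setup-dns" on Oracle Linux 8.
# Added for this thread; not FreeIPA or Oracle tooling. Fixed version from
# Avi Miller's answer; domain and ol8_UEK6 advice from his later replies.
FIXED_BIND_PKCS11="9.11.13-5.0.1.el8_2"

# Check 1: a PKCS#11 provider path must be a readable regular file. The broken
# build dlopen()ed /lib64/pkcs11, a directory ("Is a directory" in the strace).
provider_is_loadable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Check 2: installed bind-pkcs11 must be at least the fixed build.
# Version ordering via GNU "sort -V" (assumption: coreutils is present).
bind_pkcs11_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_BIND_PKCS11" | sort -V | head -n 1)
    [ -n "$1" ] && [ "$lowest" = "$FIXED_BIND_PKCS11" ]
}

# Check 3: the IPA domain must not already be delegated on the Internet
# (example.com is, so the install in the thread failed). Needs dig from
# bind-utils plus network access; not exercised by the offline test.
domain_is_delegated() {
    dig +short NS "$1." 2>/dev/null | grep -q .
}

# Check 4: ol8_UEK6 should be disabled on an RHCK (4.18) install so UEK6
# user-space packages are not pulled in. Real dnf call, not run offline.
uek6_repo_enabled() {
    dnf repolist --enabled 2>/dev/null | grep -q 'ol8_UEK6'
}

# usage: sh preflight.sh --run <ipa-domain> [<pkcs11-provider-path>]
run_checks() {
    rc=0
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' bind-pkcs11 2>/dev/null) || installed=""
    bind_pkcs11_is_fixed "$installed" ||
        { echo "bind-pkcs11 '$installed' is older than $FIXED_BIND_PKCS11 (or missing)"; rc=1; }
    if [ -n "$2" ]; then
        provider_is_loadable "$2" || { echo "$2 is not a loadable PKCS#11 provider"; rc=1; }
    fi
    domain_is_delegated "$1" && { echo "$1 is delegated on the Internet; use a private domain"; rc=1; }
    uek6_repo_enabled && { echo "ol8_UEK6 repo is enabled; disable it first"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    run_checks "$2" "${3:-}"
fi
```

The provider path argument is optional because the page does not say which file the fixed build loads; pass the path your own strace shows if you want that check.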
-
Avi Miller-Oracle, Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption, Melbourne, Australia. Posts: 4,821. Employee
I have reproduced the bug internally. I'll log it for engineering. Thanks!
-
Avi Miller-Oracle, Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption, Melbourne, Australia. Posts: 4,821. Employee
This has been logged as Bug 31194343 internally. Thanks again for your contribution.