[EN] FreeIPA 4.1 to 4.2 update problem
|pic. from fedoramagazine.org |
On two machines with CentOS 7.2 I was using the FreeIPA 4.1.0 that should theoretically update to a newer version 4.2.0 without any problem. The new version brings a few new feature, byt they should not generate any update issues.
yum update freeipa-server
package manager executed all
post-installation upgrade scripts (in current version: ipa-server-upgrade).
In the /var/log/ipaupgrade.log I did not found any interesting errors. All info looks ok:
2016-01-12T18:47:14Z INFO Upgrading the configuration of the IPA services 2016-01-12T18:47:14Z INFO [Verifying that root certificate is published] 2016-01-12T18:47:28Z INFO [Migrate CRL publish directory] 2016-01-12T18:47:28Z INFO CRL tree already moved 2016-01-12T18:47:28Z INFO [Verifying that CA proxy configuration is correct] 2016-01-12T18:47:36Z INFO [Verifying that KDC configuration is using ipa-kdb backend] 2016-01-12T18:47:37Z INFO [Fix DS schema file syntax] 2016-01-12T18:47:37Z INFO Syntax already fixed 2016-01-12T18:47:37Z INFO [Removing RA cert from DS NSS database] 2016-01-12T18:47:37Z INFO RA cert already removed 2016-01-12T18:47:38Z INFO [Enable sidgen and extdom plugins by default] 2016-01-12T18:47:40Z INFO [Updating mod_nss protocol versions] 2016-01-12T18:47:40Z INFO Protocol versions already updated 2016-01-12T18:47:40Z INFO [Fixing trust flags in /etc/httpd/alias] 2016-01-12T18:47:40Z INFO Trust flags already processed 2016-01-12T18:47:40Z INFO [Removing self-signed CA] 2016-01-12T18:47:40Z INFO [Checking for deprecated KDC configuration files] 2016-01-12T18:47:40Z INFO [Checking for deprecated backups of Samba configuration files] 2016-01-12T18:47:40Z INFO [Setting up Firefox extension] 2016-01-12T18:47:54Z INFO [Add missing CA DNS records] 2016-01-12T18:47:54Z INFO IPA CA DNS records already processed 2016-01-12T18:47:54Z INFO [Removing deprecated DNS configuration options] 2016-01-12T18:47:54Z INFO DNS is not configured 2016-01-12T18:47:54Z INFO [Ensuring minimal number of connections] 2016-01-12T18:47:54Z INFO DNS is not configured 2016-01-12T18:47:54Z INFO [Enabling serial autoincrement in DNS] 2016-01-12T18:47:54Z INFO DNS is not configured 2016-01-12T18:47:54Z INFO [Updating GSSAPI configuration in DNS] 2016-01-12T18:47:54Z INFO DNS is not configured 2016-01-12T18:47:54Z INFO [Updating pid-file configuration in DNS] 2016-01-12T18:47:54Z INFO DNS is not configured
Unfortunately the IPA server did not start correctly. The service named-pkcs11 responsible for DNSSEC could not correctly started and thrown error:
named-pkcs11:ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
named-pkcs11: SoftHSM.cpp(437): Could not load the object store
In RH errata you can find a few info about broken install script, etc. All this hints did not solve my problem so I decided to run ipa-dns-install to check dns configuration. As you probably know in FreeIPA 4.2.0 the DNSSEC is enabled, so there was a tiny chance that during update the DNS re-configuration was skipped.
Unfortunately to run ipa-dns-install script you need to bring up the LDAP and Kerberos services. Luckily ipactl correctly bring up this service with foce parameter (ipactl start -f). After that the ipa-dns-install script overwrite the current named.conf, created missing tokens and after that the named-pkcs11 started correctly.
After a few hours digging in the logs files I realized that I'm using a custom named.conf with additional views and the upgrade script skipped named.conf file update (INFO DNS is not configured) . At the end you need to add your custom ACL and Zones sections to named.conf
So if you have custom bind configuration you need to:
- Backup current named.conf
- Update ipa server packages yum update freeipa-server
- Use the force switch in ipactl start -f
- Run ipa-dns-install or manually reconfigure bind-pkcs11
- Add your missing zones to named.conf
- Start ipa services.