This resolves the issue on my IPA DNSSEC master, but on the replica:
ipa-dnskeysyncd: INFO Commencing sync process
ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysyncd", line 116, in <module>
    while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
  File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 404, in syncrepl_poll
    self.syncrepl_refreshdone()
  File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 120, in syncrepl_refreshdone
    self.hsm_replica_sync()
  File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/keysyncer.py", line 186, in hsm_replica_sync
    ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 523, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1

ipalib.install.kinit: DEBUG Attempt 1/5: success
ipa-dnskeysync-replica: DEBUG Got TGT
ipa-dnskeysync-replica: DEBUG Connecting to LDAP
ipa-dnskeysync-replica: DEBUG Connected
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 169, in <module>
    open(paths.DNSSEC_SOFTHSM_PIN).read())
  File "/usr/lib/python2.7/site-packages/ipaserver/dnssec/localhsm.py", line 96, in __init__
    self.p11 = _ipap11helper.P11_Helper(label, pin, library)
  File "/usr/lib/python2.7/site-packages/ipaserver/p11helper.py", line 874, in __init__
    raise Error("No slot for label {} found".format(self.token_label))
ipaserver.p11helper.Error: No slot for label ipaDNSSEC found
Exception AttributeError: "'LocalHSM' object has no attribute 'p11'" in <bound method LocalHSM.__del__ of <ipaserver.dnssec.localhsm.LocalHSM object at 0x7f7325688650>> ignored
@amessina there is a bug report with a very similar error to the one you encountered. In that case it was an issue in the data in LDAP, so no fix was created. I wonder if it might be the same thing. Check https://pagure.io/freeipa/issue/4967; there is some advice by pspacek later in the comments.
@pvoborni, thank you for the link to https://pagure.io/freeipa/issue/4967. I followed some notes there and got DNSSEC reinstalled on the master and things seem to be working again.
This update has been submitted for testing by cstratak.
cstratak edited this update.
This update has been pushed to testing.
Please run /usr/libexec/ipa/ipa-dnskeysync-replica manually and post the output.
works for me
This update has been submitted for batched by bodhi.
On the replica:
I cannot reproduce the issue on a new F27 cluster. Did you upgrade an existing setup?
Please run these commands as root to get some diagnostics:
This update has been submitted for stable by bodhi.
This update has been pushed to stable.