On Fri, 10 Dec 2021, lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> I think after, but am not 100% certain, I signed my zones
> I get these (quite regularly):
>
> ...
> ipapython.ipautil: DEBUG stderr=
> ipaserver.dnssec.bindmgr: DEBUG Key metadata in LDAP:
> {<DNS name private.pawel.>:
> {'1d24e517-5612-11ec-9843-95791e1d967b':
> <ldap.cidict.cidict object at 0x7f12c2cc96a0>,
> '1d24e519-5612-11ec-9843-95791e1d967b':
> <ldap.cidict.cidict object at 0x7f12c2cc9670>}, <DNS name
> 1.3.10.in-addr.arpa.>:
> {'1d24e51d-5612-11ec-9843-95791e1d967b':
> <ldap.cidict.cidict object at 0x7f12c2cc9af0>,
> '1d24e51f-5612-11ec-9843-95791e1d967b':
> <ldap.cidict.cidict object at 0x7f12c2cc9cd0>}, <DNS name
> mine.private.>: {'64ab7109-5612-11ec-9843-95791e1d967b':
> <ldap.cidict.cidict object at 0x7f12c2cd67f0>,
> '64ab710b-5612-11ec-9843-95791e1d967b':
> <ldap.cidict.cidict object at 0x7f12c2cd67c0>}, <DNS name
> private.road.>: {'64ab7111-5612-11ec-9843-95791e1d967b':
> <ldap.cidict.cidict object at 0x7f12c2cd6df0>,
> '64ab7113-5612-11ec-9843-95791e1d967b':
> <ldap.cidict.cidict object at 0x7f12c2cdf040>}}
> ipaserver.dnssec.bindmgr: DEBUG Zones modified but skipped during bindmgr.sync: set()
> ipaserver.dnssec.bindmgr: INFO Synchronizing zone 1.3.10.in-addr.arpa.
> ipaserver.dnssec.bindmgr: DEBUG Fixing directory permissions:
> /var/lib/ipa/dnssec/tokens/7af30d9a-17e4-be64-d067-36773049ff7a
>
> ...
> ipapython.ipautil: DEBUG args=['/usr/sbin/dnssec-keyfromlabel-pkcs11', '-K',
> '/var/named/dyndb-ldap/ipa/master/1.3.10.in-addr.arpa/tmpsqtcpdk7',
> '-a', b'RSASHA256', '-l',
> b'pkcs11:object=510d521b9dcec97000294dbcfa2af36a;pin-source=/var/lib/ipa/dnssec/softhsm_pin',
> '-P', b'20211205212748', '-A', b'20211205212748', '-I', 'none',
> '-D', 'none', '-f', 'KSK', '-E', 'pkcs11', '1.3.10.in-addr.arpa.']
> ipapython.ipautil: DEBUG Process execution failed
> Traceback (most recent call last):
>   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 113, in <module>
>     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
>   File "/usr/lib64/python3.9/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll
>     self.syncrepl_refreshdone()
>   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/keysyncer.py", line 128, in syncrepl_refreshdone
>     self.bindmgr.sync(self.dnssec_zones)
>   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/bindmgr.py", line 231, in sync
>     self.sync_zone(zone)
>   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/bindmgr.py", line 204, in sync_zone
>     self.install_key(zone, uuid, attrs, tempdir)
>   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/bindmgr.py", line 145, in install_key
>     result = ipautil.run(cmd, capture_output=True)
>   File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 534, in run
>     p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
>   File "/usr/lib64/python3.9/subprocess.py", line 951, in __init__
>     self._execute_child(args, executable, preexec_fn, close_fds,
>   File "/usr/lib64/python3.9/subprocess.py", line 1821, in _execute_child
>     raise child_exception_type(errno_num, err_msg, err_filename)
> FileNotFoundError: [Errno 2] No such file or directory: '/usr/sbin/dnssec-keyfromlabel-pkcs11'
> ..
>
> Before making it a BZ I thought I'd consult here - all
> thoughts much appreciated.
> I'm on CentOS 9 Stream with
> ipa-server-common-4.9.6-9.el9.noarch
> many thanks, L.

This should be fixed in 4.9.8 already:

    9026: Missing bind-pkcs11-utils causing failures in OpenDNSSec
    OpenDNSSec integration: depend on bind-dnssec-utils on all Fedora
    releases and RHEL == 9+. Switch to "/usr/sbin/dnssec-keyfromlabel
    -E pkcs11" instead of "/usr/sbin/dnssec-keyfromlabel-pkcs11" there
    too.

We already built 4.9.8 for CentOS 9 Stream, it will be in the compose
anytime soon:
https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=15604

Note that you cannot just pull the packages from the kojihub because
this package is built against new Samba version (and libraries, and
SSSD, etc.). So it is better to wait until they appear in the compose
altogether.
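
Added example, not part of the thread and not FreeIPA code: a small triage script that scans ipa-dnskeysyncd debug output for the failure reported above and lists, per missing helper binary, which zones failed to get their keys installed and how often. The function name and the sample log are constructed for illustration; the script assumes unwrapped log lines, one message per line.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the ipa-dnskeysyncd debug output quoted above.
# The failing zone appears twice to mimic the failure recurring, as the poster reports.
SAMPLE_LOG = """\
ipaserver.dnssec.bindmgr: INFO Synchronizing zone 1.3.10.in-addr.arpa.
ipapython.ipautil: DEBUG Process execution failed
FileNotFoundError: [Errno 2] No such file or directory: '/usr/sbin/dnssec-keyfromlabel-pkcs11'
ipaserver.dnssec.bindmgr: INFO Synchronizing zone 1.3.10.in-addr.arpa.
ipapython.ipautil: DEBUG Process execution failed
FileNotFoundError: [Errno 2] No such file or directory: '/usr/sbin/dnssec-keyfromlabel-pkcs11'
ipaserver.dnssec.bindmgr: INFO Synchronizing zone example.test.
ipaserver.dnssec.bindmgr: DEBUG Fixing directory permissions: /var/lib/ipa/dnssec/tokens/0000
"""

ZONE_RE = re.compile(r"bindmgr: INFO Synchronizing zone (\S+)")
MISSING_RE = re.compile(
    r"FileNotFoundError: \[Errno 2\] No such file or directory: '([^']+)'"
)


def failed_zone_syncs(log_text):
    """Return {missing_binary: {zone: failure_count}} for aborted zone syncs."""
    failures = defaultdict(Counter)
    current_zone = None
    for line in log_text.splitlines():
        zone = ZONE_RE.search(line)
        if zone:
            # Remember which zone bindmgr was working on when a helper fails.
            current_zone = zone.group(1)
            continue
        missing = MISSING_RE.search(line)
        if missing and current_zone is not None:
            failures[missing.group(1)][current_zone] += 1
    return {binary: dict(zones) for binary, zones in failures.items()}


if __name__ == "__main__":
    for binary, zones in failed_zone_syncs(SAMPLE_LOG).items():
        print(f"missing helper: {binary}")
        for zone, count in sorted(zones.items()):
            print(f"  {zone}: key installation failed {count} time(s)")
```

A zone listed here has not had its keys installed for BIND by bindmgr, so its DNSSEC key state should be checked again once the fixed packages are in place.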