On Fri, 10 Dec 2021, lejeczek via FreeIPA-users wrote:
Hi guys.
I think, but am not 100% certain, that after I signed my zones I get
these (quite regularly):
...
ipapython.ipautil: DEBUG stderr=
ipaserver.dnssec.bindmgr: DEBUG Key metadata in LDAP: {<DNS name
private.pawel.>: {'1d24e517-5612-11ec-9843-95791e1d967b':
<ldap.cidict.cidict object at 0x7f12c2cc96a0>,
'1d24e519-5612-11ec-9843-95791e1d967b': <ldap.cidict.cidict object at
0x7f12c2cc9670>}, <DNS name 1.3.10.in-addr.arpa.>:
{'1d24e51d-5612-11ec-9843-95791e1d967b': <ldap.cidict.cidict object at
0x7f12c2cc9af0>, '1d24e51f-5612-11ec-9843-95791e1d967b':
<ldap.cidict.cidict object at 0x7f12c2cc9cd0>}, <DNS name
mine.private.>: {'64ab7109-5612-11ec-9843-95791e1d967b':
<ldap.cidict.cidict object at 0x7f12c2cd67f0>,
'64ab710b-5612-11ec-9843-95791e1d967b': <ldap.cidict.cidict object at
0x7f12c2cd67c0>}, <DNS name private.road.>:
{'64ab7111-5612-11ec-9843-95791e1d967b': <ldap.cidict.cidict object at
0x7f12c2cd6df0>, '64ab7113-5612-11ec-9843-95791e1d967b':
<ldap.cidict.cidict object at 0x7f12c2cdf040>}}
ipaserver.dnssec.bindmgr: DEBUG Zones modified but skipped during
bindmgr.sync: set()
ipaserver.dnssec.bindmgr: INFO Synchronizing zone
1.3.10.in-addr.arpa.
ipaserver.dnssec.bindmgr: DEBUG Fixing directory permissions:
/var/lib/ipa/dnssec/tokens/7af30d9a-17e4-be64-d067-36773049ff7a
...
ipapython.ipautil: DEBUG args=['/usr/sbin/dnssec-keyfromlabel-pkcs11', '-K', '/var/named/dyndb-ldap/ipa/master/1.3.10.in-addr.arpa/tmpsqtcpdk7', '-a', b'RSASHA256', '-l', b'pkcs11:object=510d521b9dcec97000294dbcfa2af36a;pin-source=/var/lib/ipa/dnssec/softhsm_pin', '-P', b'20211205212748', '-A', b'20211205212748', '-I', 'none', '-D', 'none', '-f', 'KSK', '-E', 'pkcs11', '1.3.10.in-addr.arpa.']
ipapython.ipautil: DEBUG Process execution failed
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysyncd", line 113, in <module>
    while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
  File "/usr/lib64/python3.9/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll
    self.syncrepl_refreshdone()
  File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/keysyncer.py", line 128, in syncrepl_refreshdone
    self.bindmgr.sync(self.dnssec_zones)
  File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/bindmgr.py", line 231, in sync
    self.sync_zone(zone)
  File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/bindmgr.py", line 204, in sync_zone
    self.install_key(zone, uuid, attrs, tempdir)
  File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/bindmgr.py", line 145, in install_key
    result = ipautil.run(cmd, capture_output=True)
  File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 534, in run
    p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
  File "/usr/lib64/python3.9/subprocess.py", line 951, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib64/python3.9/subprocess.py", line 1821, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: '/usr/sbin/dnssec-keyfromlabel-pkcs11'
..
Before making it a BZ I thought I'd consult here - all thoughts much
appreciated.
I'm on CentOS 9 Stream with ipa-server-common-4.9.6-9.el9.noarch
many thanks, L.
This should be fixed in 4.9.8 already:
9026: Missing bind-pkcs11-utils causing failures in OpenDNSSec
OpenDNSSec integration: depend on bind-dnssec-utils on all Fedora
releases and RHEL == 9+. Switch to "/usr/sbin/dnssec-keyfromlabel
-E pkcs11" instead of "/usr/sbin/dnssec-keyfromlabel-pkcs11" there
too.
We have already built 4.9.8 for CentOS 9 Stream; it will be in the compose
any time soon:
https://kojihub.stream.rdu2.redhat.com/koji/buildinfo?buildID=15604
Note that you cannot just pull the packages from the kojihub because
this package is built against a new Samba version (and libraries, and
SSSD, etc.). So it is better to wait until they appear in the compose
altogether.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
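A diagnostic an admin can run before filing a BZ, added here as an example (not from the thread and not FreeIPA's own code): it checks whether the installed bindmgr.py still calls /usr/sbin/dnssec-keyfromlabel-pkcs11 (the 4.9.6 behaviour seen in the traceback) or the 4.9.8-style /usr/sbin/dnssec-keyfromlabel with -E pkcs11, and whether the binary it needs is actually present, which is the mismatch behind the FileNotFoundError above. The sbin directory and bindmgr.py path are taken as parameters so the check can be pointed at a test tree.

```shell
#!/bin/sh
# check_dnssec_tooling SBIN_DIR BINDMGR_PY
# Prints a status token followed by an explanation and returns:
#   0  the binary that bindmgr.py invokes exists
#   1  bindmgr.py invokes a binary that is absent (ipa-dnskeysyncd will raise
#      FileNotFoundError when it tries to install a zone's DNSSEC key)
#   2  bindmgr.py could not be read, so the expected binary is unknown
check_dnssec_tooling() {
    sbin="$1"
    bindmgr="$2"
    legacy_bin="$sbin/dnssec-keyfromlabel-pkcs11"   # bind-pkcs11-utils, used by 4.9.6
    new_bin="$sbin/dnssec-keyfromlabel"             # bind-dnssec-utils, used by 4.9.8+

    if [ ! -r "$bindmgr" ]; then
        echo "unknown-bindmgr cannot read $bindmgr; is ipa-server installed on this host?"
        return 2
    fi

    # 4.9.6 hardcodes the -pkcs11 binary name; 4.9.8 switched to the plain
    # binary with "-E pkcs11", so the presence of the old name is the tell.
    if grep -q 'dnssec-keyfromlabel-pkcs11' "$bindmgr"; then
        if [ -x "$legacy_bin" ]; then
            echo "ok-legacy $bindmgr uses $legacy_bin and it is present"
            return 0
        fi
        echo "mismatch-legacy-missing $bindmgr uses $legacy_bin but it is absent (bind-pkcs11-utils not installed); expect FileNotFoundError in ipa-dnskeysyncd until ipa-server 4.9.8 lands"
        return 1
    fi

    if [ -x "$new_bin" ]; then
        echo "ok-new $bindmgr uses $new_bin -E pkcs11 and it is present"
        return 0
    fi
    echo "mismatch-new-missing $bindmgr uses $new_bin -E pkcs11 but it is absent; install bind-dnssec-utils"
    return 1
}

# Stand-alone use: ./check.sh /usr/sbin /usr/lib/python3.9/site-packages/ipaserver/dnssec/bindmgr.py
if [ $# -ge 2 ]; then
    check_dnssec_tooling "$1" "$2"
fi
```

The first word of the output is a stable token (ok-legacy, ok-new, mismatch-legacy-missing, mismatch-new-missing, unknown-bindmgr) so the check can be scripted into a pre-upgrade health check.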