0005644: IPA - Cannot login in WebUI. It returns "Your session has expired". Running cli commands return GSSAPI error. - Rocky Linux BugTracker

ID	Project	Category	View Status	Date Submitted	Last Update

0005644	Rocky-Linux-8	ipa	public	2024-01-29 17:49	2024-02-04 20:01

Reporter	Jose Carvalho	Assigned To	Louis Abel
Priority	high	Severity	block	Reproducibility	always
Status	closed	Resolution	no change required
Platform	Rocky Linux	OS	Rocky Linux	OS Version	8.9

Summary	0005644: IPA - Cannot login in WebUI. It returns "Your session has expired". Running cli commands return GSSAPI error.
Description	Running cli commands like "ipa ping" or "ipa dnsrecord-add" returns the error: ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty) Sometimes I get the error: ipalib.cli ERROR cannot connect to 'https://my_ds_machine.subd.maind.com/ipa/session/json': Exceeded number of tries to forward a request. Theses errors occurred in 2 different machines serving 2 different domains. They were running fine for 2 years. Thanks
Tags	No tags attached.
Attached Files	ipa-error.txt (65,668 bytes) Jan 29 16:20:01 my_ds_machine systemd[1]: Starting system activity accounting tool... Jan 29 16:20:01 my_ds_machine systemd[1]: sysstat-collect.service: Succeeded. Jan 29 16:20:01 my_ds_machine systemd[1]: Started system activity accounting tool. Jan 29 16:20:11 my_ds_machine systemd[1]: Starting 389 Directory Server SUBD-MAIND-COM.... Jan 29 16:20:11 my_ds_machine systemd[1]: Started PC/SC Smart Card Daemon. Jan 29 16:20:11 my_ds_machine pcscd[6212]: 00000000 auth.c:139:IsClientAuthorized() Process 6210 (user: 1071) is NOT authorized for action: access_pcsc Jan 29 16:20:11 my_ds_machine pcscd[6212]: 00000208 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:11 my_ds_machine pcscd[6212]: 00039329 auth.c:139:IsClientAuthorized() Process 6210 (user: 1071) is NOT authorized for action: access_pcsc Jan 29 16:20:11 my_ds_machine pcscd[6212]: 00000107 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:11 my_ds_machine pcscd[6212]: 00036150 auth.c:139:IsClientAuthorized() Process 6210 (user: 1071) is NOT authorized for action: access_pcsc Jan 29 16:20:11 my_ds_machine pcscd[6212]: 00000120 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:11 my_ds_machine pcscd[6212]: 00036608 auth.c:139:IsClientAuthorized() Process 6210 (user: 1071) is NOT authorized for action: access_pcsc Jan 29 16:20:11 my_ds_machine pcscd[6212]: 00000110 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:11 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:11.744042686 +0000] - INFO - slapd_extract_cert - CA CERT NAME: SUBD.MAIND.COM IPA CA Jan 29 16:20:11 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:11.746386236 +0000] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. Jan 29 16:20:11 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:11.863611189 +0000] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.130458325 +0000] - INFO - Security Initialization - SSL info: Enabling default cipher set. Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.131573670 +0000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.132516274 +0000] - INFO - Security Initialization - SSL info: #011TLS_AES_128_GCM_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.133330736 +0000] - INFO - Security Initialization - SSL info: #011TLS_CHACHA20_POLY1305_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.134082618 +0000] - INFO - Security Initialization - SSL info: #011TLS_AES_256_GCM_SHA384: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.134877196 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.135941077 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.136731194 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.137445216 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.138244293 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.139224041 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.139997402 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.140974637 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.142404479 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.143324014 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.144018921 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.144983718 +0000] - INFO - Security Initialization - SSL info: #011TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.145745855 +0000] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.146718329 +0000] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.147577234 +0000] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.148832139 +0000] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.149689764 +0000] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.150602846 +0000] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.151809859 +0000] - INFO - Security Initialization - SSL info: #011TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.153186876 +0000] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.154135063 +0000] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.155073835 +0000] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.156355343 +0000] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.157446429 +0000] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.159616302 +0000] - INFO - Security Initialization - SSL info: #011TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.172605261 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3 Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.174707212 +0000] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3 Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.177934000 +0000] - INFO - main - 389-Directory/1.4.3.37 B2024.010.1841 starting up Jan 29 16:20:12 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:12.179615905 +0000] - INFO - main - Setting the maximum file descriptor limit to: 262144 Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.253564188 +0000] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.257907128 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.264289768 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.270077171 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.275512876 +0000] - NOTICE - ldbm_back_start - found 1808544k physical memory Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.276396589 +0000] - NOTICE - ldbm_back_start - found 1253836k available Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.277159921 +0000] - NOTICE - ldbm_back_start - cache autosizing: db cache: 113034k Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.278190719 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 131072k Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.279715977 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 65536k Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.280765362 +0000] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 131072k Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.281795853 +0000] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 65536k Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.282778373 +0000] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 131072k Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.283931141 +0000] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 65536k Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.285579689 +0000] - NOTICE - ldbm_back_start - total cache size: 696577228 B; Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.288111655 +0000] - INFO - bdb_start - Resizing db cache size: 28807987 -> 92597452 Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.480111970 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.493459557 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.494641446 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.496602792 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.497848449 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.499002274 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.500188358 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.501079694 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.502127233 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.503136851 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.504005652 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.505775455 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.506765017 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.507720123 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.508648979 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.509671201 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.510773569 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.521343616 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.525255609 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.528463246 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=subd,dc=maind,dc=com does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.652975869 +0000] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.660446802 +0000] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off' Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.701562792 +0000] - INFO - validate_num_config_reservedescriptors - reserve descriptors changed from 64 to 218 Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.704137698 +0000] - INFO - connection_table_new - conntablesize:64000 Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.711589932 +0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.740642338 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.742061656 +0000] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests Jan 29 16:20:13 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:13.742955769 +0000] - INFO - slapd_daemon - Listening on /var/run/slapd-SUBD-MAIND-COM.socket for LDAPI requests Jan 29 16:20:13 my_ds_machine systemd[1]: Started 389 Directory Server SUBD-MAIND-COM.. Jan 29 16:20:14 my_ds_machine systemd[1]: Starting Kerberos 5 KDC... Jan 29 16:20:14 my_ds_machine systemd[1]: krb5kdc.service: Can't open PID file /var/run/krb5kdc.pid (yet?) after start: No such file or directory Jan 29 16:20:14 my_ds_machine systemd[1]: Started Kerberos 5 KDC. Jan 29 16:20:14 my_ds_machine systemd[1]: Starting Kerberos 5 Password-changing and Administration... Jan 29 16:20:14 my_ds_machine systemd[1]: kadmin.service: Can't open PID file /var/run/kadmind.pid (yet?) after start: No such file or directory Jan 29 16:20:14 my_ds_machine systemd[1]: Started Kerberos 5 Password-changing and Administration. Jan 29 16:20:14 my_ds_machine systemd[1]: Starting Generate rndc key for BIND (DNS)... Jan 29 16:20:14 my_ds_machine systemd[1]: named-setup-rndc.service: Succeeded. Jan 29 16:20:14 my_ds_machine systemd[1]: Started Generate rndc key for BIND (DNS). Jan 29 16:20:14 my_ds_machine systemd[1]: Starting Berkeley Internet Name Domain (DNS) with native PKCS#11... Jan 29 16:20:14 my_ds_machine bash[6280]: zone localhost.localdomain/IN: loaded serial 0 Jan 29 16:20:14 my_ds_machine bash[6280]: zone localhost/IN: loaded serial 0 Jan 29 16:20:14 my_ds_machine bash[6280]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Jan 29 16:20:14 my_ds_machine bash[6280]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Jan 29 16:20:14 my_ds_machine bash[6280]: zone 0.in-addr.arpa/IN: loaded serial 0 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: starting BIND 9.11.36-RedHat-9.11.36-11.el8_9 (Extended Support Version) <id:68dbd5b> Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: running on Linux x86_64 4.18.0-513.11.1.el8_9.x86_64 #1 SMP Wed Jan 10 22:58:54 UTC 2024 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/libexec/platform-python' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--enable-openssl-hash' '--with-geoip2' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-libjson' '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: running as: named-pkcs11 -u named -c /etc/named.conf Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-20) Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: compiled with libxml2 version: 2.9.7 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: linked to libxml2 version: 20907 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: compiled with libjson-c version: 0.13.1 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: linked to libjson-c version: 0.13.1 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: compiled with zlib version: 1.2.11 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: linked to zlib version: 1.2.11 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: threads support is enabled Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: ---------------------------------------------------- Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: BIND 9 is maintained by Internet Systems Consortium, Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: corporation. Support and training for BIND 9 are Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: available at https://www.isc.org/support Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: ---------------------------------------------------- Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: adjusted limit on open files from 262144 to 1048576 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: found 1 CPU, using 1 worker thread Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: using 1 UDP listener per interface Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: using up to 21000 sockets Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: loading configuration from '/etc/named.conf' Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: unable to open '/etc/bind.keys'; using built-in keys instead Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: looking for GeoIP2 databases in '/usr/share/GeoIP' Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-Country.mmdb' Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: opened GeoIP2 database '/usr/share/GeoIP/GeoLite2-City.mmdb' Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: using default UDP/IPv4 port range: [9000, 65500] Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: using default UDP/IPv6 port range: [9000, 65500] Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: listening on IPv6 interfaces, port 53 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: listening on IPv4 interface lo, 127.0.0.1#53 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: listening on IPv4 interface ens192, 10.210.205.233#53 Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: generating session key for dynamic DNS Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: sizing zone task pool based on 6 zones Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: none:106: 'max-cache-size 90%' - setting to 1589MB (out of 1766MB) Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind' Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so' Jan 29 16:20:14 my_ds_machine named-pkcs11[6283]: bind-dyndb-ldap version 11.6 compiled at 22:28:01 Jul 17 2023, compiler 8.5.0 20210514 (Red Hat 8.5.0-20) Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 10.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 16.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 17.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 18.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 19.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 20.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 21.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 22.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 23.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 24.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 25.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 26.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 27.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 28.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 29.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 30.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 31.172.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 168.192.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 64.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 65.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 66.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 67.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 68.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine systemd[1]: Started Berkeley Internet Name Domain (DNS) with native PKCS#11. Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 69.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 70.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 71.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 72.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 73.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 74.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 75.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 76.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 77.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 78.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 79.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 80.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 81.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 82.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 83.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 84.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 85.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 86.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 87.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 88.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 89.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 90.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 91.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 92.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 93.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 94.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 95.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 96.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 97.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 98.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 99.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 100.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 101.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 102.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 103.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 104.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 105.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 106.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 107.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 108.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 109.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 110.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 111.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 112.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 113.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 114.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 115.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 116.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 117.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 118.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 119.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 120.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 121.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 122.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 123.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 124.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 125.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 126.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 127.100.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 127.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 254.169.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 2.0.192.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 100.51.198.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 113.0.203.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: D.F.IP6.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 8.E.F.IP6.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 9.E.F.IP6.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: A.E.F.IP6.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: B.E.F.IP6.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: EMPTY.AS112.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: automatic empty zone: HOME.ARPA Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: none:106: 'max-cache-size 90%' - setting to 1589MB (out of 1766MB) Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: configuring command channel from '/etc/rndc.key' Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: command channel listening on 127.0.0.1#953 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: configuring command channel from '/etc/rndc.key' Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: command channel listening on ::1#953 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: managed-keys-zone: journal file is out of date: removing journal file Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: managed-keys-zone: loaded serial 1982 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 0.in-addr.arpa/IN: loaded serial 0 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone localhost.localdomain/IN: loaded serial 0 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone localhost/IN: loaded serial 0 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: all zones loaded Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: running Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 10.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 16.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 17.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 18.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 19.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 20.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 21.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 22.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 23.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 24.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 25.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 26.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 27.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 28.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 29.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 30.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 31.172.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 168.192.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 64.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 65.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 66.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 67.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 68.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 69.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 70.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 71.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 72.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 73.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 74.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 75.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 76.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 77.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 78.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 79.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 80.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 81.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 82.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 83.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 84.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 85.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 86.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 87.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 88.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 89.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 90.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 91.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 92.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 93.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 94.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 95.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 96.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 97.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 98.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 99.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 100.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 101.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 102.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 103.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 104.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 105.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 106.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 107.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 108.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 109.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 110.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 111.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 112.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 113.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 114.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 115.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 116.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 117.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 118.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 119.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 120.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 121.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 122.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 123.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 124.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 125.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 126.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 127.100.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 254.169.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 2.0.192.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 100.51.198.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 113.0.203.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 255.255.255.255.IN-ADDR.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone D.F.IP6.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 8.E.F.IP6.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 9.E.F.IP6.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone A.E.F.IP6.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone B.E.F.IP6.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 8.B.D.0.1.0.0.2.IP6.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone EMPTY.AS112.ARPA/IN: shutting down Jan 29 16:20:15 my_ds_machine systemd[1]: Starting The Apache HTTP Server... Jan 29 16:20:15 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:15.205631329 +0000] - WARN - content-sync-plugin - sync_update_persist_betxn_pre_op - DB retried operation targets "idnsname=5.10.10.in-addr.arpa.,cn=dns,dc=subd,dc=maind,dc=com" (op=0x7f7ac5d18200 idx_pl=0) => op not changed in PL Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone 5.10.10.in-addr.arpa/IN: loaded serial 1706545215 Jan 29 16:20:15 my_ds_machine named-pkcs11[6283]: zone subd.maind.com/IN: loaded serial 1706545215 Jan 29 16:20:15 my_ds_machine ipa-httpd-kdcproxy[6292]: ipa: INFO: KDC proxy enabled Jan 29 16:20:15 my_ds_machine ipa-httpd-kdcproxy[6292]: ipa-httpd-kdcproxy: INFO KDC proxy enabled Jan 29 16:20:16 my_ds_machine systemd[1]: Started The Apache HTTP Server. Jan 29 16:20:16 my_ds_machine httpd[6293]: Server configured, listening on: port 443, port 80 Jan 29 16:20:16 my_ds_machine systemd[1]: Starting IPA Custodia Service... Jan 29 16:20:18 my_ds_machine ipa-custodia[6310]: 2024-01-29 16:20:18 - custodia - Custodia instance <main> Jan 29 16:20:18 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:18.731707759 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=subd,dc=maind,dc=com Jan 29 16:20:18 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:18.882829095 +0000] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=subd,dc=maind,dc=com Jan 29 16:20:18 my_ds_machine ns-slapd[6210]: [29/Jan/2024:16:20:18.891738415 +0000] - ERR - schema-compat-plugin - Finished plugin initialization. Jan 29 16:20:19 my_ds_machine systemd[1]: Started IPA Custodia Service. Jan 29 16:20:19 my_ds_machine systemd[1]: Starting PKI Tomcat Server pki-tomcat... Jan 29 16:20:29 my_ds_machine pcscd[6212]: 17469090 auth.c:139:IsClientAuthorized() Process 6576 (user: 17) is NOT authorized for action: access_pcsc Jan 29 16:20:29 my_ds_machine pcscd[6212]: 00000270 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:29 my_ds_machine pcscd[6212]: 00236500 auth.c:139:IsClientAuthorized() Process 6576 (user: 17) is NOT authorized for action: access_pcsc Jan 29 16:20:29 my_ds_machine pcscd[6212]: 00000111 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:29 my_ds_machine pcscd[6212]: 00259826 auth.c:139:IsClientAuthorized() Process 6576 (user: 17) is NOT authorized for action: access_pcsc Jan 29 16:20:29 my_ds_machine pcscd[6212]: 00000109 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:29 my_ds_machine pcscd[6212]: 00236862 auth.c:139:IsClientAuthorized() Process 6576 (user: 17) is NOT authorized for action: access_pcsc Jan 29 16:20:29 my_ds_machine pcscd[6212]: 00000108 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:31 my_ds_machine pki-server[6569]: AJP connector requiredSecret: None Jan 29 16:20:31 my_ds_machine server[6633]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Jan 29 16:20:31 my_ds_machine server[6633]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar Jan 29 16:20:31 my_ds_machine server[6633]: main class used: org.apache.catalina.startup.Bootstrap Jan 29 16:20:31 my_ds_machine server[6633]: flags used: -Dcom.redhat.fips=false Jan 29 16:20:31 my_ds_machine server[6633]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Jan 29 16:20:31 my_ds_machine server[6633]: arguments used: start Jan 29 16:20:32 my_ds_machine ipa-pki-wait-running[6634]: pki.client: /usr/libexec/ipa/ipa-pki-wait-running:64: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes). Jan 29 16:20:32 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Created connection http://my_ds_machine.subd.maind.com:8080/ca Jan 29 16:20:32 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f273cc23d30>: Failed to establish a new connection: [Errno 111] Connection refused',)) Jan 29 16:20:33 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f273cbe2160>: Failed to establish a new connection: [Errno 111] Connection refused',)) Jan 29 16:20:34 my_ds_machine pcscd[6212]: 04496759 auth.c:139:IsClientAuthorized() Process 6633 (user: 17) is NOT authorized for action: access_pcsc Jan 29 16:20:34 my_ds_machine pcscd[6212]: 00000213 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:34 my_ds_machine pcscd[6212]: 00035945 auth.c:139:IsClientAuthorized() Process 6633 (user: 17) is NOT authorized for action: access_pcsc Jan 29 16:20:34 my_ds_machine pcscd[6212]: 00000108 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:34 my_ds_machine pcscd[6212]: 00031809 auth.c:139:IsClientAuthorized() Process 6633 (user: 17) is NOT authorized for action: access_pcsc Jan 29 16:20:34 my_ds_machine pcscd[6212]: 00000111 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:34 my_ds_machine pcscd[6212]: 00031886 auth.c:139:IsClientAuthorized() Process 6633 (user: 17) is NOT authorized for action: access_pcsc Jan 29 16:20:34 my_ds_machine pcscd[6212]: 00000106 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 29 16:20:34 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f273cc23978>: Failed to establish a new connection: [Errno 111] Connection refused',)) Jan 29 16:20:36 my_ds_machine server[6633]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]] Jan 29 16:20:36 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Read timed out. (read timeout=1.0) Jan 29 16:20:38 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Read timed out. (read timeout=1.0) Jan 29 16:20:40 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Read timed out. (read timeout=1.0) Jan 29 16:20:42 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Read timed out. (read timeout=1.0) Jan 29 16:20:44 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Read timed out. (read timeout=1.0) Jan 29 16:20:46 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Read timed out. (read timeout=1.0) Jan 29 16:20:48 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='my_ds_machine.subd.maind.com', port=8080): Read timed out. (read timeout=1.0) Jan 29 16:20:49 my_ds_machine ipa-pki-wait-running[6634]: ipa-pki-wait-running: Success, subsystem ca is running! Jan 29 16:20:50 my_ds_machine systemd[1]: Started PKI Tomcat Server pki-tomcat. Jan 29 16:20:50 my_ds_machine systemd[1]: Reached target PKI Tomcat Server. Jan 29 16:20:50 my_ds_machine systemd[1]: Listening on ipa-otpd socket. Jan 29 16:20:50 my_ds_machine systemd[1]: Started IPA key daemon. Jan 29 16:20:51 my_ds_machine ipa-dnskeysyncd[6803]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Jan 29 16:20:53 my_ds_machine ipa-dnskeysyncd[6803]: ipa-dnskeysyncd: INFO LDAP bind... Jan 29 16:20:53 my_ds_machine ipa-dnskeysyncd[6803]: ipa-dnskeysyncd: INFO Commencing sync process Jan 29 16:20:53 my_ds_machine ipa-dnskeysyncd[6803]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: Traceback (most recent call last): Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module> Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: self.syncrepl_refreshdone() Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: self.hsm_replica_sync() Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: p.returncode, arg_string, output_log, error_log Jan 29 16:20:56 my_ds_machine ipa-dnskeysyncd[6803]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: 'ipa-dnskeysync-replica: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details\nTraceback (most recent call last):\n File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 182, in <module>\n f.read()\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 96, in __init__\n self.p11 = _ipap11helper.P11_Helper(label, pin, library)\n File "/usr/lib/python3.6/site-packages/ipaserver/p11helper.py", line 868, in __init__\n raise Error("No slot for label {} found".format(self.token_label))\nipaserver.p11helper.Error: No slot for label ipaDNSSEC found\nException ignored in: <bound method LocalHSM.__del__ of <ipaserver.dnssec.localhsm.LocalHSM object at 0x7f5dc86e1400>>\nTraceback (most recent call last):\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 99, in __del__\n self.p11.finalize()\nAttributeError: \'LocalHSM\' object has no attribute \'p11\'\n') Jan 29 16:20:56 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Jan 29 16:20:56 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Jan 29 16:21:04 my_ds_machine sssd_be[962]: Backend is online Jan 29 16:21:35 my_ds_machine systemd[1]: pcscd.service: Succeeded. Jan 29 16:21:43 my_ds_machine chronyd[938]: Received KoD RATE from 109.48.74.248 Jan 29 16:21:56 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Jan 29 16:21:56 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 1. Jan 29 16:21:56 my_ds_machine systemd[1]: Stopped IPA key daemon. Jan 29 16:21:56 my_ds_machine systemd[1]: Started IPA key daemon. Jan 29 16:21:57 my_ds_machine ipa-dnskeysyncd[6825]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Jan 29 16:21:59 my_ds_machine ipa-dnskeysyncd[6825]: ipa-dnskeysyncd: INFO LDAP bind... Jan 29 16:21:59 my_ds_machine ipa-dnskeysyncd[6825]: ipa-dnskeysyncd: INFO Commencing sync process Jan 29 16:21:59 my_ds_machine ipa-dnskeysyncd[6825]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: Traceback (most recent call last): Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module> Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: self.syncrepl_refreshdone() Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: self.hsm_replica_sync() Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: p.returncode, arg_string, output_log, error_log Jan 29 16:22:01 my_ds_machine ipa-dnskeysyncd[6825]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: 'ipa-dnskeysync-replica: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details\nTraceback (most recent call last):\n File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 182, in <module>\n f.read()\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 96, in __init__\n self.p11 = _ipap11helper.P11_Helper(label, pin, library)\n File "/usr/lib/python3.6/site-packages/ipaserver/p11helper.py", line 868, in __init__\n raise Error("No slot for label {} found".format(self.token_label))\nipaserver.p11helper.Error: No slot for label ipaDNSSEC found\nException ignored in: <bound method LocalHSM.__del__ of <ipaserver.dnssec.localhsm.LocalHSM object at 0x7fefe2601588>>\nTraceback (most recent call last):\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 99, in __del__\n self.p11.finalize()\nAttributeError: \'LocalHSM\' object has no attribute \'p11\'\n') Jan 29 16:22:01 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Jan 29 16:22:01 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Jan 29 16:23:02 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Jan 29 16:23:02 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 2. Jan 29 16:23:02 my_ds_machine systemd[1]: Stopped IPA key daemon. Jan 29 16:23:02 my_ds_machine systemd[1]: Started IPA key daemon. Jan 29 16:23:02 my_ds_machine ipa-dnskeysyncd[6843]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Jan 29 16:23:04 my_ds_machine ipa-dnskeysyncd[6843]: ipa-dnskeysyncd: INFO LDAP bind... Jan 29 16:23:04 my_ds_machine ipa-dnskeysyncd[6843]: ipa-dnskeysyncd: INFO Commencing sync process Jan 29 16:23:04 my_ds_machine ipa-dnskeysyncd[6843]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: Traceback (most recent call last): Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module> Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: self.syncrepl_refreshdone() Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: self.hsm_replica_sync() Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: p.returncode, arg_string, output_log, error_log Jan 29 16:23:07 my_ds_machine ipa-dnskeysyncd[6843]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: 'ipa-dnskeysync-replica: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details\nTraceback (most recent call last):\n File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 182, in <module>\n f.read()\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 96, in __init__\n self.p11 = _ipap11helper.P11_Helper(label, pin, library)\n File "/usr/lib/python3.6/site-packages/ipaserver/p11helper.py", line 868, in __init__\n raise Error("No slot for label {} found".format(self.token_label))\nipaserver.p11helper.Error: No slot for label ipaDNSSEC found\nException ignored in: <bound method LocalHSM.__del__ of <ipaserver.dnssec.localhsm.LocalHSM object at 0x7f649896f588>>\nTraceback (most recent call last):\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 99, in __del__\n self.p11.finalize()\nAttributeError: \'LocalHSM\' object has no attribute \'p11\'\n') Jan 29 16:23:07 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Jan 29 16:23:07 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Jan 29 16:24:07 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Jan 29 16:24:07 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 3. Jan 29 16:24:07 my_ds_machine systemd[1]: Stopped IPA key daemon. Jan 29 16:24:07 my_ds_machine systemd[1]: Started IPA key daemon. Jan 29 16:24:08 my_ds_machine ipa-dnskeysyncd[6870]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Jan 29 16:24:10 my_ds_machine ipa-dnskeysyncd[6870]: ipa-dnskeysyncd: INFO LDAP bind... Jan 29 16:24:10 my_ds_machine ipa-dnskeysyncd[6870]: ipa-dnskeysyncd: INFO Commencing sync process Jan 29 16:24:10 my_ds_machine ipa-dnskeysyncd[6870]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: Traceback (most recent call last): Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module> Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: self.syncrepl_refreshdone() Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: self.hsm_replica_sync() Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: p.returncode, arg_string, output_log, error_log Jan 29 16:24:13 my_ds_machine ipa-dnskeysyncd[6870]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: 'ipa-dnskeysync-replica: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details\nTraceback (most recent call last):\n File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 182, in <module>\n f.read()\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 96, in __init__\n self.p11 = _ipap11helper.P11_Helper(label, pin, library)\n File "/usr/lib/python3.6/site-packages/ipaserver/p11helper.py", line 868, in __init__\n raise Error("No slot for label {} found".format(self.token_label))\nipaserver.p11helper.Error: No slot for label ipaDNSSEC found\nException ignored in: <bound method LocalHSM.__del__ of <ipaserver.dnssec.localhsm.LocalHSM object at 0x7f0c926ca3c8>>\nTraceback (most recent call last):\n File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/localhsm.py", line 99, in __del__\n self.p11.finalize()\nAttributeError: \'LocalHSM\' object has no attribute \'p11\'\n') Jan 29 16:24:13 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Jan 29 16:24:13 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Jan 29 16:25:13 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Jan 29 16:25:13 my_ds_machine systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 4. Jan 29 16:25:13 my_ds_machine systemd[1]: Stopped IPA key daemon. Jan 29 16:25:13 my_ds_machine systemd[1]: Started IPA key daemon. ipa-error.txt (65,668 bytes)

Jose Carvalho 2024-02-01 11:58 reporter ~0005776	I have already concluded that the issue results from python3 subsystem of the distro. I have also python module load errors in system-config-selinux.py. If this is run directly, "plataform-python" is used (configured in the header of resulted from packages installed), and errors result, but if I run system-config-config.py with python3.6 interpreter (python3.6 system-config-selinux.py) it run fines. So the problem is in "platform-python" of the distro. Why?

Louis Abel 2024-02-01 16:50 administrator ~0005777	While I know the python situation is not easy to work with, platform-python should not be interacted with manual intervention in any case. That python and the python36 module stream are not the same. Looking at your logs, I see ipa-dnskeysyncd consistently failing. Prior to this, I see mentions of pcscd running. This makes it appear as though you are using smart cards or some sort of HSM. I don't know if this is actually the case, but that is just an observation. Either way, it is not clear what version this domain was stood up with. It could easily be related to smart cards or it could be related to how old the domain is. A common scenario for your credential cache being empty is kerberos and PAC signatures, and the requirements for that is SID's. For this particular case, users must be SID's on their profiles. This became default in 4.9.8 for new domains, but not older domains. If your IPA started before that, you may need to enable it. To confirm if SID's currently exist, `ipa user-show admin --all \| grep ipantsecurityidentifier` will help. You can replace "admin" also with whatever user is having issues. If you find there are no SID's, you may need to enable it: ipa config-mod --enable-sid --add-sids. With all that said, I don't have further details of your setup, environment, and if there is indeed an HSM/smart card involved. Having those details would help in reproducing the problem or trying to pinpoint where the issue is in your environment. Running a standard FreeIPA installation done on 8.9, I do not have any issues.

Jose Carvalho 2024-02-02 10:56 reporter ~0005809	Hi, thanks for your information, I run the command 'ipa user-show admin --all \| grep ipantsecurityidentifier' and i get the same GSSAPI error ("ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty"). I uninstalled pcsc and the I still get and see the same errors. How can I check the schema version? Thanks

Jose Carvalho 2024-02-02 10:57 reporter ~0005810	Hi, thanks for your information, I run the command 'ipa user-show admin --all \| grep ipantsecurityidentifier' and i get the same GSSAPI error ("ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty"). I uninstalled pcsc and the I still get and see the same errors. How can I check the schema version? Thanks

Louis Abel 2024-02-02 11:07 administrator ~0005811	You can alternatively use ldapsearch -xWD 'cn=Directory Manager' -h localhost -b 'cn=users,cn=accounts,dc=subd,dc=maind,dc=com' uid=admin ipantsecurityidentifier to look for it, which bypasses kerberos entirely. Change "admin" if you want to check other users. Change the dc values to your domain as needed. % ldapsearch -xWD 'cn=Directory Manager' -h localhost -b 'cn=users,cn=accounts,dc=angelsofclockwork,dc=net' uid=admin ipantsecurityidentifier Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=users,cn=accounts,dc=angelsofclockwork,dc=net> with scope subtree # filter: uid=admin # requesting: ipantsecurityidentifier # # admin, users, accounts, angelsofclockwork.net dn: uid=admin,cn=users,cn=accounts,dc=angelsofclockwork,dc=net ipantsecurityidentifier: S-1-5-21-000000000-111111111-0101010101-500 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 There's no direct "schema version" as in AD. What matters is the version of the ipa-server package which will dictate the schema and features available to you. The reason for this is ipa-server-upgrade is ran upon each update of the package.

Jose Carvalho 2024-02-04 11:00 reporter ~0005842	The issue is solved. This results from ipa upgrade to 4.9.12 where sids should be enabled even we do not use it. You mention it, but I do saw that as mandatory, but should be!. For me is a bug not invoking during the upgrade. Replica and pcsc erros always seemed to me very strange to be the cause because I do not use smartcard and I do not have replica, I run '/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --netbios-name YOURNETBIOSDOMAIN --add-sids' and everything is working now as before. Thanks

Date Modified	Username	Field	Change
2024-01-29 17:49	Jose Carvalho	New Issue
2024-01-29 17:49	Jose Carvalho	File Added: ipa-error.txt
2024-02-01 11:58	Jose Carvalho	Note Added: 0005776
2024-02-01 16:50	Louis Abel	Assigned To	=> Louis Abel
2024-02-01 16:50	Louis Abel	Status	new => needinfo
2024-02-01 16:50	Louis Abel	Note Added: 0005777
2024-02-02 10:56	Jose Carvalho	Note Added: 0005809
2024-02-02 10:57	Jose Carvalho	Note Added: 0005810
2024-02-02 11:07	Louis Abel	Note Added: 0005811
2024-02-04 11:00	Jose Carvalho	Note Added: 0005842
2024-02-04 20:01	Louis Abel	Status	needinfo => closed
2024-02-04 20:01	Louis Abel	Resolution	open => no change required