I think the problem might be related to that error I got within dirsrv:
[12/Jun/2018:21:28:41.780869662 +0000] - ERR - set_krb5_creds - Could not
get initial credentials for principal
[ldap/freeipa-02.jahia.local@JAHIA.LOCAL] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
requested realm)
if I do a klist -kt /etc/dirsrv/ds.keytab
I get the following:
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
2 12/20/16 09:39:50 ldap/freeipa-02.jahia.local@JAHIA.LOCAL
2 12/20/16 09:39:50 ldap/freeipa-02.jahia.local@JAHIA.LOCAL
2 12/20/16 09:39:50 ldap/freeipa-02.jahia.local@JAHIA.LOCAL
2 12/20/16 09:39:51 ldap/freeipa-02.jahia.local@JAHIA.LOCAL
2 12/20/16 09:39:51 ldap/freeipa-02.jahia.local@JAHIA.LOCAL
2 12/20/16 09:39:51 ldap/freeipa-02.jahia.local@JAHIA.LOCAL
And after I started the disabled service “krb5kdc”, everything was
“””solved””” for that part of errors.
I also found that during the upgrade from F25 -> F26 the dse.ldif was
changed to have
nsslapd-port: 0
instead of the port 389 as it was in F25.
Since `nsslapd-port: 0` means to use the ldaps.
and since everything behind is using that (ipa-server-upgrade) I cannot
finish the upgrade correctly.
I could go past some steps of the upgrade, but not past the CA verification:
Upgrading IPA:
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: starting directory server
[6/10]: updating schema
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-JAHIA-LOCAL/certmap.conf is now managed by IPA. It will
be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
CA did not start in 300.0s
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information
And the error I get is basically:
0.localhost-startStop-1 - [12/Jun/2018:21:22:29 UTC] [8] [3] In Ldap
(bound) connection pool to host freeipa-02.jahia.local port 636, Cannot
connect to LDAP server. Error: netscape.ldap.LDAPException: Unable to
create socket: java.net.ConnectException: Connection refused (Connection
refused) (-1)
which caused the following error:
12-Jun-2018 21:27:50.393 WARNING
[ContainerBackgroundProcessor[StandardEngine[Catalina]]]
org.apache.catalina.core.ContainerBase.backgroundProcess Exception
processing realm com.netscape.cms.tomcat.ProxyRealm@67a
992d background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
at
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:130)
at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1154)
at
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5715)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1377)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1381)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1349)
at java.lang.Thread.run(Thread.java:748)
and then the following error:
2018-06-12T21:27:21Z DEBUG The CA status is: check interrupted due to
error: Retrieving CA status failed with status 500
2018-06-12T21:27:21Z DEBUG Waiting for CA to start...
2018-06-12T21:27:22Z DEBUG request POST
http://freeipa-02.jahia.local:8080/ca/admin/ca/getStatus
2018-06-12T21:27:22Z DEBUG request body ''
2018-06-12T21:27:22Z DEBUG response status 500
2018-06-12T21:27:22Z DEBUG response headers {'content-length': '2351',
'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection':
'close', 'date': 'Tue, 12 Jun 2018 21:27:22 GMT', 'content-type': 'tex
t/html;charset=utf-8'}
2018-06-12T21:27:22Z DEBUG response body '<!DOCTYPE
html><html><head><title>Apache Tomcat/8.0.50 - Error report</title><style
type="text/css">H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#
525D76;font-size:22px;} H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P {font-family:Tahoma,Arial,sans-serif;background:white
;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line
{height: 1px; background-color: #525D76; border: none;}</style>
</head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><div class=
"line"></div><p><b>type</b> Exception report</p><p><b>message</b>
<u>Subsystem unavailable</u></p><p><b>description</b> <u>The server
encountered an internal error that prevented it from fulfilling this
request.<
/u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
Subsystem
unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.authenti
cator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAcces
sLogValve.java:620)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)\n\torg.apache.coyo
te.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)\n\torg.apache.tomcat.util.net.NioEndpoint$So
cketProcessor.run(NioEndpoint.java:1495)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\tor
g.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>note</b>
<u>The full stack trace of the root cause is available in the Apache
Tomcat/8.0.50 logs.</u></p><hr class="line"><h3>Apache
Tomcat/8.0.50</h3></body></html>'
So the question now would be… What am I missing to have ldaps with port 636?
Thank you in advance again!
Alessandro
On 12 June 2018 at 21:22:56, Simo Sorce (s...@redhat.com) wrote:
On Tue, 2018-06-12 at 12:15 -0700, Alessandro Perucchi via FreeIPA-
users wrote:
> Hello everyone,
>
> We were using Freeipa on Fedora 24. And we are in the process to upgrade
to
> Fedora 28.
> We have a cluster of 2 nodes (freeipa-01 and freeipa-02).
>
> I am trying to upgrade one server after the other, from one release to
the
> next.
>
> Basically:
>
> freeipa-01 Fedora 24 -> Fedora 25
>
> freeipa-02 Fedora 24 -> Fedora 25
> freeipa-02 Fedora 25 -> Fedora 26
>
> freeipa-01 Fedora 25 -> Fedora 26
> freeipa-01 Fedora 26 -> Fedora 27
>
> freeipa-02 Fedora 26 -> Fedora 27
> freeipa-02 Fedora 27 -> Fedora 28
>
> freeipa-01 Fedora 27 -> Fedora 28
>
> Since Fedora doesn’t support to jump from one version to another, except
> one release at the time.
>
> My idea is to check that once a server is upgraded, then everything is
> stable, before going to the next server, and try to be as near as
possible
> from a version point of view between the 2 freeipa node cluster.
>
> Today <http://airmail.calendar/2018-06-12%2012:00:00%20CEST>, I could
> upgrade without problems from Fedora 24 -> Fedora 25 on both nodes
> (freeipa-01 and freeipa-02).
>
> In trying to upgrade to Fedora 26, I got some problems, the main problem
is
> that the upgrade of ldap 389 is not successful, and the one from IPA
either.
> After investigating a long moment, I have found that ns-slapd listen only
> to IPv6, on UDP, and NOT on IPv4 and TCP.
>
> Here is what I have:
>
> [root@freeipa-02 lib]# lsof -Pni |grep slap
> ns-slapd 21005 dirsrv 9u IPv6 1617283379 <//1617283379> 0t0
> UDP *:389
> ns-slapd 21005 dirsrv 77u IPv4 1617321218 <//1617321218> 0t0
> TCP 10.100.0.102:60646->10.100.0.101:389 (ESTABLISHED)
> ns-slapd 21005 dirsrv 81u IPv4 1617317640 <//1617317640> 0t0
> TCP 10.100.0.102:60648->10.100.0.101:389 (ESTABLISHED)
>
>
> So, I decided to look at the file dse.ldif, and found that the entry
> "nsslapd-port” was set to “0” and no “nsslapd-listenhost” was not set at
> all.
> I have then added the line
>
> nsslapd-listenhost: 0.0.0.0
>
> and changed the nsslapd-port to look like:
>
> nsslap-port: 389
>
> And after doing a
>
> systemctl stop dirsrv@DOM-LOCAL ; systemctl start dirsrv@DOM-LOCAL
>
> No changes… all modification on my dse.ldif were gone.
>
> I stopped again the dirsrv, did again my changes on dse.ldif, and run the
> following command:
>
> /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-DOM-LOCAL -i
> /var/run/dirsrv/slapd-DOM-LOCAL.pid
>
> and now, I have the following:
>
> [root@freeipa-02 updates]# lsof -Pni |grep 389
> ns-slapd 78507 dirsrv 10u IPv6 1681165214 <//1681165214> 0t0
> UDP *:389
> ns-slapd 78507 dirsrv 11u IPv4 1681165216 <//1681165216> 0t0
> TCP *:389 (LISTEN)
> ns-slapd 78507 dirsrv 114u IPv4 1684131928 <//1684131928> 0t0
> TCP 10.100.0.102:389->10.100.0.110:36828 (ESTABLISHED)
>
> So my questions are:
> - how to change the dse.ldif file?
You have to stop ns-slapd before changing the file.
> - Is there another way to ensure that the port that listen is TCP / 389
on
> IPv4?
The port was disabled during some upgrade operations, your situation
meant some upgrade failed and that old version failed to set back the
port in dse.ldif
This is a bug and shouldn't happen in recent versions.
> - Is there something that needs to be done between Fedora 25 and 26?
Is this upgrade bug repeatable ? (keep in mind that F26 is practically
EOL)
> Knowing that I will go to Fedora 28, is there something that I need to be
> aware of?
Yes, read this list archives before you attempt F28 upgrades, you may
have to use updates-testing as the GA bits where busted wrt replication
for upgrades.
> - Anything that can help me generally with my upgrade path?
In general your approach is ok, make backups :-)
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/M5ZFANHNY7HSX3GL7SDLBTS35K7S3H7S/
