Hi folks, I managed to get rid of the corrupted entry and to create a new user account. But there are still problems. The upgrade from CentOS 7.4 to 7.5 got stuck for 5 to 10 minutes.
:
Installing : libxkbcommon-0.7.1-1.el7.x86_64 297/787
Updating : adwaita-cursor-theme-3.26.0-1.el7.noarch 298/787
Updating : adwaita-icon-theme-3.26.0-1.el7.noarch 299/787
Updating : perl-Getopt-Long-2.40-3.el7.noarch 300/787
Updating : 389-ds-base-1.3.7.5-21.el7_5.x86_64 301/787
warning: /etc/sysconfig/dirsrv.systemd created as /etc/sysconfig/dirsrv.systemd.rpmnew
Updating : slapi-nis-0.56.0-8.el7.x86_64 302/787
Updating : ipa-server-4.5.4-10.el7.centos.1.x86_64 303/787
Job for certmonger.service failed because a fatal signal was delivered to the control process. See "systemctl status certmonger.service" and "journalctl -xe" for details.
Job for dbus.service failed. See "systemctl status dbus.service" and "journalctl -xe" for details.
Updating : linux-firmware-20180220-62.2.git6d51311.el7_5.noarch 304/787
Installing : kernel-3.10.0-862.3.3.el7.x86_64 305/787
Installing : kmod-kvdo-6.1.0.168-16.el7_5.x86_64 306/787
Updating : 2:vim-filesystem-7.4.160-4.el7.x86_64 307/787
Updating : libgcc-4.8.5-28.el7_5.1.i686 308/787
Updating : 2:vim-common-7.4.160-4.el7.x86_64 309/787
:

After a reboot I got this in the LDAP error log on ipa1:

[23/Jun/2018:10:58:55.823078141 +0200] - INFO - slapd_extract_cert - CA CERT NAME: CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE
[23/Jun/2018:10:58:55.829958313 +0200] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE.DE IPA CA
[23/Jun/2018:10:58:55.842015522 +0200] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE.DE IPA CA
[23/Jun/2018:10:58:55.846444407 +0200] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[23/Jun/2018:10:58:55.861363768 +0200] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[23/Jun/2018:10:58:55.874174785 +0200] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[23/Jun/2018:10:58:55.887702841 +0200] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[23/Jun/2018:10:58:55.891044528 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[23/Jun/2018:10:58:55.894701167 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2018:10:58:55.899981889 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2018:10:58:55.904520090 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[23/Jun/2018:10:58:55.907593077 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2018:10:58:55.911141652 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Jun/2018:10:58:55.914589181 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2018:10:58:55.918208985 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2018:10:58:55.921672628 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[23/Jun/2018:10:58:55.924819609 +0200] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2018:10:58:55.938295406 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Jun/2018:10:58:55.941875247 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2018:10:58:55.953854096 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2018:10:58:55.957446420 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Jun/2018:10:58:55.961207905 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2018:10:58:55.964835089 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[23/Jun/2018:10:58:55.968648505 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2018:10:58:55.972318327 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2018:10:58:55.976103831 +0200] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2018:10:58:55.979671357 +0200] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[23/Jun/2018:10:58:55.983360224 +0200] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[23/Jun/2018:10:58:55.986669322 +0200] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[23/Jun/2018:10:58:55.990993340 +0200] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[23/Jun/2018:10:58:55.996227069 +0200] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[23/Jun/2018:10:58:56.000432620 +0200] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[23/Jun/2018:10:58:56.004412052 +0200] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[23/Jun/2018:10:58:56.008280628 +0200] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[23/Jun/2018:10:58:56.012133732 +0200] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[23/Jun/2018:10:58:56.024303625 +0200] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2
[23/Jun/2018:10:58:56.051546046 +0200] - INFO - main - 389-Directory/1.3.7.5 B2018.136.418 starting up
[23/Jun/2018:10:58:56.120225992 +0200] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[23/Jun/2018:10:58:56.166848194 +0200] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
[23/Jun/2018:10:58:56.193231624 +0200] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[23/Jun/2018:10:58:56.254850712 +0200] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[23/Jun/2018:10:58:56.310858090 +0200] - NOTICE - ldbm_back_start - found 16161216k physical memory
[23/Jun/2018:10:58:56.318314433 +0200] - NOTICE - ldbm_back_start - found 14213904k available
[23/Jun/2018:10:58:56.322812389 +0200] - NOTICE - ldbm_back_start - cache autosizing: db cache: 646448k
[23/Jun/2018:10:58:56.326409238 +0200] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 327680k
[23/Jun/2018:10:58:56.331203527 +0200] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 65536k
[23/Jun/2018:10:58:56.335162194 +0200] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 327680k
[23/Jun/2018:10:58:56.340161529 +0200] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 65536k
[23/Jun/2018:10:58:56.343711751 +0200] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 327680k
[23/Jun/2018:10:58:56.349369943 +0200] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 65536k
[23/Jun/2018:10:58:56.353364700 +0200] - NOTICE - ldbm_back_start - total cache size: 1869922959 B;
[23/Jun/2018:10:58:56.358472005 +0200] - NOTICE - dblayer_start - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[23/Jun/2018:10:58:58.857681437 +0200] - ERR - nis-plugin - scheduled nis-plugin tree scan in about 5 seconds after the server startup!
[23/Jun/2018:10:58:58.865552019 +0200] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[23/Jun/2018:10:58:58.877191957 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.880854587 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.884103915 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.887243214 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.890474842 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.893633261 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.906901814 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.910179620 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.913705495 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.917105354 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.920459719 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.923825413 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.927130994 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.930416966 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.933690832 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.937030149 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.941587038 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.945610436 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.948794736 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.952187805 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.965228551 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=example,dc=de does not exist
[23/Jun/2018:10:58:58.977526637 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=example,dc=de does not exist
[23/Jun/2018:10:58:59.059148942 +0200] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[23/Jun/2018:10:58:59.065451747 +0200] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=de--no CoS Templates found, which should be added before the CoS Definition.
[23/Jun/2018:10:58:59.126470240 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
[23/Jun/2018:10:58:59.390313225 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success)
[23/Jun/2018:10:58:59.395043283 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
[23/Jun/2018:10:58:59.667662575 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success)
[23/Jun/2018:10:58:59.672025982 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
[23/Jun/2018:10:58:59.686194564 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success)
[23/Jun/2018:10:58:59.697840642 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes...
[23/Jun/2018:10:58:59.704164352 +0200] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success)
[23/Jun/2018:10:58:59.718621878 +0200] - WARN - NSMMReplicationPlugin - replica_check_for_data_reload - Disorderly shutdown for replica dc=example,dc=de. Check if DB RUV needs to be updated
[23/Jun/2018:10:58:59.731648339 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1.example...@example.de] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2018:10:58:59.739460046 +0200] - WARN - NSMMReplicationPlugin - replica_check_for_data_reload - Disorderly shutdown for replica o=ipaca. Check if DB RUV needs to be updated
[23/Jun/2018:10:58:59.746372774 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1.example...@example.de] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2018:10:58:59.753714299 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1.example...@example.de] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2018:10:58:59.760457528 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1.example...@example.de] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2018:10:58:59.763682555 +0200] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[23/Jun/2018:10:58:59.768052097 +0200] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[23/Jun/2018:10:58:59.771314808 +0200] - INFO - slapd_daemon - Listening on /var/run/slapd-EXAMPLE-DE.socket for LDAPI requests
[23/Jun/2018:10:58:59.774558043 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[23/Jun/2018:10:58:59.777970184 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=masterAgreement1-ipa2.example.de-pki-tomcat" (ipa2:389) - Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain))
[23/Jun/2018:10:58:59.810189785 +0200] - ERR - nis-plugin - nis-plugin tree scan will start in about 5 seconds!
[23/Jun/2018:10:58:59.814626534 +0200] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[23/Jun/2018:10:59:02.848795335 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[23/Jun/2018:10:59:05.464588727 +0200] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=de
[23/Jun/2018:10:59:05.477625182 +0200] - ERR - schema-compat-plugin - Finished plugin initialization.
[23/Jun/2018:10:59:06.191245171 +0200] - ERR - nis-plugin - warning: no entries in domain=example.de,map=ethers.byname
[23/Jun/2018:10:59:06.204461031 +0200] - ERR - nis-plugin - warning: no entries in domain=example.de,map=ethers.byaddr
[23/Jun/2018:10:59:06.219354580 +0200] - ERR - nis-plugin - Finished plugin initialization.
[23/Jun/2018:10:59:08.457412392 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[23/Jun/2018:10:59:20.831326274 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[23/Jun/2018:10:59:44.073335894 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[23/Jun/2018:11:00:32.217779083 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
:
:

Apparently certmonger is still not working:

# systemctl status certmonger.service
* certmonger.service - Certificate monitoring and PKI enrollment
   Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Sat 2018-06-23 11:00:13 CEST; 42min ago
  Process: 340 ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=0/SUCCESS)
 Main PID: 340 (code=exited, status=0/SUCCESS)

Jun 23 10:58:43 ipa1.aixigo.de systemd[1]: Starting Certificate monitoring and PKI enrollment...
Jun 23 11:00:13 ipa1.aixigo.de systemd[1]: certmonger.service start operation timed out. Terminating.
Jun 23 11:00:13 ipa1.aixigo.de systemd[1]: Failed to start Certificate monitoring and PKI enrollment.
Jun 23 11:00:13 ipa1.aixigo.de systemd[1]: Unit certmonger.service entered failed state.
Jun 23 11:00:13 ipa1.aixigo.de systemd[1]: certmonger.service failed.

I cannot stop or restart it either:

[root@ipa1 pki-tomcat]# systemctl stop certmonger.service
Error getting authority: Error initializing authority: Could not connect: Connection refused (g-io-error-quark, 39)
[root@ipa1 pki-tomcat]# systemctl restart certmonger.service
Error getting authority: Error initializing authority: Could not connect: Connection refused (g-io-error-quark, 39)
Job for certmonger.service failed because a timeout was exceeded. See "systemctl status certmonger.service" and "journalctl -xe" for details.

"ps -ef --forest" shows a systemd-tty-ask-password-agent:

root       343     1  0 10:58 ?        00:00:00 /usr/sbin/sshd -D
root      1150   343  0 10:59 ?        00:00:00  \_ sshd: root@pts/4
root      1157  1150  0 10:59 pts/4    00:00:00  |   \_ -bash
root      2725  1157  0 11:44 pts/4    00:00:00  |       \_ systemctl restart certmonger.service
root      2726  2725  0 11:44 pts/4    00:00:00  |           \_ /usr/bin/systemd-tty-ask-password-agent --watch
root      2727  2725  0 11:44 pts/4    00:00:00  |           \_ [pkttyagent] <defunct>

Whose password is it asking for? And why don't I see a prompt? I would highly prefer it if these FreeIPA hosts could reboot unattended.

Every helpful comment is highly appreciated.

Harri

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/ZTMKYXJVDCMWBBJPAFQDQ6CBPO442ORY/
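As an added illustration (not part of Harri's post, nor FreeIPA or 389-ds code), here is a small Python triage of the 389-ds errors-log format shown above: it parses the "[timestamp] - LEVEL - component - message" records, collapses repeated ERR messages, and flags the start-up signatures visible in this log (pin request, unreachable KDC, failed startTLS, untrusted replication chain, unclean shutdown). The signature table and its interpretations are this example's own assumptions; the sample lines are copied from the log above.

```python
import re
from collections import Counter

# One 389-ds errors-log record: "[timestamp] - LEVEL - component - message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<component>.*?) - (?P<msg>.*)$")

# Start-up failure signatures seen in the posted log. The "meaning" text is this
# example's own reading of each message (an assumption), not text produced by 389-ds.
SIGNATURES = {
    "pin_prompt":       ("Sending pin request to SVRCore", "NSS key DB pin unavailable; start-up blocks on a password agent"),
    "kdc_unreachable":  ("Cannot contact any KDC", "KDC not up when dirsrv started; check krb5kdc and unit ordering"),
    "starttls_failed":  ("could not send startTLS request", "replication peer unreachable or TLS handshake failed"),
    "untrusted_chain":  ("self signed certificate in certificate chain", "replication peer's CA chain not trusted by this instance"),
    "unclean_shutdown": ("disorderly shutdown", "previous stop was unclean; database and RUV were recovered"),
}

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = """\
[23/Jun/2018:10:58:55.846444407 +0200] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[23/Jun/2018:10:58:56.358472005 +0200] - NOTICE - dblayer_start - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[23/Jun/2018:10:58:59.731648339 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ipa1.example...@example.de] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[23/Jun/2018:10:58:59.774558043 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[23/Jun/2018:10:58:59.777970184 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=masterAgreement1-ipa2.example.de-pki-tomcat" (ipa2:389) - Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain))
[23/Jun/2018:10:59:02.848795335 +0200] - ERR - slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error)
[23/Jun/2018:10:59:05.477625182 +0200] - ERR - schema-compat-plugin - Finished plugin initialization.
"""

def parse_line(line):
    """Split one record into ts/level/component/msg; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Count records per level, collapse repeated ERR messages, and flag known signatures."""
    levels, errors, hits = Counter(), Counter(), {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        levels[rec["level"]] += 1
        # The slapi-nis plugins log routine progress at ERR level, so level counts alone
        # mislead; the collapsed message table shows which errors actually repeat.
        if rec["level"] == "ERR":
            errors[rec["component"] + ": " + rec["msg"]] += 1
        for key, (needle, meaning) in SIGNATURES.items():
            if needle.lower() in rec["msg"].lower():
                hit = hits.setdefault(key, {"count": 0, "first_seen": rec["ts"], "meaning": meaning})
                hit["count"] += 1
    return {"levels": dict(levels), "errors": dict(errors), "signatures": hits}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for key, hit in report["signatures"].items():
        print(f"{key:17s} x{hit['count']}  first {hit['first_seen']}  {hit['meaning']}")
    for msg, n in sorted(report["errors"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {msg[:100]}")
```

Pointing it at the real file (/var/log/dirsrv/slapd-INSTANCE/errors, with INSTANCE being your own instance name) gives the same summary for a full boot.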