Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > I managed to get rid of the corrupted entry and to create a new > user account. But there are still problems. The upgrade from Centos > 7.4 to 7.5 got stuck for 5 to 10 minutes. > > : > Installing : libxkbcommon-0.7.1-1.el7.x86_64 > 297/787 > Updating : adwaita-cursor-theme-3.26.0-1.el7.noarch > 298/787 > Updating : adwaita-icon-theme-3.26.0-1.el7.noarch > 299/787 > Updating : perl-Getopt-Long-2.40-3.el7.noarch > 300/787 > Updating : 389-ds-base-1.3.7.5-21.el7_5.x86_64 > 301/787 > warning: /etc/sysconfig/dirsrv.systemd created as > /etc/sysconfig/dirsrv.systemd.rpmnew > Updating : slapi-nis-0.56.0-8.el7.x86_64 > 302/787 > Updating : ipa-server-4.5.4-10.el7.centos.1.x86_64 > 303/787 > Job for certmonger.service failed because a fatal signal was delivered > to the control process. See "systemctl status certmonger.service" and > "journalctl -xe" for details. > Job for dbus.service failed. See "systemctl status dbus.service" and > "journalctl -xe" for details. > Updating : linux-firmware-20180220-62.2.git6d51311.el7_5.noarch > 304/787 > Installing : kernel-3.10.0-862.3.3.el7.x86_64 > 305/787 > Installing : kmod-kvdo-6.1.0.168-16.el7_5.x86_64 > 306/787 > Updating : 2:vim-filesystem-7.4.160-4.el7.x86_64 > 307/787 > Updating : libgcc-4.8.5-28.el7_5.1.i686 > 308/787 > Updating : 2:vim-common-7.4.160-4.el7.x86_64 > 309/787 > : > > > After a reboot I got this in the ldap error log on ipa1: > > [23/Jun/2018:10:58:55.823078141 +0200] - INFO - slapd_extract_cert - CA > CERT NAME: CN=example Root CA,OU=example Certificate Authority,O=example > AG,C=DE > [23/Jun/2018:10:58:55.829958313 +0200] - INFO - slapd_extract_cert - CA > CERT NAME: EXAMPLE.DE IPA CA > [23/Jun/2018:10:58:55.842015522 +0200] - INFO - slapd_extract_cert - CA > CERT NAME: EXAMPLE.DE IPA CA > [23/Jun/2018:10:58:55.846444407 +0200] - WARN - Security Initialization > - SSL alert: Sending pin request to SVRCore. You may need to run > systemd-tty-ask-password-agent to provide the password. > [23/Jun/2018:10:58:55.861363768 +0200] - INFO - slapd_extract_cert - > SERVER CERT NAME: Server-Cert > [23/Jun/2018:10:58:55.874174785 +0200] - INFO - Security Initialization > - SSL info: Enabling default cipher set. > [23/Jun/2018:10:58:55.887702841 +0200] - INFO - Security Initialization > - SSL info: Configured NSS Ciphers > [23/Jun/2018:10:58:55.891044528 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled > [23/Jun/2018:10:58:55.894701167 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled > [23/Jun/2018:10:58:55.899981889 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled > [23/Jun/2018:10:58:55.904520090 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled > [23/Jun/2018:10:58:55.907593077 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled > [23/Jun/2018:10:58:55.911141652 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled > [23/Jun/2018:10:58:55.914589181 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled > [23/Jun/2018:10:58:55.918208985 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled > [23/Jun/2018:10:58:55.921672628 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled > [23/Jun/2018:10:58:55.924819609 +0200] - INFO - Security Initialization > - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled > [23/Jun/2018:10:58:55.938295406 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled > [23/Jun/2018:10:58:55.941875247 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled > [23/Jun/2018:10:58:55.953854096 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled > [23/Jun/2018:10:58:55.957446420 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled > [23/Jun/2018:10:58:55.961207905 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled > [23/Jun/2018:10:58:55.964835089 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled > [23/Jun/2018:10:58:55.968648505 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled > [23/Jun/2018:10:58:55.972318327 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled > [23/Jun/2018:10:58:55.976103831 +0200] - INFO - Security Initialization > - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled > [23/Jun/2018:10:58:55.979671357 +0200] - INFO - Security Initialization > - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled > [23/Jun/2018:10:58:55.983360224 +0200] - INFO - Security Initialization > - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled > [23/Jun/2018:10:58:55.986669322 +0200] - INFO - Security Initialization > - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled > [23/Jun/2018:10:58:55.990993340 +0200] - INFO - Security Initialization > - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled > [23/Jun/2018:10:58:55.996227069 +0200] - INFO - Security Initialization > - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled > [23/Jun/2018:10:58:56.000432620 +0200] - INFO - Security Initialization > - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled > [23/Jun/2018:10:58:56.004412052 +0200] - INFO - Security Initialization > - SSL info: TLS_AES_128_GCM_SHA256: enabled > [23/Jun/2018:10:58:56.008280628 +0200] - INFO - Security Initialization > - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled > [23/Jun/2018:10:58:56.012133732 +0200] - INFO - Security Initialization > - SSL info: TLS_AES_256_GCM_SHA384: enabled > [23/Jun/2018:10:58:56.024303625 +0200] - INFO - Security Initialization > - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2 > [23/Jun/2018:10:58:56.051546046 +0200] - INFO - main - > 389-Directory/1.3.7.5 B2018.136.418 starting up > [23/Jun/2018:10:58:56.120225992 +0200] - INFO - > ldbm_instance_config_cachememsize_set - force a minimal value 512000 > [23/Jun/2018:10:58:56.166848194 +0200] - WARN - > default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle > caseExactIA5Match > [23/Jun/2018:10:58:56.193231624 +0200] - INFO - > ldbm_instance_config_cachememsize_set - force a minimal value 512000 > [23/Jun/2018:10:58:56.254850712 +0200] - INFO - > ldbm_instance_config_cachememsize_set - force a minimal value 512000 > [23/Jun/2018:10:58:56.310858090 +0200] - NOTICE - ldbm_back_start - > found 16161216k physical memory > [23/Jun/2018:10:58:56.318314433 +0200] - NOTICE - ldbm_back_start - > found 14213904k available > [23/Jun/2018:10:58:56.322812389 +0200] - NOTICE - ldbm_back_start - > cache autosizing: db cache: 646448k > [23/Jun/2018:10:58:56.326409238 +0200] - NOTICE - ldbm_back_start - > cache autosizing: userRoot entry cache (3 total): 327680k > [23/Jun/2018:10:58:56.331203527 +0200] - NOTICE - ldbm_back_start - > cache autosizing: userRoot dn cache (3 total): 65536k > [23/Jun/2018:10:58:56.335162194 +0200] - NOTICE - ldbm_back_start - > cache autosizing: ipaca entry cache (3 total): 327680k > [23/Jun/2018:10:58:56.340161529 +0200] - NOTICE - ldbm_back_start - > cache autosizing: ipaca dn cache (3 total): 65536k > [23/Jun/2018:10:58:56.343711751 +0200] - NOTICE - ldbm_back_start - > cache autosizing: changelog entry cache (3 total): 327680k > [23/Jun/2018:10:58:56.349369943 +0200] - NOTICE - ldbm_back_start - > cache autosizing: changelog dn cache (3 total): 65536k > [23/Jun/2018:10:58:56.353364700 +0200] - NOTICE - ldbm_back_start - > total cache size: 1869922959 B; > [23/Jun/2018:10:58:56.358472005 +0200] - NOTICE - dblayer_start - > Detected Disorderly Shutdown last time Directory Server was running, > recovering database. > [23/Jun/2018:10:58:58.857681437 +0200] - ERR - nis-plugin - scheduled > nis-plugin tree scan in about 5 seconds after the server startup! > [23/Jun/2018:10:58:58.865552019 +0200] - ERR - schema-compat-plugin - > scheduled schema-compat-plugin tree scan in about 5 seconds after the > server startup! > [23/Jun/2018:10:58:58.877191957 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=dns,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.880854587 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=keys,cn=sec,cn=dns,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.884103915 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=dns,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.887243214 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=dns,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.890474842 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=groups,cn=compat,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.893633261 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=computers,cn=compat,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.906901814 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=ng,cn=compat,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.910179620 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target ou=sudoers,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.913705495 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=users,cn=compat,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.917105354 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.920459719 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.923825413 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.927130994 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.930416966 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.933690832 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.937030149 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.941587038 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.945610436 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.948794736 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.952187805 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=vaults,cn=kra,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.965228551 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=dns,dc=example,dc=de does not exist > [23/Jun/2018:10:58:58.977526637 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=ad,cn=etc,dc=example,dc=de does not exist > [23/Jun/2018:10:58:59.059148942 +0200] - ERR - NSACLPlugin - acl_parse - > The ACL target cn=automember rebuild membership,cn=tasks,cn=config does > not exist > [23/Jun/2018:10:58:59.065451747 +0200] - ERR - cos-plugin - > cos_dn_defs_cb - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=example,dc=de--no CoS Templates found, which > should be added before the CoS Definition. > [23/Jun/2018:10:58:59.126470240 +0200] - NOTICE - NSMMReplicationPlugin > - changelog program - _cl5ConstructRUV - Rebuilding the replication > changelog RUV, this may take several minutes... > [23/Jun/2018:10:58:59.390313225 +0200] - NOTICE - NSMMReplicationPlugin > - changelog program - _cl5ConstructRUV - Rebuilding replication > changelog RUV complete. Result 0 (Success) > [23/Jun/2018:10:58:59.395043283 +0200] - NOTICE - NSMMReplicationPlugin > - changelog program - _cl5ConstructRUV - Rebuilding the replication > changelog RUV, this may take several minutes... > [23/Jun/2018:10:58:59.667662575 +0200] - NOTICE - NSMMReplicationPlugin > - changelog program - _cl5ConstructRUV - Rebuilding replication > changelog RUV complete. Result 0 (Success) > [23/Jun/2018:10:58:59.672025982 +0200] - NOTICE - NSMMReplicationPlugin > - changelog program - _cl5ConstructRUV - Rebuilding the replication > changelog RUV, this may take several minutes... > [23/Jun/2018:10:58:59.686194564 +0200] - NOTICE - NSMMReplicationPlugin > - changelog program - _cl5ConstructRUV - Rebuilding replication > changelog RUV complete. Result 0 (Success) > [23/Jun/2018:10:58:59.697840642 +0200] - NOTICE - NSMMReplicationPlugin > - changelog program - _cl5ConstructRUV - Rebuilding the replication > changelog RUV, this may take several minutes... > [23/Jun/2018:10:58:59.704164352 +0200] - NOTICE - NSMMReplicationPlugin > - changelog program - _cl5ConstructRUV - Rebuilding replication > changelog RUV complete. Result 0 (Success) > [23/Jun/2018:10:58:59.718621878 +0200] - WARN - NSMMReplicationPlugin - > replica_check_for_data_reload - Disorderly shutdown for replica > dc=example,dc=de. Check if DB RUV needs to be updated > [23/Jun/2018:10:58:59.731648339 +0200] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/[email protected]] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [23/Jun/2018:10:58:59.739460046 +0200] - WARN - NSMMReplicationPlugin - > replica_check_for_data_reload - Disorderly shutdown for replica o=ipaca. > Check if DB RUV needs to be updated > [23/Jun/2018:10:58:59.746372774 +0200] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/[email protected]] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [23/Jun/2018:10:58:59.753714299 +0200] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/[email protected]] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [23/Jun/2018:10:58:59.760457528 +0200] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/[email protected]] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > [23/Jun/2018:10:58:59.763682555 +0200] - INFO - slapd_daemon - slapd > started. Listening on All Interfaces port 389 for LDAP requests > [23/Jun/2018:10:58:59.768052097 +0200] - INFO - slapd_daemon - Listening > on All Interfaces port 636 for LDAPS requests > [23/Jun/2018:10:58:59.771314808 +0200] - INFO - slapd_daemon - Listening > on /var/run/slapd-EXAMPLE-DE.socket for LDAPI requests > [23/Jun/2018:10:58:59.774558043 +0200] - ERR - slapi_ldap_bind - Error: > could not send startTLS request: error -11 (Connect error) > [23/Jun/2018:10:58:59.777970184 +0200] - ERR - NSMMReplicationPlugin - > bind_and_check_pwp - > agmt="cn=masterAgreement1-ipa2.example.de-pki-tomcat" (ipa2:389) - > Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) > (error:14090086:SSL routines:ssl3_get_server_certificate:certificate > verify failed (self signed certificate in certificate chain)) > [23/Jun/2018:10:58:59.810189785 +0200] - ERR - nis-plugin - nis-plugin > tree scan will start in about 5 seconds! > [23/Jun/2018:10:58:59.814626534 +0200] - ERR - schema-compat-plugin - > schema-compat-plugin tree scan will start in about 5 seconds! > [23/Jun/2018:10:59:02.848795335 +0200] - ERR - slapi_ldap_bind - Error: > could not send startTLS request: error -11 (Connect error) > [23/Jun/2018:10:59:05.464588727 +0200] - ERR - schema-compat-plugin - > warning: no entries set up under cn=computers, cn=compat,dc=example,dc=de > [23/Jun/2018:10:59:05.477625182 +0200] - ERR - schema-compat-plugin - > Finished plugin initialization. > [23/Jun/2018:10:59:06.191245171 +0200] - ERR - nis-plugin - warning: no > entries in domain=example.de,map=ethers.byname > [23/Jun/2018:10:59:06.204461031 +0200] - ERR - nis-plugin - warning: no > entries in domain=example.de,map=ethers.byaddr > [23/Jun/2018:10:59:06.219354580 +0200] - ERR - nis-plugin - Finished > plugin initialization. > [23/Jun/2018:10:59:08.457412392 +0200] - ERR - slapi_ldap_bind - Error: > could not send startTLS request: error -11 (Connect error) > [23/Jun/2018:10:59:20.831326274 +0200] - ERR - slapi_ldap_bind - Error: > could not send startTLS request: error -11 (Connect error) > [23/Jun/2018:10:59:44.073335894 +0200] - ERR - slapi_ldap_bind - Error: > could not send startTLS request: error -11 (Connect error) > [23/Jun/2018:11:00:32.217779083 +0200] - ERR - slapi_ldap_bind - Error: > could not send startTLS request: error -11 (Connect error) > : > : > > Apparently certmonger is still not working: > > # systemctl status certmonger.service > * certmonger.service - Certificate monitoring and PKI enrollment > Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; > vendor preset: disabled) > Active: failed (Result: timeout) since Sat 2018-06-23 11:00:13 CEST; > 42min ago > Process: 340 ExecStart=/usr/sbin/certmonger -S -p > /var/run/certmonger.pid -n $OPTS (code=exited, status=0/SUCCESS) > Main PID: 340 (code=exited, status=0/SUCCESS) > > Jun 23 10:58:43 ipa1.aixigo.de systemd[1]: Starting Certificate > monitoring and PKI enrollment... > Jun 23 11:00:13 ipa1.aixigo.de systemd[1]: certmonger.service start > operation timed out. Terminating. > Jun 23 11:00:13 ipa1.aixigo.de systemd[1]: Failed to start Certificate > monitoring and PKI enrollment. > Jun 23 11:00:13 ipa1.aixigo.de systemd[1]: Unit certmonger.service > entered failed state. > Jun 23 11:00:13 ipa1.aixigo.de systemd[1]: certmonger.service failed. > > > I cannot stop or restart it either: > > [root@ipa1 pki-tomcat]# systemctl stop certmonger.service > Error getting authority: Error initializing authority: Could not > connect: Connection refused (g-io-error-quark, 39) > [root@ipa1 pki-tomcat]# systemctl restart certmonger.service > Error getting authority: Error initializing authority: Could not > connect: Connection refused (g-io-error-quark, 39) > Job for certmonger.service failed because a timeout was exceeded. See > "systemctl status certmonger.service" and "journalctl -xe" for details. > > > > "ps -ef --forest" shows a systemd-tty-ask-password-agent: > > root 343 1 0 10:58 ? 00:00:00 /usr/sbin/sshd -D > root 1150 343 0 10:59 ? 00:00:00 \_ sshd: root@pts/4 > root 1157 1150 0 10:59 pts/4 00:00:00 | \_ -bash > root 2725 1157 0 11:44 pts/4 00:00:00 | \_ systemctl > restart certmonger.service > root 2726 2725 0 11:44 pts/4 00:00:00 | \_ > /usr/bin/systemd-tty-ask-password-agent --watch > root 2727 2725 0 11:44 pts/4 00:00:00 | \_ > [pkttyagent] <defunct> > > > Whose password is it asking for? And why don't I see a prompt? I would > highly prefer if these freeipa host could reboot unattended.
We'd need to see what certs are being tracked, getcert list. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/T2QCBPX2RRY77CAWO5O3KISOESLJHAXH/
