Georg Seyerl via FreeIPA-users wrote:
> Hi IPA Team,
>
> after an IPA upgrade from version 4.9.6 to 4.9.8 I get the following error
> when I run ipa-server-upgrad manually:
>
> 2022-06-09T09:24:25Z DEBUG stderr=
> 2022-06-09T09:24:25Z DEBUG wait_for_open_ports: localhost [389] timeout 120
> 2022-06-09T09:24:25Z DEBUG waiting for port: 389
> 2022-06-09T09:24:25Z DEBUG Failed to connect to port 389 tcp on 127.0.0.1
> 2022-06-09T09:26:25Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manua
> lly.
> 2022-06-09T09:26:25Z DEBUG File
> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in
> execute
> return_value = self.run()
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 54, in run
> server.upgrade()
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line
> 2011, in upgrade
> upgrade_configuration()
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line
> 1632, in upgrade_configuration
> ds.start(ds.serverid)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py",
> line 643, in start
> instance_name, capture_output=capture_output, wait=wait
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
> 524, in start
> self.service.start(instance_name, capture_output=capture_output,
> wait=wait)
> File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py",
> line 138, in start
> instance_name, capture_output=capture_output, wait=wait)
> File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
> 317, in start
> self.wait_for_open_ports(self.service_instance(instance_name))
> File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
> 286, in wait_for_open_ports
> self.api.env.startup_timeout)
> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 1341, in
> wait_for_open_ports
> raise socket.timeout("Timeout exceeded")
>
> 2022-06-09T09:26:25Z DEBUG The ipa-server-upgrade command failed, exception:
> timeout: Timeout exceeded
> 2022-06-09T09:26:25Z ERROR Timeout exceeded
> 2022-06-09T09:26:25Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
>
>
>
> A subset of the upgraded packages:
> Upgrade ipa-client-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64
> @ol8_x86_64_appstream
> Upgraded ipa-client-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64
> @@System
> Upgrade
> ipa-client-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch
> @ol8_x86_64_appstream
> Upgraded
> ipa-client-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch @@System
> Upgrade ipa-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch
> @ol8_x86_64_appstream
> Upgraded ipa-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch
> @@System
> Upgrade
> ipa-healthcheck-core-0.7-10.module+el8.6.0+20578+18b36d36.noarch
> @ol8_x86_64_appstream
> Upgraded
> ipa-healthcheck-core-0.7-6.module+el8.5.0+20379+1b4496cf.noarch @@System
> Upgrade ipa-selinux-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch
> @ol8_x86_64_appstream
> Upgraded
> ipa-selinux-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch @@System
> Upgrade ipa-server-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64
> @ol8_x86_64_appstream
> Upgraded ipa-server-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64
> @@System
> Upgrade
> ipa-server-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch
> @ol8_x86_64_appstream
> Upgraded
> ipa-server-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch @@System
> Upgrade
> ipa-server-trust-ad-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64
> @ol8_x86_64_appstream
> Upgraded
> ipa-server-trust-ad-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64 @@System
>
>
> We found the following error in the file /var/log/dirsrv/DOMAIN/errors
> [09/Jun/2022:11:30:45.658955068 +0200] - ERR - set_krb5_creds - Could not get
> initial credentials for principal [ldap/fqdn-host@MYDOMAIN] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
> requested
> realm)
>
> In comparison with other IPA Servers the entries in the ds.keytab file looks
> fine.
That error is likely a red herring. The Kerberos master key is stored in
LDAP so it has to start first but then it can obtain a ticket for itself
because the KDC hasn't started yet. It's a transient issue.
Does ipactl start bring the services up? Is there nothing else unusual?
Can you manually start/restart dirsrv.target?
rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
