Hi again, I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)

But if I try to renew the ticket, it fails:

kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials

The running DC is in 4.7 and it should reply to the kinit requests. I added the debug option to see if I can get further information.

ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed.
See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl

Regards

> On 23 Nov 2022, at 11:50, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Juan Pablo Lorier wrote:
>> Hi Rob,
>>
>> Thanks for the reply. As I didn't know any other way but to go back in time,
>> I just did it and now the server is running 100%.
>>
>> This was all part of an update from 4.7 to 4.9. According to the
>> documentation, it was just a matter of a dnf update but it seems that is
>> not such a happy path.
>>
>> I updated the second server but it's not able to finalize the update
>> process. DNS is failing to start:
>>
>> # systemctl status ipa-dnskeysyncd.service
>>
>> ● ipa-dnskeysyncd.service - IPA key daemon
>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>  Main PID: 250496 (ipa-dnskeysyncd)
>>     Tasks: 1 (limit: 23652)
>>    Memory: 68.4M
>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>
>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>
>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>
>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
>
> There should be quite a bit more after that.
>
>>
>> #less /var/log/dirsrv/slapd-*/access
>>
>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
>>
>> I see that after the update, the files were changed:
>>
>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
>> /etc/dirsrv/slapd-TNU-COM-UY:
>> total 4208
>> -rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
>> -rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
>> -rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
>> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
>> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
>> -r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
>> -rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
>> -rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
>> -rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
>> -rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
>> -rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
>> -rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
>> -rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
>> -rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
>> -rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
>> -rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
>> -rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
>> -rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
>> -rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
>> -rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
>> -rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
>> -rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
>> -rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
>> -r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
>> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
>> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
>> -r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
>> -rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
>> -rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
>> -rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
>> -r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
>> drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
>> drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
>> -rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
>>
>> I can't connect to the LDAP service:
>>
>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> You have to escape the socket path:
> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket
>
>> # less /var/log/ipaupgrade.log
>>
>> Server built: Jun 29 2021 22:00:15 UTC
>> Server number: 9.0.30.0
>> OS Name: Linux
>> OS Version: 4.18.0-348.7.1.el8_5.x86_64
>> Architecture: amd64
>> JVM Version: 1.8.0_322-b06
>> JVM Vendor: Red Hat, Inc.
>>
>> 2022-11-22T14:26:56Z DEBUG stderr=
>> 2022-11-22T14:26:56Z DEBUG Starting external process
>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
>> 2022-11-22T14:26:56Z DEBUG stdout=
>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
>>
>> 2022-11-22T14:26:56Z DEBUG Starting external process
>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
>> 2022-11-22T14:26:57Z DEBUG stdout=
>> 2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
>> See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
>>
>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>     server.upgrade()
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>>     upgrade_configuration()
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
>>     ca.start('pki-tomcat')
>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
>>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>>   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
>>     skip_output=not capture_output)
>>   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
>>     p.returncode, arg_string, output_log, error_log
>>
>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>> 2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
> The CA failed to start. This is often due to expired certificates that
> get exposed when an upgrade is done. Check that out.
>
>> #ipactl status
>>
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: STOPPED
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> pki-tomcatd Service: STOPPED
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> 2 service(s) are not running
>>
>> Thanks
>>
>>> On 22 Nov 2022, at 11:43, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>> Juan Pablo Lorier via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> I have a production server that was not maintained and I see that the
>>>> HTTP certificate has expired long ago. I tried to renew it but I'm
>>>> not being able to get it right.
>>>>
>>>> The initial status was:
>>>>
>>>> Request ID '20191219011208':
>>>>         status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>         stuck: yes
>>>>         key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>>         certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>
>>>> Then following this thread
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/
>>>>
>>>> I got it to this state:
>>>>
>>>> Request ID '20191219011208':
>>>>         status: MONITORING
>>>>         ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
>>>>         stuck: no
>>>>         key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>>>         certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>
>>>> The post indicates that I have to put an old date in the server to
>>>> get it renewed, but as the server is in production, it means that all
>>>> clients will fail to log to the server. Even more, what time should I
>>>> return to, before the certificate expiration or right after?
>>>> Thanks in advance
>>>
>>> I'd guess that this affects a lot more than just the web server cert.
>>> getcert list will tell you.
>>>
>>> Depending on that outcome affect the suggested remediation.
>>>
>>> As for going back in time, you'd need a server outage to do this and it
>>> only would be backwards in time for a short time. Just long enough so
>>> the services could start with non-expired certificates to get them
>>> renewed. But there are other ways to do this that don't require fiddling
>>> with time.
>>>
>>> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
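The two checks the replies in this thread point at (escaping the ldapi socket path so ldapsearch can reach 389-ds, and finding out from getcert list which tracked certificates have expired before pki-tomcatd is started again) can be scripted. The following is an added example written for this page; it is not code from the thread, from FreeIPA or from certmonger. It assumes the getcert list field names shown in the thread (Request ID, status, stuck, key pair storage, certificate) plus the expires line certmonger prints; the sample getcert output, request IDs, subjects and dates are constructed, and NOW_EXAMPLE is fixed to the thread's date so the run is reproducible.

```python
"""Added example, not code from the FreeIPA-users thread or from FreeIPA
itself. It covers the two checks suggested in the replies:

  1. ldapi_url(): percent-encode a 389-ds socket path into the ldapi://
     URL ldapsearch expects (an unescaped path gives "Can't contact LDAP
     server (-1)", as seen in the thread).
  2. expiring_requests(): parse the text `getcert list` prints and report
     tracked certificates that are already expired or expire within a
     window, with their certmonger status, since an expired certificate
     is a common reason pki-tomcatd refuses to start after an upgrade.

The getcert sample below is constructed for this example (the field names
are certmonger's; request IDs, subjects and dates are made up).
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Fixed "now" (the thread's date) so the stand-alone run is reproducible.
NOW_EXAMPLE = datetime(2022, 11, 22, tzinfo=timezone.utc)


def ldapi_url(socket_path):
    """Build an ldapi:// URL from a Unix socket path.

    RFC 4516 requires '/' inside the host part to be percent-encoded (%2F);
    '-' and '.' are unreserved and stay as they are. The backslashes before
    the dashes in the thread are shell quoting, not URL syntax.
    """
    return "ldapi://" + quote(socket_path, safe="")


# Constructed sample of `getcert list` output (not real data).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2021-12-20 01:12:08 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
Request ID '20191219011230':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2022-11-01 10:00:00 UTC
Request ID '20191219011245':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2024-06-01 00:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert(text):
    """Split getcert list output into one dict per tracked request."""
    requests = []
    current = None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None:  # header line before the first request
            continue
        key, sep, value = raw.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def expiring_requests(text, now, warn_days=30):
    """Requests whose certificate is expired or expires within warn_days.

    Sorted by expiry (oldest first), so the certificate most likely to have
    blocked a service start is listed first.
    """
    horizon = now + timedelta(days=warn_days)
    found = []
    for req in parse_getcert(text):
        if "expires" not in req:
            continue  # a request that never obtained a certificate
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        expires = expires.replace(tzinfo=timezone.utc)
        if expires <= horizon:
            found.append({
                "id": req["id"],
                "status": req.get("status", ""),
                "stuck": req.get("stuck") == "yes",
                "where": req.get("certificate", ""),
                "expires": expires,
                "expired": expires <= now,
            })
    found.sort(key=lambda r: r["expires"])
    return found


if __name__ == "__main__":
    print(ldapi_url("/var/run/slapd-EXAMPLE-TEST.socket"))
    for r in expiring_requests(SAMPLE_GETCERT, NOW_EXAMPLE):
        state = "EXPIRED" if r["expired"] else "expiring"
        print(f"{r['id']} {state} {r['expires']:%Y-%m-%d} "
              f"status={r['status']} stuck={r['stuck']} {r['where']}")
```

On a real server the text fed to expiring_requests would come from running getcert list as root; with the constructed sample and the thread's date, the httpd certificate and the CA subsystem certificate are reported as expired (the latter stuck in CA_UNREACHABLE), while the directory server certificate is outside the 30-day window.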