On 06/29/2017 02:12 PM, dntosas--- via FreeIPA-users wrote:
Hello World!

I have an installation of FreeIPA server 4.2.4 on Fedora 23, and everything worked fine.

I decided to upgrade to Fedora 25 via dnf-upgrade-plugin.

The whole upgrade process went smoothly, and as a result my FreeIPA rpm packages were also
upgraded (from 4.2.4 to 4.4.4).

Now, the problem is that nothing works.

The command "ipa-server-upgrade" shows:

IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
ipa-server-upgrade manually.
Timeout exceeded
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
information


I attach the appropriate logs:

/var/log/ipaupgrade.log
2017-06-29T14:55:06Z DEBUG   duration: 0 seconds
2017-06-29T14:55:06Z DEBUG   [10/10]: starting directory server
2017-06-29T14:55:06Z DEBUG Starting external process
2017-06-29T14:55:06Z DEBUG args=/bin/systemctl start dirsrv@xxx.service
2017-06-29T14:55:09Z DEBUG Process finished, return code=0
2017-06-29T14:55:09Z DEBUG stdout=
2017-06-29T14:55:09Z DEBUG stderr=
2017-06-29T14:55:09Z DEBUG Starting external process
2017-06-29T14:55:09Z DEBUG args=/bin/systemctl is-active dirsrv@xxx.service
2017-06-29T14:55:09Z DEBUG Process finished, return code=0
2017-06-29T14:55:09Z DEBUG stdout=active

2017-06-29T14:55:09Z DEBUG stderr=
2017-06-29T14:55:09Z DEBUG wait_for_open_ports: localhost [389] timeout 300

/var/log/dirsrv/.../errors.log
[29/Jun/2017:17:57:21.091850887 +0300] slapi_ldap_bind - Error: could not send 
startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection 
timed out)
[29/Jun/2017:17:58:18.114145058 +0300] slapi_ldap_bind - Error: could not send 
startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport 
endpoint is not connected)
[29/Jun/2017:17:58:42.135719951 +0300] slapi_ldap_bind - Error: could not send 
startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection 
timed out)
[29/Jun/2017:18:01:30.160763487 +0300] slapi_ldap_bind - Error: could not send 
startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport 
endpoint is not connected)
[29/Jun/2017:18:01:54.183552684 +0300] slapi_ldap_bind - Error: could not send 
startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection 
timed out)


/var/log/krb5kdc.log
Jun 29 17:54:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 
16 23 25 26}) x.x.x.x: ISSUE: authtime 1498748048, etypes {rep=18 tkt=18 
ses=18}, ldap/ipa1.srv.xxx....@srv.xxx.com for krbtgt/srv.xxx....@srv.xxx.com
Jun 29 17:54:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 
16 23 25 26}) x.x.x.x: LOOKING_UP_CLIENT: ldap/ipa1.srv.xxx....@srv.xxx.com for 
krbtgt/srv.xxx....@srv.xxx.com, Server error
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 
16 23 25 26}) x.x.x.x: LOOKING_UP_CLIENT: ldap/ipa1.srv.xxx....@srv.xxx.com for 
krbtgt/srv.xxx....@srv.xxx.com, Server error
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 
16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: ldap/ipa1.srv.xxx....@srv.xxx.com for 
krbtgt/srv.xxx....@srv.xxx.com, Additional pre-authentication required
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 
16 23 25 26}) x.x.x.x: ISSUE: authtime 1498748124, etypes {rep=18 tkt=18 
ses=18}, ldap/ipa1.srv.xxx....@srv.xxx.com for krbtgt/srv.xxx....@srv.xxx.com
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4

I have tried different ways of making the command "ipa-server-upgrade" complete its
job, but nothing worked.

Any ideas? :(

Hi,

the log shows that the Directory Server started but does not answer the StartTLS request on port 389. Can you check:

1/ if the Directory Server is still answering on port 389 (without StartTLS):
ldapsearch -h `hostname` -p 389 -x -b "" -s base namingcontexts

2/ if the Directory Server is answering on port 389 with StartTLS:
ldapsearch -h `hostname` -p 389 -Z -x -b "" -s base namingcontexts

3/ if the Directory Server certificate is still valid (replace IPADOMAIN-COM with the appropriate directory):
sudo getcert list -d /etc/dirsrv/slapd-IPADOMAIN-COM | grep expires

If the certificate is expired, you can temporarily allow the services to run with expired certificates by following the instructions in [1], but you will need to fix the issue and renew the certs.

More information on certificate renewal can be found in [2].

HTH,
Flo.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/expired-certs.html

[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html
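Steps 2/ and 3/ of the reply above can be run over captured text rather than by eye. The script below is an added example, not code from this thread or from FreeIPA: it parses `getcert list` output for expiry dates and counts the `slapi_ldap_bind` StartTLS failures in the dirsrv errors log, then reports which of the two checks fired. Both sample inputs are constructed to resemble the formats quoted in the thread; the domain IPADOMAIN-COM, the request IDs, the httpd certificate entry and the fixed "now" timestamp are assumptions.

```python
"""Triage for the symptom in this thread: ipa-server-upgrade waits for port 389
while the dirsrv errors log shows StartTLS bind failures. Added example, not
code from the thread or from FreeIPA; the sample inputs are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed "now": the time of the failed run in the quoted ipaupgrade.log.
# On a real server use datetime.now(timezone.utc).
EXAMPLE_NOW = datetime(2017, 6, 29, 14, 55, 6, tzinfo=timezone.utc)

# Constructed `getcert list` output (assumed domain IPADOMAIN-COM, made-up
# request IDs): the Directory Server cert is expired, the httpd cert is not.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20150615120000':
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-IPADOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa1.srv.ipadomain.com,O=IPADOMAIN.COM
\texpires: 2017-06-14 12:00:00 UTC
Request ID '20150615120001':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa1.srv.ipadomain.com,O=IPADOMAIN.COM
\texpires: 2018-06-15 12:00:00 UTC
"""

# Constructed dirsrv errors.log excerpt in the format quoted in the thread
# (one record per line; the first line is filler that must not match).
SAMPLE_ERRORS = """\
[29/Jun/2017:17:55:09.000000000 +0300] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[29/Jun/2017:17:57:21.091850887 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection timed out)
[29/Jun/2017:17:58:18.114145058 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[29/Jun/2017:17:58:42.135719951 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection timed out)
"""

RE_REQUEST = re.compile(r"^Request ID '([^']+)':")
RE_CERT = re.compile(r"^\s*certificate: .*location='([^']+)'.*nickname='([^']+)'")
RE_EXPIRES = re.compile(r"^\s*expires: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")
RE_STARTTLS = re.compile(r"slapi_ldap_bind - Error: could not send startTLS "
                         r"request: error -?\d+ \([^)]*\) errno (\d+) \(([^)]*)\)")


def parse_getcert(text):
    """One dict per 'Request ID' block: request_id, location, nickname, expires."""
    certs, cur = [], None
    for line in text.splitlines():
        m = RE_REQUEST.match(line)
        if m:
            cur = {"request_id": m.group(1), "location": None,
                   "nickname": None, "expires": None}
            certs.append(cur)
        elif cur is not None and RE_CERT.match(line):
            cur["location"], cur["nickname"] = RE_CERT.match(line).groups()
        elif cur is not None and RE_EXPIRES.match(line):
            cur["expires"] = datetime.strptime(
                RE_EXPIRES.match(line).group(1), "%Y-%m-%d %H:%M:%S"
            ).replace(tzinfo=timezone.utc)
    return certs


def cert_state(cert, now, warn_days=30):
    """'expired', 'expiring' (within warn_days), 'ok', or 'unknown'."""
    exp = cert["expires"]
    if exp is None:
        return "unknown"
    if exp <= now:
        return "expired"
    return "expiring" if exp - now <= timedelta(days=warn_days) else "ok"


def starttls_failures(log_text):
    """Count slapi_ldap_bind StartTLS failures, keyed by (errno, message)."""
    counts = {}
    for m in (RE_STARTTLS.search(ln) for ln in log_text.splitlines()):
        if m:
            key = (int(m.group(1)), m.group(2))
            counts[key] = counts.get(key, 0) + 1
    return counts


def triage(getcert_text, log_text, now):
    """Human-readable findings; an empty list means neither check fired."""
    findings = []
    for c in parse_getcert(getcert_text):
        state = cert_state(c, now)
        if state in ("expired", "expiring"):
            findings.append("certificate %s in %s is %s (expires %s UTC)" % (
                c["nickname"], c["location"], state,
                c["expires"].strftime("%Y-%m-%d %H:%M:%S")))
    fails = starttls_failures(log_text)
    if fails:
        detail = ", ".join("errno %d (%s) x%d" % (e, msg, n)
                           for (e, msg), n in sorted(fails.items()))
        findings.append("%d StartTLS bind failure(s) in dirsrv errors log: %s"
                        % (sum(fails.values()), detail))
    return findings


if __name__ == "__main__":
    # On a real server feed the output of `getcert list` and the errors log file.
    for line in triage(SAMPLE_GETCERT, SAMPLE_ERRORS, EXAMPLE_NOW) or ["no findings"]:
        print(line)
```

The expiry check is done against a fixed timestamp so the run is reproducible; on a live server replace EXAMPLE_NOW with the current UTC time, otherwise a certificate that expired after the upgrade date would be reported as still valid. The StartTLS counter only recognises the `slapi_ldap_bind` message quoted in the thread, so other TLS failures in the errors log will not be counted.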
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
