Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is on 4.7 and it should reply to the kinit requests.
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn't know any other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter to def update but it seems that is not such a happy path.
I updated the second server but it's not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd

Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1

[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
# less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
-r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path:
ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built:   Jun 29 2021 22:00:15 UTC
Server number:  9.0.30.0
OS Name:        Linux
OS Version:     4.18.0-348.7.1.el8_5.x86_64
Architecture:   amd64
JVM Version:    1.8.0_322-b06
JVM Vendor:     Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier via FreeIPA-users wrote:
Hi,
I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not able to get it right.
The initial status was:
Request ID '20191219011208':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
	stuck: yes
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I got it to this state:
Request ID '20191219011208':
	status: MONITORING
	ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log in to the server. Even more, what time should I return to, before the certificate expiration or right after? Thanks in advance
I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
That outcome will affect the suggested remediation.
As for going back in time, you'd need a server outage to do this and it would only be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
rob
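Two of the checks raised in this thread lend themselves to a small script: Rob's point that the socket path in an ldapi:// URL has to be percent-escaped, and his suggestion to let getcert list tell you which certificates are stuck or expired (with the ipactl status summary as the third thing one reads first). The Python below is an added example written for this page; it is not code from the thread or from FreeIPA. The getcert list and ipactl status text it parses is constructed to match the output shapes shown above, with an example hostname, an example instance name and made-up dates; only the Python standard library is used.

```python
"""Triage helpers for the FreeIPA symptoms in this thread (added example,
not FreeIPA code): an escaped ldapi:// URL, a scan of `getcert list` output
for certificates that need attention, and the services `ipactl status`
reports as not running."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote


def ldapi_url(socket_path):
    """Return an ldapi:// URL for an absolute Unix socket path.

    The socket path sits in the host position of the URL, so each '/' must
    be percent-encoded; an unescaped path produces the
    "Can't contact LDAP server (-1)" seen in the thread.
    """
    if not socket_path.startswith("/"):
        raise ValueError("socket path must be absolute: %r" % socket_path)
    return "ldapi://" + quote(socket_path, safe="")


def parse_getcert_list(text):
    """Parse `getcert list` output into {request_id: {field: value}}.

    certmonger prints one "Request ID '...'" header per request followed by
    indented 'key: value' lines; only the first ':' separates key and value
    (values such as ca-error and expires contain further colons).
    """
    requests, fields = {}, None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            fields = requests.setdefault(header.group(1), {})
        elif fields is not None and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")
            fields[key.strip()] = value.strip()
    return requests


def triage_certs(text, now, warn_days=30):
    """Return (request_id, finding) pairs for requests needing attention:
    stuck requests, ca-error conditions, expired certificates and
    certificates expiring within warn_days of `now` (a UTC-aware datetime)."""
    findings = []
    for rid, f in parse_getcert_list(text).items():
        if f.get("stuck") == "yes":
            findings.append((rid, "stuck in state " + f.get("status", "?")))
        if "ca-error" in f:
            findings.append((rid, "ca-error: " + f["ca-error"]))
        if "expires" in f:
            when = datetime.strptime(f["expires"], "%Y-%m-%d %H:%M:%S UTC")
            when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append((rid, "expired on " + f["expires"]))
            elif when - now <= timedelta(days=warn_days):
                findings.append((rid, "expires within %d days" % warn_days))
    return findings


def stopped_services(ipactl_status):
    """Return the names of services `ipactl status` reports as not RUNNING."""
    return [m.group(1)
            for m in (re.match(r"(\S.*?) Service: (\S+)", line)
                      for line in ipactl_status.splitlines())
            if m and m.group(2) != "RUNNING"]


# Constructed sample output: the shape follows the thread, the host name,
# instance name and dates are made up for this example.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\texpires: 2021-12-19 01:12:09 UTC
Request ID '20191219011209':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\texpires: 2022-12-10 12:00:00 UTC
"""
SAMPLE_IPACTL = """\
Directory Service: RUNNING
krb5kdc Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
2 service(s) are not running
"""
NOW = datetime(2022, 11, 23, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    print(ldapi_url("/var/run/slapd-EXAMPLE-TEST.socket"))
    for rid, finding in triage_certs(SAMPLE_GETCERT, NOW):
        print(rid, finding)
    print("not running:", stopped_services(SAMPLE_IPACTL))
```

On a real server the two parsers would be fed the output of `getcert list` and `ipactl status` (for example via subprocess); a certificate that is already expired, or a request that is stuck, is what Rob says to look for before touching the clock, since a CA that fails to start after an upgrade usually traces back to one of those rather than to the upgrade itself.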