I’m adding more information:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@dc2 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry
and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform:
Entry and attributes are managed by topology plugin.No direct modifications allowed.
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to
'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten(a)redhat.com> wrote:
Juan Pablo Lorier wrote:
> Hi,
>
> Rob, the problem with ipactl --ignore-service-failures is that it always
> tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
>
> I was able to move forward and get pki-tomcat running but I still can’t
> finish the upgrade process.
> Here are some more logs to see if you can see a lead to help me.
> Regards
>
> */var/log/ipaupgrade.log*
>
> 2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and
> enabled; skipping
> 2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP
> and enabled; skipping
> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and
> enabled; skipping
> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
> 2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
> 2022-11-30T16:07:49Z DEBUG request body ''
> 2022-11-30T16:07:54Z DEBUG httplib request failed:
> Traceback (most recent call last):
> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271,
> in _httplib_request
> conn.request(method, path, body=request_body, headers=headers)
> File "/usr/lib64/python3.6/http/client.py", line 1273, in request
> self._send_request(method, url, body, headers, encode_chunked)
> File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
> self.endheaders(body, encode_chunked=encode_chunked)
> File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
> self._send_output(message_body, encode_chunked=encode_chunked)
> File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
> self.send(msg)
> File "/usr/lib64/python3.6/http/client.py", line 982, in send
> self.connect()
> File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
> server_hostname=server_hostname)
> File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
> _context=self, _session=session)
> File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
> self.do_handshake()
> File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
> self._sslobj.do_handshake()
> File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
> self._sslobj.do_handshake()
> OSError: [Errno 0] Error
> 2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2022-11-30T16:07:54Z DEBUG File
> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in
> execute
> return_value = self.run()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
> server.upgrade()
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
> line 2055, in upgrade
> upgrade_configuration()
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
> line 1908, in upgrade_configuration
> ca_enable_ldap_profile_subsystem(ca)
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
> line 458, in ca_enable_ldap_profile_subsystem
> cainstance.migrate_profiles_to_ldap()
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
> 2111, in migrate_profiles_to_ldap
> _create_dogtag_profile(profile_id, profile_data, overwrite=False)
> File
> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
> 2165, in _create_dogtag_profile
> with api.Backend.ra_certprofile as profile_api:
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py",
> line 1207, in __enter__
> method='GET'
> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218,
> in https_request
> method=method, headers=headers)
> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280,
> in _httplib_request
> raise NetworkError(uri=uri, error=str(e))
>
> 2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed,
> exception: NetworkError: cannot connect to
> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
> 2022-11-30T16:07:54Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> NetworkError: cannot connect to
> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
> 2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
>
>
> *dirsrv/slapd-TNU-COM-UY/errors*
>
> [30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
> [30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
> [30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
> [30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
> [30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> [30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
> [30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
> [30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
> [30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
> [30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>
> *localhost_access_log.2022-11-30.txt*
>
> 127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
> XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
> XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
>
>
>> On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten(a)redhat.com> wrote:
>>
>> Run "ipactl --ignore-service-failures" and it should bring up all the
>> services it can.
>>
>> rob
>>
>> Juan Pablo Lorier wrote:
>>> Hi again,
>>>
>>> I used the ldapi from /etc/ipa/default.conf and I was able to get a
>>> different reply:
>>>
>>> ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket
>>>
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
>>> GSS failure. Minor code may provide more information (Ticket expired)
>>>
>>> But if I try to renew the ticket, it fails:
>>>
>>> kinit admin
>>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting
>>> initial credentials
>>>
>>> The running DC is in 4.7 and it should reply to the kinit requests
>>>
>>>
>>> I added the debug option to see if I can get further information.
>>>
>>> ipactl restart
>>> IPA version error: data needs to be upgraded (expected version
>>> '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version
>>> '4.7.1-11.module_el8.0.0+79+bbd20d7b')
>>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>>> Be patient, this may take a few minutes.
>>> Automatic upgrade failed: Error caught updating
>>> nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and
>>> attributes are managed by topology plugin.No direct modifications
>>> allowed.
>>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
>>> unwilling to perform: Entry and attributes are managed by topology
>>> plugin.No direct modifications allowed.
>>> Update complete
>>> Upgrading the configuration of the IPA services
>>> [Verifying that root certificate is published]
>>> [Migrate CRL publish directory]
>>> CRL tree already moved
>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>>> command ipa-server-upgrade manually.
>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
>>> 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status
>>> 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control
>>> process exited with error code.\nSee "systemctl status
>>> pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>> more information
>>>
>>> See the upgrade log for more details and/or run
>>> /usr/sbin/ipa-server-upgrade again
>>> Stopping ipa-dnskeysyncd Service
>>> Stopping ipa-otpd Service
>>> Stopping pki-tomcatd Service
>>> Stopping ipa-custodia Service
>>> Stopping httpd Service
>>> Stopping named Service
>>> Stopping kadmin Service
>>> Stopping krb5kdc Service
>>> Stopping Directory Service
>>> Aborting ipactl
>>>
>>> Regards
>>>
>>>
>>>> On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>
>>>> Juan Pablo Lorier wrote:
>>>>> Hi Rob,
>>>>>
>>>>> Thanks for the reply. As I didn’t know any other way but to go back in
>>>>> time, I just did it and now the server is running 100%.
>>>>>
>>>>> This was all part of an update from 4.7 to 4.9. According to the
>>>>> documentation, it was just a matter of def update, but it seems that it
>>>>> is not such a happy path.
>>>>> I updated the second server but it’s not able to finalize the update
>>>>> process. DNS is failing to start:
>>>>>
>>>>> # systemctl status ipa-dnskeysyncd.service
>>>>>
>>>>>
>>>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>>> Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>>>> Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>>>> Main PID: 250496 (ipa-dnskeysyncd)
>>>>> Tasks: 1 (limit: 23652)
>>>>> Memory: 68.4M
>>>>> CGroup: /system.slice/ipa-dnskeysyncd.service
>>>>> └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>>>>
>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>>>>
>>>>>
>>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22
>>>>> 12:40:17 -03. --
>>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
>>>>
>>>> There should be quite a bit more after that.
>>>>
>>>>>
>>>>> #less /var/log/dirsrv/slapd-*/access
>>>>>
>>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
>>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
>>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
>>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
>>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
>>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
>>>>>
>>>>>
>>>>> I see that after the update, the files were changed:
>>>>>
>>>>>
>>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
>>>>> /etc/dirsrv/slapd-TNU-COM-UY:
>>>>> total 4208
>>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
>>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
>>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem
>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
>>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
>>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
>>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
>>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
>>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
>>>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
>>>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 dse.ldif.ipa.6b71b47d73ca452a
>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
>>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
>>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
>>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
>>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
>>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
>>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
>>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
>>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
>>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
>>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
>>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
>>>>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
>>>>>
>>>>>
>>>>> I can’t connect to the LDAP service:
>>>>>
>>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>>>>
>>>> You have to escape the socket path:
>>>> ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
>>>>
>>>>> # less /var/log/ipaupgrade.log
>>>>>
>>>>> Server built: Jun 29 2021 22:00:15 UTC
>>>>> Server number: 9.0.30.0
>>>>> OS Name: Linux
>>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64
>>>>> Architecture: amd64
>>>>> JVM Version: 1.8.0_322-b06
>>>>> JVM Vendor: Red Hat, Inc.
>>>>>
>>>>> 2022-11-22T14:26:56Z DEBUG stderr=
>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
>>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
>>>>> 2022-11-22T14:26:56Z DEBUG stdout=
>>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
>>>>>
>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
>>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
>>>>> 2022-11-22T14:26:57Z DEBUG stdout=
>>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
>>>>> See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
>>>>>
>>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>> 2022-11-22T14:26:57Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>>>> return_value = self.run()
>>>>> File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>>>> server.upgrade()
>>>>> File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>>>>> upgrade_configuration()
>>>>> File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
>>>>> ca.start('pki-tomcat')
>>>>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
>>>>> self.service.start(instance_name, capture_output=capture_output, wait=wait)
>>>>> File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
>>>>> skip_output=not capture_output)
>>>>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
>>>>> p.returncode, arg_string, output_log, error_log
>>>>>
>>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>> (END)
>>>>
>>>> The CA failed to start. This is often due to expired certificates that
>>>> get exposed when an upgrade is done. Check that out.
>>>>
>>>>> #ipactl status
>>>>>
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: STOPPED
>>>>> httpd Service: RUNNING
>>>>> ipa-custodia Service: RUNNING
>>>>> pki-tomcatd Service: STOPPED
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>> 2 service(s) are not running
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>>> On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
>>>>>>
>>>>>> Juan Pablo Lorier via FreeIPA-users wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a production server that was not maintained and I see that the
>>>>>>> HTTP certificate has expired long ago. I tried to renew it but I'm
>>>>>>> not being able to get it right.
>>>>>>>
>>>>>>> The initial status was:
>>>>>>>
>>>>>>> Request ID '20191219011208':
>>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>>>> stuck: yes
>>>>>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>>>
>>>>>>> Then following this thread
>>>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>>>>
>>>>>>> I got it to this state:
>>>>>>>
>>>>>>> Request ID '20191219011208':
>>>>>>> status: MONITORING
>>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
>>>>>>> stuck: no
>>>>>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>>>
>>>>>>> The post indicates that I have to put an old date in the server to
>>>>>>> get it renewed, but as the server is in production, it means that all
>>>>>>> clients will fail to log in to the server. Even more, what time should I
>>>>>>> return to, before the certificate expiration or right after?
>>>>>>> Thanks in advance
>>>>>>
>>>>>> I'd guess that this affects a lot more than just the web server cert.
>>>>>> getcert list will tell you.
>>>>>>
>>>>>> Depending on that outcome, the suggested remediation will differ.
>>>>>>
>>>>>> As for going back in time, you'd need a server outage to do this and it
>>>>>> only would be backwards in time for a short time. Just long enough so
>>>>>> the services could start with non-expired certificates to get them
>>>>>> renewed. But there are other ways to do this that don't require fiddling
>>>>>> with time.
>>>>>>
>>>>>> rob
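Two points raised in the thread above, the %2F-escaped socket path in the ldapi:// URL and Rob's advice to check `getcert list` for expired or stuck certificates before retrying the upgrade, as an added Python example (not FreeIPA's code and not from any poster). It assumes the usual `getcert list` layout of `Request ID` blocks with indented `key: value` lines including an `expires:` line; the sample output, request IDs and host names below are constructed.

```python
"""Post-upgrade triage helpers for a FreeIPA server: an added example, not
FreeIPA's own code. Assumes `getcert list` prints 'Request ID' blocks of
indented 'key: value' lines with 'expires: YYYY-MM-DD HH:MM:SS UTC'."""
from datetime import datetime, timezone
from urllib.parse import quote, unquote, urlsplit

def ldapi_url(socket_path):
    """Every '/' in the socket path must be %2F-escaped; otherwise the client
    treats the first path component as a host name and cannot connect."""
    return "ldapi://" + quote(socket_path, safe="")

def ldapi_socket(url):
    """The socket path an LDAP client actually opens for an ldapi:// URL."""
    return unquote(urlsplit(url).netloc)

# Constructed sample in the layout of `getcert list`; the host is a placeholder.
SAMPLE_GETCERT_LIST = """\
Request ID '20191219011208':
\tstatus: MONITORING
\tstuck: no
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\texpires: 2021-01-21 00:29:20 UTC
Request ID '20191219011209':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\texpires: 2030-01-09 00:00:00 UTC
"""

def parse_getcert_list(text):
    """Parse `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"id": line.split("'")[1]}
            requests.append(current)
        elif current is not None and line[:1] in ("\t", " "):
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def cert_expired(req, now=None):
    """True when the request's 'expires' timestamp is at or before `now` (default: current UTC time)."""
    if "expires" not in req:
        return False
    exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
    return exp.replace(tzinfo=timezone.utc) <= (now or datetime.now(timezone.utc))

def needs_attention(requests, now=None):
    """IDs that are stuck, carry a ca-error, or whose certificate has expired."""
    return [r["id"] for r in requests
            if r.get("stuck") == "yes" or "ca-error" in r or cert_expired(r, now)]
```

Feed the real output of `getcert list` to `parse_getcert_list` and any request returned by `needs_attention` is one the CA start will trip over.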