Hello World!
I have an installation with FreeIPA server 4.2.4 on Fedora 23, and everything worked fine.
I decided to upgrade to Fedora 25 via dnf-upgrade-plugin.
The whole upgrade process went smoothly, and as a result my FreeIPA rpm packages were also upgraded
(from 4.2.4 to 4.4.4).
Now the problem is that nothing works.
The command "ipa-server-upgrade" shows:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
Timeout exceeded
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
I attach the appropriate logs:
/var/log/ipaupgrade.log
2017-06-29T14:55:06Z DEBUG duration: 0 seconds
2017-06-29T14:55:06Z DEBUG [10/10]: starting directory server
2017-06-29T14:55:06Z DEBUG Starting external process
2017-06-29T14:55:06Z DEBUG args=/bin/systemctl start dirsrv@xxx.service
2017-06-29T14:55:09Z DEBUG Process finished, return code=0
2017-06-29T14:55:09Z DEBUG stdout=
2017-06-29T14:55:09Z DEBUG stderr=
2017-06-29T14:55:09Z DEBUG Starting external process
2017-06-29T14:55:09Z DEBUG args=/bin/systemctl is-active dirsrv@xxx.service
2017-06-29T14:55:09Z DEBUG Process finished, return code=0
2017-06-29T14:55:09Z DEBUG stdout=active
2017-06-29T14:55:09Z DEBUG stderr=
2017-06-29T14:55:09Z DEBUG wait_for_open_ports: localhost [389] timeout 300
/var/log/dirsrv/.../errors.log
[29/Jun/2017:17:57:21.091850887 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection timed out)
[29/Jun/2017:17:58:18.114145058 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[29/Jun/2017:17:58:42.135719951 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection timed out)
[29/Jun/2017:18:01:30.160763487 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[29/Jun/2017:18:01:54.183552684 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 110 (Connection timed out)
/var/log/krb5kdc.log
Jun 29 17:54:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: ISSUE: authtime 1498748048, etypes {rep=18 tkt=18 ses=18}, ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM
Jun 29 17:54:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: LOOKING_UP_CLIENT: ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM, Server error
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: LOOKING_UP_CLIENT: ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM, Server error
Jun 29 17:55:08 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: NEEDED_PREAUTH: ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM, Additional pre-authentication required
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): AS_REQ (6 etypes {18 17 16 23 25 26}) x.x.x.x: ISSUE: authtime 1498748124, etypes {rep=18 tkt=18 ses=18}, ldap/ipa1.srv.xxx.com@SRV.xxx.COM for krbtgt/SRV.xxx.COM@SRV.xxx.COM
Jun 29 17:55:24 ipa1.srv.xxx.com krb5kdc[1335](info): closing down fd 4
I have tried different ways of making the command "ipa-server-upgrade" complete its
job, but nothing worked.
Any ideas? :(
Hi,
the log shows that the Directory Server started but does not answer the
StartTLS request on port 389. Can you check:
1/ if the Directory Server is still answering on port 389 (without
StartTLS):
ldapsearch -h `hostname` -p 389 -x -b "" -s base namingcontexts
2/ if the Directory server is answering on port 389 with StartTLS:
ldapsearch -h `hostname` -p 389 -Z -x -b "" -s base namingcontexts
3/ if the Directory Server certificate is still valid (replace
IPADOMAIN-COM with the appropriate directory):
sudo getcert list -d /etc/dirsrv/slapd-IPADOMAIN-DOM | grep expires
If the certificate is expired, you can temporarily allow the services to
run with expired certificates by following the instructions in [1], but
you will need to fix the issue and renew certs.
More information on certificate renewal can be found here [2].
HTH,
Flo.
[1]
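The three checks above, turned into an added shell script that is not part of the thread: it runs them in the order Flo gives and stops at the first failing layer. It assumes `hostname` resolves to the IPA server, that the slapd instance directory (e.g. /etc/dirsrv/slapd-IPADOMAIN-DOM) is passed as the first argument, and that an optional second argument (YYYYMMDD) can stand in for today's date.

```shell
#!/bin/sh
# Added example (not from the thread): runs the reply's three checks in order and
# stops at the first one that fails, so the output names the layer that broke
# (listener, StartTLS, or certificate). Assumed: `hostname` resolves to the IPA
# server, $1 is the slapd instance directory (e.g. /etc/dirsrv/slapd-IPADOMAIN-DOM)
# and $2 (optional, YYYYMMDD) overrides "today" so the date logic can be tested.

# Succeed (0) when the first "expires:" line in a `getcert list` dump ($1) is
# before day $2 (YYYYMMDD); return 2 when no expiry line is present at all.
cert_expired() {
    exp=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*expires: \([0-9]*\)-\([0-9]*\)-\([0-9]*\).*/\1\2\3/p' |
        head -n 1)
    [ -n "$exp" ] || return 2
    [ "$exp" -lt "$2" ]
}

check_dirsrv() {
    host=$(hostname)
    today=${2:-$(date -u +%Y%m%d)}
    # 1/ plain LDAP on 389. `timeout` keeps a half-open listener (the errno 110
    # case in errors.log) from hanging the check for minutes.
    if ! timeout 15 ldapsearch -h "$host" -p 389 -x -b "" -s base namingcontexts >/dev/null 2>&1; then
        echo "FAIL: no plain LDAP answer on $host:389 (dirsrv not listening?)"
        return 1
    fi
    # 2/ the same search over StartTLS. -ZZ (rather than -Z) makes ldapsearch fail
    # when the StartTLS operation fails instead of silently continuing in clear text.
    if ! timeout 15 ldapsearch -h "$host" -p 389 -ZZ -x -b "" -s base namingcontexts >/dev/null 2>&1; then
        echo "FAIL: plain LDAP answers but StartTLS on $host:389 does not"
        # 3/ most likely cause: the server cert tracked for the instance's NSS db expired
        if cert_expired "$(getcert list -d "$1")" "$today"; then
            echo "  -> certificate tracked for $1 has expired; renew it before re-running ipa-server-upgrade"
        fi
        return 2
    fi
    echo "OK: LDAP and StartTLS both answer on $host:389"
}

# Run only when invoked with an instance directory, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    check_dirsrv "$@"
fi
```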
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org