Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
Some more info: $ cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core)
$ tail /var/log/krb5kdc.log krb5kdc: Server error - while fetching master key K/M for realm XXX krb5kdc: Database module does not match KDC version - while initializing database for realm XXX
$ sudo less /var/log/ipaupgrade.log 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG duration: 0 seconds 2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade data_upgrade.create_instance() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance runtime=90) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start api.Backend.ldap2.connect() File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect conn = self.create_connection(*args, **kw) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection client_controls=clientctrls) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind '', auth_tokens, server_controls, client_controls) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access: 2017-10-16T13:04:14Z ERROR Insufficient access: 2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
$ sudo less /var/log/yum.log Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64 Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64 Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64 Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64 Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64
Cheers,
Johannes
On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote:
Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
You should make sure your system is fully upgraded. Not just 'yum install freeipa-server' to upgrade but all related packages too. In particular, MIT Kerberos has database driver version that may change with a version update and we have to rebuild FreeIPA driver against it.
Some more info: $ cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core)
$ tail /var/log/krb5kdc.log krb5kdc: Server error - while fetching master key K/M for realm XXX krb5kdc: Database module does not match KDC version - while initializing database for realm XXX
$ sudo less /var/log/ipaupgrade.log 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG duration: 0 seconds 2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade data_upgrade.create_instance() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance runtime=90) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start api.Backend.ldap2.connect() File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect conn = self.create_connection(*args, **kw) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection client_controls=clientctrls) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind '', auth_tokens, server_controls, client_controls) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access: 2017-10-16T13:04:14Z ERROR Insufficient access: 2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
$ sudo less /var/log/yum.log Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64 Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64 Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64 Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64 Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64
Cheers,
Johannes _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On ti, 17 loka 2017, Alexander Bokovoy via FreeIPA-users wrote:
On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote:
Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
You should make sure your system is fully upgraded. Not just 'yum install freeipa-server' to upgrade but all related packages too. In particular, MIT Kerberos has database driver version that may change with a version update and we have to rebuild FreeIPA driver against it.
Some more info: $ cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core)
$ tail /var/log/krb5kdc.log krb5kdc: Server error - while fetching master key K/M for realm XXX krb5kdc: Database module does not match KDC version - while initializing database for realm XXX
$ sudo less /var/log/ipaupgrade.log 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2017-10-16T13:04:13Z DEBUG duration: 0 seconds 2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2017-10-16T13:04:14Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run server.upgrade() File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade data_upgrade.create_instance() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance runtime=90) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start api.Backend.ldap2.connect() File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect conn = self.create_connection(*args, **kw) File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection client_controls=clientctrls) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind '', auth_tokens, server_controls, client_controls) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access: 2017-10-16T13:04:14Z ERROR Insufficient access: 2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
$ sudo less /var/log/yum.log Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64 Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64 Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64 Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64 Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64 Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64 Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64 Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64
According to this log, ipa-server was updated before krb5-server was updated, so if upgrade code did run before krb5-server upgrade, the error message and a failure can be explained by that.
I'm not sure what is your actual timezone and how these times in ipaupgrade.log and yum.log can be co-related though.
You may want to run ipa-server-upgrade directly.
Hi,
it was all done in one yum upgrade session. I just grepped the output for ipa and krb and didn't bother to put them back in the correct order.
If I run ipa-server-upgrade directly I get the following output which leads to the log entry stated above:
[jbrandstetter@ip-172-29-1-184 ~]$ sudo ipa-server-upgrade Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/8]: saving configuration [2/8]: disabling listeners [3/8]: enabling DS global lock [4/8]: starting directory server [error] ACIError: Insufficient access: [cleanup]: stopping directory server [cleanup]: restoring configuration IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Insufficient access: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Cheers,
Johannes
On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote:
Hi,
it was all done in one yum upgrade session. I just grepped the output for ipa and krb and didn't bother to put them back in the correct order.
If I run ipa-server-upgrade directly I get the following output which leads to the log entry stated above:
[jbrandstetter@ip-172-29-1-184 ~]$ sudo ipa-server-upgrade Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/8]: saving configuration [2/8]: disabling listeners [3/8]: enabling DS global lock [4/8]: starting directory server [error] ACIError: Insufficient access: [cleanup]: stopping directory server [cleanup]: restoring configuration IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Insufficient access: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
what do you have in /var/log/dirsrv/slapd-$INSTANCE/errors ?
[17/Oct/2017:04:15:07.895680200 +0000] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. [17/Oct/2017:04:15:07.901635774 +0000] - INFO - Security Initialization - SSL info: Enabling default cipher set. [17/Oct/2017:04:15:07.904597449 +0000] - INFO - Security Initialization - SSL info: Configured NSS Ciphers [17/Oct/2017:04:15:07.908676932 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled [17/Oct/2017:04:15:07.914619071 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [17/Oct/2017:04:15:07.918711184 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [17/Oct/2017:04:15:07.922188082 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled [17/Oct/2017:04:15:07.925705727 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [17/Oct/2017:04:15:07.928951599 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled [17/Oct/2017:04:15:07.933094418 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [17/Oct/2017:04:15:07.937219183 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [17/Oct/2017:04:15:07.938938509 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [17/Oct/2017:04:15:07.942369175 +0000] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [17/Oct/2017:04:15:07.945127590 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled [17/Oct/2017:04:15:07.948679956 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [17/Oct/2017:04:15:07.952511577 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [17/Oct/2017:04:15:07.956519881 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [17/Oct/2017:04:15:07.960004200 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [17/Oct/2017:04:15:07.961410725 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [17/Oct/2017:04:15:07.963576251 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [17/Oct/2017:04:15:07.965149796 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [17/Oct/2017:04:15:07.968188865 +0000] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [17/Oct/2017:04:15:07.970678447 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled [17/Oct/2017:04:15:07.972819595 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [17/Oct/2017:04:15:07.976585917 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [17/Oct/2017:04:15:07.977963593 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [17/Oct/2017:04:15:07.980765706 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [17/Oct/2017:04:15:07.982822399 +0000] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [17/Oct/2017:04:15:07.984100976 +0000] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled [17/Oct/2017:04:15:07.986608371 +0000] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled [17/Oct/2017:04:15:07.990063097 +0000] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled [17/Oct/2017:04:15:08.001170916 +0000] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.2 [17/Oct/2017:04:15:08.005667838 +0000] - INFO - main - 389-Directory/1.3.6.1 B2017.249.1616 starting up [17/Oct/2017:04:15:08.020017949 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 [17/Oct/2017:04:15:08.038101811 +0000] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match [17/Oct/2017:04:15:08.045327240 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 [17/Oct/2017:04:15:08.054350703 +0000] - NOTICE - ldbm_back_start - found 3688396k physical memory [17/Oct/2017:04:15:08.056339877 +0000] - NOTICE - ldbm_back_start - found 3095684k available [17/Oct/2017:04:15:08.058704865 +0000] - NOTICE - ldbm_back_start - cache autosizing: db cache: 147535k [17/Oct/2017:04:15:08.061620477 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (2 total): 131072k [17/Oct/2017:04:15:08.068068900 +0000] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (2 total): 131072k [17/Oct/2017:04:15:08.078251383 +0000] - NOTICE - ldbm_back_start - changelog: entry cache size 134217728 B is less than db size 524238848 B; We recommend to increase the entry cache size nsslapd-cachememsize. [17/Oct/2017:04:15:08.080864569 +0000] - NOTICE - ldbm_back_start - total cache size: 410268336 B; [17/Oct/2017:04:15:08.083534530 +0000] - NOTICE - dblayer_start - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [17/Oct/2017:04:15:08.405630829 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! [17/Oct/2017:04:15:08.438689140 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.440031965 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.441266737 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.442479570 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.443705518 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.445145877 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.446377174 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.448025963 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.449256010 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.450481973 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.451831638 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.453080135 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.454249171 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.455465936 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.456692096 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.457922900 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.459153955 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.460330623 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.461564502 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.462824971 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.464265829 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.473470631 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.477128448 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.478381209 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=xxx,dc=tv does not exist [17/Oct/2017:04:15:08.677159832 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [17/Oct/2017:04:15:08.745387763 +0000] - ERR - NSMMReplicationPlugin - changelog program - _cl5NewDBFile - PR_DeleteSemaphore: /var/lib/dirsrv/slapd-XXX-TV/cldb/48893613-408111e7-bf36aa60-e3e22fc1.sema; NSPR error - -5943 [17/Oct/2017:04:17:31.266642375 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes... [17/Oct/2017:04:19:52.187161950 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete . Result 0 (Success) [17/Oct/2017:04:19:52.201344309 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes... [17/Oct/2017:04:22:18.030161222 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success) [17/Oct/2017:04:22:19.164061620 +0000] - WARN - NSMMReplicationPlugin - replica_check_for_data_reload - Disorderly shutdown for replica dc=xxx,dc=tv. Check if DB RUV needs to be updated [17/Oct/2017:04:22:19.166339670 +0000] - NOTICE - NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 59e4aee8000100120000 [17/Oct/2017:04:22:19.181840079 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:19.185496743 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:19.187251880 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:19.188872570 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:19.199262355 +0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! [17/Oct/2017:04:22:19.213156293 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests [17/Oct/2017:04:22:19.214429909 +0000] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests [17/Oct/2017:04:22:19.215755947 +0000] - INFO - slapd_daemon - Listening on /var/run/slapd-XXX-TV.socket for LDAPI requests [17/Oct/2017:04:22:22.383197028 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:22.401094264 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:22.416866388 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:22.453579433 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:25.164872316 +0000] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=xxx,dc=tv [17/Oct/2017:04:22:28.524264627 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:28.538148537 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:28.552351775 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:28.575781016 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:04:22:28.675487843 +0000] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 3 max work q size 1 max work q stack size 1 [17/Oct/2017:04:22:28.690376454 +0000] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins [17/Oct/2017:09:20:22.339036248 +0000] - NOTICE - config_set_port - Non-Secure Port Disabled [17/Oct/2017:09:20:22.490875454 +0000] - INFO - main - 389-Directory/1.3.6.1 B2017.249.1616 starting up [17/Oct/2017:09:20:22.510868158 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 [17/Oct/2017:09:20:22.515316298 +0000] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match [17/Oct/2017:09:20:22.520093881 +0000] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 [17/Oct/2017:09:20:22.535357215 +0000] - NOTICE - ldbm_back_start - found 3688396k physical memory [17/Oct/2017:09:20:22.536518524 +0000] - NOTICE - ldbm_back_start - found 3103476k available [17/Oct/2017:09:20:22.537641718 +0000] - NOTICE - ldbm_back_start - cache autosizing: db cache: 147535k [17/Oct/2017:09:20:22.538826013 +0000] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (2 total): 131072k [17/Oct/2017:09:20:22.541753236 +0000] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (2 total): 131072k [17/Oct/2017:09:20:22.544572974 +0000] - NOTICE - ldbm_back_start - changelog: entry cache size 134217728 B is less than db size 524238848 B; We recommend to increase the entry cache size nsslapd-cachememsize. [17/Oct/2017:09:20:22.549834421 +0000] - NOTICE - ldbm_back_start - total cache size: 410268336 B; [17/Oct/2017:09:20:22.552304837 +0000] - NOTICE - dblayer_start - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [17/Oct/2017:09:20:23.019667207 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! [17/Oct/2017:09:20:23.050793783 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.052199614 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=keys,cn=sec,cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.053738773 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.054934179 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.056197341 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.057451952 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.058789883 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.060128879 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.065331715 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.066651288 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.067862084 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.069052967 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.070511564 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.071879014 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.073205809 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.074543225 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.075713495 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.076939179 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.078143768 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.079365914 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.080623479 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=dns,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.087673744 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.092184355 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.094592783 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=xxx,dc=tv does not exist [17/Oct/2017:09:20:23.294642382 +0000] - ERR - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist [17/Oct/2017:09:20:23.372230971 +0000] - ERR - NSMMReplicationPlugin - changelog program - _cl5NewDBFile - PR_DeleteSemaphore: /var/lib/dirsrv/slapd-XXX-TV/cldb/48893613-408111e7-bf36aa60-e3e22fc1.sema; NSPR error - -5943 [17/Oct/2017:09:22:45.998792249 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes... [17/Oct/2017:09:25:16.899893855 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success) [17/Oct/2017:09:25:18.037583552 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding the replication changelog RUV, this may take several minutes... [17/Oct/2017:09:27:44.693843084 +0000] - NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV - Rebuilding replication changelog RUV complete. Result 0 (Success) [17/Oct/2017:09:27:45.194785996 +0000] - WARN - NSMMReplicationPlugin - replica_check_for_data_reload - Disorderly shutdown for replica dc=xxx,dc=tv. Check if DB RUV needs to be updated [17/Oct/2017:09:27:45.196215926 +0000] - NOTICE - NSMMReplicationPlugin - Force update of database RUV (from CL RUV) -> 59e58616000100120000 [17/Oct/2017:09:27:45.212274784 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:09:27:45.215286764 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:09:27:45.217038161 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:09:27:45.219236710 +0000] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/auth9.xxx.tv@XXX.TV] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) [17/Oct/2017:09:27:45.234712987 +0000] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! [17/Oct/2017:09:27:45.249338302 +0000] - INFO - slapd_daemon - slapd started. Listening on /var/run/slapd-XXX-TV.socket for LDAPI requests [17/Oct/2017:09:27:45.343412485 +0000] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1 [17/Oct/2017:09:27:45.345871392 +0000] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins
Alexander Bokovoy freeipa-users@lists.fedorahosted.org writes:
On ti, 17 loka 2017, Johannes Brandstetter via FreeIPA-users wrote:
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:" . I find in the kdc log that it complains about " Database module does not match KDC version - while initializing database for realm..."
You should make sure your system is fully upgraded. Not just 'yum install freeipa-server' to upgrade but all related packages too. In particular, MIT Kerberos has database driver version that may change with a version update and we have to rebuild FreeIPA driver against it.
We have some packaging logic coming in to prevent krb5 mismatch (in Fedora), but it's not in RHEL right now.
Thanks, --Robbie
I've rebuilt the RPM from the src.rpm and installed that but it didn't help. Any other ideas on how to solve the mismatch?
So I finally reverted to a snapshot with version 4.4 before the inadvertent update. After some 15min of no output the instance came back up again.
Hi, have you found resolution here?
I get same/similar error while troubleshooting expired certificates, for example going back in time when all certs are valid and restarting certmonger, then I see this error.
freeipa-users@lists.fedorahosted.org