Hi there, I appear to be stuck in a failing upgrade.
On Rocky Linux 8.6. The server is one of 2 replicas, both CA and DNS servers.

It all started with pki-tomcat being down on a running server (ipa02.hq.spinque.com):

  ipactl status
  Directory Service: RUNNING
  krb5kdc Service: RUNNING
  kadmin Service: RUNNING
  named Service: RUNNING
  httpd Service: RUNNING
  ipa-custodia Service: RUNNING
  pki-tomcatd Service: STOPPED
  ipa-otpd Service: RUNNING
  ipa-dnskeysyncd Service: RUNNING
  1 service(s) are not running

and unable to go up again, with these errors:

  ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ipa02.hq.spinque.com:8080/ca/admin/ca/getStatus
  SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
  netscape.ldap.LDAPException: Authentication failed (48)

Having read something about a similar issue being caused by nss 3.67 (the one installed in the system), I ran a dnf update (4.9.8-8 installed).

This actually complicated things, because now it still fails, but also it tries to upgrade every time it starts, failing the upgrade. As far as I can see in the upgrade log, the actual upgrade succeeds, but starting the services at the end fails, which makes the whole procedure fail.

So running ipactl restart --ignore-service-failures does not help, because the automatic upgrade fails and that stops all the services as a last step.

I'm not sure how I could continue, some pointer would be appreciated.

Errors I see now:

  ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
  ldap_child[2130]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 'HQ.SPINQUE.COM'. Unable to create GSSAPI-encrypted LDAP connection.

Thanks for your help,
Roberto
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
