Correction: After ipa-server-upgrade fails, dirsrv service is up (the only one):
$ systemctl status dirsrv@HQ-SPINQUE-COM -l
● [email protected] - 389 Directory Server HQ-SPINQUE-COM.
   Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/[email protected]
           └─custom.conf
           /etc/systemd/system/[email protected]
           └─ipa-env.conf
   Active: active (running) since Tue 2022-11-15 16:45:01 CET; 1h 11min ago
 Main PID: 4590 (ns-slapd)
   Status: "slapd started: Ready to process requests"
    Tasks: 35 (limit: 24866)
   Memory: 105.8M
   CGroup: /system.slice/system-dirsrv.slice/[email protected]
           └─4590 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-HQ-SPINQUE-COM -i /run/dirsrv/slapd-HQ-SPINQUE-COM.pid

Nov 15 17:51:19 ipa02.hq.spinque.com ns-slapd[4590]: [15/Nov/2022:17:51:19.375860350 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ [email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765>
Nov 15 17:51:23 ipa02.hq.spinque.com ns-slapd[4590]: [15/Nov/2022:17:51:23.385663283 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ [email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765>
Nov 15 17:51:24 ipa02.hq.spinque.com ns-slapd[4590]: GSSAPI client step 1
Nov 15 17:51:24 ipa02.hq.spinque.com ns-slapd[4590]: GSSAPI client step 1
Nov 15 17:51:24 ipa02.hq.spinque.com ns-slapd[4590]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'HQ.SPINQUE.COM')
Nov 15 17:51:27 ipa02.hq.spinque.com ns-slapd[4590]: [15/Nov/2022:17:51:27.604045400 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ [email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765>
Nov 15 17:51:28 ipa02.hq.spinque.com ns-slapd[4590]: [15/Nov/2022:17:51:28.642136900 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/ [email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765>
Nov 15 17:51:29 ipa02.hq.spinque.com ns-slapd[4590]: GSSAPI client step 1
Nov 15 17:51:29 ipa02.hq.spinque.com ns-slapd[4590]: GSSAPI client step 1
Nov 15 17:51:29 ipa02.hq.spinque.com ns-slapd[4590]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for realm 'HQ.SPINQUE.COM')

On Tue, 15 Nov 2022 at 17:42, Roberto Cornacchia <[email protected]> wrote:

> Hi there,
>
> I appear to be stuck in a failing upgrade.
>
> On Rocky Linux 8.6. The server is one of 2 replicas, both CA and DNS
> servers.
>
> It all started with pki-tomcat being down on a running server (
> ipa02.hq.spinque.com):
>
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> 1 service(s) are not running
>
> and unable to go up again, with these errors:
>
> ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for
> url: http://ipa02.hq.spinque.com:8080/ca/admin/ca/getStatus
>
> SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server:
> Authentication failed
> netscape.ldap.LDAPException: Authentication failed (48)
>
> Having read something about a similar issue being caused by nss 3.67 (the
> one installed in the system), I ran a dnf update (4.9.8-8 installed).
>
> This actually complicated things, because now it still fails, but also it
> tries to upgrade every time it starts, failing the upgrade. As far as I can
> see in the upgrade log, the actual upgrade succeeds, but starting the
> services at the end fails, which makes the whole procedure fail.
>
> So running ipactl restart --ignore-service-failures does not help, because
> the automatic upgrade fails and that stops all the services as a last step.
>
> I'm not sure how I could continue, some pointer would be appreciated.
>
> Errors I see now:
>
> ERR - set_krb5_creds - Could not get initial credentials for principal
> [ldap/[email protected]] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
> requested realm)
>
> ldap_child[2130]: Failed to initialize credentials using keytab
> [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm '
> HQ.SPINQUE.COM'. Unable to create GSSAPI-encrypted LDAP connection.
>
> Thanks for your help,
> Roberto
>
