Trond Strømme via FreeIPA-users wrote:
> Hi,
>
> We experienced the same where we now only see direct memberships.
> During the wee hours of Dec 7. We saw a crash in our IPA server, running
> Centos 7
>
>
>
> (were using nss-pam-ldapd on our hosts, which are running OEL7)
>
> Theyve gotten indirect/nested memberships without any problems previously.
>
>
>
> From our yum logs we can see that the last few days weve got the
> following updated packages:
>
> Nov 22 05:24:29 Installed: kernel.x86_64 3.10.0-1160.80.1.el7
>
> Nov 22 05:25:27 Updated: microcode_ctl.x86_64 2:2.1-73.15.el7_9
>
> Dec 01 05:22:47 Updated: krb5-libs.x86_64 1.15.1-55.el7_9
>
> Dec 01 05:22:47 Updated: libkadm5.x86_64 1.15.1-55.el7_9
>
> Dec 01 05:22:47 Updated: krb5-workstation.x86_64 1.15.1-55.el7_9
>
> Dec 01 05:22:47 Updated: krb5-devel.x86_64 1.15.1-55.el7_9
>
> Dec 01 05:22:48 Updated: krb5-server.x86_64 1.15.1-55.el7_9
>
> Dec 01 05:22:48 Updated: krb5-pkinit.x86_64 1.15.1-55.el7_9
>
> Dec 01 05:22:50 Updated: tzdata.noarch 2022f-1.el7
>
> Dec 01 05:22:50 Updated: hsqldb.noarch 1:1.8.1.3-15.el7_9
>
> Dec 01 05:22:51 Updated: tzdata-java.noarch 2022f-1.el7
>
> Dec 01 05:22:51 Updated: kpartx.x86_64 0.4.9-136.el7_9
>
>
> We did see the Derectory Service being in a STOPPED state, on `ipactl start`
>
> We get the following:
>
> [root@ipa slapd-REDACTED-REDACTEDSOMEMORE]# ipactl start
>
> IPA version error: data needs to be upgraded (expected version
> '4.6.8-5.el7.centos.12', current version '4.6.8-5.el7.centos.11')
>
> Automatically running upgrade, fordetails see /var/log/ipaupgrade.log
>
> Be patient, thismay take a few minutes.
>
> [76068899.913648] ns-slapd[6185]: segfault at 10 ip 00007f997c761460 sp
> 00007f99886cc760 error 4 in libcos-plugin.so[7f997c75e000+a000]
A crash is bad though probably not related to nesting. I'd suggest
opening a bug against your package provider, Oracle I presume, and/or
against the 389-ds project. You'll want to install the debuginfo
packages and reproduce the crash so you can get a stack trace which may
show what is going on.
rob
>
> Starting Directory Service
>
> Starting krb5kdc Service
>
> Starting kadmin Service
>
> Starting named Service
>
> Starting httpd Service
>
> Starting ipa-custodia Service
>
> Starting ntpd Service
>
> Starting pki-tomcatd Service
>
> Starting ipa-otpd Service
>
> Starting ipa-dnskeysyncd Service
>
> ipa: INFO: The ipactl command was successful
>
> from the ipaupgrade.log
>
> 2022-12-07T03:07:58Z ERROR Introspect error on
> :1.25883111:/org/fedorahosted/certmonger: dbus.exceptions.DBusException:
> org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible
> causes include: the remote application did not send a reply, the message
> bus security policy blocked the reply, the reply timeout expired, or the
> network connection was broken.
>
> 2022-12-07T03:07:58Z DEBUG Executing introspect queue due to error
>
> 2022-12-07T03:08:23Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>
> 2022-12-07T03:08:23Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> execute
>
> return_value = self.run()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 54, in run
>
> server.upgrade()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 2190, in upgrade
>
> upgrade_configuration()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1930, in upgrade_configuration
>
> http.configure_certmonger_renewal_guard()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py",
> line 335, in configure_certmonger_renewal_guard
>
> path = iface.find_ca_by_nickname('IPA')
>
> File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 70, in
> __call__
>
> returnself._proxy_method(*args, **keywords)
>
> File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145,
> in __call__
>
> **keywords)
>
> File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line
> 651, in call_blocking
>
> message, timeout)
>
>
>
> 2022-12-07T03:08:23Z DEBUG The ipa-server-upgrade command failed,
> exception: DBusException: org.freedesktop.DBus.Error.NoReply: Did not
> receive a reply. Possible causes include: the remote application did not
> send a reply, the message bus security policy blocked the reply, the
> reply timeout expired, or the network connection was broken.
>
> 2022-12-07T03:08:23Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log fordetails:
>
> DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a
> reply. Possible causes include: the remote application did not send a
> reply, the message bus security policy blocked the reply, the reply
> timeout expired, or the network connection was broken.
>
> And
>
> 2022-12-07T07:05:05Z DEBUG stderr=certutil: Could not find cert: ipaCert
>
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> The upgrade log can be provided if needed
>
>
>
> Best Regards
>
> Trond Strømme
>
> "This email with attachments is solely for the use of the individual or
> entity to which it is addressed. It may contain confidential or
> privileged information. If you are not the addressee, please notify the
> sender and delete this message and all attachments from your files."
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
