Hello,

In the errors log I see this error every 5 min:

[01/May/2018:15:59:25.956271320 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

I have started the krb5kdc Service and now it doesn't complain.

On the access log I have thousands of lines like these (the op value increases by 1 with every log entry):

[01/May/2018:16:49:11.011904150 +0200] conn=5 op=23845 SRCH base="cn=indextask_description_137444551994158920_5958,cn=index,cn=tasks,cn=config" scope=0 filter="(objectClass=*)" attrs="nstaskstatus nstaskexitcode"
[01/May/2018:16:49:11.012135091 +0200] conn=5 op=23845 RESULT err=0 tag=101 nentries=1 etime=1.0001333670

Right now I have the following services up:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: STOPPED
ipa-custodia Service: STOPPED
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: STOPPED
winbind Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

I haven't tried to start all services because I don't know if it would affect the upgrade. The /var/log/ipaupgrade.log doesn't have any new entries for the last 7 hours; the last one is what I posted in the previous email.

Should I still wait, or should I start all services?

Thanks & Regards.

______________________________

-----Original Message-----
From: Rob Crittenden <[email protected]>
Sent: Tuesday, May 01, 2018 15:18
To: FreeIPA users list <[email protected]>
Cc: SOLER SANGUESA Miguel <[email protected]>
Subject: Re: [Freeipa-users] Re: Problem on dirsrv when updating from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)

SOLER SANGUESA Miguel via FreeIPA-users wrote:
> Hello,
>
> Thank you for your answer, now dirsrv can start, but after running the "[email protected]" it hangs:
>
> # ipa-server-upgrade
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [5/8]: updating schema
>   [6/8]: upgrading server
>
> The latest messages in the log are (there are no logs in the last 2h):
>
> 2018-05-01T08:13:14Z DEBUG ---------------------------------------------
> 2018-05-01T08:13:14Z DEBUG Final value after applying updates
> 2018-05-01T08:13:14Z DEBUG dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
> 2018-05-01T08:13:14Z DEBUG objectclass:
> 2018-05-01T08:13:14Z DEBUG     top
> 2018-05-01T08:13:14Z DEBUG     nsindex
> 2018-05-01T08:13:14Z DEBUG nsindextype:
> 2018-05-01T08:13:14Z DEBUG     eq
> 2018-05-01T08:13:14Z DEBUG     sub
> 2018-05-01T08:13:14Z DEBUG cn:
> 2018-05-01T08:13:14Z DEBUG     description
> 2018-05-01T08:13:14Z DEBUG nssystemindex:
> 2018-05-01T08:13:14Z DEBUG     false
> 2018-05-01T08:13:19Z DEBUG Creating task to index attribute: description
> 2018-05-01T08:13:19Z DEBUG Task id: cn=indextask_description_137444551994158920_5958,cn=index,cn=tasks,cn=config
>
> If I check the ipa services, dirsrv is the only one running:
>
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED
> smb Service: STOPPED
> winbind Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
>
> Should I stop the ipa-server-upgrade and start ipa services?

It depends on how many entries you have. This is an indexing task and while 2 hours seems a bit excessive, it depends on how much work it has to do.

The 389-ds access and/or error logs may provide details.

rob

>
> Thanks.
>
> -----Original Message-----
> From: Alexander Bokovoy <[email protected]>
> Sent: Tuesday, May 01, 2018 9:56
> To: FreeIPA users list <[email protected]>
> Cc: SOLER SANGUESA Miguel <[email protected]>
> Subject: Re: [Freeipa-users] Problem on dirsrv when updating from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)
>
> On Tue, 01 May 2018, SOLER SANGUESA Miguel via FreeIPA-users wrote:
> >hello,
> >
> >I have an IPA master that updated from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5). An hour later I tried to do the same with the unique replica I have, but after update dirsrv is not starting.
> >It says it is needed to run "ipa-server-upgrade", but it also fails:
> ># ipactl start
> >Upgrade required: please run ipa-server-upgrade command
> >Aborting ipactl
> >
> ># ipa-server-upgrade
> >Upgrading IPA:. Estimated time: 1 minute 30 seconds
> >  [1/8]: saving configuration
> >  [2/8]: disabling listeners
> >  [3/8]: enabling DS global lock
> >  [4/8]: starting directory server
> >  [error] CalledProcessError: Command '/bin/systemctl start [email protected]' returned non-zero exit status 1
> >  [cleanup]: stopping directory server
> >  [cleanup]: restoring configuration
> >IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> >Unexpected error - see /var/log/ipaupgrade.log for details:
> >CalledProcessError: Command '/bin/systemctl start [email protected]' returned non-zero exit status 1
> >The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
> >
> >On the log I can see:
> >2018-04-30T14:36:15Z DEBUG Starting external process
> >2018-04-30T14:36:15Z DEBUG args=/bin/systemctl is-active [email protected]
> >2018-04-30T14:36:15Z DEBUG Process finished, return code=3
> >2018-04-30T14:36:15Z DEBUG stdout=failed
> >...
> >2018-04-30T14:36:15Z DEBUG [4/8]: starting directory server
> >2018-04-30T14:36:15Z DEBUG Starting external process
> >2018-04-30T14:36:15Z DEBUG args=/bin/systemctl start [email protected]
> >2018-04-30T14:36:15Z DEBUG Process finished, return code=1
> >2018-04-30T14:36:15Z DEBUG stdout=
> >2018-04-30T14:36:15Z DEBUG stderr=Job for [email protected] failed because the control process exited with error code. See "systemctl status [email protected]" and "journalctl -xe" for details.
> >
> >2018-04-30T14:36:15Z DEBUG Traceback (most recent call last):
> >  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
> >    run_step(full_msg, method)
> >  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
> >    method()
> >  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 95, in __start
> >    srv.start(self.serverid, ldapi=True)
> >  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 161, in start
> >    instance_name, capture_output=capture_output, wait=wait)
> >  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 294, in start
> >    skip_output=not capture_output)
> >  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 542, in run
> >    raise CalledProcessError(p.returncode, arg_string, str(output))
> >CalledProcessError: Command '/bin/systemctl start [email protected]' returned non-zero exit status 1
> >
> >2018-04-30T14:36:15Z DEBUG [error] CalledProcessError: Command '/bin/systemctl start [email protected]' returned non-zero exit status 1
> >
> >Checking /var/log/dirsrv/slapd-IPA-EXAMPLE-ORG/errors I see:
> >[30/Apr/2018:16:04:52.584220922 +0200] - ERR - slapd_bootstrap_config - The default password storage scheme could not be read or was not found in the file /etc/dirsrv/slapd-IPA-EXAMPLE-ORG/dse.ldif. It is mandatory.
> >
> >Checking on the internet I saw that "dse.ldif" could be corrupted, so I changed it with "dse.ldif.startOK" without any change and then I changed it with "dse.ldif.bak". The problem persists but the error has changed:
> >[30/Apr/2018:16:32:13.435210918 +0200] - NOTICE - config_set_port - Non-Secure Port Disabled
> >[30/Apr/2018:16:32:13.556581301 +0200] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libreplication-plugin.so: undefined symbol: replication_legacy_plugin_init
> >[30/Apr/2018:16:32:13.561590553 +0200] - ERR - symload_report_error - Could not load symbol "replication_legacy_plugin_init" from "/usr/lib64/dirsrv/plugins/libreplication-plugin.so" for plugin Legacy Replication Plugin
> >[30/Apr/2018:16:32:13.564590264 +0200] - ERR - load_plugin_entry - Unable to load plugin "cn=Legacy Replication Plugin,cn=plugins,cn=config"
> >
> >I saw a bug about this problem, but it is still open:
> >https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1529442
> >
> >Any idea how to fix the issue?
> >
> >If it is not possible to fix it, can I remove the replica from IPA and install it again with the same name?
>
> A quick fix could be to remove an entry for cn=Legacy Replication Plugin,cn=plugins,cn=config from /etc/dirsrv/slapd-IPA-EXAMPLE-ORG/dse/ldif when dirsrv is down.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
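
The quick fix suggested in the thread (removing the cn=Legacy Replication Plugin entry from the instance's dse.ldif while dirsrv is down), sketched as an added example that is not part of the original messages and is not FreeIPA or 389-ds code. The function names and the sample LDIF are constructed for illustration; it assumes entries are separated by blank lines and does not handle base64-encoded DNs (`dn::`).

```python
import re

# DN named in the thread; matching below ignores case and spacing around ',' and '='.
TARGET_DN = "cn=Legacy Replication Plugin,cn=plugins,cn=config"

# Constructed sample, not a real dse.ldif. The folded DN line shows LDIF wrapping.
SAMPLE = """\
dn: cn=config
objectClass: top
nsslapd-port: 389

dn: cn=Legacy Replication Plugin,cn=plugins,cn=
 config
objectClass: top
objectClass: nsSlapdPlugin
cn: Legacy Replication Plugin
nsslapd-pluginInitfunc: replication_legacy_plugin_init
nsslapd-pluginPath: libreplication-plugin

dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
objectClass: top
cn: Multimaster Replication Plugin
"""

def unfold(block):
    """Join LDIF continuation lines (a newline followed by one space)."""
    return block.replace("\n ", "")

def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def entry_dn(block):
    """Return the normalized DN of one entry block, or None if it has no dn: line."""
    m = re.search(r"^dn:[ \t]*(.*)$", unfold(block), re.MULTILINE | re.IGNORECASE)
    return normalize_dn(m.group(1)) if m else None

def remove_entry(ldif_text, dn):
    """Return (new_text, removed_count) with every entry whose DN equals dn dropped."""
    blocks = re.split(r"\n{2,}", ldif_text.strip("\n"))
    wanted = normalize_dn(dn)
    keep = [b for b in blocks if entry_dn(b) != wanted]
    return "\n\n".join(keep) + "\n", len(blocks) - len(keep)

if __name__ == "__main__":
    new_text, removed = remove_entry(SAMPLE, TARGET_DN)
    print(f"removed {removed} entry/entries")
    print(new_text, end="")
```

On a real server the input would be a copy of the instance's dse.ldif taken with dirsrv stopped, and the original file kept as a backup before the result is written back.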
