Hello,
my FreeIPA installation was working well on Fedora 30. After upgrading to F31, though, it fails to start:
----
# ipactl start
IPA version error: data needs to be upgraded (expected version '4.8.1-4.fc31', current version '4.8.1-1.fc30')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Aborting ipactl
----
Logs:
ipaupgrade.log: https://mailstation.de/ipa-logs/ipaupgrade.log
pki-tomcatd@pki-tomcat log: https://mailstation.de/ipa-logs/pki-tomcatd@pki-tomcat.log
pki-tomcat-ca-debug log: https://mailstation.de/ipa-logs/pki-tomcat-ca-debug.2019-11-02.log
So it looks like the LDAP server isn't reachable but its log says it's running: https://mailstation.de/ipa-logs/dirsrv@MAILSTATION-DE.log
There's nothing listening on ports 389 and 636, though.
Help would be highly appreciated.
Best regards, Wulf
Hello Wulf,
I am having the same problem about three days ago. Related thread in: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Looks like the problem is related to https://pagure.io/dogtagpki/issue/3111
I am waiting for the bugfix or new rpm.
Best regards, Patrick
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
This looks like https://bugzilla.redhat.com/show_bug.cgi?id=1766451
Do you have updates-testing repository enabled? It should provide an update for jss package.
Hello Alexander,
On 2019-11-03 10:08, Alexander Bokovoy via FreeIPA-users wrote:
This looks like https://bugzilla.redhat.com/show_bug.cgi?id=1766451 Do you have updates-testing repository enabled? It should provide an update for jss package.
Thanks for the suggestion! Unfortunately, updating to the newer jss (jss-4.6.2-2.fc31.x86_64) didn't fix my issue.
Reading 1766451 it seems to be different from what I'm seeing.
Best regards, Wulf
Hello Patrick,
On 2019-11-02 20:54, Patrick Dung via FreeIPA-users wrote:
I am having the same problem about three days ago. Related thread in: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thanks, I saw that thread while searching but (possibly wrongly) thought it was a similar but ultimately different problem because as you write there "I am able to connect to my ldap server port 636 with TLS without problem." - which I most certainly am not. There's not even anything listening on 636.
And the stack traces seem different as well.
A rather huge difference as well: In the pagure issue, the PKI server is running whereas mine at least consistently refuses to start.
Best regards, Wulf
Hello Wulf,
Oh yes, in your case, the slapd directory server is started but does not seem to be listening on 389/636, according to the log file. On another further look, yes, you are right, the stack trace looks different from the one in Pagure.
As a side note, I had tried to install the jss rpm from the updates-testing channel (according to Bugzilla #1766451). One of the replica servers can complete the ipa-server-upgrade but the pki-tomcat failed to function properly. I had mentioned it in another mail: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Best regards,
Patrick
----- Original Message -----
From: "Alexander Bokovoy via FreeIPA-users" freeipa-users@lists.fedorahosted.org
To: "FreeIPA users list" freeipa-users@lists.fedorahosted.org
Cc: "Wulf C. Krueger" wk@mailstation.de, "Alexander Bokovoy" abokovoy@redhat.com
Sent: Sunday, November 3, 2019 4:08:09 AM
Subject: [Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start
This looks like https://bugzilla.redhat.com/show_bug.cgi?id=1766451 Do you have updates-testing repository enabled? It should provide an update for jss package.
Alexander,
I don't think this is that bug at all. That bug (#1766451) was an issue in JSS with a stacktrace ending in the NativeProxy class, caused by an improvement in NativeProxy. That led to a member used in the equals(...) comparator to be NULL, which is less than ideal.
These backtraces from Wulf don't end in JSS at all. In fact, JSS seems to initialize just fine around 2019-11-02 11:55:34 in the Tomcat debug log. This seems like a bug in the LDAPProfileSubsystem of Dogtag.
My 2c.
- Alex
-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Thanks, Alex. I hope you can help then with debugging it?
As to #1766451, we seem to hit it in FreeIPA CI regularly. I hope https://bodhi.fedoraproject.org/updates/FEDORA-2019-4129cdf50b will get pushed soon...
Hello Alex,
On 2019-11-04 16:49, Alex Scheel via FreeIPA-users wrote:
These backtraces from Wulf don't end in JSS at all. In fact, JSS seems to initialize just fine around 2019-11-02 11:55:34 in the Tomcat debug log. This seems like a bug in the LDAPProfileSubsystem of Dogtag.
Thanks for chiming in - any suggestions on how to proceed?
I'm wondering why the LDAP server *only* seems to be listening on that socket (cf. log) instead of (or in addition to) ports 389/636.
Best regards, Wulf
I think it is a red herring. ipa-server-upgrade switches off 389/636 during upgrade to prevent inconsistency leaking out for replication. If something unexpected happens during the upgrade when these ports were disabled, they might be left disabled. The question is why it was left in a state it was left in.
Wulf,
Along these lines -- in ipaupgrade.log, I see:
2019-11-02T10:55:29Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2019-11-02T10:57:00Z DEBUG Process finished, return code=1
2019-11-02T10:57:00Z DEBUG stdout=
2019-11-02T10:57:00Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
However, the pki-tomcat-ca-debug.2019-11-02.log you posted doesn't have any entries from around this time.
Additionally, though perhaps a red herring, I see:
2019-11-02T10:55:29Z DEBUG Failed to check CA status: cannot connect to 'http://ipa.mailstation.de:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
So perhaps the Tomcat debug logs from 10:50 -> 11:00 might be a good place to start? Maybe there's an hour shift in there, but I assume the logs would have similar timestamps since they're on the same system.
- Alex
Hello Alex,
On 2019-11-04 18:20, Alex Scheel via FreeIPA-users wrote:
2019-11-02T10:57:00Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
However, the pki-tomcat-ca-debug.2019-11-02.log you posted doesn't have any entries from around this time.
That's weird - it should have been in there. Maybe I've missed a log; in order to fix that, I've tried starting FreeIPA again and have uploaded the resulting new logs: https://mailstation.de/ipa-logs/new/
Unfortunately, I basically only understand that the connection to LDAP fails but I don't understand why.
Best regards, Wulf
On 2019-11-05 13:47, Wulf C. Krueger via FreeIPA-users wrote:
I've tried starting FreeIPA again and have uploaded the resulting new logs: https://mailstation.de/ipa-logs/new/
Well, since there don't seem to be any ideas how to salvage that installation (logs still available in the location mentioned above), is there a way to at least recover its data and move that to a new installation?
Best regards, Wulf
On 2019-11-02 13:47, Wulf C. Krueger wrote:
my FreeIPA installation was working well on Fedora 30. After upgrading to F31, though, it fails to start:
For posterity's sake as well as that of anyone facing the same issue:
For some reason, the IP of the host FreeIPA runs on changed, which, admittedly, can upset the most mild-mannered server. Especially if the local DNS doesn't get updated either.
I didn't notice it because the FreeIPA host is behind a reverse proxy.
Best regards, Wulf
Sorry we couldn't be of more help, but glad you figured it out. :)
Does this mean you had IPA and LDAP running on separate servers? Seems weird that it'd fail in Dogtag with:
2019-11-05 11:19:33 [main] FINE: LdapBoundConnection: Connecting to ipa.mailstation.de:636 with client cert auth
2019-11-05 11:19:33 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
2019-11-05 11:19:33 [main] SEVERE: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused)
If the IP changed and you were connecting to IPA via that DNS entry.
- Alex
I suffer the exact same problem and already tried to upgrade twice but every time the update fails.
The ldap server does not listen when I check with ss or netstat. I reverted back to Fedora 30 with snapshots every time.
Can someone help me to work this around. The OP writes of an IP that changed but mine didn't. Where can I find a clue why ldap does not listen?
Jochen
On 1/20/20 9:39 AM, Jochen Demmer via FreeIPA-users wrote:
I suffer the exact same problem and already tried to upgrade twice but every time the update fails.
The ldap server does not listen when I check with ss or netstat. I reverted back to Fedora 30 with snapshots every time.
Hi,
can you paste the logs from /var/logs/ipaupgrade.log? We would need the full logs as the error may differ between a first run and a second run. When the packages are upgraded, the script ipa-server-upgrade is called and starts by disabling the LDAP server ports to avoid any LDAP operation during the upgrade. Then the script performs its duty, and re-enables the port. If there is an untrapped failure before the ports are re-enabled, or the user repeatedly presses CTRL-C, we sometimes end up in a situation where the ports are still disabled (please see ticket https://pagure.io/freeipa/issue/7534) after the ipa-server-upgrade script exits. If the user re-runs ipa-server-upgrade at this point, the script output will be completely different but will not give us any hint related to the original failure root cause. That's why we need the full logs.
If you are in a situation where the LDAP server isn't listening:
0. stop IPA with ipactl stop
1. edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
2. set nsslapd-port to 389
3. set nsslapd-security to on
4. set nsslapd-global-backend-lock to off (if you have this attribute at all)
5. restart IPA with ipactl start
If the services are able to restart at this point, try to run ipa-server-upgrade and provide full logs.
HTH, flo
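A read-only check that goes with the steps above, as an added example that is not part of the original thread and not FreeIPA code: it parses the cn=config entry of a dse.ldif and reports which of the three attributes differ from the values named in the steps. The sample LDIF is constructed, the "disabled" values in it (port 0, security off, lock on) are an assumption about the stuck state, and all function names are hypothetical.

```python
import base64
import sys

# Target values taken from the recovery steps in the message above.
EXPECTED = {
    "nsslapd-port": "389",
    "nsslapd-security": "on",
    "nsslapd-global-backend-lock": "off",
}
# The steps say this attribute may be absent; absence is not a finding.
OPTIONAL = {"nsslapd-global-backend-lock"}

# Constructed sample, not taken from the thread. The "disabled" values
# (port 0, security off, lock on) are an assumption about the stuck state.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
nsslapd-port: 0
nsslapd-security: off
nsslapd-global-backend-lock: on
nsslapd-ldapilisten: on
nsslapd-rootdn: cn=Directory Mana
 ger

dn: cn=example,cn=config
nsslapd-port: 389
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def config_entry(text):
    """Return {attribute: [values]} for the 'dn: cn=config' entry only."""
    attrs = {}
    in_config = False
    for line in unfold(text):
        if not line.strip():
            if in_config:
                break  # a blank line ends the entry we were reading
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            # Exact match, so child entries such as cn=example,cn=config are skipped.
            in_config = value.replace(" ", "").lower() == "cn=config"
        elif in_config:
            attrs.setdefault(name, []).append(value)
    return attrs


def listener_findings(text):
    """List (attribute, current value or None, expected value) for each mismatch."""
    attrs = config_entry(text)
    findings = []
    for name, expected in EXPECTED.items():
        values = attrs.get(name)
        if values is None:
            if name not in OPTIONAL:
                findings.append((name, None, expected))
            continue
        current = values[-1]
        if current.lower() != expected:
            findings.append((name, current, expected))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            ldif = fh.read()
    else:
        ldif = SAMPLE_DSE
    problems = listener_findings(ldif)
    for name, current, expected in problems:
        shown = "not set" if current is None else current
        print(f"{name}: {shown} (steps above say {expected})")
    if not problems:
        print("cn=config listener settings match the steps above")
    sys.exit(1 if problems else 0)
```

Pass the path of the instance's dse.ldif as the only argument; without an argument the script checks the embedded sample.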
Hi,
after quite some time I gave it another try.
1. Upgrade to Fedora 31
2. After Reboot service won't come up

[root@srv107 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

[root@srv107 ipa]# systemctl restart ipa
Job for ipa.service failed because the control process exited with error code.
See "systemctl status ipa.service" and "journalctl -xe" for details.

ipa-server-upgrade
[...]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The full ipaupgrade.log is quite large with 20 MB, this is the last part of it:
2020-01-30T22:44:04Z DEBUG top 2020-01-30T22:44:04Z DEBUG extensibleObject 2020-01-30T22:44:04Z DEBUG schema-compat-container-group: 2020-01-30T22:44:04Z DEBUG cn=compat, dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-container-rdn: 2020-01-30T22:44:04Z DEBUG cn=groups 2020-01-30T22:44:04Z DEBUG schema-compat-entry-attribute: 2020-01-30T22:44:04Z DEBUG gidNumber=%{gidNumber} 2020-01-30T22:44:04Z DEBUG memberUid=%deref_r("member","uid") 2020-01-30T22:44:04Z DEBUG objectclass=posixGroup 2020-01-30T22:44:04Z DEBUG memberUid=%{memberUid} 2020-01-30T22:44:04Z DEBUG objectclass=ipaexternalgroup 2020-01-30T22:44:04Z DEBUG ipaexternalmember=%deref_r("member","ipaexternalmember") 2020-01-30T22:44:04Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 2020-01-30T22:44:04Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:unix.domain.net:%{ipauniqueid}","") 2020-01-30T22:44:04Z DEBUG ipaanchoruuid=%{ipaanchoruuid} 2020-01-30T22:44:04Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") 2020-01-30T22:44:04Z DEBUG schema-compat-entry-rdn: 2020-01-30T22:44:04Z DEBUG cn=%{cn} 2020-01-30T22:44:04Z DEBUG schema-compat-ignore-subtree: 2020-01-30T22:44:04Z DEBUG cn=dna,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-restrict-subtree: 2020-01-30T22:44:04Z DEBUG cn=Schema Compatibility,cn=plugins,cn=config 2020-01-30T22:44:04Z DEBUG dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-search-base: 2020-01-30T22:44:04Z DEBUG cn=groups, cn=accounts, dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-search-filter: 2020-01-30T22:44:04Z DEBUG objectclass=posixGroup 2020-01-30T22:44:04Z DEBUG [] 2020-01-30T22:44:04Z DEBUG Updated 0 2020-01-30T22:44:04Z DEBUG Done 2020-01-30T22:44:04Z DEBUG Updating existing entry: cn=users,cn=Schema 
Compatibility,cn=plugins,cn=config 2020-01-30T22:44:04Z DEBUG --------------------------------------------- 2020-01-30T22:44:04Z DEBUG Initial value 2020-01-30T22:44:04Z DEBUG dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config 2020-01-30T22:44:04Z DEBUG cn: 2020-01-30T22:44:04Z DEBUG users 2020-01-30T22:44:04Z DEBUG objectClass: 2020-01-30T22:44:04Z DEBUG top 2020-01-30T22:44:04Z DEBUG extensibleObject 2020-01-30T22:44:04Z DEBUG schema-compat-container-group: 2020-01-30T22:44:04Z DEBUG cn=compat, dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-container-rdn: 2020-01-30T22:44:04Z DEBUG cn=users 2020-01-30T22:44:04Z DEBUG schema-compat-entry-attribute: 2020-01-30T22:44:04Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") 2020-01-30T22:44:04Z DEBUG cn=%{cn} 2020-01-30T22:44:04Z DEBUG objectclass=posixAccount 2020-01-30T22:44:04Z DEBUG gidNumber=%{gidNumber} 2020-01-30T22:44:04Z DEBUG gecos=%{cn} 2020-01-30T22:44:04Z DEBUG ipaanchoruuid=%{ipaanchoruuid} 2020-01-30T22:44:04Z DEBUG homeDirectory=%{homeDirectory} 2020-01-30T22:44:04Z DEBUG uidNumber=%{uidNumber} 2020-01-30T22:44:04Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 2020-01-30T22:44:04Z DEBUG loginShell=%{loginShell} 2020-01-30T22:44:04Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:unix.domain.net:%{ipauniqueid}","") 2020-01-30T22:44:04Z DEBUG uid=%{uid} 2020-01-30T22:44:04Z DEBUG schema-compat-entry-rdn: 2020-01-30T22:44:04Z DEBUG uid=%first("%{uid}") 2020-01-30T22:44:04Z DEBUG schema-compat-ignore-subtree: 2020-01-30T22:44:04Z DEBUG cn=dna,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-restrict-subtree: 2020-01-30T22:44:04Z DEBUG cn=Schema Compatibility,cn=plugins,cn=config 2020-01-30T22:44:04Z DEBUG dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG 
schema-compat-search-base: 2020-01-30T22:44:04Z DEBUG cn=users, cn=accounts, dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-search-filter: 2020-01-30T22:44:04Z DEBUG objectclass=posixAccount 2020-01-30T22:44:04Z DEBUG add: 'uid=%{uid}' to schema-compat-entry-attribute, current value ['%ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")', 'cn=%{cn}', 'objectclass=posixAccount', 'gidNumber=%{gidNumber}', 'gecos=%{cn}', 'ipaanchoruuid=%{ipaanchoruuid}', 'homeDirectory=%{homeDirectory}', 'uidNumber=%{uidNumber}', '%ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")', 'loginShell=%{loginShell}', '%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:unix.domain.net:%{ipauniqueid}","")', 'uid=%{uid}'] 2020-01-30T22:44:04Z DEBUG add: updated value ['%ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","")', 'cn=%{cn}', 'objectclass=posixAccount', 'gidNumber=%{gidNumber}', 'gecos=%{cn}', 'ipaanchoruuid=%{ipaanchoruuid}', 'homeDirectory=%{homeDirectory}', 'uidNumber=%{uidNumber}', '%ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","")', 'loginShell=%{loginShell}', '%ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:unix.domain.net:%{ipauniqueid}","")', 'uid=%{uid}'] 2020-01-30T22:44:04Z DEBUG replace: uid=%{uid} not found, skipping 2020-01-30T22:44:04Z DEBUG --------------------------------------------- 2020-01-30T22:44:04Z DEBUG Final value after applying updates 2020-01-30T22:44:04Z DEBUG dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config 2020-01-30T22:44:04Z DEBUG cn: 2020-01-30T22:44:04Z DEBUG users 2020-01-30T22:44:04Z DEBUG objectClass: 2020-01-30T22:44:04Z DEBUG top 2020-01-30T22:44:04Z DEBUG extensibleObject 2020-01-30T22:44:04Z DEBUG schema-compat-container-group: 2020-01-30T22:44:04Z DEBUG cn=compat, dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-container-rdn: 2020-01-30T22:44:04Z DEBUG cn=users 2020-01-30T22:44:04Z 
DEBUG schema-compat-entry-attribute: 2020-01-30T22:44:04Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") 2020-01-30T22:44:04Z DEBUG cn=%{cn} 2020-01-30T22:44:04Z DEBUG objectclass=posixAccount 2020-01-30T22:44:04Z DEBUG gidNumber=%{gidNumber} 2020-01-30T22:44:04Z DEBUG gecos=%{cn} 2020-01-30T22:44:04Z DEBUG ipaanchoruuid=%{ipaanchoruuid} 2020-01-30T22:44:04Z DEBUG homeDirectory=%{homeDirectory} 2020-01-30T22:44:04Z DEBUG uidNumber=%{uidNumber} 2020-01-30T22:44:04Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 2020-01-30T22:44:04Z DEBUG loginShell=%{loginShell} 2020-01-30T22:44:04Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:unix.domain.net:%{ipauniqueid}","") 2020-01-30T22:44:04Z DEBUG uid=%{uid} 2020-01-30T22:44:04Z DEBUG schema-compat-entry-rdn: 2020-01-30T22:44:04Z DEBUG uid=%first("%{uid}") 2020-01-30T22:44:04Z DEBUG schema-compat-ignore-subtree: 2020-01-30T22:44:04Z DEBUG cn=dna,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-restrict-subtree: 2020-01-30T22:44:04Z DEBUG cn=Schema Compatibility,cn=plugins,cn=config 2020-01-30T22:44:04Z DEBUG dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-search-base: 2020-01-30T22:44:04Z DEBUG cn=users, cn=accounts, dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:04Z DEBUG schema-compat-search-filter: 2020-01-30T22:44:04Z DEBUG objectclass=posixAccount 2020-01-30T22:44:04Z DEBUG [] 2020-01-30T22:44:04Z DEBUG Updated 0 2020-01-30T22:44:04Z DEBUG Done 2020-01-30T22:44:04Z DEBUG LDAP update duration: /usr/share/ipa/updates/80-schema_compat.update 1.146 sec 2020-01-30T22:44:04Z DEBUG Parsing update file '/usr/share/ipa/updates/90-post_upgrade_plugins.update' 2020-01-30T22:44:04Z DEBUG Executing upgrade plugin: update_ca_topology 2020-01-30T22:44:04Z DEBUG raw: update_ca_topology 2020-01-30T22:44:04Z DEBUG 
Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:04Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:04Z DEBUG importing all plugin modules in ipaserver.plugins... 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.aci 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.automember 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.automount 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.baseldap 2020-01-30T22:44:04Z DEBUG ipaserver.plugins.baseldap is not a valid plugin module 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.baseuser 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.batch 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.ca 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.caacl 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.cert 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.certmap 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.certprofile 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.config 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.delegation 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.dns 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.dnsserver 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.dogtag 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.domainlevel 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.group 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.hbac 2020-01-30T22:44:04Z DEBUG ipaserver.plugins.hbac is not a valid plugin module 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.hbacrule 2020-01-30T22:44:04Z DEBUG importing plugin module 
ipaserver.plugins.hbacsvc 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.hbactest 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.host 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.hostgroup 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.idrange 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.idviews 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.internal 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.join 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.krbtpolicy 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.ldap2 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.location 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.migration 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.misc 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.netgroup 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.otp 2020-01-30T22:44:04Z DEBUG ipaserver.plugins.otp is not a valid plugin module 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.otpconfig 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.otptoken 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.passwd 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.permission 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.ping 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.pkinit 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.privilege 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.pwpolicy 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.rabase 2020-01-30T22:44:04Z DEBUG 
ipaserver.plugins.rabase is not a valid plugin module 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.radiusproxy 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.realmdomains 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.role 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.schema 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.selfservice 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.selinuxusermap 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.server 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.serverrole 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.serverroles 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.service 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.servicedelegation 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.session 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.stageuser 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.sudo 2020-01-30T22:44:04Z DEBUG ipaserver.plugins.sudo is not a valid plugin module 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.sudocmd 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.sudocmdgroup 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.sudorule 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.topology 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.trust 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.user 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.vault 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.virtual 2020-01-30T22:44:04Z DEBUG ipaserver.plugins.virtual is not a valid plugin module 2020-01-30T22:44:04Z DEBUG importing plugin module 
ipaserver.plugins.whoami 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.plugins.xmlserver 2020-01-30T22:44:04Z DEBUG importing all plugin modules in ipaserver.install.plugins... 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.adtrust 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.ca_renewal_master 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.dns 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.fix_kra_people_entry 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.fix_replica_agreements 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.rename_managed 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_ca_topology 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_dna_shared_config 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_fix_duplicate_cacrt_in_ldap 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_idranges 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_ldap_server_list 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_managed_permissions 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_nis 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_pacs 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_passsync 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_ra_cert_store 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_referint 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_services 2020-01-30T22:44:04Z DEBUG importing plugin module 
ipaserver.install.plugins.update_unhashed_password 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness 2020-01-30T22:44:04Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt 2020-01-30T22:44:07Z DEBUG Created connection context.ldap2_140295363379856 2020-01-30T22:44:07Z DEBUG Destroyed connection context.ldap2_140295363379856 2020-01-30T22:44:07Z DEBUG Created connection context.ldap2_140295363379856 2020-01-30T22:44:07Z DEBUG Parsing update file '/usr/share/ipa/ca-topology.uldif' 2020-01-30T22:44:07Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:44:07Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990ebba690> 2020-01-30T22:44:07Z DEBUG Updating existing entry: cn=srv107.domain.net,cn=masters,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Initial value 2020-01-30T22:44:07Z DEBUG dn: cn=srv107.domain.net,cn=masters,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG srv107.domain.net 2020-01-30T22:44:07Z DEBUG ipaMaxDomainLevel: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG ipaMinDomainLevel: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG ipaReplTopoManagedSuffix: 2020-01-30T22:44:07Z DEBUG dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG nsContainer 2020-01-30T22:44:07Z DEBUG ipaReplTopoManagedServer 2020-01-30T22:44:07Z DEBUG ipaConfigObject 2020-01-30T22:44:07Z DEBUG ipaSupportedDomainLevelConfig 2020-01-30T22:44:07Z DEBUG add: 'ipaReplTopoManagedServer' to objectclass, current value ['top', 'nsContainer', 'ipaReplTopoManagedServer', 'ipaConfigObject', 
'ipaSupportedDomainLevelConfig'] 2020-01-30T22:44:07Z DEBUG add: updated value ['top', 'nsContainer', 'ipaConfigObject', 'ipaSupportedDomainLevelConfig', 'ipaReplTopoManagedServer'] 2020-01-30T22:44:07Z DEBUG add: 'o=ipaca' to ipaReplTopoManagedSuffix, current value ['dc=unix,dc=domain.net,dc=net', 'o=ipaca'] 2020-01-30T22:44:07Z DEBUG add: updated value ['dc=unix,dc=domain.net,dc=net', 'o=ipaca'] 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Final value after applying updates 2020-01-30T22:44:07Z DEBUG dn: cn=srv107.domain.net,cn=masters,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG srv107.domain.net 2020-01-30T22:44:07Z DEBUG ipaMaxDomainLevel: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG ipaMinDomainLevel: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG ipaReplTopoManagedSuffix: 2020-01-30T22:44:07Z DEBUG dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG nsContainer 2020-01-30T22:44:07Z DEBUG ipaConfigObject 2020-01-30T22:44:07Z DEBUG ipaSupportedDomainLevelConfig 2020-01-30T22:44:07Z DEBUG ipaReplTopoManagedServer 2020-01-30T22:44:07Z DEBUG [] 2020-01-30T22:44:07Z DEBUG Updated 0 2020-01-30T22:44:07Z DEBUG Done 2020-01-30T22:44:07Z DEBUG Updating existing entry: cn=ca,cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Initial value 2020-01-30T22:44:07Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG ca 2020-01-30T22:44:07Z DEBUG ipaReplTopoConfRoot: 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG iparepltopoconf 2020-01-30T22:44:07Z DEBUG 
--------------------------------------------- 2020-01-30T22:44:07Z DEBUG Final value after applying updates 2020-01-30T22:44:07Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG ca 2020-01-30T22:44:07Z DEBUG ipaReplTopoConfRoot: 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG iparepltopoconf 2020-01-30T22:44:07Z DEBUG [] 2020-01-30T22:44:07Z DEBUG Updated 0 2020-01-30T22:44:07Z DEBUG Done 2020-01-30T22:44:07Z DEBUG Updating existing entry: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Initial value 2020-01-30T22:44:07Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG replica 2020-01-30T22:44:07Z DEBUG nsDS5Flags: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDN: 2020-01-30T22:44:07Z DEBUG cn=replication manager,cn=config 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDNGroup: 2020-01-30T22:44:07Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDnGroupCheckInterval: 2020-01-30T22:44:07Z DEBUG 60 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaId: 2020-01-30T22:44:07Z DEBUG 10 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaName: 2020-01-30T22:44:07Z DEBUG 1a150602-989311e8-a96ae1e4-db67e289 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaRoot: 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaType: 2020-01-30T22:44:07Z DEBUG 3 2020-01-30T22:44:07Z DEBUG nsState: 2020-01-30T22:44:07Z DEBUG CgAAAAAAAAD3TjNeAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== 2020-01-30T22:44:07Z DEBUG nsds5ReplicaBackoffMax: 2020-01-30T22:44:07Z DEBUG 300 2020-01-30T22:44:07Z DEBUG nsds5ReplicaLegacyConsumer: 2020-01-30T22:44:07Z DEBUG off 2020-01-30T22:44:07Z DEBUG 
nsds5ReplicaReleaseTimeout: 2020-01-30T22:44:07Z DEBUG 60 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG nsds5replica 2020-01-30T22:44:07Z DEBUG extensibleobject 2020-01-30T22:44:07Z DEBUG nsds5ReplicaChangeCount: 2020-01-30T22:44:07Z DEBUG 711 2020-01-30T22:44:07Z DEBUG nsds5replicareapactive: 2020-01-30T22:44:07Z DEBUG 0 2020-01-30T22:44:07Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net' to nsds5replicabinddngroup, current value ['cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net'] 2020-01-30T22:44:07Z DEBUG onlyifexist: set nsds5replicabinddngroup to ['cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net'] 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Final value after applying updates 2020-01-30T22:44:07Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG replica 2020-01-30T22:44:07Z DEBUG nsDS5Flags: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDN: 2020-01-30T22:44:07Z DEBUG cn=replication manager,cn=config 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDNGroup: 2020-01-30T22:44:07Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDnGroupCheckInterval: 2020-01-30T22:44:07Z DEBUG 60 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaId: 2020-01-30T22:44:07Z DEBUG 10 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaName: 2020-01-30T22:44:07Z DEBUG 1a150602-989311e8-a96ae1e4-db67e289 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaRoot: 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaType: 2020-01-30T22:44:07Z DEBUG 3 2020-01-30T22:44:07Z DEBUG nsState: 2020-01-30T22:44:07Z DEBUG CgAAAAAAAAD3TjNeAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== 2020-01-30T22:44:07Z DEBUG nsds5ReplicaBackoffMax: 2020-01-30T22:44:07Z 
DEBUG 300 2020-01-30T22:44:07Z DEBUG nsds5ReplicaLegacyConsumer: 2020-01-30T22:44:07Z DEBUG off 2020-01-30T22:44:07Z DEBUG nsds5ReplicaReleaseTimeout: 2020-01-30T22:44:07Z DEBUG 60 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG nsds5replica 2020-01-30T22:44:07Z DEBUG extensibleobject 2020-01-30T22:44:07Z DEBUG nsds5ReplicaChangeCount: 2020-01-30T22:44:07Z DEBUG 711 2020-01-30T22:44:07Z DEBUG nsds5replicareapactive: 2020-01-30T22:44:07Z DEBUG 0 2020-01-30T22:44:07Z DEBUG [] 2020-01-30T22:44:07Z DEBUG Updated 0 2020-01-30T22:44:07Z DEBUG Done 2020-01-30T22:44:07Z DEBUG LDAP update duration: /usr/share/ipa/ca-topology.uldif 0.510 sec 2020-01-30T22:44:07Z DEBUG Destroyed connection context.ldap2_140295363379856 2020-01-30T22:44:07Z DEBUG Executing upgrade plugin: update_ipaconfigstring_dnsversion_to_ipadnsversion 2020-01-30T22:44:07Z DEBUG raw: update_ipaconfigstring_dnsversion_to_ipadnsversion 2020-01-30T22:44:07Z DEBUG Executing upgrade plugin: update_dnszones 2020-01-30T22:44:07Z DEBUG raw: update_dnszones 2020-01-30T22:44:07Z DEBUG raw: dnszone_find(None, all=True, version='2.235') 2020-01-30T22:44:07Z DEBUG dnszone_find(None, forward_only=False, all=True, raw=False, version='2.235', pkey_only=False) 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_dns_limits 2020-01-30T22:44:08Z DEBUG raw: update_dns_limits 2020-01-30T22:44:08Z DEBUG DNS: limits for service krbprincipalname=DNS/srv107.domain.net@UNIX.domain.net,cn=services,cn=accounts,dc=unix,dc=domain.net,dc=net already set 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_sigden_extdom_broken_config 2020-01-30T22:44:08Z DEBUG raw: update_sigden_extdom_broken_config 2020-01-30T22:44:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:44:08Z DEBUG Already done, skipping 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_sids 2020-01-30T22:44:08Z DEBUG raw: update_sids 2020-01-30T22:44:08Z DEBUG 
Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:44:08Z DEBUG SIDs do not need to be generated 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_default_range 2020-01-30T22:44:08Z DEBUG raw: update_default_range 2020-01-30T22:44:08Z DEBUG default_range: ipaDomainIDRange entry found, skip plugin 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_default_trust_view 2020-01-30T22:44:08Z DEBUG raw: update_default_trust_view 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_tdo_gidnumber 2020-01-30T22:44:08Z DEBUG raw: update_tdo_gidnumber 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_tdo_to_new_layout 2020-01-30T22:44:08Z DEBUG raw: update_tdo_to_new_layout 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_host_cifs_keytabs 2020-01-30T22:44:08Z DEBUG raw: update_host_cifs_keytabs 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_tdo_default_read_keys_permissions 2020-01-30T22:44:08Z DEBUG raw: update_tdo_default_read_keys_permissions 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD 
Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_adtrust_agents_members 2020-01-30T22:44:08Z DEBUG raw: update_adtrust_agents_members 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_ca_renewal_master 2020-01-30T22:44:08Z DEBUG raw: update_ca_renewal_master 2020-01-30T22:44:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:08Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:08Z DEBUG found CA renewal master srv107.domain.net 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_idrange_type 2020-01-30T22:44:08Z DEBUG raw: update_idrange_type 2020-01-30T22:44:08Z DEBUG update_idrange_type: search for ID ranges with no type set 2020-01-30T22:44:08Z DEBUG update_idrange_type: no ID range without type set found 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_pacs 2020-01-30T22:44:08Z DEBUG raw: update_pacs 2020-01-30T22:44:08Z DEBUG PAC for nfs is already set, not adding nfs:NONE. 
2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_service_principalalias 2020-01-30T22:44:08Z DEBUG raw: update_service_principalalias 2020-01-30T22:44:08Z DEBUG update_service_principalalias: search for affected services 2020-01-30T22:44:08Z DEBUG update_service_principalalias: no service to update found 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_fix_duplicate_cacrt_in_ldap 2020-01-30T22:44:08Z DEBUG raw: update_fix_duplicate_cacrt_in_ldap 2020-01-30T22:44:08Z DEBUG raw: ca_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG ca_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG Found 1 entrie(s) for IPA CA in LDAP 2020-01-30T22:44:08Z DEBUG Destroyed connection context.ldap2_140295362935568 2020-01-30T22:44:08Z DEBUG Restarting directory server to apply updates 2020-01-30T22:44:08Z DEBUG Destroyed connection context.ldap2_140295386233872 2020-01-30T22:44:08Z DEBUG Starting external process 2020-01-30T22:44:08Z DEBUG args=['/bin/systemctl', 'restart', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:44:21Z DEBUG Process finished, return code=0 2020-01-30T22:44:21Z DEBUG stdout= 2020-01-30T22:44:21Z DEBUG stderr= 2020-01-30T22:44:21Z DEBUG Restart of dirsrv@UNIX-domain.net-NET.service complete 2020-01-30T22:44:21Z DEBUG Created connection context.ldap2_140295386233872 2020-01-30T22:44:21Z DEBUG Created connection context.ldap2_140295362935568 2020-01-30T22:44:21Z DEBUG Executing upgrade plugin: update_upload_cacrt 2020-01-30T22:44:21Z DEBUG raw: update_upload_cacrt 2020-01-30T22:44:21Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:21Z DEBUG raw: ca_is_enabled(version='2.235') 2020-01-30T22:44:21Z DEBUG ca_is_enabled(version='2.235') 2020-01-30T22:44:21Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:44:21Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-UNIX-domain.net-NET.socket 
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f99100db190> 2020-01-30T22:44:21Z DEBUG Starting external process 2020-01-30T22:44:21Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-UNIX-domain.net-NET/', '-L', '-f', '/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'] 2020-01-30T22:44:22Z DEBUG Process finished, return code=0 2020-01-30T22:44:22Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
UNIX.domain.net IPA CA CT,C,C Server-Cert u,u,u
2020-01-30T22:44:22Z DEBUG stderr= 2020-01-30T22:44:22Z DEBUG Starting external process 2020-01-30T22:44:22Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-UNIX-domain.net-NET/', '-L', '-n', 'UNIX.domain.net IPA CA', '-a', '-f', '/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'] 2020-01-30T22:44:22Z DEBUG Process finished, return code=0 2020-01-30T22:44:22Z DEBUG stdout=-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
2020-01-30T22:44:22Z DEBUG stderr= 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_ra_cert_store 2020-01-30T22:44:22Z DEBUG raw: update_ra_cert_store 2020-01-30T22:44:22Z DEBUG raw: ca_is_enabled(version='2.235') 2020-01-30T22:44:22Z DEBUG ca_is_enabled(version='2.235') 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_mapping_Guests_to_nobody 2020-01-30T22:44:22Z DEBUG raw: update_mapping_Guests_to_nobody 2020-01-30T22:44:22Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:22Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:22Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: fix_kra_people_entry 2020-01-30T22:44:22Z DEBUG raw: fix_kra_people_entry 2020-01-30T22:44:22Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:22Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_master_to_dnsforwardzones 2020-01-30T22:44:22Z DEBUG raw: update_master_to_dnsforwardzones 2020-01-30T22:44:22Z DEBUG raw: dnsconfig_show(all=True, version='2.235') 2020-01-30T22:44:22Z DEBUG dnsconfig_show(rights=False, all=True, raw=False, version='2.235') 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_dnsforward_emptyzones 2020-01-30T22:44:22Z DEBUG raw: update_dnsforward_emptyzones 2020-01-30T22:44:22Z DEBUG raw: dnsconfig_show(all=True, version='2.235') 2020-01-30T22:44:22Z DEBUG dnsconfig_show(rights=False, all=True, raw=False, version='2.235') 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_managed_post 2020-01-30T22:44:22Z DEBUG raw: update_managed_post 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_managed_permissions 2020-01-30T22:44:22Z DEBUG raw: update_managed_permissions 2020-01-30T22:44:22Z DEBUG Anonymous ACI not found 2020-01-30T22:44:22Z DEBUG Updating managed permissions for automember 2020-01-30T22:44:22Z DEBUG Updating 
managed permission: System: Read Automember Definitions 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Automember Definitions 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Automember Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Automember Rules 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Automember Tasks 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Automember Tasks 2020-01-30T22:44:22Z DEBUG Updating managed permissions for automountkey 2020-01-30T22:44:22Z DEBUG Legacy permission Add Automount keys not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Automount Keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Automount Keys 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Automount keys not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Automount Keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Automount Keys 2020-01-30T22:44:22Z DEBUG Legacy permission Remove Automount keys not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Automount Keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Automount Keys 2020-01-30T22:44:22Z DEBUG Updating managed permissions for automountlocation 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Automount Locations 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Automount Locations 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Automount Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Automount Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Automount Locations 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Automount Locations 2020-01-30T22:44:22Z DEBUG Updating managed permissions for automountmap 2020-01-30T22:44:22Z DEBUG 
Legacy permission Add Automount maps not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Automount Maps 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Automount Maps 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Automount maps not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Automount Maps 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Automount Maps 2020-01-30T22:44:22Z DEBUG Legacy permission Remove Automount maps not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Automount Maps 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Automount Maps 2020-01-30T22:44:22Z DEBUG Updating managed permissions for ca 2020-01-30T22:44:22Z DEBUG Legacy permission Add CA not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add CA 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add CA 2020-01-30T22:44:22Z DEBUG Legacy permission Delete CA not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete CA 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete CA 2020-01-30T22:44:22Z DEBUG Legacy permission Modify CA not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify CA 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify CA 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read CAs 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read CAs 2020-01-30T22:44:22Z DEBUG Updating managed permissions for caacl 2020-01-30T22:44:22Z DEBUG Legacy permission Add CA ACL not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add CA ACL 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add CA ACL 2020-01-30T22:44:22Z DEBUG Legacy permission Delete CA ACL not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete CA ACL 2020-01-30T22:44:22Z DEBUG No changes to 
permission: System: Delete CA ACL 2020-01-30T22:44:22Z DEBUG Legacy permission Manage CA ACL membership not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage CA ACL Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage CA ACL Membership 2020-01-30T22:44:22Z DEBUG Legacy permission Modify CA ACL not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify CA ACL 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify CA ACL 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read CA ACLs 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read CA ACLs 2020-01-30T22:44:22Z DEBUG Updating managed permissions for certmapconfig 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Certmap Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Certmap Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Certmap Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Certmap Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for certmaprule 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Certmap Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Certmap Rules 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete Certmap Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete Certmap Rules 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Certmap Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Certmap Rules 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Certmap Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Certmap Rules 2020-01-30T22:44:22Z DEBUG Updating managed permissions for certprofile 2020-01-30T22:44:22Z DEBUG Legacy permission Delete Certificate Profile not found 
2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete Certificate Profile 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete Certificate Profile 2020-01-30T22:44:22Z DEBUG Legacy permission Import Certificate Profile not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Import Certificate Profile 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Import Certificate Profile 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Certificate Profile not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Certificate Profile 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Certificate Profile 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Certificate Profiles 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Certificate Profiles 2020-01-30T22:44:22Z DEBUG Updating managed permissions for config 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Global Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Global Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for cosentry 2020-01-30T22:44:22Z DEBUG Legacy permission Add Group Password Policy costemplate not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG Legacy permission Delete Group Password Policy costemplate not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Group Password Policy costemplate not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Group Password Policy costemplate 
2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG Updating managed permissions for dnsconfig 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read DNS Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read DNS Configuration 2020-01-30T22:44:22Z DEBUG Legacy permission Write DNS Configuration not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Write DNS Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Write DNS Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for dnsserver 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify DNS Servers Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify DNS Servers Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read DNS Servers Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read DNS Servers Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for dnszone 2020-01-30T22:44:22Z DEBUG Legacy permission add dns entries not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add DNS Entries 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add DNS Entries 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage DNSSEC keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage DNSSEC keys 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage DNSSEC metadata 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage DNSSEC metadata 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read DNS Entries 2020-01-30T22:44:22Z DEBUG No changes to 
permission: System: Read DNS Entries 2020-01-30T22:44:22Z DEBUG Legacy permission 'Read DNS Entries' not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read DNSSEC metadata 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read DNSSEC metadata 2020-01-30T22:44:22Z DEBUG Legacy permission remove dns entries not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove DNS Entries 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove DNS Entries 2020-01-30T22:44:22Z DEBUG Legacy permission update dns entries not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Update DNS Entries 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Update DNS Entries 2020-01-30T22:44:22Z DEBUG Updating managed permissions for group 2020-01-30T22:44:22Z DEBUG Legacy permission Add Groups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Groups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Groups 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify External Group Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify External Group Membership 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Group membership not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Group Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Group Membership 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Groups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Groups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Groups 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read External Group Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read External Group Membership 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Group Compat Tree 2020-01-30T22:44:22Z DEBUG No 
changes to permission: System: Read Group Compat Tree 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Group Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Group Membership 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Group Views Compat Tree 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Group Views Compat Tree 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Groups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Groups 2020-01-30T22:44:22Z DEBUG Legacy permission Remove Groups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Groups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Groups 2020-01-30T22:44:22Z DEBUG Updating managed permissions for hbacrule 2020-01-30T22:44:22Z DEBUG Legacy permission Add HBAC rule not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add HBAC Rule 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add HBAC Rule 2020-01-30T22:44:22Z DEBUG Legacy permission Delete HBAC rule not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete HBAC Rule 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete HBAC Rule 2020-01-30T22:44:22Z DEBUG Legacy permission Manage HBAC rule membership not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage HBAC Rule Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage HBAC Rule Membership 2020-01-30T22:44:22Z DEBUG Legacy permission Modify HBAC rule not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify HBAC Rule 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify HBAC Rule 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read HBAC Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read HBAC Rules 2020-01-30T22:44:22Z DEBUG Updating managed 
permissions for hbacsvc 2020-01-30T22:44:22Z DEBUG Legacy permission Add HBAC services not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add HBAC Services 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add HBAC Services 2020-01-30T22:44:22Z DEBUG Legacy permission Delete HBAC services not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete HBAC Services 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete HBAC Services 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read HBAC Services 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read HBAC Services 2020-01-30T22:44:22Z DEBUG Updating managed permissions for hbacsvcgroup 2020-01-30T22:44:22Z DEBUG Legacy permission Add HBAC service groups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add HBAC Service Groups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add HBAC Service Groups 2020-01-30T22:44:22Z DEBUG Legacy permission Delete HBAC service groups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete HBAC Service Groups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete HBAC Service Groups 2020-01-30T22:44:22Z DEBUG Legacy permission Manage HBAC service group membership not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage HBAC Service Group Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage HBAC Service Group Membership 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read HBAC Service Groups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read HBAC Service Groups 2020-01-30T22:44:22Z DEBUG Updating managed permissions for host 2020-01-30T22:44:22Z DEBUG Legacy permission Add Hosts not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Hosts 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Hosts 
2020-01-30T22:44:22Z DEBUG Legacy permission Add krbPrincipalName to a host not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add krbPrincipalName to a Host 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add krbPrincipalName to a Host 2020-01-30T22:44:22Z DEBUG Legacy permission Enroll a host not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Enroll a Host 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Enroll a Host 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage Host Certificates 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage Host Certificates 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage Host Enrollment Password 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage Host Enrollment Password 2020-01-30T22:44:22Z DEBUG Legacy permission Manage host keytab not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage Host Keytab 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage Host Keytab 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage Host Keytab Permissions 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage Host Keytab Permissions 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage Host Principals 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage Host Principals 2020-01-30T22:44:22Z DEBUG Legacy permission Manage Host SSH Public Keys not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage Host SSH Public Keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage Host SSH Public Keys 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Hosts not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Hosts 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Hosts 2020-01-30T22:44:22Z DEBUG Updating managed permission: 
System: Read Host Compat Tree 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Host Compat Tree 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Host Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Host Membership 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Hosts 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Hosts 2020-01-30T22:44:22Z DEBUG Legacy permission Remove Hosts not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Hosts 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Hosts 2020-01-30T22:44:22Z DEBUG Updating managed permissions for hostgroup 2020-01-30T22:44:22Z DEBUG Legacy permission Add Hostgroups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Hostgroups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Hostgroups 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Hostgroup membership not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Hostgroup Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Hostgroup Membership 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Hostgroups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Hostgroups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Hostgroups 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Hostgroup Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Hostgroup Membership 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Hostgroups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Hostgroups 2020-01-30T22:44:22Z DEBUG Legacy permission Remove Hostgroups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Hostgroups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove 
Hostgroups 2020-01-30T22:44:22Z DEBUG Updating managed permissions for idoverridegroup 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Group ID Overrides 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Group ID Overrides 2020-01-30T22:44:22Z DEBUG Updating managed permissions for idoverrideuser 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read User ID Overrides 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read User ID Overrides 2020-01-30T22:44:22Z DEBUG Updating managed permissions for idrange 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read ID Ranges 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read ID Ranges 2020-01-30T22:44:22Z DEBUG Updating managed permissions for idview 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read ID Views 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read ID Views 2020-01-30T22:44:22Z DEBUG Updating managed permissions for krbtpolicy 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Default Kerberos Ticket Policy 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Default Kerberos Ticket Policy 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read User Kerberos Ticket Policy 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read User Kerberos Ticket Policy 2020-01-30T22:44:22Z DEBUG Updating managed permissions for location 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add IPA Locations 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add IPA Locations 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify IPA Locations 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify IPA Locations 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read IPA Locations 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read IPA Locations 2020-01-30T22:44:22Z DEBUG 
Updating managed permission: System: Remove IPA Locations 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove IPA Locations 2020-01-30T22:44:22Z DEBUG Updating managed permissions for netgroup 2020-01-30T22:44:22Z DEBUG Legacy permission Add netgroups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Netgroups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Netgroups 2020-01-30T22:44:22Z DEBUG Legacy permission Modify netgroup membership not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Netgroup Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Netgroup Membership 2020-01-30T22:44:22Z DEBUG Legacy permission Modify netgroups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Netgroups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Netgroups 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Netgroup Compat Tree 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Netgroup Compat Tree 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Netgroup Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Netgroup Membership 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Netgroups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Netgroups 2020-01-30T22:44:22Z DEBUG Legacy permission Remove netgroups not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Netgroups 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Netgroups 2020-01-30T22:44:22Z DEBUG Updating managed permissions for otpconfig 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read OTP Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read OTP Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for permission 2020-01-30T22:44:22Z DEBUG 
2020-01-30T22:44:23Z DEBUG Updating managed permission: System: Read CA Renewal Information
2020-01-30T22:44:23Z DEBUG No changes to permission: System: Read CA Renewal Information
2020-01-30T22:44:23Z DEBUG Updating managed permission: System: Read Certificate Store Entries
2020-01-30T22:44:23Z DEBUG No changes to permission: System: Read Certificate Store Entries
2020-01-30T22:44:23Z DEBUG Updating managed permission: System: Read DNA Configuration
2020-01-30T22:44:23Z DEBUG No changes to permission: System: Read DNA Configuration
2020-01-30T22:44:23Z DEBUG Updating managed permission: System: Read DUA Profile
2020-01-30T22:44:23Z DEBUG No changes to permission: System: Read DUA Profile
2020-01-30T22:44:23Z DEBUG Updating managed permission: System: Read Domain Level
2020-01-30T22:44:23Z DEBUG No changes to permission: System: Read Domain Level
2020-01-30T22:44:23Z DEBUG Updating managed permission: System: Read IPA Masters
2020-01-30T22:44:23Z DEBUG No changes to permission: System: Read IPA Masters
2020-01-30T22:44:23Z DEBUG Updating managed permission: System: Read Replication Information
2020-01-30T22:44:23Z DEBUG No changes to permission: System: Read Replication Information
2020-01-30T22:44:23Z DEBUG Updating managed permission: System: Remove Certificate Store Entry
2020-01-30T22:44:23Z DEBUG No changes to permission: System: Remove Certificate Store Entry
2020-01-30T22:44:23Z DEBUG Deleting obsolete permission System: Read Timestamp and USN Operational Attributes
2020-01-30T22:44:23Z DEBUG raw: permission_del(('System: Read Timestamp and USN Operational Attributes',), force=True, version='2.101')
2020-01-30T22:44:23Z DEBUG permission_del(('System: Read Timestamp and USN Operational Attributes',), continue=False, force=True, version='2.101')
2020-01-30T22:44:23Z DEBUG Obsolete permission not found
2020-01-30T22:44:23Z DEBUG Deleting obsolete permission System: Read Creator and Modifier Operational Attributes
2020-01-30T22:44:23Z DEBUG raw: permission_del(('System: Read Creator and Modifier Operational Attributes',), force=True, version='2.101')
2020-01-30T22:44:23Z DEBUG permission_del(('System: Read Creator and Modifier Operational Attributes',), continue=False, force=True, version='2.101')
2020-01-30T22:44:23Z DEBUG Obsolete permission not found
2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_read_replication_agreements_permission
2020-01-30T22:44:23Z DEBUG raw: update_read_replication_agreements_permission
2020-01-30T22:44:23Z DEBUG Old permission not found
2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_idrange_baserid
2020-01-30T22:44:23Z DEBUG raw: update_idrange_baserid
2020-01-30T22:44:23Z DEBUG update_idrange_baserid: search for ipa-ad-trust-posix ID ranges with ipaBaseRID != 0
2020-01-30T22:44:23Z DEBUG update_idrange_baserid: no AD domain range with posix attributes found
2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_passync_privilege_update
2020-01-30T22:44:23Z DEBUG raw: update_passync_privilege_update
2020-01-30T22:44:23Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:23Z DEBUG PassSync privilege update not needed
2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_dnsserver_configuration_into_ldap
2020-01-30T22:44:23Z DEBUG raw: update_dnsserver_configuration_into_ldap
2020-01-30T22:44:23Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:23Z DEBUG upgrade is not needed
2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_ldap_server_list
2020-01-30T22:44:23Z DEBUG raw: update_ldap_server_list
2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_dna_shared_config
2020-01-30T22:44:23Z DEBUG raw: update_dna_shared_config
2020-01-30T22:44:23Z DEBUG 2 entries dnaHostname=srv107.domain.net under cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net. One expected
2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_unhashed_password
2020-01-30T22:44:23Z DEBUG raw: update_unhashed_password
2020-01-30T22:44:23Z DEBUG Upgrading unhashed password configuration
2020-01-30T22:44:23Z DEBUG Unhashed password this is not a winsync deployment
2020-01-30T22:44:23Z DEBUG LDAP update duration: /usr/share/ipa/updates/90-post_upgrade_plugins.update 18.773 sec
2020-01-30T22:44:23Z DEBUG Destroyed connection context.ldap2_140295362935568
2020-01-30T22:44:23Z DEBUG step duration: dirsrv __upgrade 27.81 sec
2020-01-30T22:44:23Z DEBUG [9/11]: stopping directory server
2020-01-30T22:44:23Z DEBUG Destroyed connection context.ldap2_140295386233872
2020-01-30T22:44:23Z DEBUG Starting external process
2020-01-30T22:44:23Z DEBUG args=['/bin/systemctl', 'stop', 'dirsrv@UNIX-domain.net-NET.service']
2020-01-30T22:44:26Z DEBUG Process finished, return code=0
2020-01-30T22:44:26Z DEBUG stdout=
2020-01-30T22:44:26Z DEBUG stderr=
2020-01-30T22:44:26Z DEBUG Stop of dirsrv@UNIX-domain.net-NET.service complete
2020-01-30T22:44:26Z DEBUG step duration: dirsrv __stop_instance 3.24 sec
2020-01-30T22:44:26Z DEBUG [10/11]: restoring configuration
2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:26Z DEBUG step duration: dirsrv __restore_config 0.09 sec
2020-01-30T22:44:26Z DEBUG [11/11]: starting directory server
2020-01-30T22:44:26Z DEBUG Starting external process
2020-01-30T22:44:26Z DEBUG args=['/bin/systemctl', 'start', 'dirsrv@UNIX-domain.net-NET.service']
2020-01-30T22:44:39Z DEBUG Process finished, return code=0
2020-01-30T22:44:39Z DEBUG stdout=
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Start of dirsrv@UNIX-domain.net-NET.service complete
2020-01-30T22:44:39Z DEBUG Created connection context.ldap2_140295386233872
2020-01-30T22:44:39Z DEBUG step duration: dirsrv __start 13.00 sec
2020-01-30T22:44:39Z DEBUG Done.
2020-01-30T22:44:39Z DEBUG service duration: dirsrv 67.87 sec
2020-01-30T22:44:39Z INFO Update complete
2020-01-30T22:44:39Z INFO Upgrading the configuration of the IPA services
2020-01-30T22:44:39Z DEBUG IPA version 4.8.4-2.fc31
2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@UNIX-domain.net-NET.service']
2020-01-30T22:44:39Z DEBUG Process finished, return code=0
2020-01-30T22:44:39Z DEBUG stdout=active
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/usr/sbin/selinuxenabled']
2020-01-30T22:44:39Z DEBUG Process finished, return code=0
2020-01-30T22:44:39Z DEBUG stdout=
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/sbin/restorecon', '/etc/pkcs11/modules/softhsm2.module']
2020-01-30T22:44:39Z DEBUG Process finished, return code=0
2020-01-30T22:44:39Z DEBUG stdout=
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Created PKCS#11 module config '/etc/pkcs11/modules/softhsm2.module'.
2020-01-30T22:44:39Z INFO [Verifying that root certificate is published]
2020-01-30T22:44:39Z DEBUG Certificate file exists
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-01-30T22:44:39Z DEBUG Trying to find certificate subject base in sysupgrade
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:39Z DEBUG Found certificate subject base in sysupgrade: O=UNIX.domain.net
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-01-30T22:44:39Z DEBUG request POST http://srv107.domain.net:8080/ca/admin/ca/getStatus
2020-01-30T22:44:39Z DEBUG request body ''
2020-01-30T22:44:39Z DEBUG response status 500
2020-01-30T22:44:39Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: de
Content-Length: 2021
Date: Thu, 30 Jan 2020 22:44:39 GMT
Connection: close
2020-01-30T22:44:39Z DEBUG response body (decoded): b'<!doctype html><html lang="de"><head><title>HTTP Status 500 \xe2\x80\x93 Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Subsystem unavailable</p><p><b>Beschreibung</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Hinweis</b> Der komplette Stacktrace der Ursache ist in den Server logs zu finden</p><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
2020-01-30T22:44:39Z DEBUG Failed to check CA status: Retrieving CA status failed with status 500
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-01-30T22:44:39Z DEBUG Ensuring that service pki-tomcatd@pki-tomcat is not running while the next set of commands is being executed.
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:39Z DEBUG Process finished, return code=0
2020-01-30T22:44:39Z DEBUG stdout=active
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Stopping pki-tomcatd@pki-tomcat.
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/bin/systemctl', 'stop', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:41Z DEBUG Process finished, return code=0
2020-01-30T22:44:41Z DEBUG stdout=
2020-01-30T22:44:41Z DEBUG stderr=
2020-01-30T22:44:41Z DEBUG Stop of pki-tomcatd@pki-tomcat.service complete
2020-01-30T22:44:41Z DEBUG Starting external process
2020-01-30T22:44:41Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:41Z DEBUG Process finished, return code=3
2020-01-30T22:44:41Z DEBUG stdout=inactive
2020-01-30T22:44:41Z DEBUG stderr=
2020-01-30T22:44:41Z INFO [Migrate CRL publish directory]
2020-01-30T22:44:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:41Z INFO CRL tree already moved
2020-01-30T22:44:41Z DEBUG Starting pki-tomcatd@pki-tomcat.
2020-01-30T22:44:41Z DEBUG Starting external process
2020-01-30T22:44:41Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:44Z DEBUG Process finished, return code=0
2020-01-30T22:44:44Z DEBUG stdout=
2020-01-30T22:44:44Z DEBUG stderr=
2020-01-30T22:44:44Z DEBUG Starting external process
2020-01-30T22:44:44Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:44Z DEBUG Process finished, return code=0
2020-01-30T22:44:44Z DEBUG stdout=active
2020-01-30T22:44:44Z DEBUG stderr= 2020-01-30T22:44:44Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 120 2020-01-30T22:44:44Z DEBUG waiting for port: 8080 2020-01-30T22:44:44Z DEBUG Failed to connect to port 8080 tcp on ::1 2020-01-30T22:44:44Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1 2020-01-30T22:44:47Z DEBUG SUCCESS: port: 8080 2020-01-30T22:44:47Z DEBUG waiting for port: 8443 2020-01-30T22:44:47Z DEBUG SUCCESS: port: 8443 2020-01-30T22:44:47Z DEBUG Start of pki-tomcatd@pki-tomcat.service complete 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 120 2020-01-30T22:44:47Z DEBUG waiting for port: 8080 2020-01-30T22:44:47Z DEBUG SUCCESS: port: 8080 2020-01-30T22:44:47Z DEBUG waiting for port: 8443 2020-01-30T22:44:47Z DEBUG SUCCESS: port: 8443 2020-01-30T22:44:47Z DEBUG Start of pki-tomcatd@pki-tomcat.service complete 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z INFO [Verifying that KDC configuration is using ipa-kdb backend] 2020-01-30T22:44:47Z DEBUG dbmodules already updated in /etc/krb5.conf 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/getsebool', 'httpd_can_network_connect'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=httpd_can_network_connect --> on
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/getsebool', 'httpd_manage_ipa'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=httpd_manage_ipa --> on
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/getsebool', 'httpd_run_ipa'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=httpd_run_ipa --> on
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/getsebool', 'httpd_dbus_sssd'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=httpd_dbus_sssd --> on
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-enabled', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=enabled
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'enable', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'start', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Start of oddjobd.service complete 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/sbin/restorecon', '/etc/systemd/system/dirsrv@UNIX-domain.net-NET.service.d/ipa-env.conf'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', '--system', 'daemon-reload'] 2020-01-30T22:44:48Z DEBUG Process finished, return code=0 2020-01-30T22:44:48Z DEBUG stdout= 2020-01-30T22:44:48Z DEBUG stderr= 2020-01-30T22:44:48Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:44:48Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990ebc3450> 2020-01-30T22:44:48Z DEBUG Destroyed connection context.ldap2_140295386233872 2020-01-30T22:44:48Z DEBUG Starting external process 2020-01-30T22:44:48Z DEBUG args=['/bin/systemctl', 'stop', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:44:50Z DEBUG Process finished, return code=0 2020-01-30T22:44:50Z DEBUG stdout= 2020-01-30T22:44:50Z DEBUG stderr= 2020-01-30T22:44:50Z DEBUG Stop of dirsrv@UNIX-domain.net-NET.service complete 2020-01-30T22:44:50Z INFO [Fix DS schema file syntax] 2020-01-30T22:44:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:44:50Z INFO Syntax already fixed 2020-01-30T22:44:50Z INFO [Removing RA cert from DS NSS database] 2020-01-30T22:44:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 
2020-01-30T22:44:50Z INFO RA cert already removed 2020-01-30T22:44:50Z DEBUG Starting external process 2020-01-30T22:44:50Z DEBUG args=['/bin/systemctl', 'start', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:45:02Z DEBUG Process finished, return code=0 2020-01-30T22:45:02Z DEBUG stdout= 2020-01-30T22:45:02Z DEBUG stderr= 2020-01-30T22:45:02Z DEBUG Starting external process 2020-01-30T22:45:02Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:45:02Z DEBUG Process finished, return code=0 2020-01-30T22:45:02Z DEBUG stdout=active
2020-01-30T22:45:02Z DEBUG stderr= 2020-01-30T22:45:02Z DEBUG wait_for_open_ports: localhost [389] timeout 120 2020-01-30T22:45:02Z DEBUG waiting for port: 389 2020-01-30T22:45:02Z DEBUG SUCCESS: port: 389 2020-01-30T22:45:02Z DEBUG Start of dirsrv@UNIX-domain.net-NET.service complete 2020-01-30T22:45:02Z DEBUG Created connection context.ldap2_140295386233872 2020-01-30T22:45:02Z INFO [Enable sidgen and extdom plugins by default] 2020-01-30T22:45:02Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:02Z DEBUG sidgen and extdom plugins are enabled already 2020-01-30T22:45:02Z DEBUG Starting external process 2020-01-30T22:45:02Z DEBUG args=['/bin/systemctl', 'stop', 'httpd.service'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Stop of httpd.service complete 2020-01-30T22:45:04Z INFO [Updating HTTPD service IPA configuration] 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/sbin/restorecon', '/etc/systemd/system/httpd.service.d/ipa.conf'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/bin/systemctl', '--system', 'daemon-reload'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z INFO [Updating HTTPD service IPA WSGI configuration] 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:45:04Z DEBUG Process 
finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/sbin/restorecon', '/etc/httpd/conf.modules.d/02-ipa-wsgi.conf'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z INFO [Migrating from mod_nss to mod_ssl] 2020-01-30T22:45:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:04Z INFO Already migrated to mod_ssl 2020-01-30T22:45:04Z INFO [Moving HTTPD service keytab to gssproxy] 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/sbin/restorecon', '/etc/gssproxy/10-ipa.conf'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/bin/systemctl', 'restart', 'gssproxy.service'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/bin/systemctl', 'is-active', 'gssproxy.service'] 2020-01-30T22:45:05Z DEBUG Process finished, return code=0 2020-01-30T22:45:05Z DEBUG stdout=active
2020-01-30T22:45:05Z DEBUG stderr= 2020-01-30T22:45:05Z DEBUG Restart of gssproxy.service complete 2020-01-30T22:45:05Z DEBUG Starting external process 2020-01-30T22:45:05Z DEBUG args=['/bin/systemctl', 'start', 'httpd.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout= 2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'is-active', 'httpd.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout=active
2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Start of httpd.service complete 2020-01-30T22:45:06Z INFO [Removing self-signed CA] 2020-01-30T22:45:06Z DEBUG Self-signed CA is not installed 2020-01-30T22:45:06Z INFO [Removing Dogtag 9 CA] 2020-01-30T22:45:06Z DEBUG Dogtag is version 10 or above 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z INFO [Checking for deprecated KDC configuration files] 2020-01-30T22:45:06Z INFO [Checking for deprecated backups of Samba configuration files] 2020-01-30T22:45:06Z DEBUG raw: ca_is_enabled(version='2.235') 2020-01-30T22:45:06Z DEBUG ca_is_enabled(version='2.235') 2020-01-30T22:45:06Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:45:06Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990eb07c10> 2020-01-30T22:45:06Z DEBUG raw: kra_is_enabled(version='2.235') 2020-01-30T22:45:06Z DEBUG kra_is_enabled(version='2.235') 2020-01-30T22:45:06Z DEBUG Cleaning up after pkispawn for the CA subsystem 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:06Z DEBUG Removing /root/.dogtag/pki-tomcat/ca 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=3 2020-01-30T22:45:06Z DEBUG stdout=inactive
2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'start', 'named-pkcs11.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout= 2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout=active
2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Start of named-pkcs11.service complete 2020-01-30T22:45:06Z INFO [Add missing CA DNS records] 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z INFO IPA CA DNS records already processed 2020-01-30T22:45:06Z INFO [Removing deprecated DNS configuration options] 2020-01-30T22:45:06Z DEBUG No changes made 2020-01-30T22:45:06Z INFO [Ensuring minimal number of connections] 2020-01-30T22:45:06Z DEBUG No changes made 2020-01-30T22:45:06Z INFO [Updating GSSAPI configuration in DNS] 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip GSSAPI configuration check 2020-01-30T22:45:06Z INFO [Updating pid-file configuration in DNS] 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip pid-file configuration check 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG dnssec-enabled in /etc/named.conf 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG dnssec-validate already configured in /etc/named.conf 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip bindkey-file configuration check 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip managed-keys-directory configuration check 
2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip root key configuration check 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:06Z INFO [Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones] 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z INFO Changes to named.conf have been made, restart named 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout=active
2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'restart', 'named-pkcs11.service'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout= 2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:07Z DEBUG Starting external process 2020-01-30T22:45:07Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout=active
2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:07Z DEBUG Restart of named-pkcs11.service complete 2020-01-30T22:45:07Z DEBUG Starting external process 2020-01-30T22:45:07Z DEBUG args=['/bin/systemctl', 'stop', 'named-pkcs11.service'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout= 2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:07Z DEBUG Stop of named-pkcs11.service complete 2020-01-30T22:45:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:07Z INFO [Upgrading CA schema] 2020-01-30T22:45:07Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif 2020-01-30T22:45:07Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif 2020-01-30T22:45:07Z DEBUG Not updating schema 2020-01-30T22:45:07Z INFO CA schema update complete (no changes) 2020-01-30T22:45:07Z INFO [Verifying that CA audit signing cert has 2 year validity] 2020-01-30T22:45:07Z DEBUG caSignedLogCert.cfg profile validity range is 720 2020-01-30T22:45:07Z INFO [Update certmonger certificate renewal configuration] 2020-01-30T22:45:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:07Z DEBUG Starting external process 2020-01-30T22:45:07Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-UNIX-domain.net-NET/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout=-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:07Z DEBUG Starting external process 2020-01-30T22:45:07Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu ocspSigningCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu subsystemCert cert-pki-ca u,u,u
2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:08Z INFO Certmonger certificate renewal configuration already up-to-date 2020-01-30T22:45:08Z INFO [Enable PKIX certificate path discovery and validation] 2020-01-30T22:45:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:08Z INFO PKIX already enabled 2020-01-30T22:45:08Z INFO [Authorizing RA Agent to modify profiles] 2020-01-30T22:45:08Z INFO [Authorizing RA Agent to manage lightweight CAs] 2020-01-30T22:45:08Z INFO [Ensuring Lightweight CAs container exists in Dogtag database] 2020-01-30T22:45:08Z DEBUG Created connection context.ldap2_140295338427216 2020-01-30T22:45:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:45:08Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990dda6ed0> 2020-01-30T22:45:08Z DEBUG Destroyed connection context.ldap2_140295338427216 2020-01-30T22:45:08Z INFO [Adding default OCSP URI configuration] 2020-01-30T22:45:08Z INFO [Disabling cert publishing] 2020-01-30T22:45:08Z INFO [Ensuring CA is using LDAPProfileSubsystem] 2020-01-30T22:45:08Z INFO [Migrating certificate profiles to LDAP] 2020-01-30T22:45:08Z DEBUG Created connection context.ldap2_140295344329552 2020-01-30T22:45:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:45:08Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990dc02d90> 2020-01-30T22:45:08Z DEBUG Destroyed connection context.ldap2_140295344329552 2020-01-30T22:45:08Z DEBUG request GET https://srv107.domain.net:8443/ca/rest/account/login 2020-01-30T22:45:08Z DEBUG request body '' 2020-01-30T22:45:09Z DEBUG response status 500 2020-01-30T22:45:09Z DEBUG response headers Content-Type: text/html;charset=utf-8 
Content-Language: de Content-Length: 2021 Date: Thu, 30 Jan 2020 22:45:09 GMT Connection: close
2020-01-30T22:45:09Z DEBUG response body (decoded): b'<!doctype html><html lang="de"><head><title>HTTP Status 500 \xe2\x80\x93 Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Subsystem unavailable</p><p><b>Beschreibung</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Hinweis</b> Der 
komplette Stacktrace der Ursache ist in den Server logs zu finden</p><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
2020-01-30T22:45:09Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2020-01-30T22:45:09Z DEBUG   File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 2270, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 2139, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 414, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", line 1941, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", line 1947, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2020-01-30T22:45:09Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-01-30T22:45:09Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-01-30T22:45:09Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@srv107 ipa]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20171212100014':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=srv107.domain.net,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-10-17 12:00:24 CEST
    principal name: krbtgt/UNIX.domain.net@UNIX.domain.net
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20190904114922':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=CA Audit,O=UNIX.domain.net
    expires: 2020-06-09 16:12:06 CEST
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114923':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=OCSP Subsystem,O=UNIX.domain.net
    expires: 2020-06-09 16:12:03 CEST
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114924':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=CA Subsystem,O=UNIX.domain.net
    expires: 2020-06-09 16:12:05 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114925':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=Certificate Authority,O=UNIX.domain.net
    expires: 2036-07-28 16:11:50 CEST
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114926':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-06-09 16:12:14 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114927':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=IPA RA,O=UNIX.domain.net
    expires: 2020-06-09 16:12:52 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190904114928':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-07-01 16:13:09 CEST
    principal name: ldap/srv107.domain.net@UNIX.domain.net
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv UNIX-domain.net-NET
    track: yes
    auto-renew: yes
Request ID '20190904114929':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/srv107.domain.net-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-07-01 16:18:01 CEST
    principal name: HTTP/srv107.domain.net@UNIX.domain.net
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Thank you if you maybe find something I've overlooked.
Jochen
On Monday, January 20, 2020 13:15 CET, Florence Blanc-Renaud flo@redhat.com wrote:
On 1/20/20 9:39 AM, Jochen Demmer via FreeIPA-users wrote:
I suffer the exact same problem and already tried to upgrade twice but every time the update fails.
The ldap server does not listen when I check with ss or netstat. I reverted back to Fedora 30 with snapshots every time.
Hi,
can you paste the logs from /var/logs/ipaupgrade.log? We would need the full logs as the error may differ between a first run and a second run. When the packages are upgraded, the script ipa-server-upgrade is called and starts by disabling the LDAP server ports to avoid any LDAP operation during the upgrade. Then the script performs its duty, and re-enables the port. If there is an untrapped failure before the ports are re-enabled, or the user repeatedly presses CTRL-C, we sometimes end up in a situation where the ports are still disabled (please see ticket https://pagure.io/freeipa/issue/7534) after the ipa-server-upgrade script exits. If the user re-runs ipa-server-upgrade at this point, the script output will be completely different but will not give us any hint related to the original failure root cause. That's why we need the full logs.
If you are in a situation where the LDAP server isn't listening:
0. stop IPA with ipactl stop
1. edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
2. set nsslapd-port to 389
3. set nsslapd-security to on
4. set nsslapd-global-backend-lock to off (if you have this attribute at all)
5. restart IPA with ipactl start
If the services are able to restart at this point, try to run ipa-server-upgrade and provide full logs.
HTH, flo
Can someone help me work around this? The OP writes of an IP that changed but mine didn't. Where can I find a clue why ldap does not listen?
Jochen
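A read-only check for the situation described in the quoted reply above, where the LDAP ports are still disabled after ipa-server-upgrade exits. This is an added example, not part of the thread or of FreeIPA's code: the function names and the sample dse.ldif fragment are constructed for illustration, and the expected values are the ones listed in the recovery steps.

```python
import base64
import sys

# Values taken from the recovery steps in the reply above.
EXPECTED = {
    "nsslapd-port": "389",
    "nsslapd-security": "on",
    "nsslapd-global-backend-lock": "off",
}
# The reply says this attribute may not exist at all, so absence is fine.
OPTIONAL = {"nsslapd-global-backend-lock"}


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Yield each LDIF entry as {lowercased attribute: [values]}."""
    entry = {}
    for line in unfold(text):
        if not line.strip():          # blank line ends the current entry
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):     # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:
        yield entry


def check_listener_config(text):
    """Return (attribute, current, expected) for every setting that differs."""
    for entry in parse_entries(text):
        if [dn.lower() for dn in entry.get("dn", [])] == ["cn=config"]:
            break
    else:
        raise ValueError("no cn=config entry found")
    findings = []
    for attr, expected in EXPECTED.items():
        values = entry.get(attr)
        if values is None:
            if attr not in OPTIONAL:
                findings.append((attr, None, expected))
        elif values[0].lower() != expected:
            findings.append((attr, values[0], expected))
    return findings


# Constructed sample, not taken from any poster's server: a cn=config entry
# whose listener settings differ from the values in the recovery steps.
SAMPLE_DISABLED = """\
dn: cn=config
cn: config
objectClass: top
nsslapd-port: 0
nsslapd-security: off
nsslapd-global-backend-lock: on
nsslapd-ldapilisten: on
nsslapd-rootdn: cn=Directory
  Manager

dn: cn=plugins,cn=config
cn: plugins
"""

if __name__ == "__main__":
    # Pass the path to dse.ldif as the first argument; without one the
    # constructed sample is checked instead. The file is only read.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            content = handle.read()
    else:
        content = SAMPLE_DISABLED
    problems = check_listener_config(content)
    for attr, current, expected in problems:
        print(f"{attr}: found {current!r}, recovery steps expect {expected!r}")
    sys.exit(1 if problems else 0)
```

An empty result means the listener settings already match the recovery steps, so a server that still fails to start has a different cause and the full ipaupgrade.log is the next thing to look at.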
On 1/31/20 12:00 AM, Jochen Demmer wrote:
Hi,
after quite some time I gave it another try.
- Upgrade to Fedora 31
- After Reboot service won't come up
[root@srv107 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

[root@srv107 ipa]# systemctl restart ipa
Job for ipa.service failed because the control process exited with error code.
See "systemctl status ipa.service" and "journalctl -xe" for details.

ipa-server-upgrade
[...]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The full ipaupgrade.log is quite large with 20 MB, this is the last part of it:
'ipaSupportedDomainLevelConfig'] 2020-01-30T22:44:07Z DEBUG add: updated value ['top', 'nsContainer', 'ipaConfigObject', 'ipaSupportedDomainLevelConfig', 'ipaReplTopoManagedServer'] 2020-01-30T22:44:07Z DEBUG add: 'o=ipaca' to ipaReplTopoManagedSuffix, current value ['dc=unix,dc=domain.net,dc=net', 'o=ipaca'] 2020-01-30T22:44:07Z DEBUG add: updated value ['dc=unix,dc=domain.net,dc=net', 'o=ipaca'] 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Final value after applying updates 2020-01-30T22:44:07Z DEBUG dn: cn=srv107.domain.net,cn=masters,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG srv107.domain.net 2020-01-30T22:44:07Z DEBUG ipaMaxDomainLevel: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG ipaMinDomainLevel: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG ipaReplTopoManagedSuffix: 2020-01-30T22:44:07Z DEBUG dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG nsContainer 2020-01-30T22:44:07Z DEBUG ipaConfigObject 2020-01-30T22:44:07Z DEBUG ipaSupportedDomainLevelConfig 2020-01-30T22:44:07Z DEBUG ipaReplTopoManagedServer 2020-01-30T22:44:07Z DEBUG [] 2020-01-30T22:44:07Z DEBUG Updated 0 2020-01-30T22:44:07Z DEBUG Done 2020-01-30T22:44:07Z DEBUG Updating existing entry: cn=ca,cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Initial value 2020-01-30T22:44:07Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG ca 2020-01-30T22:44:07Z DEBUG ipaReplTopoConfRoot: 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG iparepltopoconf 2020-01-30T22:44:07Z DEBUG 
--------------------------------------------- 2020-01-30T22:44:07Z DEBUG Final value after applying updates 2020-01-30T22:44:07Z DEBUG dn: cn=ca,cn=topology,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG ca 2020-01-30T22:44:07Z DEBUG ipaReplTopoConfRoot: 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG iparepltopoconf 2020-01-30T22:44:07Z DEBUG [] 2020-01-30T22:44:07Z DEBUG Updated 0 2020-01-30T22:44:07Z DEBUG Done 2020-01-30T22:44:07Z DEBUG Updating existing entry: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Initial value 2020-01-30T22:44:07Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG replica 2020-01-30T22:44:07Z DEBUG nsDS5Flags: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDN: 2020-01-30T22:44:07Z DEBUG cn=replication manager,cn=config 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDNGroup: 2020-01-30T22:44:07Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDnGroupCheckInterval: 2020-01-30T22:44:07Z DEBUG 60 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaId: 2020-01-30T22:44:07Z DEBUG 10 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaName: 2020-01-30T22:44:07Z DEBUG 1a150602-989311e8-a96ae1e4-db67e289 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaRoot: 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaType: 2020-01-30T22:44:07Z DEBUG 3 2020-01-30T22:44:07Z DEBUG nsState: 2020-01-30T22:44:07Z DEBUG CgAAAAAAAAD3TjNeAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== 2020-01-30T22:44:07Z DEBUG nsds5ReplicaBackoffMax: 2020-01-30T22:44:07Z DEBUG 300 2020-01-30T22:44:07Z DEBUG nsds5ReplicaLegacyConsumer: 2020-01-30T22:44:07Z DEBUG off 2020-01-30T22:44:07Z DEBUG 
nsds5ReplicaReleaseTimeout: 2020-01-30T22:44:07Z DEBUG 60 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG nsds5replica 2020-01-30T22:44:07Z DEBUG extensibleobject 2020-01-30T22:44:07Z DEBUG nsds5ReplicaChangeCount: 2020-01-30T22:44:07Z DEBUG 711 2020-01-30T22:44:07Z DEBUG nsds5replicareapactive: 2020-01-30T22:44:07Z DEBUG 0 2020-01-30T22:44:07Z DEBUG onlyifexist: 'cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net' to nsds5replicabinddngroup, current value ['cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net'] 2020-01-30T22:44:07Z DEBUG onlyifexist: set nsds5replicabinddngroup to ['cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net'] 2020-01-30T22:44:07Z DEBUG --------------------------------------------- 2020-01-30T22:44:07Z DEBUG Final value after applying updates 2020-01-30T22:44:07Z DEBUG dn: cn=replica,cn=o=ipaca,cn=mapping tree,cn=config 2020-01-30T22:44:07Z DEBUG cn: 2020-01-30T22:44:07Z DEBUG replica 2020-01-30T22:44:07Z DEBUG nsDS5Flags: 2020-01-30T22:44:07Z DEBUG 1 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDN: 2020-01-30T22:44:07Z DEBUG cn=replication manager,cn=config 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDNGroup: 2020-01-30T22:44:07Z DEBUG cn=replication managers,cn=sysaccounts,cn=etc,dc=unix,dc=domain.net,dc=net 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaBindDnGroupCheckInterval: 2020-01-30T22:44:07Z DEBUG 60 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaId: 2020-01-30T22:44:07Z DEBUG 10 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaName: 2020-01-30T22:44:07Z DEBUG 1a150602-989311e8-a96ae1e4-db67e289 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaRoot: 2020-01-30T22:44:07Z DEBUG o=ipaca 2020-01-30T22:44:07Z DEBUG nsDS5ReplicaType: 2020-01-30T22:44:07Z DEBUG 3 2020-01-30T22:44:07Z DEBUG nsState: 2020-01-30T22:44:07Z DEBUG CgAAAAAAAAD3TjNeAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA== 2020-01-30T22:44:07Z DEBUG nsds5ReplicaBackoffMax: 2020-01-30T22:44:07Z 
DEBUG 300 2020-01-30T22:44:07Z DEBUG nsds5ReplicaLegacyConsumer: 2020-01-30T22:44:07Z DEBUG off 2020-01-30T22:44:07Z DEBUG nsds5ReplicaReleaseTimeout: 2020-01-30T22:44:07Z DEBUG 60 2020-01-30T22:44:07Z DEBUG objectClass: 2020-01-30T22:44:07Z DEBUG top 2020-01-30T22:44:07Z DEBUG nsds5replica 2020-01-30T22:44:07Z DEBUG extensibleobject 2020-01-30T22:44:07Z DEBUG nsds5ReplicaChangeCount: 2020-01-30T22:44:07Z DEBUG 711 2020-01-30T22:44:07Z DEBUG nsds5replicareapactive: 2020-01-30T22:44:07Z DEBUG 0 2020-01-30T22:44:07Z DEBUG [] 2020-01-30T22:44:07Z DEBUG Updated 0 2020-01-30T22:44:07Z DEBUG Done 2020-01-30T22:44:07Z DEBUG LDAP update duration: /usr/share/ipa/ca-topology.uldif 0.510 sec 2020-01-30T22:44:07Z DEBUG Destroyed connection context.ldap2_140295363379856 2020-01-30T22:44:07Z DEBUG Executing upgrade plugin: update_ipaconfigstring_dnsversion_to_ipadnsversion 2020-01-30T22:44:07Z DEBUG raw: update_ipaconfigstring_dnsversion_to_ipadnsversion 2020-01-30T22:44:07Z DEBUG Executing upgrade plugin: update_dnszones 2020-01-30T22:44:07Z DEBUG raw: update_dnszones 2020-01-30T22:44:07Z DEBUG raw: dnszone_find(None, all=True, version='2.235') 2020-01-30T22:44:07Z DEBUG dnszone_find(None, forward_only=False, all=True, raw=False, version='2.235', pkey_only=False) 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_dns_limits 2020-01-30T22:44:08Z DEBUG raw: update_dns_limits 2020-01-30T22:44:08Z DEBUG DNS: limits for service krbprincipalname=DNS/srv107.domain.net@UNIX.domain.net,cn=services,cn=accounts,dc=unix,dc=domain.net,dc=net already set 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_sigden_extdom_broken_config 2020-01-30T22:44:08Z DEBUG raw: update_sigden_extdom_broken_config 2020-01-30T22:44:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:44:08Z DEBUG Already done, skipping 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_sids 2020-01-30T22:44:08Z DEBUG raw: update_sids 2020-01-30T22:44:08Z DEBUG 
Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:44:08Z DEBUG SIDs do not need to be generated 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_default_range 2020-01-30T22:44:08Z DEBUG raw: update_default_range 2020-01-30T22:44:08Z DEBUG default_range: ipaDomainIDRange entry found, skip plugin 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_default_trust_view 2020-01-30T22:44:08Z DEBUG raw: update_default_trust_view 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_tdo_gidnumber 2020-01-30T22:44:08Z DEBUG raw: update_tdo_gidnumber 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_tdo_to_new_layout 2020-01-30T22:44:08Z DEBUG raw: update_tdo_to_new_layout 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_host_cifs_keytabs 2020-01-30T22:44:08Z DEBUG raw: update_host_cifs_keytabs 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_tdo_default_read_keys_permissions 2020-01-30T22:44:08Z DEBUG raw: update_tdo_default_read_keys_permissions 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD 
Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_adtrust_agents_members 2020-01-30T22:44:08Z DEBUG raw: update_adtrust_agents_members 2020-01-30T22:44:08Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_ca_renewal_master 2020-01-30T22:44:08Z DEBUG raw: update_ca_renewal_master 2020-01-30T22:44:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:08Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:08Z DEBUG found CA renewal master srv107.domain.net 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_idrange_type 2020-01-30T22:44:08Z DEBUG raw: update_idrange_type 2020-01-30T22:44:08Z DEBUG update_idrange_type: search for ID ranges with no type set 2020-01-30T22:44:08Z DEBUG update_idrange_type: no ID range without type set found 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_pacs 2020-01-30T22:44:08Z DEBUG raw: update_pacs 2020-01-30T22:44:08Z DEBUG PAC for nfs is already set, not adding nfs:NONE. 
2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_service_principalalias 2020-01-30T22:44:08Z DEBUG raw: update_service_principalalias 2020-01-30T22:44:08Z DEBUG update_service_principalalias: search for affected services 2020-01-30T22:44:08Z DEBUG update_service_principalalias: no service to update found 2020-01-30T22:44:08Z DEBUG Executing upgrade plugin: update_fix_duplicate_cacrt_in_ldap 2020-01-30T22:44:08Z DEBUG raw: update_fix_duplicate_cacrt_in_ldap 2020-01-30T22:44:08Z DEBUG raw: ca_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG ca_is_enabled(version='2.235') 2020-01-30T22:44:08Z DEBUG Found 1 entrie(s) for IPA CA in LDAP 2020-01-30T22:44:08Z DEBUG Destroyed connection context.ldap2_140295362935568 2020-01-30T22:44:08Z DEBUG Restarting directory server to apply updates 2020-01-30T22:44:08Z DEBUG Destroyed connection context.ldap2_140295386233872 2020-01-30T22:44:08Z DEBUG Starting external process 2020-01-30T22:44:08Z DEBUG args=['/bin/systemctl', 'restart', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:44:21Z DEBUG Process finished, return code=0 2020-01-30T22:44:21Z DEBUG stdout= 2020-01-30T22:44:21Z DEBUG stderr= 2020-01-30T22:44:21Z DEBUG Restart of dirsrv@UNIX-domain.net-NET.service complete 2020-01-30T22:44:21Z DEBUG Created connection context.ldap2_140295386233872 2020-01-30T22:44:21Z DEBUG Created connection context.ldap2_140295362935568 2020-01-30T22:44:21Z DEBUG Executing upgrade plugin: update_upload_cacrt 2020-01-30T22:44:21Z DEBUG raw: update_upload_cacrt 2020-01-30T22:44:21Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:21Z DEBUG raw: ca_is_enabled(version='2.235') 2020-01-30T22:44:21Z DEBUG ca_is_enabled(version='2.235') 2020-01-30T22:44:21Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:44:21Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-UNIX-domain.net-NET.socket 
conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f99100db190> 2020-01-30T22:44:21Z DEBUG Starting external process 2020-01-30T22:44:21Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-UNIX-domain.net-NET/', '-L', '-f', '/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'] 2020-01-30T22:44:22Z DEBUG Process finished, return code=0 2020-01-30T22:44:22Z DEBUG stdout= Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
UNIX.domain.net IPA CA CT,C,C Server-Cert u,u,u
2020-01-30T22:44:22Z DEBUG stderr= 2020-01-30T22:44:22Z DEBUG Starting external process 2020-01-30T22:44:22Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-UNIX-domain.net-NET/', '-L', '-n', 'UNIX.domain.net IPA CA', '-a', '-f', '/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'] 2020-01-30T22:44:22Z DEBUG Process finished, return code=0 2020-01-30T22:44:22Z DEBUG stdout=-----BEGIN CERTIFICATE----- [PEM body omitted] -----END CERTIFICATE-----
2020-01-30T22:44:22Z DEBUG stderr= 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_ra_cert_store 2020-01-30T22:44:22Z DEBUG raw: update_ra_cert_store 2020-01-30T22:44:22Z DEBUG raw: ca_is_enabled(version='2.235') 2020-01-30T22:44:22Z DEBUG ca_is_enabled(version='2.235') 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_mapping_Guests_to_nobody 2020-01-30T22:44:22Z DEBUG raw: update_mapping_Guests_to_nobody 2020-01-30T22:44:22Z DEBUG raw: adtrust_is_enabled(version='2.235') 2020-01-30T22:44:22Z DEBUG adtrust_is_enabled(version='2.235') 2020-01-30T22:44:22Z DEBUG AD Trusts are not enabled on this server 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: fix_kra_people_entry 2020-01-30T22:44:22Z DEBUG raw: fix_kra_people_entry 2020-01-30T22:44:22Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:22Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_master_to_dnsforwardzones 2020-01-30T22:44:22Z DEBUG raw: update_master_to_dnsforwardzones 2020-01-30T22:44:22Z DEBUG raw: dnsconfig_show(all=True, version='2.235') 2020-01-30T22:44:22Z DEBUG dnsconfig_show(rights=False, all=True, raw=False, version='2.235') 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_dnsforward_emptyzones 2020-01-30T22:44:22Z DEBUG raw: update_dnsforward_emptyzones 2020-01-30T22:44:22Z DEBUG raw: dnsconfig_show(all=True, version='2.235') 2020-01-30T22:44:22Z DEBUG dnsconfig_show(rights=False, all=True, raw=False, version='2.235') 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_managed_post 2020-01-30T22:44:22Z DEBUG raw: update_managed_post 2020-01-30T22:44:22Z DEBUG Executing upgrade plugin: update_managed_permissions 2020-01-30T22:44:22Z DEBUG raw: update_managed_permissions 2020-01-30T22:44:22Z DEBUG Anonymous ACI not found 2020-01-30T22:44:22Z DEBUG Updating managed permissions for automember 2020-01-30T22:44:22Z DEBUG Updating 
managed permission: System: Read Automember Definitions 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Automember Definitions 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Automember Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Automember Rules 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Automember Tasks 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Automember Tasks 2020-01-30T22:44:22Z DEBUG Updating managed permissions for automountkey 2020-01-30T22:44:22Z DEBUG Legacy permission Add Automount keys not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Automount Keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Automount Keys 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Automount keys not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Automount Keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Automount Keys 2020-01-30T22:44:22Z DEBUG Legacy permission Remove Automount keys not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Automount Keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Automount Keys 2020-01-30T22:44:22Z DEBUG Updating managed permissions for automountlocation 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Automount Locations 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Automount Locations 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Automount Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Automount Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Automount Locations 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Automount Locations 2020-01-30T22:44:22Z DEBUG Updating managed permissions for automountmap 2020-01-30T22:44:22Z DEBUG 
Legacy permission Add Automount maps not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Automount Maps 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Automount Maps 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Automount maps not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Automount Maps 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Automount Maps 2020-01-30T22:44:22Z DEBUG Legacy permission Remove Automount maps not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Remove Automount Maps 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Remove Automount Maps 2020-01-30T22:44:22Z DEBUG Updating managed permissions for ca 2020-01-30T22:44:22Z DEBUG Legacy permission Add CA not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add CA 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add CA 2020-01-30T22:44:22Z DEBUG Legacy permission Delete CA not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete CA 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete CA 2020-01-30T22:44:22Z DEBUG Legacy permission Modify CA not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify CA 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify CA 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read CAs 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read CAs 2020-01-30T22:44:22Z DEBUG Updating managed permissions for caacl 2020-01-30T22:44:22Z DEBUG Legacy permission Add CA ACL not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add CA ACL 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add CA ACL 2020-01-30T22:44:22Z DEBUG Legacy permission Delete CA ACL not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete CA ACL 2020-01-30T22:44:22Z DEBUG No changes to 
permission: System: Delete CA ACL 2020-01-30T22:44:22Z DEBUG Legacy permission Manage CA ACL membership not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage CA ACL Membership 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage CA ACL Membership 2020-01-30T22:44:22Z DEBUG Legacy permission Modify CA ACL not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify CA ACL 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify CA ACL 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read CA ACLs 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read CA ACLs 2020-01-30T22:44:22Z DEBUG Updating managed permissions for certmapconfig 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Certmap Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Certmap Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Certmap Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Certmap Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for certmaprule 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Certmap Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Certmap Rules 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete Certmap Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete Certmap Rules 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Certmap Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Certmap Rules 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Certmap Rules 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Certmap Rules 2020-01-30T22:44:22Z DEBUG Updating managed permissions for certprofile 2020-01-30T22:44:22Z DEBUG Legacy permission Delete Certificate Profile not found 
2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete Certificate Profile 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete Certificate Profile 2020-01-30T22:44:22Z DEBUG Legacy permission Import Certificate Profile not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Import Certificate Profile 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Import Certificate Profile 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Certificate Profile not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Certificate Profile 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Certificate Profile 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Certificate Profiles 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Certificate Profiles 2020-01-30T22:44:22Z DEBUG Updating managed permissions for config 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Global Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Global Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for cosentry 2020-01-30T22:44:22Z DEBUG Legacy permission Add Group Password Policy costemplate not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG Legacy permission Delete Group Password Policy costemplate not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Delete Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Delete Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG Legacy permission Modify Group Password Policy costemplate not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify Group Password Policy costemplate 
2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read Group Password Policy costemplate 2020-01-30T22:44:22Z DEBUG Updating managed permissions for dnsconfig 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read DNS Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read DNS Configuration 2020-01-30T22:44:22Z DEBUG Legacy permission Write DNS Configuration not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Write DNS Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Write DNS Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for dnsserver 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Modify DNS Servers Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Modify DNS Servers Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read DNS Servers Configuration 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Read DNS Servers Configuration 2020-01-30T22:44:22Z DEBUG Updating managed permissions for dnszone 2020-01-30T22:44:22Z DEBUG Legacy permission add dns entries not found 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Add DNS Entries 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Add DNS Entries 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage DNSSEC keys 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage DNSSEC keys 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Manage DNSSEC metadata 2020-01-30T22:44:22Z DEBUG No changes to permission: System: Manage DNSSEC metadata 2020-01-30T22:44:22Z DEBUG Updating managed permission: System: Read DNS Entries 2020-01-30T22:44:22Z DEBUG No changes to 
permission_del(('System: Read Creator and Modifier Operational Attributes',), force=True, version='2.101') 2020-01-30T22:44:23Z DEBUG permission_del(('System: Read Creator and Modifier Operational Attributes',), continue=False, force=True, version='2.101') 2020-01-30T22:44:23Z DEBUG Obsolete permission not found 2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_read_replication_agreements_permission 2020-01-30T22:44:23Z DEBUG raw: update_read_replication_agreements_permission 2020-01-30T22:44:23Z DEBUG Old permission not found 2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_idrange_baserid 2020-01-30T22:44:23Z DEBUG raw: update_idrange_baserid 2020-01-30T22:44:23Z DEBUG update_idrange_baserid: search for ipa-ad-trust-posix ID ranges with ipaBaseRID != 0 2020-01-30T22:44:23Z DEBUG update_idrange_baserid: no AD domain range with posix attributes found 2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_passync_privilege_update 2020-01-30T22:44:23Z DEBUG raw: update_passync_privilege_update 2020-01-30T22:44:23Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:44:23Z DEBUG PassSync privilege update not needed 2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_dnsserver_configuration_into_ldap 2020-01-30T22:44:23Z DEBUG raw: update_dnsserver_configuration_into_ldap 2020-01-30T22:44:23Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:44:23Z DEBUG upgrade is not needed 2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_ldap_server_list 2020-01-30T22:44:23Z DEBUG raw: update_ldap_server_list 2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_dna_shared_config 2020-01-30T22:44:23Z DEBUG raw: update_dna_shared_config 2020-01-30T22:44:23Z DEBUG 2 entries dnaHostname=srv107.domain.net under cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=unix,dc=domain.net,dc=net. 
One expected 2020-01-30T22:44:23Z DEBUG Executing upgrade plugin: update_unhashed_password 2020-01-30T22:44:23Z DEBUG raw: update_unhashed_password 2020-01-30T22:44:23Z DEBUG Upgrading unhashed password configuration 2020-01-30T22:44:23Z DEBUG Unhashed password this is not a winsync deployment 2020-01-30T22:44:23Z DEBUG LDAP update duration: /usr/share/ipa/updates/90-post_upgrade_plugins.update 18.773 sec 2020-01-30T22:44:23Z DEBUG Destroyed connection context.ldap2_140295362935568 2020-01-30T22:44:23Z DEBUG step duration: dirsrv __upgrade 27.81 sec 2020-01-30T22:44:23Z DEBUG [9/11]: stopping directory server 2020-01-30T22:44:23Z DEBUG Destroyed connection context.ldap2_140295386233872 2020-01-30T22:44:23Z DEBUG Starting external process 2020-01-30T22:44:23Z DEBUG args=['/bin/systemctl', 'stop', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:44:26Z DEBUG Process finished, return code=0 2020-01-30T22:44:26Z DEBUG stdout= 2020-01-30T22:44:26Z DEBUG stderr= 2020-01-30T22:44:26Z DEBUG Stop of dirsrv@UNIX-domain.net-NET.service complete 2020-01-30T22:44:26Z DEBUG step duration: dirsrv __stop_instance 3.24 sec 2020-01-30T22:44:26Z DEBUG [10/11]: restoring configuration 2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:26Z DEBUG step duration: dirsrv __restore_config 0.09 sec 2020-01-30T22:44:26Z DEBUG [11/11]: starting directory server 2020-01-30T22:44:26Z DEBUG Starting external process 2020-01-30T22:44:26Z DEBUG args=['/bin/systemctl', 'start', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:44:39Z DEBUG Process finished, return code=0 2020-01-30T22:44:39Z DEBUG stdout= 2020-01-30T22:44:39Z DEBUG stderr= 2020-01-30T22:44:39Z DEBUG Start of dirsrv@UNIX-domain.net-NET.service complete 2020-01-30T22:44:39Z DEBUG Created connection context.ldap2_140295386233872 2020-01-30T22:44:39Z DEBUG step duration: dirsrv __start 13.00 sec 2020-01-30T22:44:39Z DEBUG Done. 2020-01-30T22:44:39Z DEBUG service duration: dirsrv 67.87 sec 2020-01-30T22:44:39Z INFO Update complete 2020-01-30T22:44:39Z INFO Upgrading the configuration of the IPA services 2020-01-30T22:44:39Z DEBUG IPA version 4.8.4-2.fc31 2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:39Z DEBUG Starting external process 2020-01-30T22:44:39Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:44:39Z DEBUG Process finished, return code=0 2020-01-30T22:44:39Z DEBUG stdout=active
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/usr/sbin/selinuxenabled']
2020-01-30T22:44:39Z DEBUG Process finished, return code=0
2020-01-30T22:44:39Z DEBUG stdout=
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/sbin/restorecon', '/etc/pkcs11/modules/softhsm2.module']
2020-01-30T22:44:39Z DEBUG Process finished, return code=0
2020-01-30T22:44:39Z DEBUG stdout=
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Created PKCS#11 module config '/etc/pkcs11/modules/softhsm2.module'.
2020-01-30T22:44:39Z INFO [Verifying that root certificate is published]
2020-01-30T22:44:39Z DEBUG Certificate file exists
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-01-30T22:44:39Z DEBUG Trying to find certificate subject base in sysupgrade
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:39Z DEBUG Found certificate subject base in sysupgrade: O=UNIX.domain.net
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:39Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-01-30T22:44:39Z DEBUG request POST http://srv107.domain.net:8080/ca/admin/ca/getStatus
2020-01-30T22:44:39Z DEBUG request body ''
2020-01-30T22:44:39Z DEBUG response status 500
2020-01-30T22:44:39Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: de
Content-Length: 2021
Date: Thu, 30 Jan 2020 22:44:39 GMT
Connection: close
2020-01-30T22:44:39Z DEBUG response body (decoded): b'<!doctype html><html lang="de"><head><title>HTTP Status 500 \xe2\x80\x93 Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Subsystem unavailable</p><p><b>Beschreibung</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Hinweis</b> Der komplette Stacktrace der Ursache ist in den Server logs zu finden</p><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
2020-01-30T22:44:39Z DEBUG Failed to check CA status: Retrieving CA status failed with status 500
2020-01-30T22:44:39Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-01-30T22:44:39Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-01-30T22:44:39Z DEBUG Ensuring that service pki-tomcatd@pki-tomcat is not running while the next set of commands is being executed.
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:39Z DEBUG Process finished, return code=0
2020-01-30T22:44:39Z DEBUG stdout=active
2020-01-30T22:44:39Z DEBUG stderr=
2020-01-30T22:44:39Z DEBUG Stopping pki-tomcatd@pki-tomcat.
2020-01-30T22:44:39Z DEBUG Starting external process
2020-01-30T22:44:39Z DEBUG args=['/bin/systemctl', 'stop', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:41Z DEBUG Process finished, return code=0
2020-01-30T22:44:41Z DEBUG stdout=
2020-01-30T22:44:41Z DEBUG stderr=
2020-01-30T22:44:41Z DEBUG Stop of pki-tomcatd@pki-tomcat.service complete
2020-01-30T22:44:41Z DEBUG Starting external process
2020-01-30T22:44:41Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:41Z DEBUG Process finished, return code=3
2020-01-30T22:44:41Z DEBUG stdout=inactive
2020-01-30T22:44:41Z DEBUG stderr=
2020-01-30T22:44:41Z INFO [Migrate CRL publish directory]
2020-01-30T22:44:41Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2020-01-30T22:44:41Z INFO CRL tree already moved
2020-01-30T22:44:41Z DEBUG Starting pki-tomcatd@pki-tomcat.
2020-01-30T22:44:41Z DEBUG Starting external process
2020-01-30T22:44:41Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:44Z DEBUG Process finished, return code=0
2020-01-30T22:44:44Z DEBUG stdout=
2020-01-30T22:44:44Z DEBUG stderr=
2020-01-30T22:44:44Z DEBUG Starting external process
2020-01-30T22:44:44Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:44Z DEBUG Process finished, return code=0
2020-01-30T22:44:44Z DEBUG stdout=active
2020-01-30T22:44:44Z DEBUG stderr=
2020-01-30T22:44:44Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 120
2020-01-30T22:44:44Z DEBUG waiting for port: 8080
2020-01-30T22:44:44Z DEBUG Failed to connect to port 8080 tcp on ::1
2020-01-30T22:44:44Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
2020-01-30T22:44:47Z DEBUG SUCCESS: port: 8080
2020-01-30T22:44:47Z DEBUG waiting for port: 8443
2020-01-30T22:44:47Z DEBUG SUCCESS: port: 8443
2020-01-30T22:44:47Z DEBUG Start of pki-tomcatd@pki-tomcat.service complete
2020-01-30T22:44:47Z DEBUG Starting external process
2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:47Z DEBUG Process finished, return code=0
2020-01-30T22:44:47Z DEBUG stdout=
2020-01-30T22:44:47Z DEBUG stderr=
2020-01-30T22:44:47Z DEBUG Starting external process
2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2020-01-30T22:44:47Z DEBUG Process finished, return code=0
2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr=
2020-01-30T22:44:47Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 120
2020-01-30T22:44:47Z DEBUG waiting for port: 8080
2020-01-30T22:44:47Z DEBUG SUCCESS: port: 8080
2020-01-30T22:44:47Z DEBUG waiting for port: 8443
2020-01-30T22:44:47Z DEBUG SUCCESS: port: 8443
2020-01-30T22:44:47Z DEBUG Start of pki-tomcatd@pki-tomcat.service complete
2020-01-30T22:44:47Z DEBUG Starting external process
2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service']
2020-01-30T22:44:47Z DEBUG Process finished, return code=0
2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z INFO [Verifying that KDC configuration is using ipa-kdb backend] 2020-01-30T22:44:47Z DEBUG dbmodules already updated in /etc/krb5.conf 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/getsebool', 'httpd_can_network_connect'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=httpd_can_network_connect --> on
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/getsebool', 'httpd_manage_ipa'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=httpd_manage_ipa --> on
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/getsebool', 'httpd_run_ipa'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=httpd_run_ipa --> on
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/getsebool', 'httpd_dbus_sssd'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=httpd_dbus_sssd --> on
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-enabled', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=enabled
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'enable', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'start', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', 'is-active', 'oddjobd.service'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout=active
2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Start of oddjobd.service complete 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/sbin/restorecon', '/etc/systemd/system/dirsrv@UNIX-domain.net-NET.service.d/ipa-env.conf'] 2020-01-30T22:44:47Z DEBUG Process finished, return code=0 2020-01-30T22:44:47Z DEBUG stdout= 2020-01-30T22:44:47Z DEBUG stderr= 2020-01-30T22:44:47Z DEBUG Starting external process 2020-01-30T22:44:47Z DEBUG args=['/bin/systemctl', '--system', 'daemon-reload'] 2020-01-30T22:44:48Z DEBUG Process finished, return code=0 2020-01-30T22:44:48Z DEBUG stdout= 2020-01-30T22:44:48Z DEBUG stderr= 2020-01-30T22:44:48Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:44:48Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990ebc3450> 2020-01-30T22:44:48Z DEBUG Destroyed connection context.ldap2_140295386233872 2020-01-30T22:44:48Z DEBUG Starting external process 2020-01-30T22:44:48Z DEBUG args=['/bin/systemctl', 'stop', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:44:50Z DEBUG Process finished, return code=0 2020-01-30T22:44:50Z DEBUG stdout= 2020-01-30T22:44:50Z DEBUG stderr= 2020-01-30T22:44:50Z DEBUG Stop of dirsrv@UNIX-domain.net-NET.service complete 2020-01-30T22:44:50Z INFO [Fix DS schema file syntax] 2020-01-30T22:44:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:44:50Z INFO Syntax already fixed 2020-01-30T22:44:50Z INFO [Removing RA cert from DS NSS database] 2020-01-30T22:44:50Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 
2020-01-30T22:44:50Z INFO RA cert already removed 2020-01-30T22:44:50Z DEBUG Starting external process 2020-01-30T22:44:50Z DEBUG args=['/bin/systemctl', 'start', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:45:02Z DEBUG Process finished, return code=0 2020-01-30T22:45:02Z DEBUG stdout= 2020-01-30T22:45:02Z DEBUG stderr= 2020-01-30T22:45:02Z DEBUG Starting external process 2020-01-30T22:45:02Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@UNIX-domain.net-NET.service'] 2020-01-30T22:45:02Z DEBUG Process finished, return code=0 2020-01-30T22:45:02Z DEBUG stdout=active
2020-01-30T22:45:02Z DEBUG stderr= 2020-01-30T22:45:02Z DEBUG wait_for_open_ports: localhost [389] timeout 120 2020-01-30T22:45:02Z DEBUG waiting for port: 389 2020-01-30T22:45:02Z DEBUG SUCCESS: port: 389 2020-01-30T22:45:02Z DEBUG Start of dirsrv@UNIX-domain.net-NET.service complete 2020-01-30T22:45:02Z DEBUG Created connection context.ldap2_140295386233872 2020-01-30T22:45:02Z INFO [Enable sidgen and extdom plugins by default] 2020-01-30T22:45:02Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:02Z DEBUG sidgen and extdom plugins are enabled already 2020-01-30T22:45:02Z DEBUG Starting external process 2020-01-30T22:45:02Z DEBUG args=['/bin/systemctl', 'stop', 'httpd.service'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Stop of httpd.service complete 2020-01-30T22:45:04Z INFO [Updating HTTPD service IPA configuration] 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/sbin/restorecon', '/etc/systemd/system/httpd.service.d/ipa.conf'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/bin/systemctl', '--system', 'daemon-reload'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z INFO [Updating HTTPD service IPA WSGI configuration] 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:45:04Z DEBUG Process 
finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/sbin/restorecon', '/etc/httpd/conf.modules.d/02-ipa-wsgi.conf'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z INFO [Migrating from mod_nss to mod_ssl] 2020-01-30T22:45:04Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:04Z INFO Already migrated to mod_ssl 2020-01-30T22:45:04Z INFO [Moving HTTPD service keytab to gssproxy] 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/usr/sbin/selinuxenabled'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/sbin/restorecon', '/etc/gssproxy/10-ipa.conf'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/bin/systemctl', 'restart', 'gssproxy.service'] 2020-01-30T22:45:04Z DEBUG Process finished, return code=0 2020-01-30T22:45:04Z DEBUG stdout= 2020-01-30T22:45:04Z DEBUG stderr= 2020-01-30T22:45:04Z DEBUG Starting external process 2020-01-30T22:45:04Z DEBUG args=['/bin/systemctl', 'is-active', 'gssproxy.service'] 2020-01-30T22:45:05Z DEBUG Process finished, return code=0 2020-01-30T22:45:05Z DEBUG stdout=active
2020-01-30T22:45:05Z DEBUG stderr= 2020-01-30T22:45:05Z DEBUG Restart of gssproxy.service complete 2020-01-30T22:45:05Z DEBUG Starting external process 2020-01-30T22:45:05Z DEBUG args=['/bin/systemctl', 'start', 'httpd.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout= 2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'is-active', 'httpd.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout=active
2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Start of httpd.service complete 2020-01-30T22:45:06Z INFO [Removing self-signed CA] 2020-01-30T22:45:06Z DEBUG Self-signed CA is not installed 2020-01-30T22:45:06Z INFO [Removing Dogtag 9 CA] 2020-01-30T22:45:06Z DEBUG Dogtag is version 10 or above 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z INFO [Checking for deprecated KDC configuration files] 2020-01-30T22:45:06Z INFO [Checking for deprecated backups of Samba configuration files] 2020-01-30T22:45:06Z DEBUG raw: ca_is_enabled(version='2.235') 2020-01-30T22:45:06Z DEBUG ca_is_enabled(version='2.235') 2020-01-30T22:45:06Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:45:06Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990eb07c10> 2020-01-30T22:45:06Z DEBUG raw: kra_is_enabled(version='2.235') 2020-01-30T22:45:06Z DEBUG kra_is_enabled(version='2.235') 2020-01-30T22:45:06Z DEBUG Cleaning up after pkispawn for the CA subsystem 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:06Z DEBUG Removing /root/.dogtag/pki-tomcat/ca 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=3 2020-01-30T22:45:06Z DEBUG stdout=inactive
2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'start', 'named-pkcs11.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout= 2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout=active
2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Start of named-pkcs11.service complete 2020-01-30T22:45:06Z INFO [Add missing CA DNS records] 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z INFO IPA CA DNS records already processed 2020-01-30T22:45:06Z INFO [Removing deprecated DNS configuration options] 2020-01-30T22:45:06Z DEBUG No changes made 2020-01-30T22:45:06Z INFO [Ensuring minimal number of connections] 2020-01-30T22:45:06Z DEBUG No changes made 2020-01-30T22:45:06Z INFO [Updating GSSAPI configuration in DNS] 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip GSSAPI configuration check 2020-01-30T22:45:06Z INFO [Updating pid-file configuration in DNS] 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip pid-file configuration check 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG dnssec-enabled in /etc/named.conf 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG dnssec-validate already configured in /etc/named.conf 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip bindkey-file configuration check 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip managed-keys-directory configuration check 
2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Skip root key configuration check 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:06Z INFO [Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones] 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:06Z INFO Changes to named.conf have been made, restart named 2020-01-30T22:45:06Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2020-01-30T22:45:06Z DEBUG Process finished, return code=0 2020-01-30T22:45:06Z DEBUG stdout=active
2020-01-30T22:45:06Z DEBUG stderr= 2020-01-30T22:45:06Z DEBUG Starting external process 2020-01-30T22:45:06Z DEBUG args=['/bin/systemctl', 'restart', 'named-pkcs11.service'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout= 2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:07Z DEBUG Starting external process 2020-01-30T22:45:07Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout=active
2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:07Z DEBUG Restart of named-pkcs11.service complete 2020-01-30T22:45:07Z DEBUG Starting external process 2020-01-30T22:45:07Z DEBUG args=['/bin/systemctl', 'stop', 'named-pkcs11.service'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout= 2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:07Z DEBUG Stop of named-pkcs11.service complete 2020-01-30T22:45:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2020-01-30T22:45:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:07Z INFO [Upgrading CA schema] 2020-01-30T22:45:07Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif 2020-01-30T22:45:07Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif 2020-01-30T22:45:07Z DEBUG Not updating schema 2020-01-30T22:45:07Z INFO CA schema update complete (no changes) 2020-01-30T22:45:07Z INFO [Verifying that CA audit signing cert has 2 year validity] 2020-01-30T22:45:07Z DEBUG caSignedLogCert.cfg profile validity range is 720 2020-01-30T22:45:07Z INFO [Update certmonger certificate renewal configuration] 2020-01-30T22:45:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:07Z DEBUG Starting external process 2020-01-30T22:45:07Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-UNIX-domain.net-NET/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout=
2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:07Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2020-01-30T22:45:07Z DEBUG Starting external process 2020-01-30T22:45:07Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt'] 2020-01-30T22:45:07Z DEBUG Process finished, return code=0 2020-01-30T22:45:07Z DEBUG stdout= Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu ocspSigningCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu subsystemCert cert-pki-ca u,u,u
2020-01-30T22:45:07Z DEBUG stderr= 2020-01-30T22:45:08Z INFO Certmonger certificate renewal configuration already up-to-date 2020-01-30T22:45:08Z INFO [Enable PKIX certificate path discovery and validation] 2020-01-30T22:45:08Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2020-01-30T22:45:08Z INFO PKIX already enabled 2020-01-30T22:45:08Z INFO [Authorizing RA Agent to modify profiles] 2020-01-30T22:45:08Z INFO [Authorizing RA Agent to manage lightweight CAs] 2020-01-30T22:45:08Z INFO [Ensuring Lightweight CAs container exists in Dogtag database] 2020-01-30T22:45:08Z DEBUG Created connection context.ldap2_140295338427216 2020-01-30T22:45:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:45:08Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990dda6ed0> 2020-01-30T22:45:08Z DEBUG Destroyed connection context.ldap2_140295338427216 2020-01-30T22:45:08Z INFO [Adding default OCSP URI configuration] 2020-01-30T22:45:08Z INFO [Disabling cert publishing] 2020-01-30T22:45:08Z INFO [Ensuring CA is using LDAPProfileSubsystem] 2020-01-30T22:45:08Z INFO [Migrating certificate profiles to LDAP] 2020-01-30T22:45:08Z DEBUG Created connection context.ldap2_140295344329552 2020-01-30T22:45:08Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket from SchemaCache 2020-01-30T22:45:08Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-UNIX-domain.net-NET.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f990dc02d90> 2020-01-30T22:45:08Z DEBUG Destroyed connection context.ldap2_140295344329552 2020-01-30T22:45:08Z DEBUG request GET https://srv107.domain.net:8443/ca/rest/account/login 2020-01-30T22:45:08Z DEBUG request body '' 2020-01-30T22:45:09Z DEBUG response status 500 2020-01-30T22:45:09Z DEBUG response headers Content-Type: text/html;charset=utf-8 
Content-Language: de Content-Length: 2021 Date: Thu, 30 Jan 2020 22:45:09 GMT Connection: close
2020-01-30T22:45:09Z DEBUG response body (decoded): b'<!doctype html><html lang="de"><head><title>HTTP Status 500 \xe2\x80\x93 Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Subsystem unavailable</p><p><b>Beschreibung</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:150)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Hinweis</b> Der 
komplette Stacktrace der Ursache ist in den Server logs zu finden</p><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
2020-01-30T22:45:09Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2020-01-30T22:45:09Z DEBUG   File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 2270, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 2139, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 414, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", line 1941, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", line 1947, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
This error occurs when IPA framework tries to authenticate to Dogtag CA and it fails. It is using the certificate located in /var/lib/ipa/ra-agent.pem. According to your getcert output, the cert is valid. You will need to check if it is consistent with what is stored in LDAP. Note the values related to the actual certificate:

$ cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
MII...NSF
-----END CERTIFICATE-----

$ openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=<cert serial>
subject= CN=IPA RA,O=<your domain>
issuer= CN=Certificate Authority,O=<your domain>

Then compare the result with the LDAP entry:

$ ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W \
  -b uid=ipara,ou=people,o=ipaca dn description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;23;CN=Certificate Authority,O=<your domain>;CN=IPA RA,O=<your domain>
usercertificate:: MII..NSF
usercertificate:: MII...tKR/c

1/ The usercertificate attribute may contain multiple values. Make sure that one of them corresponds to the value from the file /var/lib/ipa/ra-agent.pem.
2/ The description attribute must contain 2;<cert serial>;<cert issuer>;<cert subject>

If it's not the case you can use ldapmodify to update the ldap entry with what is expected.
HTH, flo
2020-01-30T22:45:09Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-01-30T22:45:09Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-01-30T22:45:09Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@srv107 ipa]# getcert list Number of certificates and requests being tracked: 9. Request ID '20171212100014': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=srv107.domain.net,O=UNIX.domain.net subject: CN=srv107.domain.net,O=UNIX.domain.net expires: 2020-10-17 12:00:24 CEST principal name: krbtgt/UNIX.domain.net@UNIX.domain.net certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20190904114922': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=CA Audit,O=UNIX.domain.net expires: 2020-06-09 16:12:06 CEST key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190904114923': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=OCSP Subsystem,O=UNIX.domain.net expires: 2020-06-09 16:12:03 CEST eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes 
auto-renew: yes Request ID '20190904114924': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=CA Subsystem,O=UNIX.domain.net expires: 2020-06-09 16:12:05 CEST key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190904114925': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=Certificate Authority,O=UNIX.domain.net expires: 2036-07-28 16:11:50 CEST key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190904114926': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=srv107.domain.net,O=UNIX.domain.net expires: 2020-06-09 16:12:14 CEST key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20190904114927': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=IPA RA,O=UNIX.domain.net expires: 2020-06-09 16:12:52 CEST key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20190904114928': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=srv107.domain.net,O=UNIX.domain.net expires: 2020-07-01 16:13:09 CEST principal name: ldap/srv107.domain.net@UNIX.domain.net key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv UNIX-domain.net-NET track: yes auto-renew: yes Request ID '20190904114929': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/srv107.domain.net-443-RSA' certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' CA: IPA issuer: CN=Certificate Authority,O=UNIX.domain.net 
subject: CN=srv107.domain.net,O=UNIX.domain.net expires: 2020-07-01 16:18:01 CEST principal name: HTTP/srv107.domain.net@UNIX.domain.net key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes
Thank you if you maybe find something I've overlooked.
Jochen
On Monday, January 20, 2020 13:15 CET, Florence Blanc-Renaud flo@redhat.com wrote:
On 1/20/20 9:39 AM, Jochen Demmer via FreeIPA-users wrote:
I suffer the exact same problem and already tried to upgrade twice but every time the update fails.
The ldap server does not listen when I check with ss or netstat. I reverted back to Fedora 30 with snapshots every time.
Hi,
can you paste the logs from /var/logs/ipaupgrade.log? We would need the full logs as the error may differ between a first run and a second run. When the packages are upgraded, the script ipa-server-upgrade is called and starts by disabling the LDAP server ports to avoid any LDAP operation during the upgrade. Then the script performs its duty, and re-enables the port. If there is an untrapped failure before the ports are re-enabled, or the user repeatedly presses CTRL-C, we sometimes end up in a situation where the ports are still disabled (please see ticket https://pagure.io/freeipa/issue/7534) after the ipa-server-upgrade script exits. If the user re-runs ipa-server-upgrade at this point, the script output will be completely different but will not give us any hint related to the original failure root cause. That's why we need the full logs.
If you are in a situation where the LDAP server isn't listening:
0. stop IPA with ipactl stop
1. edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
2. set nsslapd-port to 389
3. set nsslapd-security to on
4. set nsslapd-global-backend-lock to off (if you have this attribute at all)
5. restart IPA with ipactl start
If the services are able to restart at this point, try to run ipa-server-upgrade and provide full logs.
HTH, flo
Can someone help me to work this around. The OP writes of an IP that changed but mine didn't. Where can I find a clue why ldap does not listen?
Jochen
Hi,
these are the outputs:
[root@srv107 ipa]# openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET
[root@srv107 ipa]# openssl x509 -noout -in ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET
[root@srv107 ipa]# ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca dn description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET
usercertificate::
usercertificate:: MIIadDCCAlygAwIBAgIBFTANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKDA5VTklYLkdPU0lYLk5FVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE4MDYyMDE0MTI1MloXDTIwMDYwOTE0MTI1MlowKjEXMBUGA1UEChMOVU5JWC5HT1NJWC5ORVQxDzANBgNVBAMTBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMxnrp8441QA/vzIB/0a9kT5IAH9yACEx8lirOspAOmn8ziFYUvB4idMqd4wKpuIeFhl4LDMN++HJGsfAGbon7LQ0lvlxz16ntdMazfmqSCwgSycroDLJEBHZW0vC6NslOVI808nnc7D+xcrOaGFaisDbjWYFn9LQoBHOAACtgGHmLQWszsQyrZhg0zbhzHoBDfSu6UtyCIuDP4lQ3tZdnNygP1x8cEmCUrAzEl3wqY24qQHMF7RglAb+O7/9A8UURXMi6QwIkbyucPA3Wh+RdHy41xhqDI/bmcq7Nas814PIHjhZQJTT02tdEqYYDgmv/dNqfT/OkYUHNah2Jf8ZL0CAwEAAaOBlTCBkjAfBgNVHSMEGDAWgBROuje6JvS5f3aN0Qk0DRDGjOWHRjBABggrBgEFBQcBAQQ0MDIwMAYIKwYBBQUHMAGGJGh0dHA6Ly9pcGEtY2EudW5peC5nb3NpeC5uZXQvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQB+WTlsE5LmEvbfEk/fOlKfwkNv187o/6AtwBxrjvC0D0QobfnxSIgd7R905haHf9fyONYsQKn8mlbghtY3URfGnfYNXJ9ez1pOqoCAlpy5Z5tvDlQMGvVVjk/9pSibTI90noZeMrUE+Tetq45c8ZjFXxcrH4R07xUDRXZg8AXviQMyclUSZbWKsIL7a979Hp13q8sJ8MAod1OhqdP6EOk84AOyRcQuRhv5uEdeDSN4k+4mMSZGnMlKO+0gKnhUIq63/TlW8wp7NhCE+kYdOkF4M0lBYOPE66d/4VdX45soMdp4WphjZMrirarhFJvHpHloUwdoiIFglPvOkvbWndbM
I can see that the serial is different but I cannot compare the usercertificate attributes since they are not given in the openssl command output.
Shall I just adjust the serial and try again?
Jochen
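The comparison described in the quoted advice (ra-agent.pem against the uid=ipara entry), as an added example that is not part of the thread and not FreeIPA code. It matches the PEM file against the usercertificate values by decoded bytes and builds the expected description, converting the serial that openssl prints in hexadecimal to the decimal form used in description; all sample inputs are constructed, the DN strings are compared exactly as an assumption, and the function names are hypothetical.

```python
import base64
import re


def pem_to_der(pem_text):
    """Decode the first PEM certificate block to its raw DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def parse_openssl_fields(text):
    """Read the serial=, subject= and issuer= lines printed by openssl x509."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("serial", "subject", "issuer"):
            fields[key.strip()] = value.strip()
    return fields


def expected_description(fields):
    """Build 2;<serial>;<issuer>;<subject> with the serial in decimal."""
    serial = int(fields["serial"], 16)  # openssl prints the serial in hex
    return "2;%d;%s;%s" % (serial, fields["issuer"], fields["subject"])


def parse_ldif_entry(ldif_text):
    """Collect the attribute values of one unwrapped LDIF entry as bytes."""
    entry = {}
    for line in ldif_text.splitlines():
        m = re.match(r"([A-Za-z][A-Za-z0-9;-]*)(::?) ?(.*)$", line)
        if m is None:
            continue  # e.g. the "Enter LDAP Password:" prompt
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        # "attr:: value" is base64 in LDIF, "attr: value" is plain text.
        raw = base64.b64decode(value) if sep == "::" else value.encode("utf-8")
        entry.setdefault(name, []).append(raw)
    return entry


def check_ra_agent(pem_text, openssl_text, ldif_text):
    """Return a list of inconsistencies; an empty list means both checks pass."""
    problems = []
    entry = parse_ldif_entry(ldif_text)
    # Check 1: one usercertificate value must be the certificate in the file.
    if pem_to_der(pem_text) not in entry.get("usercertificate", []):
        problems.append("usercertificate: no value matches ra-agent.pem")
    # Check 2: description must describe that same certificate.
    want = expected_description(parse_openssl_fields(openssl_text))
    have = [v.decode("utf-8", "replace") for v in entry.get("description", [])]
    if want not in have:
        problems.append("description: found %r, expected %r" % (have, want))
    return problems


# --- Constructed sample data (not taken from the thread) -------------------
# The "certificate" bytes are opaque stand-ins; only equality matters here.
FAKE_DER_CURRENT = b"constructed stand-in for the DER bytes of the current RA cert"
FAKE_DER_OLD = b"constructed stand-in for the DER bytes of an older RA cert"


def to_pem(der):
    """Wrap bytes in a PEM certificate envelope with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN CERTIFICATE-----\n" + body +
            "\n-----END CERTIFICATE-----\n")


SAMPLE_PEM = to_pem(FAKE_DER_CURRENT)
SAMPLE_OPENSSL = (
    "serial=1F\n"
    "subject= CN=IPA RA,O=EXAMPLE.TEST\n"
    "issuer= CN=Certificate Authority,O=EXAMPLE.TEST\n"
)
SAMPLE_LDIF = (
    "Enter LDAP Password: \n"
    "dn: uid=ipara,ou=people,o=ipaca\n"
    "description: 2;31;CN=Certificate Authority,O=EXAMPLE.TEST;"
    "CN=IPA RA,O=EXAMPLE.TEST\n"
    "usercertificate:: " + base64.b64encode(FAKE_DER_OLD).decode() + "\n"
    "usercertificate:: " + base64.b64encode(FAKE_DER_CURRENT).decode() + "\n"
)

if __name__ == "__main__":
    print(check_ra_agent(SAMPLE_PEM, SAMPLE_OPENSSL, SAMPLE_LDIF) or "consistent")
```

With ldapsearch run using -o ldif-wrap=no, each usercertificate value is the same base64 text as the body of the PEM file once its line breaks are removed, which is why the byte comparison works.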
On Friday, January 31, 2020 10:29 CET, Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: This error occurs when IPA framework tries to authenticate to Dogtag CA and it fails. It is using the certificate located in /var/lib/ipa/ra-agent.pem. According to your getcert output, the cert is valid. You will need to check if it is consistent with what is stored in LDAP. Note the values related to the actual certificate: $ cat /var/lib/ipa/ra-agent.pem -----BEGIN CERTIFICATE----- MII...NSF -----END CERTIFICATE-----
$ openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253 serial=<cert serial> subject= CN=IPA RA,O=<your domain> issuer= CN=Certificate Authority,O=<your domain>
Then compare the result with the ldapentry: $ ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W \ -b uid=ipara,ou=people,o=ipaca dn description usercertificate Enter LDAP Password: dn: uid=ipara,ou=people,o=ipaca description: 2;23;CN=Certificate Authority,O=<your domain>;CN=IPA RA,O=<your domain> usercertificate:: MII..NSF usercertificate:: MII...tKR/c
1/ The usercertificate attribute may contain multiple values. Make sure that one of them corresponds to the value from the file /var/lib/ipa/ra-agent.pem. 2/ The description attribute must contain 2;<cert serial>;<cert issuer>;<cert subject> If it's not the case you can use ldapmodify to update the ldap entry with what is expected.
HTH, flo
2020-01-30T22:45:09Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API 2020-01-30T22:45:09Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API 2020-01-30T22:45:09Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@srv107 ipa]# getcert list Number of certificates and requests being tracked: 9. Request ID '20171212100014': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=srv107.domain.net,O=UNIX.domain.net subject: CN=srv107.domain.net,O=UNIX.domain.net expires: 2020-10-17 12:00:24 CEST principal name: krbtgt/UNIX.domain.net@UNIX.domain.net certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20190904114922': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=CA Audit,O=UNIX.domain.net expires: 2020-06-09 16:12:06 CEST key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190904114923': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNIX.domain.net subject: CN=OCSP Subsystem,O=UNIX.domain.net expires: 2020-06-09 16:12:03 CEST eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes 
    auto-renew: yes
Request ID '20190904114924':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=CA Subsystem,O=UNIX.domain.net
    expires: 2020-06-09 16:12:05 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114925':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=Certificate Authority,O=UNIX.domain.net
    expires: 2036-07-28 16:11:50 CEST
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114926':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-06-09 16:12:14 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114927':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=IPA RA,O=UNIX.domain.net
    expires: 2020-06-09 16:12:52 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190904114928':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-07-01 16:13:09 CEST
    principal name: ldap/srv107.domain.net@UNIX.domain.net
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv UNIX-domain.net-NET
    track: yes
    auto-renew: yes
Request ID '20190904114929':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/srv107.domain.net-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-07-01 16:18:01 CEST
    principal name: HTTP/srv107.domain.net@UNIX.domain.net
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Thank you if you maybe find something I've overlooked.
Jochen
On Monday, January 20, 2020 13:15 CET, Florence Blanc-Renaud flo@redhat.com wrote:
On 1/20/20 9:39 AM, Jochen Demmer via FreeIPA-users wrote:
I suffer the exact same problem and already tried to upgrade twice but every time the update fails.
The ldap server does not listen when I check with ss or netstat. I reverted back to Fedora 30 with snapshots every time.
Hi,
can you paste the logs from /var/logs/ipaupgrade.log? We would need the full logs as the error may differ between a first run and a second run. When the packages are upgraded, the script ipa-server-upgrade is called and starts by disabling the LDAP server ports to avoid any LDAP operation during the upgrade. Then the script performs its duty, and re-enables the port. If there is an untrapped failure before the ports are re-enabled, or the user repeatedly presses CTRL-C, we sometimes end up in a situation where the ports are still disabled (please see ticket https://pagure.io/freeipa/issue/7534) after the ipa-server-upgrade script exits. If the user re-runs ipa-server-upgrade at this point, the script output will be completely different but will not give us any hint related to the original failure root cause. That's why we need the full logs.
If you are in a situation where the LDAP server isn't listening:
0. stop IPA with ipactl stop
1. edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
2. set nsslapd-port to 389
3. set nsslapd-security to on
4. set nsslapd-global-backend-lock to off (if you have this attribute at all)
5. restart IPA with ipactl start
If the services are able to restart at this point, try to run ipa-server-upgrade and provide full logs.
HTH, flo
Can someone help me to work this around. The OP writes of an IP that changed but mine didn't. Where can I find a clue why ldap does not listen?
Jochen
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 2/2/20 11:30 PM, Jochen Demmer via FreeIPA-users wrote:
Hi,
these are the outputs:
[root@srv107 ipa]# openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET

[root@srv107 ipa]# openssl x509 -noout -in ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET
[root@srv107 ipa]# ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca dn description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET
usercertificate:: [base64 certificate value removed]
usercertificate:: [base64 certificate value removed]
I can see that the serial is different but I cannot compare the usercertificate attributes since they are not given in the openssl command output.
Hi,
Serial is 15 on the node srv107 but 21 in LDAP. This means that the cert was renewed but the local file didn't get updated. Can you check first which node is your CA renewal master?
$ kinit admin
$ ipa config-show | grep "CA renewal master"
  IPA CA renewal master: master.ipa.domain

On this node check that the file /var/lib/ipa/ra-agent.pem and the content in ldap are consistent. You can do just
$ cat /var/lib/ipa/ra-agent.pem
to compare the content of the cert with the usercertificate attribute of the ldap entry. If everything is OK on the renewal master, you can copy the file /var/lib/ipa/ra-agent.pem to the failing node srv107.
HTH, flo
Shall I just adjust the serial and try again?
Jochen
On Friday, January 31, 2020 10:29 CET, Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
This error occurs when IPA framework tries to authenticate to Dogtag CA and it fails. It is using the certificate located in /var/lib/ipa/ra-agent.pem. According to your getcert output, the cert is valid. You will need to check if it is consistent with what is stored in LDAP. Note the values related to the actual certificate:
$ cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
MII...NSF
-----END CERTIFICATE-----

$ openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=<cert serial>
subject= CN=IPA RA,O=<your domain>
issuer= CN=Certificate Authority,O=<your domain>

Then compare the result with the ldap entry:
$ ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W \
    -b uid=ipara,ou=people,o=ipaca dn description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;23;CN=Certificate Authority,O=<your domain>;CN=IPA RA,O=<your domain>
usercertificate:: MII..NSF
usercertificate:: MII...tKR/c

1/ The usercertificate attribute may contain multiple values. Make sure that one of them corresponds to the value from the file /var/lib/ipa/ra-agent.pem.
2/ The description attribute must contain 2;<cert serial>;<cert issuer>;<cert subject>
If it's not the case you can use ldapmodify to update the ldap entry with what is expected.
HTH, flo
2020-01-30T22:45:09Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-01-30T22:45:09Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-01-30T22:45:09Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@srv107 ipa]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20171212100014':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=srv107.domain.net,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-10-17 12:00:24 CEST
    principal name: krbtgt/UNIX.domain.net@UNIX.domain.net
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20190904114922':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=CA Audit,O=UNIX.domain.net
    expires: 2020-06-09 16:12:06 CEST
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114923':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=OCSP Subsystem,O=UNIX.domain.net
    expires: 2020-06-09 16:12:03 CEST
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114924':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=CA Subsystem,O=UNIX.domain.net
    expires: 2020-06-09 16:12:05 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114925':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=Certificate Authority,O=UNIX.domain.net
    expires: 2036-07-28 16:11:50 CEST
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114926':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-06-09 16:12:14 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114927':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=IPA RA,O=UNIX.domain.net
    expires: 2020-06-09 16:12:52 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190904114928':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-07-01 16:13:09 CEST
    principal name: ldap/srv107.domain.net@UNIX.domain.net
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv UNIX-domain.net-NET
    track: yes
    auto-renew: yes
Request ID '20190904114929':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/srv107.domain.net-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-07-01 16:18:01 CEST
    principal name: HTTP/srv107.domain.net@UNIX.domain.net
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Thank you if you maybe find something I've overlooked.
Jochen
Hi,
unfortunately currently there's no other node, which is why I'm trying to update to Fedora 31. I used to replicate between two machines but one got lost. I installed a new machine which is supposed to work as my new replica but this is being virtualized in bhyve / FreeNAS and this doesn't allow Fedora 30 to be installed so I'm stuck with Fedora 31. In the docs it's said that versions between replicas need to be consistent so I'm trying to update the only running FreeIPA node (srv107) to Fedora 31 first.
Jochen
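The comparison described in the 31 January reply (the RA agent certificate file against the uid=ipara,ou=people,o=ipaca entry), written out as an added Python example; it is not part of the thread and not FreeIPA's own code. openssl x509 -serial prints the serial in hexadecimal, and the example assumes the description attribute holds it in decimal, so it converts before comparing. The function names and the certificate bytes are constructed for illustration.

```python
import base64
import re


def parse_openssl_fields(text):
    """Parse `openssl x509 -noout -serial -subject -issuer -nameopt RFC2253` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("serial", "subject", "issuer"):
            fields[key.strip()] = value.strip()  # tolerates "subject= CN=..."
    missing = {"serial", "subject", "issuer"} - set(fields)
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(sorted(missing)))
    return fields


def expected_description(fields):
    """Build 2;<serial>;<issuer>;<subject> from the openssl fields.

    Assumption of this example: the attribute stores the serial in decimal.
    int(..., 16) also handles serials far wider than 64 bits.
    """
    serial_dec = int(fields["serial"], 16)
    return "2;%d;%s;%s" % (serial_dec, fields["issuer"], fields["subject"])


def pem_to_der(pem_text):
    """Return the raw bytes between the PEM BEGIN/END CERTIFICATE markers."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def parse_ldif_entry(ldif_text):
    """Collect attribute values from unwrapped LDIF (ldapsearch -o ldif-wrap=no).

    "attr:: value" is base64 and is decoded; "attr: value" is kept as UTF-8 bytes.
    """
    attrs = {}
    for line in ldif_text.splitlines():
        m = re.match(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3).strip()
        raw = base64.b64decode(value) if sep == "::" else value.encode("utf-8")
        attrs.setdefault(name, []).append(raw)
    return attrs


def check_ra_agent(openssl_text, pem_text, ldif_text):
    """Run both checks from the reply: usercertificate membership and description."""
    fields = parse_openssl_fields(openssl_text)
    attrs = parse_ldif_entry(ldif_text)
    want = expected_description(fields)
    have = [v.decode("utf-8") for v in attrs.get("description", [])]
    return {
        "expected_description": want,
        # Literal string comparison; DN case or spacing differences count as a mismatch.
        "description_ok": want in have,
        "cert_in_ldap": pem_to_der(pem_text) in attrs.get("usercertificate", []),
    }


def b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample input. The text fields mirror the values quoted in the thread;
# the certificate bytes are stand-ins, not real DER.
OLD_CERT = b"constructed-stand-in-for-the-expired-cert"
CURRENT_CERT = b"constructed-stand-in-for-the-current-cert"

SAMPLE_OPENSSL = (
    "serial=15\n"
    "subject=CN=IPA RA,O=UNIX.domain.NET\n"
    "issuer=CN=Certificate Authority,O=UNIX.domain.NET\n"
)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
              % b64(CURRENT_CERT))
SAMPLE_LDIF = "\n".join([
    "dn: uid=ipara,ou=people,o=ipaca",
    "description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;"
    "CN=IPA RA,O=UNIX.domain.NET",
    "usercertificate:: " + b64(OLD_CERT),
    "usercertificate:: " + b64(CURRENT_CERT),
])

if __name__ == "__main__":
    for key, value in check_ra_agent(SAMPLE_OPENSSL, SAMPLE_PEM, SAMPLE_LDIF).items():
        print("%s: %s" % (key, value))
```

With the field values quoted in the thread, the hexadecimal serial 15 converts to decimal 21, the number that appears in the LDAP description.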
On 2/3/20 9:07 AM, Jochen Demmer via FreeIPA-users wrote:
Hi,
unfortunately currently there is no other node, which is why I'm trying to update to Fedora 31. I used to replicate between two machines but one got lost. I installed a new machine which is supposed to work as my new replica but this is being virtualized in bhyve / FreeNAS and this doesn't allow Fedora 30 to be installed so I'm stuck with Fedora 31. In the docs it's said that versions between replicas need to be consistent so I'm trying to update the only running FreeIPA node (srv107) to Fedora 31 first.
Ok, so in this case we need to work on this single node...
Jochen
On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
On 2/2/20 11:30 PM, Jochen Demmer via FreeIPA-users wrote:
Hi,
these are the outputs:
[root@srv107 ipa]# openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET
[root@srv107 ipa]# openssl x509 -noout -in ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET
[root@srv107 ipa]# ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca dn description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET
We can see that there is an inconsistency between the /var/lib/ipa/ra-agent.pem file and the LDAP content. You need to choose which one to pick as the source of truth and update the other one.
If the cert in /var/lib/ipa/ra-agent.pem is still valid, you can use this one. To check the validity:
$ openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
Look for the lines:
Validity
    Not Before: <date>
    Not After : <date>
If the cert is valid, use this one as source of truth and update the ldap entry with ldapmodify (the description attribute and the usercertificate attribute).
If the cert is not valid, you need to find which one in the ldap entry corresponds to the serial 21. I did not manage to read the content of the usercertificate attribute, did you cut the ldapsearch output? I tried with
$ openssl x509 -noout -text
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
but the 2 certs in the usercertificate attribute failed with "unable to load certificate".
flo
usercertificate::
usercertificate::
I can see that the serial is different but I cannot compare the usercertificate attributes since they are not given in the openssl command output.
Hi,
Serial is 15 on the node srv107 but 21 in LDAP. This means that the cert was renewed but the local file didn't get updated. Can you check first which node is your CA renewal master?
$ kinit admin
$ ipa config-show | grep "CA renewal master"
IPA CA renewal master: master.ipa.domain
On this node check that the file /var/lib/ipa/ra-agent.pem and the content in ldap are consistent. You can do just $ cat /var/lib/ipa/ra-agent.pem to compare the content of the cert with the usercertificate attribute of the ldap entry. If everything is OK on the renewal master, you can copy the file /var/lib/ipa/ra-agent.pem to the failing node srv107.
HTH, flo
Shall I just adjust the serial and try again?
Jochen
On Friday, January 31, 2020 10:29 CET, Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
This error occurs when IPA framework tries to authenticate to Dogtag CA and it fails. It is using the certificate located in /var/lib/ipa/ra-agent.pem. According to your getcert output, the cert is valid. You will need to check if it is consistent with what is stored in LDAP. Note the values related to the actual certificate:
$ cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
MII...NSF
-----END CERTIFICATE-----
$ openssl x509 -noout -in /var/lib/ipa/ra-agent.pem -serial -subject -issuer -nameopt RFC2253
serial=<cert serial>
subject= CN=IPA RA,O=<your domain>
issuer= CN=Certificate Authority,O=<your domain>
Then compare the result with the ldapentry:
$ ldapsearch -LLL -o ldif-wrap=no -x -D "cn=directory manager" -W \
    -b uid=ipara,ou=people,o=ipaca dn description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;23;CN=Certificate Authority,O=<your domain>;CN=IPA RA,O=<your domain>
usercertificate:: MII..NSF
usercertificate:: MII...tKR/c
1/ The usercertificate attribute may contain multiple values. Make sure that one of them corresponds to the value from the file /var/lib/ipa/ra-agent.pem.
2/ The description attribute must contain 2;<cert serial>;<cert issuer>;<cert subject>
If it's not the case you can use ldapmodify to update the ldap entry with what is expected.
HTH, flo
2020-01-30T22:45:09Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-01-30T22:45:09Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-01-30T22:45:09Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@srv107 ipa]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20171212100014':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=srv107.domain.net,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-10-17 12:00:24 CEST
    principal name: krbtgt/UNIX.domain.net@UNIX.domain.net
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20190904114922':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=CA Audit,O=UNIX.domain.net
    expires: 2020-06-09 16:12:06 CEST
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114923':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=OCSP Subsystem,O=UNIX.domain.net
    expires: 2020-06-09 16:12:03 CEST
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114924':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=CA Subsystem,O=UNIX.domain.net
    expires: 2020-06-09 16:12:05 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114925':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=Certificate Authority,O=UNIX.domain.net
    expires: 2036-07-28 16:11:50 CEST
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114926':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-06-09 16:12:14 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190904114927':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=IPA RA,O=UNIX.domain.net
    expires: 2020-06-09 16:12:52 CEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190904114928':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-domain.net-NET/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-domain.net-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-07-01 16:13:09 CEST
    principal name: ldap/srv107.domain.net@UNIX.domain.net
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv UNIX-domain.net-NET
    track: yes
    auto-renew: yes
Request ID '20190904114929':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/srv107.domain.net-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.domain.net
    subject: CN=srv107.domain.net,O=UNIX.domain.net
    expires: 2020-07-01 16:18:01 CEST
    principal name: HTTP/srv107.domain.net@UNIX.domain.net
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Thank you if you maybe find something I've overlooked.
Jochen
On Monday, January 20, 2020 13:15 CET, Florence Blanc-Renaud flo@redhat.com wrote:
On 1/20/20 9:39 AM, Jochen Demmer via FreeIPA-users wrote:
> I suffer the exact same problem and already tried to upgrade twice but
> every time the update fails.
>
> The ldap server does not listen when I check with ss or netstat.
> I reverted back to Fedora 30 with snapshots every time.
>
Hi,
can you paste the logs from /var/logs/ipaupgrade.log? We would need the full logs as the error may differ between a first run and a second run.
When the packages are upgraded, the script ipa-server-upgrade is called and starts by disabling the LDAP server ports to avoid any LDAP operation during the upgrade. Then the script performs its duty, and re-enables the port. If there is an untrapped failure before the ports are re-enabled, or the user repeatedly presses CTRL-C, we sometimes end up in a situation where the ports are still disabled (please see ticket https://pagure.io/freeipa/issue/7534) after the ipa-server-upgrade script exits. If the user re-runs ipa-server-upgrade at this point, the script output will be completely different but will not give us any hint related to the original failure root cause. That's why we need the full logs.
If you are in a situation where the LDAP server isn't listening:
0. stop IPA with ipactl stop
- edit /etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif
- set nsslapd-port to 389
- set nsslapd-security to on
- set nsslapd-global-backend-lock to off (if you have this attribute at all)
5. restart IPA with ipactl start
If the services are able to restart at this point, try to run ipa-server-upgrade and provide full logs.
HTH, flo
> Can someone help me to work this around. The OP writes of an IP that
> changed but mine didn't. Where can I find a clue why ldap does not listen?
>
> Jochen
Yeah I actually modified the PEM outputs because I wasn't sure if it was sensible. The second attribute userCertificate has the serial 21. What about the ra-agent.key? When I put the certificate from the LDAP to the file named ra-agent.pem, does the .key file need to be updated, too?
Thank you so much. I'm looking forward to a working upgrade, soon ;-)
Jochen
On Tuesday, 4 February 2020 17:47:05 CET, Florence Blanc-Renaud wrote:
On 2/3/20 9:07 AM, Jochen Demmer via FreeIPA-users wrote:
Hi,
unfortunately currently there is no other node, which is why I'm trying to update to Fedora 31. I used to replicate between two machines but one got lost. I installed a new machine which is supposed to work as my new replica but this is being virtualized in bhyve / FreeNAS and this doesn't allow Fedora 30 to be installed so I'm stuck with Fedora 31. In the docs it's said that versions between replicas need to be consistent so I'm trying to update the only running FreeIPA node (srv107) to Fedora 31 first.
Ok, so in this case we need to work on this single node...
Jochen
On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote: ...
We can see that there is an inconsistency between the /var/lib/ipa/ra-agent.pem file and the LDAP content. You need to choose which one to pick as the source of truth and update the other one.
If the cert in /var/lib/ipa/ra-agent.pem is still valid, you can use this one. To check the validity:
$ openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
Look for the lines:
Validity
    Not Before: <date>
    Not After : <date>
If the cert is valid, use this one as source of truth and update the ldap entry with ldapmodify (the description attribute and the usercertificate attribute).
If the cert is not valid, you need to find which one in the ldap entry corresponds to the serial 21. I did not manage to read the content of the usercertificate attribute, did you cut the ldapsearch output? I tried with
$ openssl x509 -noout -text
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
but the 2 certs in the usercertificate attribute failed with "unable to load certificate".
flo
...
On 2/5/20 1:35 PM, Jochen Demmer via FreeIPA-users wrote:
Yeah I actually modified the PEM outputs because I wasn't sure if it was sensible. The second attribute userCertificate has the serial 21. What about the ra-agent.key? When I put the certificate from the LDAP to the file named ra-agent.pem, does the .key file need to be updated, too?
If the cert was renewed, the key didn't change. You can actually check that a given key matches a cert with
# openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key | openssl md5
# openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem | openssl md5
Both outputs should be identical.
HTH, flo
Thank you so much. I'm looking forward to a working upgrade, soon ;-)
Jochen
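The comparison discussed in this thread (the certificate in /var/lib/ipa/ra-agent.pem against the description attribute of uid=ipara,ou=people,o=ipaca), written as an added example that is not part of the original messages or of FreeIPA. `openssl x509 -serial` prints the serial in hexadecimal; the script assumes the serial inside the description attribute is decimal and converts before comparing. The function names are hypothetical, and the sample input is copied from the outputs posted above for srv107.

```shell
#!/bin/sh
# Added example, not from the thread: check the LDAP description attribute of
# uid=ipara,ou=people,o=ipaca against the facts openssl prints for ra-agent.pem.

# field NAME TEXT -> value of the "NAME=" line in the output of
#   openssl x509 -noout -serial -subject -issuer -nameopt RFC2253
field() {
    printf '%s\n' "$2" | sed -n "s/^$1= *//p" | head -n 1
}

# expected_description SERIAL_HEX ISSUER SUBJECT -> "2;<serial>;<issuer>;<subject>"
# ASSUMPTION: the serial inside the description is decimal; openssl prints hex.
# printf is limited to 64-bit values, enough for small serials like the ones here.
expected_description() {
    serial_dec=$(printf '%d' "0x$1" 2>/dev/null) || return 1
    printf '2;%s;%s;%s\n' "$serial_dec" "$2" "$3"
}

# check_ra OPENSSL_OUTPUT DESCRIPTION_LINE
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be parsed.
check_ra() {
    serial=$(field serial "$1")
    issuer=$(field issuer "$1")
    subject=$(field subject "$1")
    if [ -z "$serial" ] || [ -z "$issuer" ] || [ -z "$subject" ]; then
        echo "cannot parse openssl output" >&2
        return 2
    fi
    if ! want=$(expected_description "$serial" "$issuer" "$subject"); then
        echo "serial '$serial' is not a hex number this shell can convert" >&2
        return 2
    fi
    have=${2#description: }
    if [ "$want" = "$have" ]; then
        echo "MATCH    $have"
        return 0
    fi
    echo "MISMATCH"
    echo "  from certificate: $want"
    echo "  in LDAP entry:    $have"
    return 1
}

# Sample input: the values posted in this thread for srv107.
SAMPLE_CERT='serial=15
subject=CN=IPA RA,O=UNIX.domain.NET
issuer=CN=Certificate Authority,O=UNIX.domain.NET'
SAMPLE_LDAP='description: 2;21;CN=Certificate Authority,O=UNIX.domain.NET;CN=IPA RA,O=UNIX.domain.NET'

check_ra "$SAMPLE_CERT" "$SAMPLE_LDAP" || true
```

Under the decimal-serial assumption the posted values compare as equal, because hexadecimal 15 is decimal 21; the usercertificate values still have to be compared separately with the PEM body of the file.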