[Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)

Rob Verduijn rob.verduijn at gmail.com
Fri Nov 7 13:26:53 UTC 2014


Hello,

Yes, this time there are.
This section:
2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity
postoperation,cn=plugins,cn=config
<SNIP>
2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
'Operations error'}
2014-11-07T13:10:03Z ERROR Update failed: Operations error:

and this one
2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
<snip>
2014-11-07T13:10:18Z ERROR Add failure

and this one: (but since I do not have AD it's kinda logical)
2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
<snip>
2014-11-07T13:10:19Z ERROR Upgrade failed with
2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 152, in __upgrade
    self.modified = (ld.update(self.files, ordered=True) or
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 874, in update
    updates = api.Backend.updateclient.update(POST_UPDATE,
self.dm_password, self.ldapi, self.live_run)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
line 123, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
line 146, in run
    return self.Updater[method](**kw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1399, in
__call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
line 89, in execute
    api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in
__call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in
run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2528,
in execute
    result = super(dnszone_mod, self).execute(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
1385, in execute
    dn = self.obj.get_dn(*keys, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 1784,
in get_dn
    assert zone.is_absolute()
AssertionError
<snip>
2014-11-07T13:10:23Z ERROR IPA upgrade failed.
2014-11-07T13:10:23Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
    return_value = self.run()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
line 151, in run
    raise admintool.ScriptError('IPA upgrade failed.', 1)

2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed, exception:
ScriptError: IPA upgrade failed.
2014-11-07T13:10:23Z ERROR IPA upgrade failed.
2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with
options: {'debug': False, 'quiet': True}
2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20


and another
2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity
postoperation,cn=plugins,cn=config
<snip>
2014-11-07T13:10:03Z DEBUG Live 1, updated 1
2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
'Operations error'}
2014-11-07T13:10:03Z ERROR Update failed: Operations error:

That's it
Rob




2014-11-07 13:56 GMT+01:00 Martin Basti <mbasti at redhat.com>:

>  On 07/11/14 13:52, Rob Verduijn wrote:
>
> Hi all,
>
>  Either I was too worn out last night, or another update has happened.
> This morning the directory server did start after the update.
> Local DNS zones, however, were not available again after the update;
> ipa-ldap-updater did not help to fix it.
>
>  There are again only 7 DNS aci objects still in the ds (same as
> before when it failed).
> I also noticed that there are also quite a lot of lower case dns aci objects.
>
>  Rob
>
>
>   Hi,
>
> do you have any errors in /var/log/ipaupgrade.log ?
>
>
>
> 2014-11-07 10:25 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>
>>  Changed subject.
>> Rob CCed
>>
>> On 07/11/14 09:52, Martin Basti wrote:
>>
>> Forward message back to list
>>
>>
>> -------- Original Message --------
>> Subject: Re: [Freeipa-users] dns stops working after upgrade
>> Date: Thu, 6 Nov 2014 21:42:55 +0100
>> From: Rob Verduijn <rob.verduijn at gmail.com>
>> To: Martin Basti <mbasti at redhat.com>
>>
>> Hi again,
>>
>>  I tried the update to 4.1.1
>> It didn't go well, actually it went worse than to 4.1.
>> Now the directory service went down and was no longer able to start.
>>
>>  Some part of the logs is below.
>> Besides the warnings about a weak cipher there was not much in the
>> journalctl.
>>
>>  It's getting late over here, I'll dig into the logs tomorrow.
>>
>>  Rob
>>
>>  Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory
>> Server TJAKO-THUIS....
>> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory
>> Server TJAKO-THUIS..
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward compatibility).
>> We strongly recommend to set it to "off".  Please replace the value of
>> allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher rsa_rc4_40_md5 is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward compatibility).
>> We strongly recommend to set it to "off".  Please replace the value of
>> allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher rsa_rc2_40_md5 is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward compatibility).
>> We strongly recommend to set it to "off".  Please replace the value of
>> allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher rsa_des_sha is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward compatibility).
>> We strongly recommend to set it to "off".  Please replace the value of
>> allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher rsa_fips_des_sha is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward compatibility).
>> We strongly recommend to set it to "off".  Please replace the value of
>> allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher rsa_3des_sha is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward compatibility).
>> We strongly recommend to set it to "off".  Please replace the value of
>> allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward compatibility).
>> We strongly recommend to set it to "off".  Please replace the value of
>> allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher suite fortezza is not available in NSS 3.17.
>> Ignoring fortezza
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in
>> NSS 3.17.  Ignoring fortezza_rc4_128_sha
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher suite fortezza_null is not available in NSS
>> 3.17.  Ignoring fortezza_null
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
>> +0100] - SSL alert: Cipher tls_rsa_export1024_with_rc4_56_sha is weak.  It
>> is enabled since allowWeakCipher is "on" (default setting for the backward
>> compatibility). We strongly recommend to set it to "off".  Please replace
>> the value of allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert: Cipher tls_rsa_export1024_with_des_cbc_sha is weak.  It
>> is enabled since allowWeakCipher is "on" (default setting for the backward
>> compatibility). We strongly recommend to set it to "off".  Please replace
>> the value of allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert: Configured NSS Ciphers
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled,
>> (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK
>> CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK
>> CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled,
>> (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled,
>> (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK
>> CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] - SSL alert:         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled,
>> (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59
>> +0100] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
>> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
>> dirsrv at TJAKO-THUIS.service: main process exited, code=exited,
>> status=1/FAILURE
>> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
>> dirsrv at TJAKO-THUIS.service entered failed state.
>>
>>
>>
>>
>>
>> --
>> Martin Basti
>>
>>
>
>
> --
> Martin Basti
>
>
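Added example, not part of the original thread and not FreeIPA or 389 DS code: a small parser for the ns-slapd journal excerpt quoted above that rejoins the mail-wrapped lines and reports which weak ciphers are enabled, the allowWeakCipher value, and the TLS version range. The sample lines and hostname are constructed, and the function names `unwrap` and `audit` are hypothetical.

```python
import re

# Constructed sample modelled on the ns-slapd journal lines quoted above,
# including the mail client's hard line wraps (hostname is a placeholder).
SAMPLE = """\
Nov 06 21:34:58 ipa.example.test ns-slapd[2244]: [06/Nov/2014:21:34:58
+0100] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward compatibility).
Nov 06 21:34:59 ipa.example.test ns-slapd[2244]: [06/Nov/2014:21:34:59
+0100] - SSL alert:         TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK
CIPHER)
Nov 06 21:34:59 ipa.example.test ns-slapd[2244]: [06/Nov/2014:21:34:59
+0100] - SSL alert:         TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK
CIPHER)
Nov 06 21:34:59 ipa.example.test ns-slapd[2244]: [06/Nov/2014:21:34:59
+0100] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ \S+:")
WEAK_ALIAS = re.compile(r'SSL alert: Cipher (\S+) is weak\..*allowWeakCipher is "(on|off)"')
WEAK_SUITE = re.compile(r"SSL alert:\s+([A-Z0-9_]+): enabled, \(WEAK CIPHER\)")
VERSIONS = re.compile(r"SSL version range: min: (\S+), max: (\S+)")

def unwrap(text):
    """Rejoin hard-wrapped journal entries, dropping mail quote markers."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>+ ?)+", "", raw).strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)       # a new journal entry starts here
        else:
            entries[-1] += " " + line  # continuation of a wrapped entry
    return entries

def audit(text):
    """Summarise the TLS posture that ns-slapd logged at startup."""
    report = {"allow_weak": None, "aliases": [], "suites": [], "tls_range": None}
    for entry in unwrap(text):
        if m := WEAK_ALIAS.search(entry):
            report["aliases"].append(m.group(1))
            report["allow_weak"] = m.group(2)
        elif m := WEAK_SUITE.search(entry):
            report["suites"].append(m.group(1))
        elif m := VERSIONS.search(entry):
            report["tls_range"] = (m.group(1), m.group(2))
    return report
```

A report with an empty `suites` list after setting allowWeakCipher to "off" in cn=encryption,cn=config and restarting the server, as the log message recommends, confirms the change took effect.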