<div dir="ltr">Before the update it's 4.5-1.fc20.x86_64.rpm from the Fedora 20 updates repo<div>after the update it's 6.0-5.fc20.x86_64.rpm from the copr repo</div><div><br></div><div>Regards</div><div>Rob<br><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-28 17:58 GMT+01:00 Martin Basti <span dir="ltr">&lt;<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 28/10/14 16:10, Rob Verduijn wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello all,</div>
<div><br>
</div>
<div>I've been digging into my problem of being unable to update
from 3.3.5 to 4.1</div>
<div><br>
</div>
<div>First I add the repo from copr </div>
<div><br>
</div>
<div>Then I used to update it by issuing 'yum update', which
resulted in an update in which my local DNS zone entries no
longer resolved.</div>
<div><br>
</div>
<div>So I tried the instructions mentioned on the site:</div>
<div>yum update freeipa-server</div>
<div>And this failed with a conflict in </div>
<div><br>
</div>
<div>bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64</div>
<div><br>
</div>
<div>I noticed the new bind comes from the copr repo and the old
bind utils from fedora.</div>
<div><br>
</div>
<div>So I first ran 'yum update bind-utils -y'</div>
<div>Then I ran yum update freeipa-server</div>
<div>and see it fail with errors about softhsm</div>
<div><br>
</div>
<div>I remembered reading about package errors with softhsm and
installed the softhsm-devel package first.</div>
<div><br>
</div>
<div>So I reverted the freeipa KVM snapshot back to 3.3.5 and tried
again:</div>
<div>yum update bind-utils -y ; yum install softhsm-devel -y ;
yum update freeipa-server -y</div>
<div><br>
</div>
<div>However, when restarting named-pkcs11 I can see in the
system log that it has 0 zones loaded:</div>
<div><br>
</div>
<pre>Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)</pre>
<div><br>
</div>
<div>It claims 0 zones loaded but I can see my forward and
reverse zones in ipa</div>
<div><br>
</div>
<div>What could cause it not to load the zones that I defined in
IPA?<br>
</div>
<div>Rob</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27 23:05 GMT+01:00 Rob Verduijn
<span dir="ltr">&lt;<a href="mailto:rob.verduijn@gmail.com" target="_blank">rob.verduijn@gmail.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Sorry for the XML formatting, I didn't realize
it would mess up some mail clients.
<div><br>
</div>
<div>The last bit of the message again</div>
<div><br>
</div>
<div>
<div>ipa-upgradeconfig gives the following:</div>
<div>
<div>
<pre>[Verifying that root certificate is published]
Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful</pre>
</div>
</div>
</div>
<div><br>
</div>
<div>Any ideas?</div>
<div>I'm rather stuck now.</div>
<span><font color="#888888">
<div>Rob</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-27 22:59 GMT+01:00
Rob Verduijn <span dir="ltr">&lt;<a href="mailto:rob.verduijn@gmail.com" target="_blank">rob.verduijn@gmail.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I'm rather at a loss here.</div>
<div>Everything seems to be running</div>
<div>
<pre>ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful</pre>
</div>
<div><br>
</div>
<div>but the upgrade log is flooded with this
error:</div>
<div>
<pre>2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
2014-10-27T21:52:11Z DEBUG request '<a href="https://freeipa.x.x:443/ca/admin/ca/getStatus" target="_blank">https://freeipa.x.x:443/ca/admin/ca/getStatus</a>'
2014-10-27T21:52:11Z DEBUG request body ''
2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
2014-10-27T21:52:12Z DEBUG request '<a href="https://freeipa.x.x:443/ca/admin/ca/getStatus" target="_blank">https://freeipa.x.x:443/ca/admin/ca/getStatus</a>'
2014-10-27T21:52:12Z DEBUG request body ''</pre>
<div><br>
</div>
<div>I've tried the url and it works fine.</div>
<div><a href="https://freeipa.x.x/ca/admin/ca/getStatus" target="_blank">https://freeipa.x.x/ca/admin/ca/getStatus</a><br>
</div>
</div>
<div>It gives the following XML:<br>
</div>
<div>
<pre>&lt;?xml version="1.0" encoding="UTF-8" standalone="no"?&gt;&lt;XMLResponse&gt;&lt;State&gt;1&lt;/State&gt;&lt;Type&gt;CA&lt;/Type&gt;&lt;Status&gt;running&lt;/Status&gt;&lt;Version&gt;10.2.0-3.fc20&lt;/Version&gt;&lt;/XMLResponse&gt;</pre>
<div><br>
</div>
<div>After I run ipa-upgradeconfig it complains about a missing magic dogtag attribute:</div>
<pre>ipa-upgradeconfig
[Verifying that root certificate is published]
Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful</pre>
<div><br>
</div>
<div>But my local DNS zone no longer resolves :(</div>
<div><br>
</div>
<div>Reverting back to the 3.3 snapshot again :(</div>
<div><br>
</div>
<div>Please help</div>
<span><font color="#888888">Rob</font></span>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span>2014-10-26 21:38
GMT+01:00 Rob Crittenden <span dir="ltr">&lt;<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>&gt;</span>:<br>
</span>
<div>
<div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>Rob Verduijn wrote:<br>
> hmmmm....<br>
><br>
> after some more digging
(monitoring the upgrade more
closely.)<br>
> I saw that the upgrade kept
waiting for the ca to start, which
it did<br>
> not do.<br>
> and after 5 minutes the upgrade
gave up with the following errors in
the<br>
> ipaupgrade log :<br>
><br>
> at 85% it says :<br>
> 2014-10-26T15:04:35Z DEBUG
retrieving schema for SchemaCache<br>
>
url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket<br>
>
conn=&lt;ldap.ldapobject.SimpleLDAPObject
instance at 0x2b18cb0&gt;<br>
> 2014-10-26T15:04:35Z DEBUG
Starting external process<br>
> 2014-10-26T15:04:35Z DEBUG
args='/usr/bin/certutil' '-d'<br>
> '/etc/httpd/alias' '-L'<br>
> 2014-10-26T15:04:35Z DEBUG
Process finished, return code=0<br>
> 2014-10-26T15:04:35Z DEBUG
stdout=<br>
> Certificate Nickname
Trust<br>
> Attributes<br>
><br>
> SSL,S/MIME,JAR/XPI<br>
><br>
> Signing-Cert
u,u,u<br>
> XXXX.XXXX IPA CA
CT,C,C<br>
> ipaCert
u,u,u<br>
> Server-Cert
u,u,u<br>
><br>
> 2014-10-26T15:04:35Z DEBUG
stderr=<br>
> 2014-10-26T15:04:35Z DEBUG
Starting external process<br>
> 2014-10-26T15:04:35Z DEBUG
args='/usr/bin/certutil' '-d'<br>
> '/etc/httpd/alias' '-L' '-n'
'TJAKO.THUIS IPA CA' '-a'<br>
> 2014-10-26T15:04:35Z DEBUG
Process finished, return code=0<br>
> 2014-10-26T15:04:35Z DEBUG
stdout=-----BEGIN CERTIFICATE-----<br>
> &lt; certificate-removed &gt;<br>
> -----END CERTIFICATE-----<br>
> 2014-10-26T15:04:35Z DEBUG
stderr=<br>
> 2014-10-26T15:04:36Z ERROR
Upgrade failed with cannot connect
to<br>
</div>
</div>
>
'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\<br>
<br>
This has nothing to do with the CA, the
LDAP server didn't come up. I'd<br>
start with those logs or look earlier in
ipaupgrade.log<br>
<br>
The CA requires 389-ds to be running so
if it isn't up, then it will<br>
fail to start too.<br>
<span><font color="#888888"><br>
rob<br>
<br>
</font></span></blockquote>
</div>
</div>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote></div></div>
Hello,<br>
Please which version of bind-dyndb-ldap do you have installed?<span class="HOEnZb"><font color="#888888"><br>
<br>
<pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote></div><br></div>
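<p>As an added example (not code from this thread or from the FreeIPA project), here is a small Python check that turns the two diagnostic artefacts quoted above into something a script can evaluate: it parses the named-pkcs11 journal lines for the bind-dyndb-ldap zone summary and compares it with the number of zones IPA itself holds (two in the thread: one forward and one reverse zone), and it parses the CA getStatus XMLResponse. The function names and the <code>expected_zones</code> argument are this example's own; the sample inputs are the lines quoted in the thread.</p>

```python
"""Added example: a check for the two symptoms quoted in this thread.

This is not code from the thread or from the FreeIPA project. It parses
(1) named-pkcs11 journal lines for the bind-dyndb-ldap zone summary and
compares it with the number of zones IPA is known to hold, and (2) the CA
getStatus XMLResponse body. Function names and the expected_zones argument
are this example's own; the sample inputs are the lines quoted in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Summary line bind-dyndb-ldap logs once it has finished loading zones from LDAP.
LDAP_ZONES_RE = re.compile(
    r"named-pkcs11\[\d+\]: (?P<loaded>\d+) zones from LDAP instance "
    r"'(?P<instance>[^']+)' loaded \((?P<defined>\d+) zones defined, "
    r"(?P<inactive>\d+) inactive, (?P<failed>\d+) failed to load\)"
)

# Sample input: the tail of the named-pkcs11 lines quoted in the thread.
NAMED_LOG = """\
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
""".splitlines()

# Sample input: the getStatus body quoted in the thread.
CA_STATUS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><State>1</State><Type>CA</Type><Status>running</Status>'
    '<Version>10.2.0-3.fc20</Version></XMLResponse>'
)


def parse_ldap_zone_summary(log_lines):
    """Return the counters from the LDAP zone summary line, or None if absent."""
    for line in log_lines:
        m = LDAP_ZONES_RE.search(line)
        if m:
            return {k: (v if k == "instance" else int(v))
                    for k, v in m.groupdict().items()}
    return None


def diagnose_named(log_lines, expected_zones):
    """Explain the zone summary against the zone count IPA itself reports.

    expected_zones is the number of zones 'ipa dnszone-find' lists (two in the
    thread: one forward and one reverse zone)."""
    summary = parse_ldap_zone_summary(log_lines)
    if summary is None:
        return "no LDAP zone summary logged: bind-dyndb-ldap never finished loading"
    if summary["failed"]:
        return "%d zone(s) failed to load from LDAP instance '%s'" % (
            summary["failed"], summary["instance"])
    if summary["defined"] == 0 and expected_zones > 0:
        # The thread's case: named is up and serves only its built-in zones,
        # while IPA holds zones the plugin did not find in LDAP at all.
        return ("LDAP instance '%s' sees 0 zones but IPA has %d: the plugin did not "
                "find the IPA zones in LDAP; check the bind-dyndb-ldap version and named.conf"
                % (summary["instance"], expected_zones))
    if summary["loaded"] < expected_zones:
        return "only %d of %d zones loaded from LDAP" % (summary["loaded"], expected_zones)
    return "ok"


def parse_ca_status(xml_text):
    """Return the child elements of the XMLResponse as a tag -> text dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    return {child.tag: child.text for child in root}


def ca_is_running(xml_text):
    """True when getStatus reports Status 'running' (the value the thread saw)."""
    return parse_ca_status(xml_text).get("Status") == "running"


if __name__ == "__main__":
    print(diagnose_named(NAMED_LOG, expected_zones=2))
    print("CA running:", ca_is_running(CA_STATUS_XML))
```

<p>Run against the thread's own lines it reports the mismatch (0 zones from LDAP against 2 zones in IPA) while the CA status parses as running, which is exactly the split the thread ends on: the CA answers, but the DNS plugin is not reading the IPA zones, so the next thing to verify is the bind-dyndb-ldap version.</p>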