<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 29/10/14 16:46, Rob Verduijn wrote:<br>
</div>
<blockquote
cite="mid:CAMkGkc51YZqYKtHYfdAjiSh_hTHyRaVmqA3ujtEoGdS8N6-KEQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>
<div># ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update</div>
</div>
<div> fixes the problem.</div>
<div><br>
</div>
<div>I can resolve my internal DNS zones again :-)</div>
<div><br>
</div>
<div>Many thanks.</div>
<div><br>
</div>
<div>Since this problem happened every time I tried to update
the FreeIPA server, I could re-run the update with some debug
options if you like, so you can pinpoint what goes wrong with
the update script.</div>
<div><br>
</div>
<div>Rob</div>
</div>
</blockquote>
<br>
We know where the problem is, and we thought we fixed it, but
obviously some parts of the problem persist.<br>
<br>
Thank you for your patience :-)<br>
<blockquote
cite="mid:CAMkGkc51YZqYKtHYfdAjiSh_hTHyRaVmqA3ujtEoGdS8N6-KEQ@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-29 16:13 GMT+01:00 Martin Basti
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 29/10/14 15:56, Martin Basti wrote:<br>
</div>
<blockquote type="cite">
<div>On 29/10/14 15:46, Rob Verduijn wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">You're right,
<div>duh, I should read more carefully and not try
to do too many things at once.
<div><br>
</div>
<div>When using the DNS principal and keytab, the
entries are not found.</div>
<div><br>
</div>
<div>How do I fix the access control
instructions?</div>
<div>I can revert back easily and try a
different approach for the upgrade if you know
one</div>
<div>(I really started to appreciate snapshots
with this upgrade :-) </div>
<div><br>
</div>
<div>Rob</div>
</div>
</div>
</blockquote>
<br>
Please try first this:<br>
<br>
# ipa-ldap-updater /usr/share/ipa/memberof-task.ldif<br>
<br>
It should repair privileges.<br>
</blockquote>
</span> Sorry, I wrote you the wrong file<br>
# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
<div>
<div class="h5"><br>
<blockquote type="cite">
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2014-10-29 14:50
GMT+01:00 Petr Spacek <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"><span>On
29.10.2014 14:32, Rob Verduijn wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> I've
checked and I see a lot of objects
representing my dns entries.<br>
Still I get no answers if I try to
resolve any of them :(<br>
</blockquote>
<br>
</span> Are you running ldapsearch with
*exactly* the same credentials as you have in
/etc/named.conf?<br>
<br>
Could you post the dynamic-db section from your
named.conf?<br>
<br>
Petr^2 Spacek
<div>
<div><br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> Rob<br>
<br>
2014-10-29 13:28 GMT+01:00 Petr Spacek
<<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com"
target="_blank">pspacek@redhat.com</a>>:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> On
28.10.2014 18:42, Rob Verduijn
wrote:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> Before
the update it's
4.5-1.fc20.x86_64.rpm from the fedora
20 updates repo;<br>
after the update it's
6.0-5.fc20.x86_64.rpm from the copr
repo<br>
<br>
Regards<br>
Rob<br>
<br>
<br>
2014-10-28 17:58 GMT+01:00 Martin
Basti <<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com"
target="_blank">mbasti@redhat.com</a>>:<br>
<br>
On 28/10/14 16:10, Rob
Verduijn wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
Hello all,<br>
<br>
I've been digging into my
problem of being unable to
update from 3.3.5<br>
to 4.1<br>
<br>
First I add the repo from
copr<br>
<br>
Then I used to update it by
issuing 'yum update' which
resulted in an<br>
update in which my local dns
zone entries no longer resolved.<br>
<br>
So I tried the instructions
mentioned on the site:<br>
yum update freeipa-server<br>
And this failed with a conflict
in<br>
<br>
bind-32:9.9.4-18.fc20.1.pkcs11.x86_64
and<br>
bind-utils-32:9.9.4-15.P2.fc20.x86_64<br>
<br>
I noticed the new bind comes
from the copr repo and the old
bind utils<br>
from fedora.<br>
<br>
So I first ran 'yum update
bind-utils -y'<br>
Then I ran yum update
freeipa-server<br>
and see it fail with errors
about softhsm<br>
<br>
I remembered reading about
package errors with softhsm and
installed<br>
the<br>
softhsm-devel package first.<br>
<br>
So I reverted the freeipa
KVM snapshot to 3.3.5 and tried
again:<br>
yum update bind-utils -y ; yum
install softhsm-devel -y ; yum
update<br>
freeipa-server -y<br>
<br>
However, when restarting
named-pkcs11 I can see in the
system log that<br>
it<br>
has 0 zones loaded<br>
<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running<br>
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)<br>
<br>
It claims 0 zones loaded but
I can see my forward and reverse
zones in<br>
ipa<br>
<br>
What could cause it not to
load the zones that I defined in
ipa?<br>
<br>
</blockquote>
<br>
</blockquote>
This problem is usually caused by a
broken IPA upgrade which destroys the
ACIs<br>
in LDAP that allow access to the DNS
sub-tree.<br>
<br>
Please follow instructions on:<br>
<br>
<a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded"
target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded</a><br>
<br>
... and let us know if you are able
to see idnsZone objects in LDAP or
not.<br>
</blockquote>
</blockquote>
<br>
<br>
-- <br>
Petr^2 Spacek<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
<pre cols="72">--
Martin Basti</pre>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</div>
</div>
<span class="HOEnZb"><font color="#888888">
<pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
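<p>Petr's check in the thread (run ldapsearch with exactly the credentials from the dynamic-db section of named.conf) and the "0 zones from LDAP" log line, as an added example that is not part of the thread and not code from FreeIPA or bind-dyndb-ldap: a POSIX shell script that reads the dynamic-db section, builds the matching ldapsearch for idnsZone objects, reads the zone count named logs at startup, and points at the repair command Martin gave. The named.conf and the log lines are constructed samples modelled on the thread; the hostnames, realm, ccache path, the bind_dn/simple branch and the /etc/named.keytab default are assumptions.</p>

```shell
#!/bin/sh
# Added example; not code from the thread, FreeIPA or bind-dyndb-ldap.

# Constructed sample named.conf, modelled on the bind-dyndb-ldap 'dynamic-db'
# section FreeIPA 3.x/4.x writes. Hostnames, realm and paths are assumptions.
SAMPLE_NAMED_CONF='
options {
        directory "/var/named";
        tkey-gssapi-keytab "/etc/named.keytab";
};
dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
        arg "base cn=dns, dc=example,dc=com";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/freeipa.example.com";
        arg "serial_autoincrement yes";
};
'

# Constructed log excerpt, modelled on the journal lines quoted in the thread.
SAMPLE_LOG="Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)"

# dyndb_arg CONF KEY: value of 'arg "KEY value";' inside the dynamic-db block.
dyndb_arg() {
    printf '%s\n' "$1" \
        | sed -n '/^[[:space:]]*dynamic-db/,/^[[:space:]]*};/p' \
        | sed -n "s/^[[:space:]]*arg[[:space:]]*\"$2[[:space:]]\{1,\}\(.*\)\";[[:space:]]*$/\1/p" \
        | head -n 1
}

# named_keytab CONF: keytab from tkey-gssapi-keytab, else the FreeIPA default.
# Assumption: FreeIPA points this option and KRB5_KTNAME at the same file.
named_keytab() {
    kt=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\(.*\)";.*/\1/p' \
        | head -n 1)
    [ -n "$kt" ] && printf '%s\n' "$kt" || printf '%s\n' /etc/named.keytab
}

# zone_check_cmd CONF: print the ldapsearch that looks for idnsZone objects
# with the same URI, base and identity named itself uses, so "admin sees the
# zones, named loads 0" can only be an ACI problem. For SASL the DNS ticket
# goes into a private ccache instead of the admin's own one.
zone_check_cmd() {
    conf=$1
    uri=$(dyndb_arg "$conf" uri)
    base=$(dyndb_arg "$conf" base)
    filter='(objectClass=idnsZone)'
    case $(dyndb_arg "$conf" auth_method) in
        sasl)
            cc=FILE:/tmp/named-zone-check.ccache
            printf 'KRB5CCNAME=%s kinit -kt %s %s && KRB5CCNAME=%s ldapsearch -Y GSSAPI -H "%s" -b "%s" "%s" idnsName\n' \
                "$cc" "$(named_keytab "$conf")" "$(dyndb_arg "$conf" sasl_user)" \
                "$cc" "$uri" "$base" "$filter"
            ;;
        simple)
            printf 'ldapsearch -x -H "%s" -D "%s" -W -b "%s" "%s" idnsName\n' \
                "$uri" "$(dyndb_arg "$conf" bind_dn)" "$base" "$filter"
            ;;
        *)
            printf 'ldapsearch -x -H "%s" -b "%s" "%s" idnsName\n' "$uri" "$base" "$filter"
            ;;
    esac
}

# ldap_zone_count LOG: zone count from the last "N zones from LDAP instance"
# line; empty if named never logged one (plugin not loaded at all).
ldap_zone_count() {
    printf '%s\n' "$1" \
        | sed -n 's/.*: \([0-9]\{1,\}\) zones from LDAP instance.*/\1/p' \
        | tail -n 1
}

# diagnose LOG CONF: 0 if named loaded zones from LDAP, else print the
# credential-matched check and the repair step from the thread and return 1.
diagnose() {
    n=$(ldap_zone_count "$1")
    if [ -n "$n" ] && [ "$n" -gt 0 ]; then
        echo "named loaded $n zone(s) from LDAP"
        return 0
    fi
    echo "named loaded 0 zones from LDAP (or never reported a count)."
    echo "Check what the DNS identity can actually read:"
    echo "  $(zone_check_cmd "$2")"
    echo "If admin credentials see the zones but this search does not, the DNS ACIs"
    echo "are broken; the fix used in the thread was:"
    echo "  ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update"
    return 1
}

# Run on the constructed samples (the sample log reports 0 zones).
diagnose "$SAMPLE_LOG" "$SAMPLE_NAMED_CONF"
echo "diagnose exit status: $?"
```

<p>On a real server, feed it the live files instead of the samples: <code>diagnose "$(journalctl -u named-pkcs11 --no-pager)" "$(cat /etc/named.conf)"</code>, then run the printed ldapsearch as root. An empty result set with that exact principal, while <code>ldapsearch -D cn=Directory\ Manager</code> shows the idnsZone entries, is the ACI breakage the thread describes.</p>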
</body>
</html>