<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 29/10/14 16:13, Martin Basti wrote:<br>
    </div>
    <blockquote cite="mid:54510424.8080004@redhat.com" type="cite">
      <div class="moz-cite-prefix">On 29/10/14 15:56, Martin Basti
        wrote:<br>
      </div>
      <blockquote cite="mid:54510035.7010707@redhat.com" type="cite">
        <div class="moz-cite-prefix">On 29/10/14 15:46, Rob Verduijn
          wrote:<br>
        </div>
        <blockquote
cite="mid:CAMkGkc7WEQz7MZpr2v8yWs_qGDfPx0eEAD5rV4DdpBLrvqT8xg@mail.gmail.com"
          type="cite">
          <div dir="ltr">You're right
            <div>duh I should read more carefully and not try to do too
              many things at once.
              <div><br>
              </div>
              <div>when using the dns principal and keytab the entries
                are not found.</div>
              <div><br>
              </div>
              <div>How do I fix the access control instructions?</div>
              <div>I can revert back easily and try a different approach
                for the upgrade if you know one</div>
              <div>(I really started to appreciate snapshots with this
                upgrade :-) </div>
              <div><br>
              </div>
              <div>Rob</div>
            </div>
          </div>
        </blockquote>
        <br>
        Please try first this:<br>
        <br>
        # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif<br>
        <br>
        It should repair privileges.<br>
      </blockquote>
      Sorry, I wrote you the wrong file<br>
      # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update<br>
    </blockquote>
    <br>
    If that doesn't help, just run ipa-ldap-updater without parameters<br>
    <blockquote cite="mid:54510424.8080004@redhat.com" type="cite">
      <blockquote cite="mid:54510035.7010707@redhat.com" type="cite">
        <blockquote
cite="mid:CAMkGkc7WEQz7MZpr2v8yWs_qGDfPx0eEAD5rV4DdpBLrvqT8xg@mail.gmail.com"
          type="cite">
          <div class="gmail_extra"><br>
            <div class="gmail_quote">2014-10-29 14:50 GMT+01:00 Petr
              Spacek <span dir="ltr">&lt;<a moz-do-not-send="true"
                  href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>&gt;</span>:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
                  class="">On 29.10.2014 14:32, Rob Verduijn wrote:<br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    I've checked and I see a lot of objects representing
                    my dns entries.<br>
                    Still I get no answers if I try to resolve any of
                    them :(<br>
                  </blockquote>
                  <br>
                </span> Are you running ldapsearch with *exactly* the same
                credentials as you have in /etc/named.conf?<br>
                <br>
                Could you post the dynamic-db section from your named.conf?<br>
                <br>
                Petr^2 Spacek
                <div class="HOEnZb">
                  <div class="h5"><br>
                    <br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      Rob<br>
                      <br>
                      2014-10-29 13:28 GMT+01:00 Petr Spacek &lt;<a
                        moz-do-not-send="true"
                        href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>&gt;:<br>
                      <br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex"> On 28.10.2014 18:42,
                        Rob Verduijn wrote:<br>
                        <br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"> before the update it's
                          4.5-1.fc20.x86_64.rpm from fedora 20 updates
                          repo<br>
                          after the update it's 6.0-5.fc20.x86_64.rpm
                          from copr repo<br>
                          <br>
                          Regards<br>
                          Rob<br>
                          <br>
                          <br>
                          2014-10-28 17:58 GMT+01:00 Martin Basti &lt;<a
                            moz-do-not-send="true"
                            href="mailto:mbasti@redhat.com"
                            target="_blank">mbasti@redhat.com</a>&gt;:<br>
                          <br>
                              On 28/10/14 16:10, Rob Verduijn wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex"> <br>
                               Hello all,<br>
                            <br>
                               I've been digging into my problem of
                            being unable to update from 3.3.5<br>
                            to 4.1<br>
                            <br>
                               First I add the repo from copr<br>
                            <br>
                               Then I used to update it by issuing
                            'yum update' which resulted in an<br>
                            update in which my local dns zone entries no
                            longer resolved.<br>
                            <br>
                               So I tried the instructions mentioned on
                            the site:<br>
                            yum update freeipa-server<br>
                            And this failed with a conflict in<br>
                            <br>
                               bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and<br>
                            bind-utils-32:9.9.4-15.P2.fc20.x86_64<br>
                            <br>
                               I noticed the new bind comes from the
                            copr repo and the old bind utils<br>
                            from fedora.<br>
                            <br>
                               So I first run 'yum update bind-utils -y'<br>
                            Then I ran yum update freeipa-server<br>
                            and see it fail with errors about softhsm<br>
                            <br>
                               I remembered reading about package errors
                            with softhsm and installed<br>
                            the<br>
                            softhsm-devel package first.<br>
                            <br>
                               so revert back the freeipa kvm snapshot
                            to 3.3.5  and try again<br>
                            yum update bind-utils -y ;  yum install
                            softhsm-devel -y ; yum update<br>
                            freeipa-server -y<br>
                            <br>
                               However when restarting named-pkcs11 I
                            can see in the system log that<br>
                            it<br>
                            has 0 zones loaded<br>
                            <br>
                               Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: managed-keys-zone:<br>
                            loaded serial 0<br>
                            Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: zone 0.in-addr.arpa/IN:<br>
                            loaded serial 0<br>
                            Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: zone localhost/IN:
                            loaded<br>
                            serial 0<br>
                            Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: zone<br>
                            1.0.0.127.in-addr.arpa/IN: loaded serial 0<br>
                            Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: zone<br>
                            localhost.localdomain/IN: loaded serial 0<br>
                            Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: zone<br>
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.<br>
                            0.0.ip6.arpa/IN:<br>
                            loaded serial 0<br>
                            Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: all zones loaded<br>
                            Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: running<br>
                            Oct 28 15:28:30 freeipa.x.x
                            named-pkcs11[3029]: 0 zones from LDAP<br>
                            instance<br>
                            'ipa' loaded (0 zones defined, 0 inactive, 0
                            failed to load)<br>
                            <br>
                               It claims 0 zones loaded but I can see my
                            forward and reverse zones in<br>
                            ipa<br>
                            <br>
                               what could cause it not to load the zones
                            that I defined in ipa ?<br>
                            <br>
                          </blockquote>
                          <br>
                        </blockquote>
                        This problem is usually caused by a broken IPA
                        upgrade which destroys ACIs<br>
                        in LDAP which allow access to the DNS sub-tree.<br>
                        <br>
                        Please follow instructions on:<br>
                        <br>
                        <a moz-do-not-send="true"
href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded"
                          target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded</a><br>
                        <br>
                        ... and let us know if you are able to see
                        idnsZone objects in LDAP or not.<br>
                      </blockquote>
                    </blockquote>
                    <br>
                    <br>
                    -- <br>
                    Petr^2 Spacek<br>
                  </div>
                </div>
              </blockquote>
            </div>
            <br>
          </div>
          <br>
          <br>
        </blockquote>
        <br>
        <br>
        <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
        <br>
        <br>
      </blockquote>
      <br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
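    <p>Added example, not part of the original thread and not FreeIPA or bind-dyndb-ldap code: a small shell check that reads the "zones from LDAP instance" summary line quoted above and tells apart the case discussed here (named's LDAP identity sees no zone objects at all) from zones that are visible but fail to load. The sample log text is constructed from the excerpt in the thread, and the verdict labels are hypothetical names chosen for this example.</p>
    <pre>
```shell
#!/bin/sh
# Added example: classify the bind-dyndb-ldap summary line logged by named-pkcs11.
# Sample logs are constructed (modelled on the excerpt quoted in the thread,
# with the mail-wrapped lines rejoined); the verdict labels are made up here.

SAMPLE_BROKEN="Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)"
SAMPLE_OK="Oct 29 16:40:02 freeipa.x.x named-pkcs11[3100]: 2 zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)"
SAMPLE_FAILED="Oct 29 16:40:02 freeipa.x.x named-pkcs11[3100]: 1 zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 1 failed to load)"

# Print "loaded defined inactive failed" taken from the last summary line
# found in the log text passed as $1; print nothing if there is none.
zone_summary() {
    printf '%s\n' "$1" | sed -n \
        "s/.* \([0-9][0-9]*\) zones from LDAP instance '[^']*' loaded (\([0-9][0-9]*\) zones defined, \([0-9][0-9]*\) inactive, \([0-9][0-9]*\) failed to load).*/\1 \2 \3 \4/p" \
        | tail -n 1
}

# Map the four counters to one verdict word.
classify_zone_load() {
    # Word-splitting is intended: the four counters become $1..$4.
    set -- $(zone_summary "$1")
    if [ "$#" -ne 4 ]; then
        echo "no-summary"          # plugin never logged its summary line
    elif [ "$2" -eq 0 ]; then
        # Zero zones *defined*: the identity named binds with found no
        # idnsZone objects, which the thread attributes to ACIs lost in
        # the upgrade. Compare with an ldapsearch run under that identity.
        echo "no-zones-visible"
    elif [ "$4" -gt 0 ]; then
        echo "load-failures"       # zones are visible but some are broken
    elif [ "$1" -eq 0 ]; then
        echo "all-inactive"        # zones are visible but none is active
    else
        echo "ok"
    fi
}

# Demo on the constructed sample that mirrors the thread's log.
classify_zone_load "$SAMPLE_BROKEN"
```
    </pre>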
  </body>
</html>