<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 24/10/14 05:17, Michael Lasevich
wrote:<br>
</div>
<blockquote
cite="mid:CAAFs98W=KxsvVSy4eZ-r3hzvoRYjEsO7Exh9QX1r2L4SW7e43w@mail.gmail.com"
type="cite">
<div dir="ltr">While upgrading from 4.0.1. to 4.1 on fedora 20 got
following on one of the two boxes:
<div><br>
</div>
<div>
<p class="">Upgrade failed with attribute "allowWeakCipher"
not allowed<br>
IPA upgrade failed.<br>
Unexpected error<br>
DuplicateEntry: This entry already exists</p>
</div>
</div>
</blockquote>
<br>
Named errors are caused by cascade effect, if ldap schema and entry
updates failed, there is misconfigured DS plugin which is
responsible to keep DNSSEC keys DN unique, what causes duplication
errors. DuplicateEntry exception is fatal, so dnskeysyncd
installation will not continue,<br>
what causes there are not appropriate permissions for token
database, and named-pkcs11 can't read tokens.<br>
<blockquote
cite="mid:CAAFs98W=KxsvVSy4eZ-r3hzvoRYjEsO7Exh9QX1r2L4SW7e43w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<p class=""><br>
</p>
<p class="">It seems the ipa no longer starts up after this.
The replica server seems to have had same error,but it runs
just fine.</p>
<p class="">From digging around, it appears that there are a
number of GSS errors in dirsrv and bind fails with something
like:</p>
<p class="">named-pkcs11[2212]: ObjectStore.cpp(74): Failed to
open token e919db16-6329-406c-6ae4-120ad68508c4<br>
named-pkcs11[2212]: sha1.c:92: fatal error:<br>
named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx,
OP_DIGEST, isc_boolean_true, isc_boolean_false,
isc_boolean_false, ((void *)0), 0) == 0) failed</p>
<p class="">Any help would be appreciated</p>
<p class=""><br>
</p>
<p class="">-M</p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
</body>
</html>