<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Thank you!!! That was exactly it.<br>
      <br>
      * Removed the "nsEncryptionConfig" entry from 99user.ldif<br>
      * Re-ran "ipa-ldap-update --upgrade"<br>
      * Then ran "ipa-dns-install", and things are looking much better: both
      servers are now back up and running.<br>
      <br>
      What is the lesson here (besides "have good backups")? <br>
      <br>
      Should we be turning off ALL servers before upgrading, to prevent
      replication? I did notice that the 99user entry had made it to
      BOTH servers, which makes me think that replication is not exactly
      the culprit.<br>
      <br>
      -M<br>
      <br>
      On 10/31/14, 1:30 AM, Ludwig Krispenz wrote:<br>
    </div>
    <blockquote cite="mid:545348B5.1090904@redhat.com" type="cite">
      <br>
      <div class="moz-cite-prefix">On 10/30/2014 07:36 PM, Martin Basti
        wrote:<br>
      </div>
      <blockquote cite="mid:54528526.4040500@redhat.com" type="cite">
        <div class="moz-cite-prefix">On 30/10/14 19:18, Michael Lasevich
          wrote:<br>
        </div>
        <blockquote cite="mid:545280EA.40604@gmail.com" type="cite">
          <div class="moz-cite-prefix">Makes sense. What is the solution
            here?<br>
            <br>
            I have the latest 389-ds installed but am still getting the
            "allowWeakCipher" error - how do I get around that?<br>
            <br>
            -M<br>
            <br>
          </div>
        </blockquote>
        Sorry, I don't know. I CCed Ludwig; he is the DS guru.<br>
      </blockquote>
      I already asked you to verify the schema files:<br>
      can you check your schema files for the definition of the
      nsEncryptionConfig objectclass? It should be only in
      01core389.ldif and contain allowWeakCipher, but it could also have
      been added to 99user.ldif during replication, when schema changes
      were consolidated.<br>
      <br>
      and what is the latest ds version you are using: rpm -q
      389-ds-base<br>
      <br>
      <br>
      <blockquote cite="mid:54528526.4040500@redhat.com" type="cite">
        Martin^2<br>
        <br>
        <blockquote cite="mid:545280EA.40604@gmail.com" type="cite">
          <div class="moz-cite-prefix"> <br>
            On 10/30/14, 11:12 AM, Martin Basti wrote:<br>
          </div>
          <blockquote cite="mid:54527F90.3000407@redhat.com" type="cite">
            <div class="moz-cite-prefix">On 24/10/14 05:17, Michael
              Lasevich wrote:<br>
            </div>
            <blockquote
cite="mid:CAAFs98W=KxsvVSy4eZ-r3hzvoRYjEsO7Exh9QX1r2L4SW7e43w@mail.gmail.com"
              type="cite">
              <div dir="ltr">While upgrading from 4.0.1 to 4.1 on
                Fedora 20, I got the following on one of the two boxes:
                <div><br>
                </div>
                <div>
                  <p class="">Upgrade failed with attribute
                    "allowWeakCipher" not allowed<br>
                    IPA upgrade failed.<br>
                    Unexpected error<br>
                    DuplicateEntry: This entry already exists</p>
                </div>
              </div>
            </blockquote>
            <br>
            The named errors are caused by a cascade effect: if the LDAP
            schema and entry updates failed, the DS plugin responsible
            for keeping the DNSSEC key DNs unique is misconfigured, which
            causes the duplication errors. The DuplicateEntry exception
            is fatal, so the dnskeysyncd installation does not continue,<br>
            which means the token database does not get the appropriate
            permissions, and named-pkcs11 can't read the tokens.<br>
            <blockquote
cite="mid:CAAFs98W=KxsvVSy4eZ-r3hzvoRYjEsO7Exh9QX1r2L4SW7e43w@mail.gmail.com"
              type="cite">
              <div dir="ltr">
                <div>
                  <p class=""><br>
                  </p>
                  <p class="">It seems the ipa no longer starts up after
                    this. The replica server seems to have had same
                    error,but it runs just fine.</p>
                  <p class="">From digging around, it appears that there
                    are a number of GSS errors in dirsrv and bind fails
                    with something like:</p>
                  <p class="">named-pkcs11[2212]: ObjectStore.cpp(74):
                    Failed to open token
                    e919db16-6329-406c-6ae4-120ad68508c4<br>
                    named-pkcs11[2212]: sha1.c:92: fatal error:<br>
                    named-pkcs11[2212]:
                    RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
                    isc_boolean_true, isc_boolean_false,
                    isc_boolean_false, ((void *)0), 0) == 0) failed</p>
                  <p class="">Any help would be appreciated</p>
                  <p class=""><br>
                  </p>
                  <p class="">-M</p>
                </div>
              </div>
            </blockquote>
            <br>
            <br>
            <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
          </blockquote>
          <br>
        </blockquote>
        <br>
        <br>
      </blockquote>
      <br>
    </blockquote>
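<p>Ludwig's check above (look for a second copy of the nsEncryptionConfig
objectclass in 99user.ldif, and see whether that copy is missing
allowWeakCipher) can be scripted. The following is an added example, not code
from this thread, from 389-ds or from FreeIPA: it parses every *.ldif file in a
schema directory, reports objectclasses that are defined in more than one file,
and flags any copy of nsEncryptionConfig whose MUST/MAY lists lack
allowWeakCipher. The two sample schema files it writes are constructed for the
demo (the OIDs are placeholders, and the attribute lists are shortened, not the
real 389-ds definitions); on a real server you would point <code>report()</code>
at <code>/etc/dirsrv/slapd-&lt;INSTANCE&gt;/schema</code> instead.</p>

```python
"""Find objectClass definitions that appear in more than one 389-ds schema
file, and flag stale copies of nsEncryptionConfig that lack allowWeakCipher."""
import re
import tempfile
from pathlib import Path

OC_RE = re.compile(r"^objectClasses:\s*(.*)$", re.IGNORECASE)
NAME_RE = re.compile(r"NAME\s+\(?\s*'([^']+)'")
MUST_RE = re.compile(r"\bMUST\s+(\(([^)]*)\)|(\S+))")
MAY_RE = re.compile(r"\bMAY\s+(\(([^)]*)\)|(\S+))")

# Constructed sample schema files. OIDs are placeholders (private enterprise
# arc), not the real 389-ds OIDs, and the attribute lists are shortened.
# 99user.ldif carries an older copy of nsEncryptionConfig without
# allowWeakCipher, the situation described in the thread.
SAMPLE_CORE = (
    "dn: cn=schema\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.1 NAME 'nsEncryptionConfig'\n"
    "  DESC 'constructed sample' SUP top MUST ( cn )\n"
    "  MAY ( nsCertfile $ nsKeyfile $ nsSSL3Ciphers $ allowWeakCipher ) )\n"
)
SAMPLE_USER = (
    "dn: cn=schema\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.1 NAME 'nsEncryptionConfig'\n"
    "  DESC 'stale replicated copy' SUP top MUST ( cn )\n"
    "  MAY ( nsCertfile $ nsKeyfile $ nsSSL3Ciphers ) )\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.2 NAME 'localThing' SUP top MUST ( cn ) )\n"
)


def unfold_ldif(text):
    """LDIF folds long values onto continuation lines that start with one space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attr_list(match):
    """Turn 'MUST ( a $ b )' or 'MUST a' into a set of attribute names."""
    if not match:
        return set()
    body = match.group(2) if match.group(2) is not None else match.group(3)
    return {a.strip() for a in body.split("$") if a.strip()}


def parse_objectclasses(text):
    """Return {name: {'must': set, 'may': set}} for each objectClasses: value."""
    result = {}
    for line in unfold_ldif(text):
        m = OC_RE.match(line)
        if not m:
            continue
        body = m.group(1)
        name = NAME_RE.search(body)
        if not name:
            continue
        result[name.group(1)] = {
            "must": parse_attr_list(MUST_RE.search(body)),
            "may": parse_attr_list(MAY_RE.search(body)),
        }
    return result


def find_duplicates(schema_dir):
    """Map objectClass name -> [(file, attrs), ...] for names seen in >1 file."""
    seen = {}
    for path in sorted(Path(schema_dir).glob("*.ldif")):
        for name, attrs in parse_objectclasses(path.read_text()).items():
            seen.setdefault(name, []).append((path.name, attrs))
    return {n: defs for n, defs in seen.items() if len(defs) > 1}


def report(schema_dir, objectclass="nsEncryptionConfig", attribute="allowWeakCipher"):
    """Human-readable findings: duplicate definitions, and copies missing `attribute`."""
    findings = []
    for name, defs in find_duplicates(schema_dir).items():
        files = ", ".join(f for f, _ in defs)
        findings.append(f"{name} defined in {len(defs)} files: {files}")
        for fname, attrs in defs:
            if name == objectclass and attribute not in attrs["must"] | attrs["may"]:
                findings.append(f"  {fname}: {name} lacks {attribute}")
    return findings


def write_sample_schema(schema_dir):
    """Write the constructed sample files into schema_dir (hypothetical layout)."""
    d = Path(schema_dir)
    (d / "01core389.ldif").write_text(SAMPLE_CORE)
    (d / "99user.ldif").write_text(SAMPLE_USER)
    return d


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return report(write_sample_schema(tmp))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

<p>Run against a live instance, a hit on 99user.ldif is the stale copy to
delete, which is what resolved the thread; stop dirsrv and keep a copy of
99user.ldif before editing it, then re-run the IPA upgrade. The parser is
deliberately simple (one NAME per definition, MUST/MAY in the usual
parenthesised form) and is meant for spotting duplicates, not as a full
RFC 4512 schema parser.</p>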
    <br>
  </body>
</html>