<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 07/11/14 14:26, Rob Verduijn wrote:<br>
    </div>
    <blockquote
cite="mid:CAMkGkc5GYpGhobvtT02JWy1AYQ2btqf-R9nssLKmi64VJw_b_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hello,
        <div><br>
        </div>
        <div>Yes this time there are </div>
        <div>This section :</div>
        <div>
          <div>2014-11-07T13:10:03Z INFO Updating existing entry:
            cn=referential integrity postoperation,cn=plugins,cn=config</div>
        </div>
        <div>&lt;SNIP&gt;</div>
        <div>
          <div>2014-11-07T13:10:03Z DEBUG Unhandled LDAPError:
            OPERATIONS_ERROR: {'desc': 'Operations error'}</div>
          <div>2014-11-07T13:10:03Z ERROR Update failed: Operations
            error:</div>
        </div>
        <div><br>
        </div>
        <div>and this one</div>
        <div>2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
          Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis<br>
        </div>
        <div>&lt;snip&gt;</div>
        <div>2014-11-07T13:10:18Z ERROR Add failure</div>
      </div>
    </blockquote>
    <div dir="ltr">
      <div>Known issues<br>
      </div>
    </div>
    <br>
    <blockquote
cite="mid:CAMkGkc5GYpGhobvtT02JWy1AYQ2btqf-R9nssLKmi64VJw_b_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>and this one: (but since I do not have AD it's kinda
          logical)</div>
        <div>2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
          Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis<br>
        </div>
        <div>&lt;snip&gt;</div>
        <div>
          <div>2014-11-07T13:10:19Z ERROR Upgrade failed with</div>
          <div>2014-11-07T13:10:19Z DEBUG Traceback (most recent call
            last):</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
            line 152, in __upgrade</div>
          <div>    self.modified = (ld.update(self.files, ordered=True)
            or</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
            line 874, in update</div>
          <div>    updates =
            api.Backend.updateclient.update(POST_UPDATE,
            self.dm_password, self.ldapi, self.live_run)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
            line 123, in update</div>
          <div>    (restart, apply_now, res) = self.run(update.name,
            **kw)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
            line 146, in run</div>
          <div>    return self.Updater[method](**kw)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
            1399, in __call__</div>
          <div>    return self.execute(**options)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
            line 89, in execute</div>
          <div>    api.Command.dnszone_mod(zone[u'idnsname'][0],
            **update)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
            439, in __call__</div>
          <div>    ret = self.run(*args, **options)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
            754, in run</div>
          <div>    return self.execute(*args, **options)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py",
            line 2528, in execute</div>
          <div>    result = super(dnszone_mod, self).execute(*keys,
            **options)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
            line 1385, in execute</div>
          <div>    dn = self.obj.get_dn(*keys, **options)</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py",
            line 1784, in get_dn</div>
          <div>    assert zone.is_absolute()</div>
          <div>AssertionError</div>
        </div>
      </div>
    </blockquote>
    <br>
    This is the problem, it is a new bug.<br>
    <br>
    The workaround is to replace the code in:<br>
    /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68<br>
    - zones = api.Command.dnszone_find(all=True)['result']<br>
    + zones = api.Command.dnszone_find(all=True, raw=True)['result']<br>
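    <br>
    Review bot: raw=True on the dnszone_find call at line 68 applies to every attribute in zones, not only the idnsname that the traceback shows being passed to dnszone_mod at line 89, so each later use of zone[...] in this plugin should be checked against raw values before the workaround is relied on. The edit is made in place in a packaged file under /usr/lib/python2.7/site-packages, so a later package update will replace it; keep a copy of the original file and record the change.<br>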
    <br>
    (I didn't test it)<br>
    <br>
    and run ipa-ldap-updater --upgrade<br>
    <br>
    Thank you for your patience.<br>
    <br>
    <br>
    <blockquote
cite="mid:CAMkGkc5GYpGhobvtT02JWy1AYQ2btqf-R9nssLKmi64VJw_b_A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>&lt;snip&gt;<br>
        </div>
        <div>2014-11-07T13:10:23Z ERROR IPA upgrade failed.<br>
        </div>
        <div>
          <div>2014-11-07T13:10:23Z DEBUG   File
            "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
            line 171, in execute</div>
          <div>    return_value = self.run()</div>
          <div>  File
            "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
            line 151, in run</div>
          <div>    raise admintool.ScriptError('IPA upgrade failed.', 1)</div>
          <div><br>
          </div>
          <div>2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command
            failed, exception: ScriptError: IPA upgrade failed.</div>
          <div>2014-11-07T13:10:23Z ERROR IPA upgrade failed.</div>
          <div>2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig
            was invoked with options: {'debug': False, 'quiet': True}</div>
          <div>2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20</div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>and another</div>
        <div>2014-11-07T13:10:03Z INFO Updating existing entry:
          cn=referential integrity postoperation,cn=plugins,cn=config<br>
        </div>
        <div>&lt;snip&gt;</div>
        <div>
          <div>2014-11-07T13:10:03Z DEBUG Live 1, updated 1</div>
          <div>2014-11-07T13:10:03Z DEBUG Unhandled LDAPError:
            OPERATIONS_ERROR: {'desc': 'Operations error'}</div>
          <div>2014-11-07T13:10:03Z ERROR Update failed: Operations
            error:</div>
        </div>
        <div><br>
        </div>
        <div>That's it</div>
        <div>Rob</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2014-11-07 13:56 GMT+01:00 Martin Basti
          <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>On 07/11/14 13:52, Rob Verduijn wrote:<br>
              </div>
              <blockquote type="cite">
                <div dir="ltr">Hi all,
                  <div><br>
                  </div>
                  <div>Either I was too worn out last night, or another
                    update has happened.</div>
                  <div>This morning the directory server did start after
                    the update.</div>
                  <div>Local DNS zones, however, were not available again
                    after the update.</div>
                  <div>ipa-ldap-updater did not help to fix it.</div>
                  <div><br>
                  </div>
                  <div>There are again only 7 DNS aci objects still in
                    the ds (same as before when it failed).</div>
                  <div>I also noticed that there are also quite a lot of
                    lower case dns aci objects.</div>
                  <div><br>
                  </div>
                  <div>Rob</div>
                  <div><br>
                  </div>
                  <div><br>
                  </div>
                </div>
              </blockquote>
              Hi,<br>
              <br>
              Do you have any errors in /var/log/ipaupgrade.log?<br>
              <blockquote type="cite">
                <div dir="ltr">
                  <div><br>
                  </div>
                </div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">2014-11-07 10:25 GMT+01:00
                    Martin Basti <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span>:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div>Changed subject.<br>
                          Rob CCed <br>
                          <br>
                          On 07/11/14 09:52, Martin Basti wrote:<br>
                        </div>
                        <blockquote type="cite"> Forward message back to
                          list<br>
                          <div><br>
                            <br>
                            -------- Original Message --------
                            <table border="0" cellpadding="0"
                              cellspacing="0">
                              <tbody>
                                <tr>
                                  <th align="RIGHT" nowrap="nowrap"
                                    valign="BASELINE">Subject: </th>
                                  <td>Re: [Freeipa-users] dns stops
                                    working after upgrade</td>
                                </tr>
                                <tr>
                                  <th align="RIGHT" nowrap="nowrap"
                                    valign="BASELINE">Date: </th>
                                  <td>Thu, 6 Nov 2014 21:42:55 +0100</td>
                                </tr>
                                <tr>
                                  <th align="RIGHT" nowrap="nowrap"
                                    valign="BASELINE">From: </th>
                                  <td>Rob Verduijn <a
                                      moz-do-not-send="true"
                                      href="mailto:rob.verduijn@gmail.com"
                                      target="_blank">&lt;rob.verduijn@gmail.com&gt;</a></td>
                                </tr>
                                <tr>
                                  <th align="RIGHT" nowrap="nowrap"
                                    valign="BASELINE">To: </th>
                                  <td>Martin Basti <a
                                      moz-do-not-send="true"
                                      href="mailto:mbasti@redhat.com"
                                      target="_blank">&lt;mbasti@redhat.com&gt;</a></td>
                                </tr>
                              </tbody>
                            </table>
                            <br>
                            <br>
                            <div dir="ltr">Hi again,
                              <div><br>
                              </div>
                              <div>I tried the update to 4.1.1</div>
                              <div>It didn't go well, actually it went
                                worse than to 4.1.</div>
                              <div>Now the directory service went down
                                and was no longer able to start.</div>
                              <div><br>
                              </div>
                              <div>Some part of the logs is below.</div>
                              <div>Besides the warnings about a weak
                                cipher there was not much in the
                                journalctl.</div>
                              <div><br>
                              </div>
                              <div>It's getting late over here, I'll dig
                                into the logs tomorrow.</div>
                              <div><br>
                              </div>
                              <div>Rob</div>
                              <div><br>
                              </div>
                              <div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  systemd[1]: Starting 389 Directory
                                  Server TJAKO-THUIS....</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  systemd[1]: Started 389 Directory
                                  Server TJAKO-THUIS..</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher
                                  rsa_rc4_128_md5 is weak. It is enabled
                                  since allowWeakCipher is "on" (default
                                  setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher
                                  rsa_rc4_40_md5 is weak. It is enabled
                                  since allowWeakCipher is "on" (default
                                  setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher
                                  rsa_rc2_40_md5 is weak. It is enabled
                                  since allowWeakCipher is "on" (default
                                  setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher rsa_des_sha
                                  is weak. It is enabled since
                                  allowWeakCipher is "on" (default
                                  setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher
                                  rsa_fips_des_sha is weak. It is
                                  enabled since allowWeakCipher is "on"
                                  (default setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher
                                  rsa_3des_sha is weak. It is enabled
                                  since allowWeakCipher is "on" (default
                                  setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher
                                  rsa_fips_3des_sha is weak. It is
                                  enabled since allowWeakCipher is "on"
                                  (default setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher suite
                                  fortezza is not available in NSS
                                  3.17.  Ignoring fortezza</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher suite
                                  fortezza_rc4_128_sha is not available
                                  in NSS 3.17.  Ignoring
                                  fortezza_rc4_128_sha</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher suite
                                  fortezza_null is not available in NSS
                                  3.17.  Ignoring fortezza_null</div>
                                <div>Nov 06 21:34:58 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:58
                                  +0100] - SSL alert: Cipher
                                  tls_rsa_export1024_with_rc4_56_sha is
                                  weak.  It is enabled since
                                  allowWeakCipher is "on" (default
                                  setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert: Cipher
                                  tls_rsa_export1024_with_des_cbc_sha is
                                  weak.  It is enabled since
                                  allowWeakCipher is "on" (default
                                  setting for the backward
                                  compatibility). We strongly recommend
                                  to set it to "off".  Please replace
                                  the value of allowWeakCipher with
                                  "off" in the encryption config entry
                                  cn=encryption,cn=config and restart
                                  the server.</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert: Configured NSS
                                  Ciphers</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA:
                                  enabled, (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  TLS_RSA_WITH_3DES_EDE_CBC_SHA:
                                  enabled, (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  TLS_RSA_WITH_RC4_128_MD5: enabled,
                                  (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  SSL_RSA_FIPS_WITH_DES_CBC_SHA:
                                  enabled, (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  TLS_RSA_WITH_DES_CBC_SHA: enabled,
                                  (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA:
                                  enabled, (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA:
                                  enabled, (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  TLS_RSA_EXPORT_WITH_RC4_40_MD5:
                                  enabled, (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] - SSL alert:        
                                  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
                                  enabled, (WEAK CIPHER)</div>
                                <div>Nov 06 21:34:59 freeipa.tjako.thuis
                                  ns-slapd[2244]: [06/Nov/2014:21:34:59
                                  +0100] SSL Initialization - SSL
                                  version range: min: TLS1.0, max:
                                  TLS1.2</div>
                                <div>Nov 06 21:35:01 freeipa.tjako.thuis
                                  systemd[1]: dirsrv@TJAKO-THUIS.service:
                                  main process exited, code=exited,
                                  status=1/FAILURE</div>
                                <div>Nov 06 21:35:01 freeipa.tjako.thuis
                                  systemd[1]: Unit dirsrv@TJAKO-THUIS.service
                                  entered failed state.</div>
                              </div>
                            </div>
                            <div class="gmail_extra"><br>
                            </div>
                          </div>
                          <br>
                          <fieldset></fieldset>
                          <br>
                          <span><font color="#888888"> </font></span></blockquote>
                        <span><font color="#888888"> <br>
                            <span class="HOEnZb"><font color="#888888">
                                <br>
                                <pre cols="72">-- 
Martin Basti</pre>
                              </font></span></font></span></div>
                      <span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
                    <span class="HOEnZb"><font color="#888888"> </font></span></div>
                  <span class="HOEnZb"><font color="#888888"> <br>
                    </font></span></div>
                <span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
              <span class="HOEnZb"><font color="#888888"> <br>
                  <br>
                  <pre cols="72">-- 
Martin Basti</pre>
                </font></span></div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
  </body>
</html>