[Freeipa-users] Upgrade failed -- how to recover?

Rob Crittenden rcritten at redhat.com
Wed Aug 14 13:10:12 UTC 2013


Bret Wortman wrote:
> Rob, I got past this, as you indicated, by doing that after first running:
>
> # ipa-ldap-updater --ldapi ./schema.update
>
> Using a schema.update tip file I found in a note from you after some
> hard core googling. Should that extra step have been necessary?

No, it shouldn't be necessary. Can you look in /var/log/ipaupgrade.log 
(likely humongous) for the original failure and post that section of the 
log?

Updating schema is hard. We are actually completely revamping the way we 
handle schema changes between versions, which should be a lot more stable.

rob

>
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
>
> On Tue, Aug 13, 2013 at 3:39 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Bret Wortman wrote:
>
>         I tried this, but no joy:
>
>         # /usr/sbin/ipa-upgradeconfig --debug
>         :
>         :
>         DEBUG: caSignedLogCert.cfg profile validity range is 720
>         INFO: [Certificate renewal should stop the CA]
>         ERROR: Unable to find certmonger request ID for auditSigning Cert
>         INFO: The ipa-upgradeconfig command was successful
>         #
>
>
>     Run getcert list and sift through the output and see if you have a
>     request tracking for nickname auditSigningCert cert-pki-ca (or similar).
>
>         But I still can't connect to http://ipamaster/ipa/ui/; I get a
>         903 error
>         every time, and /var/log/httpd/error_log shows, in part:
>
>         [Tue Aug 13 13:07:20.786566 2013] [:error] [pid 5890] KeyError:
>         'ipadnszone'
>         [Tue Aug 13 13:07:20.786717 2013] [:error] [pid 5890] ipa: INFO:
>         bretw at FOO.NET: json_metadata(None, None, object=u'all'): KeyError
>         [Tue Aug 13 13:07:21.001525 2013] [:error] [pid 5890] ipa: INFO:
>         bretw at FOO.NET: json_metadata(None, None, command=u'all'): SUCCESS
>
>         DNS resolution, authentication and authorization all /appear/ to be
>         working fine.
>
>
>     The DNS schema was not updated properly. I'd run:
>
>     # ipa-ldap-updater --upgrade
>
>     rob
>
>
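
The `getcert list` check suggested in the quoted message, as an added example that is not part of the original thread: it reports which certmonger request, if any, tracks a given certificate nickname. The function names and the sample output are constructed for illustration; the parsing assumes the `Request ID '...'` and `nickname='...'` layout that `getcert list` prints.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output; request IDs and paths are made up.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20130813000001':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2015-08-03 12:00:00 UTC
Request ID '20130813000002':
    status: CA_UNREACHABLE
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/example.key'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2015-08-03 12:00:00 UTC
EOF
}

# find_tracking PATTERN: read `getcert list` output on stdin and print
# "request-id|status|nickname" for every request whose certificate nickname
# contains PATTERN. Returns 1 when no request matches.
find_tracking() {
    awk -v pat="$1" '
        function emit() { if (hit) { print id "|" status "|" nickname; found = 1 } }
        /^Request ID / { emit(); split($0, q, "\047"); id = q[2]; status = ""; hit = 0; next }
        /^[ \t]*status:/ { sub(/^[ \t]*status:[ \t]*/, ""); status = $0; next }
        /^[ \t]*certificate:/ {
            n = split($0, q, "\047")
            for (i = 1; i < n; i++)
                if (q[i] ~ /nickname=$/ && index(q[i + 1], pat)) { nickname = q[i + 1]; hit = 1 }
        }
        END { emit(); exit !found }
    '
}

# On an IPA server: getcert list | find_tracking auditSigningCert
sample_getcert_list | find_tracking auditSigningCert ||
    echo "no certmonger request tracks auditSigningCert" >&2
```

A substring match is used so that a nickname that is only similar to `auditSigningCert cert-pki-ca` is still found; a status other than MONITORING in the output marks a request that needs attention.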



