[Freeipa-users] Upgrading freeipa server from f18 to f20

Thomas Sailer t.sailer at alumni.ethz.ch
Tue Jan 7 13:58:50 UTC 2014


On 12/29/2013 03:49 PM, Simo Sorce wrote:

> Unfortunately you should have created the replica *before* the upgrade.

Too bad fedup didn't refuse to update and created this mess...

> Have you tried downgrading all dogtag and tomcat packages to the fc18
> ones?

After some trial and error, I downgraded the following RPMs:
freeipa-admintools-3.1.5-1.fc18.x86_64
freeipa-client-3.1.5-1.fc18.x86_64
freeipa-python-3.1.5-1.fc18.x86_64
freeipa-server-3.1.5-1.fc18.x86_64
jss-4.2.6-28.fc18.x86_64
pki-ca-10.0.6-1.fc18.noarch
pki-server-10.0.6-1.fc18.noarch
pki-symkey-10.0.6-1.fc18.x86_64
pki-tools-10.0.6-1.fc18.x86_64
tomcatjss-7.0.0-5.fc18.noarch
krb5-workstation-1.10.3-17.fc18
krb5-libs-1.10.3-17.fc18
krb5-server-ldap-1.10.3-17.fc18
krb5-pkinit-1.10.3-17.fc18
krb5-server-1.10.3-17.fc18

A file needed an ownership fix:
chown pkiuser.pkiuser /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg

Now I can prepare the replica without error.

However, installing the replica fails:

Connection check OK
Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
   [1/34]: creating directory server user
   [2/34]: creating directory server instance
   [3/34]: adding default schema
   [4/34]: enabling memberof plugin
   [5/34]: enabling winsync plugin
   [6/34]: configuring replication version plugin
   [7/34]: enabling IPA enrollment plugin
   [8/34]: enabling ldapi
   [9/34]: configuring uniqueness plugin
   [10/34]: configuring uuid plugin
   [11/34]: configuring modrdn plugin
   [12/34]: configuring DNS plugin
   [13/34]: enabling entryUSN plugin
   [14/34]: configuring lockout plugin
   [15/34]: creating indices
   [16/34]: enabling referential integrity plugin
   [17/34]: configuring ssl for ds instance
   [18/34]: configuring certmap.conf
   [19/34]: configure autobind for root
   [20/34]: configure new location for managed entries
   [21/34]: configure dirsrv ccache
   [22/34]: enable SASL mapping fallback
   [23/34]: restarting directory server
   [24/34]: setting up initial replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
DatabaseError: Constraint violation: pre-hashed passwords are not valid

The last few lines from the install log look like:

2014-01-07T13:48:06Z DEBUG wait_for_open_ports: localhost [389] timeout 120
2014-01-07T13:48:07Z DEBUG flushing ldap://server.xxxx.com:389 from SchemaCache
2014-01-07T13:48:07Z DEBUG retrieving schema for SchemaCache url=ldap://server.xxxx.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x3445560>
2014-01-07T13:48:08Z DEBUG flushing ldaps://replica.xxxx.com:636 from SchemaCache
2014-01-07T13:48:08Z DEBUG retrieving schema for SchemaCache url=ldaps://replica.xxxx.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x35c22d8>
2014-01-07T13:48:09Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
     return_value = main_function()

   File "/sbin/ipa-replica-install", line 669, in main
     ds = install_replica_ds(config)

   File "/sbin/ipa-replica-install", line 188, in install_replica_ds
     ca_file=config.dir + "/ca.crt",

   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360, in create_replica
     self.start_creation(runtime=60)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
     method()

   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 373, in __setup_replica
     r_bindpw=self.dm_password)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 938, in setup_replication
     self.repl_man_dn, self.repl_man_passwd)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 909, in basic_replication_setup
     self.add_replication_manager(conn, repldn, replpw)

   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 362, in add_replication_manager
     conn.add_entry(ent)

   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1527, in add_entry
     self.conn.add_s(dn, attrs.items())

   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
     self.gen.throw(type, value, traceback)

   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 928, in error_handler
     raise errors.DatabaseError(desc=desc, info=info)

2014-01-07T13:48:09Z DEBUG The ipa-replica-install command failed, exception: DatabaseError: Constraint violation: pre-hashed passwords are not valid

Any hint on how to fix this?

Thanks,
Thomas



