[Freeipa-users] Upgrading freeipa server from f18 to f20
Thomas Sailer
t.sailer at alumni.ethz.ch
Tue Jan 7 13:58:50 UTC 2014
On 12/29/2013 03:49 PM, Simo Sorce wrote:
> Unfortunately you should have created the replica *before* the upgrade.
Too bad fedup didn't refuse to update and created this mess...
> Have you tried downgrading all dogtag and tomcat packages to the fc18
> ones ?
After some trial and error, I downgraded the following RPMs:
freeipa-admintools-3.1.5-1.fc18.x86_64
freeipa-client-3.1.5-1.fc18.x86_64
freeipa-python-3.1.5-1.fc18.x86_64
freeipa-server-3.1.5-1.fc18.x86_64
jss-4.2.6-28.fc18.x86_64
pki-ca-10.0.6-1.fc18.noarch
pki-server-10.0.6-1.fc18.noarch
pki-symkey-10.0.6-1.fc18.x86_64
pki-tools-10.0.6-1.fc18.x86_64
tomcatjss-7.0.0-5.fc18.noarch
krb5-workstation-1.10.3-17.fc18
krb5-libs-1.10.3-17.fc18
krb5-server-ldap-1.10.3-17.fc18
krb5-pkinit-1.10.3-17.fc18
krb5-server-1.10.3-17.fc18
A file needed an ownership fix:
chown pkiuser.pkiuser /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
Now I can prepare the replica without error.
However, installing the replica fails:
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
[1/34]: creating directory server user
[2/34]: creating directory server instance
[3/34]: adding default schema
[4/34]: enabling memberof plugin
[5/34]: enabling winsync plugin
[6/34]: configuring replication version plugin
[7/34]: enabling IPA enrollment plugin
[8/34]: enabling ldapi
[9/34]: configuring uniqueness plugin
[10/34]: configuring uuid plugin
[11/34]: configuring modrdn plugin
[12/34]: configuring DNS plugin
[13/34]: enabling entryUSN plugin
[14/34]: configuring lockout plugin
[15/34]: creating indices
[16/34]: enabling referential integrity plugin
[17/34]: configuring ssl for ds instance
[18/34]: configuring certmap.conf
[19/34]: configure autobind for root
[20/34]: configure new location for managed entries
[21/34]: configure dirsrv ccache
[22/34]: enable SASL mapping fallback
[23/34]: restarting directory server
[24/34]: setting up initial replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-install.log for details:
DatabaseError: Constraint violation: pre-hashed passwords are not valid
The last few lines from the install log look like:
2014-01-07T13:48:06Z DEBUG wait_for_open_ports: localhost [389] timeout 120
2014-01-07T13:48:07Z DEBUG flushing ldap://server.xxxx.com:389 from
SchemaCache
2014-01-07T13:48:07Z DEBUG retrieving schema for SchemaCache
url=ldap://server.xxxx.com:389 conn=<ldap.ldapobject.SimpleLDAPObject
instance at 0x3445560>
2014-01-07T13:48:08Z DEBUG flushing ldaps://replica.xxxx.com:636 from
SchemaCache
2014-01-07T13:48:08Z DEBUG retrieving schema for SchemaCache
url=ldaps://replica.xxxx.com:636 conn=<ldap.ldapobject.SimpleLDAPObject
instance at 0x35c22d8>
2014-01-07T13:48:09Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 622, in run_script
return_value = main_function()
File "/sbin/ipa-replica-install", line 669, in main
ds = install_replica_ds(config)
File "/sbin/ipa-replica-install", line 188, in install_replica_ds
ca_file=config.dir + "/ca.crt",
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
360, in create_replica
self.start_creation(runtime=60)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line
373, in __setup_replica
r_bindpw=self.dm_password)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 938, in setup_replication
self.repl_man_dn, self.repl_man_passwd)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 909, in basic_replication_setup
self.add_replication_manager(conn, repldn, replpw)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
line 362, in add_replication_manager
conn.add_entry(ent)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
1527, in add_entry
self.conn.add_s(dn, attrs.items())
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
928, in error_handler
raise errors.DatabaseError(desc=desc, info=info)
2014-01-07T13:48:09Z DEBUG The ipa-replica-install command failed,
exception: DatabaseError: Constraint violation: pre-hashed passwords are
not valid
Any hint on how to fix this?
Thanks,
Thomas
More information about the Freeipa-users
mailing list