[Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)

Martin Basti mbasti at redhat.com
Fri Nov 7 13:55:18 UTC 2014


On 07/11/14 14:26, Rob Verduijn wrote:
> Hello,
>
> Yes this time there are
> This section :
> 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential 
> integrity postoperation,cn=plugins,cn=config
> <SNIP>
> 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: 
> {'desc': 'Operations error'}
> 2014-11-07T13:10:03Z ERROR Update failed: Operations error:
>
> and this one
> 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust 
> Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
> <snip>
> 2014-11-07T13:10:18Z ERROR Add failure

Known issues

> and this one: (but since I do not have AD it's kinda logical)
> 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust 
> Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
> <snip>
> 2014-11-07T13:10:19Z ERROR Upgrade failed with
> 2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
> line 152, in __upgrade
>     self.modified = (ld.update(self.files, ordered=True) or
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 874, in update
>     updates = api.Backend.updateclient.update(POST_UPDATE, 
> self.dm_password, self.ldapi, self.live_run)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", 
> line 123, in update
>     (restart, apply_now, res) = self.run(update.name, **kw)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", 
> line 146, in run
>     return self.Updater[method](**kw)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
> 1399, in __call__
>     return self.execute(**options)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", 
> line 89, in execute
>     api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
> 439, in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 
> 754, in run
>     return self.execute(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 
> 2528, in execute
>     result = super(dnszone_mod, self).execute(*keys, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", 
> line 1385, in execute
>     dn = self.obj.get_dn(*keys, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 
> 1784, in get_dn
>     assert zone.is_absolute()
> AssertionError

This is the problem; it is a new bug.

The workaround is to replace the code in:
/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68
- zones = api.Command.dnszone_find(all=True)['result']
+ zones = api.Command.dnszone_find(all=True, raw=True)['result']
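Review bot: raw=True on the dnszone_find call asks for unprocessed entries, which affects every attribute read from zones in this plugin and not only the zone name, so the code between this line and the dnszone_mod call needs checking against raw values. The traceback shows zone[u'idnsname'][0] being passed to api.Command.dnszone_mod at line 89 and failing "assert zone.is_absolute()" in get_dn; confirm that the raw idnsname value satisfies that assertion and that the values collected into update still have the form dnszone_mod expects. The change is marked untested and edits an installed file under site-packages, so keep a copy of the original dns.py and expect a package update to overwrite the edit.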

(I didn't test it)

and run ipa-ldap-updater --upgrade

Thank you for your patience.


> <snip>
> 2014-11-07T13:10:23Z ERROR IPA upgrade failed.
> 2014-11-07T13:10:23Z DEBUG   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, 
> in execute
>     return_value = self.run()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", 
> line 151, in run
>     raise admintool.ScriptError('IPA upgrade failed.', 1)
>
> 2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed, 
> exception: ScriptError: IPA upgrade failed.
> 2014-11-07T13:10:23Z ERROR IPA upgrade failed.
> 2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked 
> with options: {'debug': False, 'quiet': True}
> 2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20
>
>
> and another
> 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential 
> integrity postoperation,cn=plugins,cn=config
> <snip>
> 2014-11-07T13:10:03Z DEBUG Live 1, updated 1
> 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: 
> {'desc': 'Operations error'}
> 2014-11-07T13:10:03Z ERROR Update failed: Operations error:
>
> That's it
> Rob
>
>
>
>
> 2014-11-07 13:56 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>
>     On 07/11/14 13:52, Rob Verduijn wrote:
>>     Hi all,
>>
>>     Either I was too worn out last night, or another update has happened.
>>     This morning the directory server did start after the update.
>>     Local DNS zones, however, were not available again after the update.
>>     ipa-ldap-updater did not help to fix it.
>>
>>     There are again only 7 DNS aci objects still in the ds (same
>>     as before when it failed).
>>     I also noticed that there are also quite a lot of lower case dns aci
>>     objects.
>>
>>     Rob
>>
>>
>     Hi,
>
>     do you have any errors in /var/log/ipaupgrade.log ?
>>
>>
>>     2014-11-07 10:25 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>>
>>         Changed subject.
>>         Rob CCed
>>
>>         On 07/11/14 09:52, Martin Basti wrote:
>>>         Forward message back to list
>>>
>>>
>>>         -------- Original Message --------
>>>         Subject: 	Re: [Freeipa-users] dns stops working after upgrade
>>>         Date: 	Thu, 6 Nov 2014 21:42:55 +0100
>>>         From: 	Rob Verduijn <rob.verduijn at gmail.com>
>>>         To: 	Martin Basti <mbasti at redhat.com>
>>>
>>>
>>>
>>>         Hi again,
>>>
>>>         I tried the update to 4.1.1
>>>         It didn't go well, actually it went worse than to 4.1.
>>>         Now the directory service went down and was no longer able
>>>         to start.
>>>
>>>         Some part of the logs is below.
>>>         Besides the warnings about a weak cipher there was not much
>>>         in the journalctl.
>>>
>>>         It's getting late over here, I'll dig into the logs tomorrow.
>>>
>>>         Rob
>>>
>>>         Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389
>>>         Directory Server TJAKO-THUIS....
>>>         Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389
>>>         Directory Server TJAKO-THUIS..
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>         rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher
>>>         is "on" (default setting for the backward compatibility). We
>>>         strongly recommend to set it to "off".  Please replace the
>>>         value of allowWeakCipher with "off" in the encryption config
>>>         entry cn=encryption,cn=config and restart the server.
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>         rsa_rc4_40_md5 is weak. It is enabled since allowWeakCipher
>>>         is "on" (default setting for the backward compatibility). We
>>>         strongly recommend to set it to "off".  Please replace the
>>>         value of allowWeakCipher with "off" in the encryption config
>>>         entry cn=encryption,cn=config and restart the server.
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>         rsa_rc2_40_md5 is weak. It is enabled since allowWeakCipher
>>>         is "on" (default setting for the backward compatibility). We
>>>         strongly recommend to set it to "off".  Please replace the
>>>         value of allowWeakCipher with "off" in the encryption config
>>>         entry cn=encryption,cn=config and restart the server.
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha
>>>         is weak. It is enabled since allowWeakCipher is "on"
>>>         (default setting for the backward compatibility). We
>>>         strongly recommend to set it to "off".  Please replace the
>>>         value of allowWeakCipher with "off" in the encryption config
>>>         entry cn=encryption,cn=config and restart the server.
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>         rsa_fips_des_sha is weak. It is enabled since
>>>         allowWeakCipher is "on" (default setting for the backward
>>>         compatibility). We strongly recommend to set it to "off". 
>>>         Please replace the value of allowWeakCipher with "off" in
>>>         the encryption config entry cn=encryption,cn=config and
>>>         restart the server.
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>         rsa_3des_sha is weak. It is enabled since allowWeakCipher is
>>>         "on" (default setting for the backward compatibility). We
>>>         strongly recommend to set it to "off".  Please replace the
>>>         value of allowWeakCipher with "off" in the encryption config
>>>         entry cn=encryption,cn=config and restart the server.
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>         rsa_fips_3des_sha is weak. It is enabled since
>>>         allowWeakCipher is "on" (default setting for the backward
>>>         compatibility). We strongly recommend to set it to "off". 
>>>         Please replace the value of allowWeakCipher with "off" in
>>>         the encryption config entry cn=encryption,cn=config and
>>>         restart the server.
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>>>         fortezza is not available in NSS 3.17.  Ignoring fortezza
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>>>         fortezza_rc4_128_sha is not available in NSS 3.17.  Ignoring
>>>         fortezza_rc4_128_sha
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>>>         fortezza_null is not available in NSS 3.17.  Ignoring
>>>         fortezza_null
>>>         Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>         tls_rsa_export1024_with_rc4_56_sha is weak.  It is enabled
>>>         since allowWeakCipher is "on" (default setting for the
>>>         backward compatibility). We strongly recommend to set it to
>>>         "off".  Please replace the value of allowWeakCipher with
>>>         "off" in the encryption config entry cn=encryption,cn=config
>>>         and restart the server.
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
>>>         tls_rsa_export1024_with_des_cbc_sha is weak.  It is enabled
>>>         since allowWeakCipher is "on" (default setting for the
>>>         backward compatibility). We strongly recommend to set it to
>>>         "off".  Please replace the value of allowWeakCipher with
>>>         "off" in the encryption config entry cn=encryption,cn=config
>>>         and restart the server.
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
>>>         Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>         [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL
>>>         version range: min: TLS1.0, max: TLS1.2
>>>         Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
>>>         dirsrv@TJAKO-THUIS.service: main process exited,
>>>         code=exited, status=1/FAILURE
>>>         Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
>>>         dirsrv@TJAKO-THUIS.service entered failed state.
>>>
>>>
>>>
>>
>>
>>         -- 
>>         Martin Basti
>>
>>
>
>
>     -- 
>     Martin Basti
>
>


-- 
Martin Basti
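
The ns-slapd startup messages quoted in this thread report which weak ciphers are configured and enabled and what allowWeakCipher is set to. The following is an added example, not part of the original message or of FreeIPA/389-ds, that condenses such journal output into a short report; the function name audit and the sample lines (reflowed from the quoted format to one message per line) are constructed for illustration.

```python
import re

# Constructed sample: modelled on the ns-slapd startup messages quoted in the
# thread, reflowed to one journal message per line.
PREFIX = "Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] "
SAMPLE = "\n".join(PREFIX + msg for msg in [
    '- SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since '
    'allowWeakCipher is "on" (default setting for the backward compatibility).',
    '- SSL alert: Cipher suite fortezza is not available in NSS 3.17.  Ignoring fortezza',
    '- SSL alert: TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)',
    '- SSL alert: TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)',
    'SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2',
])

PATTERNS = {
    "configured_weak": re.compile(r'SSL alert: Cipher (\S+) is weak\.'),
    "enabled_weak": re.compile(r'SSL alert:\s+(\S+): enabled, \(WEAK CIPHER\)'),
    "unavailable": re.compile(r'SSL alert: Cipher suite (\S+) is not available'),
}
ALLOW_WEAK = re.compile(r'allowWeakCipher is "(\w+)"')
TLS_RANGE = re.compile(r'SSL version range: min: (\S+), max: (\S+)')

def audit(journal_text):
    """Summarise the TLS settings ns-slapd reported at startup."""
    report = {key: [] for key in PATTERNS}
    report["allow_weak_cipher"] = None
    report["tls_range"] = None
    for line in journal_text.splitlines():
        if "ns-slapd" not in line:
            continue  # ignore systemd and other units
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and match.group(1) not in report[key]:
                report[key].append(match.group(1))
        match = ALLOW_WEAK.search(line)
        if match:
            report["allow_weak_cipher"] = match.group(1)
        match = TLS_RANGE.search(line)
        if match:
            report["tls_range"] = match.groups()
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty enabled_weak list together with allow_weak_cipher reported as "on" corresponds to the condition the server itself recommends correcting in cn=encryption,cn=config.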
