[Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)

Martin Kosek mkosek at redhat.com
Fri Nov 7 15:38:40 UTC 2014


On 11/07/2014 03:05 PM, Rob Verduijn wrote:
> Yup that solved it.
>
> Everything looks ok now :-)
>
> Thank you for your great effort.

Well, thank you for your patience. It will allow us to fix this bug in the next
FreeIPA release; the patch was already submitted on freeipa-devel.

Thanks again!
Martin

> Rob
>
> 2014-11-07 14:55 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>
>     On 07/11/14 14:26, Rob Verduijn wrote:
>>     Hello,
>>
>>     Yes this time there are
>>     This section :
>>     2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
>>     integrity postoperation,cn=plugins,cn=config
>>     <SNIP>
>>     2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
>>     {'desc': 'Operations error'}
>>     2014-11-07T13:10:03Z ERROR Update failed: Operations error:
>>
>>     and this one
>>     2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
>>     Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
>>     <snip>
>>     2014-11-07T13:10:18Z ERROR Add failure
>     Known issues
>
>>     and this one: (but since I do not have AD it's kinda logical)
>>     2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
>>     Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
>>     <snip>
>>     2014-11-07T13:10:19Z ERROR Upgrade failed with
>>     2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
>>     line 152, in __upgrade
>>         self.modified = (ld.update(self.files, ordered=True) or
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
>>     874, in update
>>         updates = api.Backend.updateclient.update(POST_UPDATE,
>>     self.dm_password, self.ldapi, self.live_run)
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
>>     line 123, in update
>>         (restart, apply_now, res) = self.run(update.name, **kw)
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
>>     line 146, in run
>>         return self.Updater[method](**kw)
>>       File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1399,
>>     in __call__
>>         return self.execute(**options)
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line
>>     89, in execute
>>         api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
>>       File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439,
>>     in __call__
>>         ret = self.run(*args, **options)
>>       File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754,
>>     in run
>>         return self.execute(*args, **options)
>>       File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
>>     2528, in execute
>>         result = super(dnszone_mod, self).execute(*keys, **options)
>>       File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
>>     line 1385, in execute
>>         dn = self.obj.get_dn(*keys, **options)
>>       File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
>>     1784, in get_dn
>>         assert zone.is_absolute()
>>     AssertionError
>
>     This is the problem, it is a new bug.
>
>     The workaround is to replace the code in:
>     /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68
>     - zones = api.Command.dnszone_find(all=True)['result']
>     + zones = api.Command.dnszone_find(all=True, raw=True)['result']
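
Review bot: the raw=True added to the dnszone_find call on the + line changes how every attribute of the returned entries is presented, not only idnsname, so whatever this plugin reads from each zone before the dnszone_mod(zone[u'idnsname'][0], **update) call at line 89 of the traceback needs checking against raw values, and the change is marked as untested. A one-line comment saying that raw names are requested because of the failing "assert zone.is_absolute()" in get_dn would explain the flag. Since the edit is made in place under /usr/lib/python2.7/site-packages, treat it as temporary until the fixed package is installed.
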
>
>     (I didn't test it)
>
>     and run ipa-ldap-updater --upgrade
>
>     Thank you for your patience.
>
>
>
>>     <snip>
>>     2014-11-07T13:10:23Z ERROR IPA upgrade failed.
>>     2014-11-07T13:10:23Z DEBUG   File
>>     "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
>>     execute
>>         return_value = self.run()
>>       File
>>     "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
>>     line 151, in run
>>         raise admintool.ScriptError('IPA upgrade failed.', 1)
>>
>>     2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed,
>>     exception: ScriptError: IPA upgrade failed.
>>     2014-11-07T13:10:23Z ERROR IPA upgrade failed.
>>     2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with
>>     options: {'debug': False, 'quiet': True}
>>     2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20
>>
>>
>>     and another
>>     2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
>>     integrity postoperation,cn=plugins,cn=config
>>     <snip>
>>     2014-11-07T13:10:03Z DEBUG Live 1, updated 1
>>     2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
>>     {'desc': 'Operations error'}
>>     2014-11-07T13:10:03Z ERROR Update failed: Operations error:
>>
>>     That's it
>>     Rob
>>
>>
>>
>>
>>     2014-11-07 13:56 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>>
>>         On 07/11/14 13:52, Rob Verduijn wrote:
>>>         Hi all,
>>>
>>>         Either I was too worn out last night, or another update has happened.
>>>         This morning the directory server did start after the update.
>>>         Local DNS zones however were not available again after the update;
>>>         ipa-ldap-updater did not help to fix it.
>>>
>>>         There are again only 7 DNS aci objects still in the ds (same as
>>>         before when it failed).
>>>         I also noticed that there are also quite a lot of lower case dns aci
>>>         objects.
>>>
>>>         Rob
>>>
>>>
>>         Hi,
>>
>>         do you have any errors in /var/log/ipaupgrade.log ?
>>>
>>>
>>>         2014-11-07 10:25 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>>>
>>>             Changed subject.
>>>             Rob CCed
>>>
>>>             On 07/11/14 09:52, Martin Basti wrote:
>>>>             Forward message back to list
>>>>
>>>>
>>>>             -------- Original Message --------
>>>>             Subject: Re: [Freeipa-users] dns stops working after upgrade
>>>>             Date: Thu, 6 Nov 2014 21:42:55 +0100
>>>>             From: Rob Verduijn <rob.verduijn at gmail.com>
>>>>             To: Martin Basti <mbasti at redhat.com>
>>>>
>>>>
>>>>
>>>>             Hi again,
>>>>
>>>>             I tried the update to 4.1.1
>>>>             It didn't go well, actually it went worse than to 4.1.
>>>>             Now the directory service went down and was no longer able to
>>>>             start.
>>>>
>>>>             Some part of the logs is below.
>>>>             Besides the warnings about a weak cipher there was not much in
>>>>             the journalctl.
>>>>
>>>>             It's getting late over here, I'll dig into the logs tomorrow.
>>>>
>>>>             Rob
>>>>
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389
>>>>             Directory Server TJAKO-THUIS....
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389
>>>>             Directory Server TJAKO-THUIS..
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>>             rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher is
>>>>             "on" (default setting for the backward compatibility). We
>>>>             strongly recommend to set it to "off".  Please replace the
>>>>             value of allowWeakCipher with "off" in the encryption config
>>>>             entry cn=encryption,cn=config and restart the server.
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5
>>>>             is weak. It is enabled since allowWeakCipher is "on" (default
>>>>             setting for the backward compatibility). We strongly recommend
>>>>             to set it to "off".  Please replace the value of
>>>>             allowWeakCipher with "off" in the encryption config entry
>>>>             cn=encryption,cn=config and restart the server.
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5
>>>>             is weak. It is enabled since allowWeakCipher is "on" (default
>>>>             setting for the backward compatibility). We strongly recommend
>>>>             to set it to "off".  Please replace the value of
>>>>             allowWeakCipher with "off" in the encryption config entry
>>>>             cn=encryption,cn=config and restart the server.
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is
>>>>             weak. It is enabled since allowWeakCipher is "on" (default
>>>>             setting for the backward compatibility). We strongly recommend
>>>>             to set it to "off".  Please replace the value of
>>>>             allowWeakCipher with "off" in the encryption config entry
>>>>             cn=encryption,cn=config and restart the server.
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>>             rsa_fips_des_sha is weak. It is enabled since allowWeakCipher
>>>>             is "on" (default setting for the backward compatibility). We
>>>>             strongly recommend to set it to "off".  Please replace the
>>>>             value of allowWeakCipher with "off" in the encryption config
>>>>             entry cn=encryption,cn=config and restart the server.
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha
>>>>             is weak. It is enabled since allowWeakCipher is "on" (default
>>>>             setting for the backward compatibility). We strongly recommend
>>>>             to set it to "off".  Please replace the value of
>>>>             allowWeakCipher with "off" in the encryption config entry
>>>>             cn=encryption,cn=config and restart the server.
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>>             rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher
>>>>             is "on" (default setting for the backward compatibility). We
>>>>             strongly recommend to set it to "off".  Please replace the
>>>>             value of allowWeakCipher with "off" in the encryption config
>>>>             entry cn=encryption,cn=config and restart the server.
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza
>>>>             is not available in NSS 3.17.  Ignoring fortezza
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>>>>             fortezza_rc4_128_sha is not available in NSS 3.17.  Ignoring
>>>>             fortezza_rc4_128_sha
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>>>>             fortezza_null is not available in NSS 3.17.  Ignoring fortezza_null
>>>>             Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>>>             tls_rsa_export1024_with_rc4_56_sha is weak.  It is enabled
>>>>             since allowWeakCipher is "on" (default setting for the backward
>>>>             compatibility). We strongly recommend to set it to "off".
>>>>             Please replace the value of allowWeakCipher with "off" in the
>>>>             encryption config entry cn=encryption,cn=config and restart the
>>>>             server.
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
>>>>             tls_rsa_export1024_with_des_cbc_sha is weak.  It is enabled
>>>>             since allowWeakCipher is "on" (default setting for the backward
>>>>             compatibility). We strongly recommend to set it to "off".
>>>>             Please replace the value of allowWeakCipher with "off" in the
>>>>             encryption config entry cn=encryption,cn=config and restart the
>>>>             server.
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>>             TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
>>>>             Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>>>             [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version
>>>>             range: min: TLS1.0, max: TLS1.2
>>>>             Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
>>>>             dirsrv at TJAKO-THUIS.service: main process exited,
>>>>             code=exited, status=1/FAILURE
>>>>             Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
>>>>             dirsrv at TJAKO-THUIS.service entered failed state.
>>>>
>>>>
>>>>
>>>
>>>
>>>             --
>>>             Martin Basti
>>>
>>>
>>
>>
>>         --
>>         Martin Basti
>>
>>
>
>
>     --
>     Martin Basti
>
>
>
>
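
The ns-slapd startup output quoted in this thread lists every weak cipher that stays enabled while allowWeakCipher is "on". The script below is an added example, not part of the original thread and not FreeIPA or 389-ds code: it summarises such output, tolerating mail quoting and wrapping, and emits the LDIF for the change the log message itself recommends. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the format of the ns-slapd lines quoted in the thread,
# keeping the ">" quoting and the wrapping added by the mail client.
SAMPLE = '''\
>>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5
>>>> is weak. It is enabled since allowWeakCipher is "on" (default
>>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha
>>>> is weak.  It is enabled since allowWeakCipher is "on"
>>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>> TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
>>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>>> TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>>> [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version
>>>> range: min: TLS1.0, max: TLS1.2
'''

WEAK_BY_SETTING = re.compile(r'Cipher (\S+) is weak\. It is enabled since allowWeakCipher is "on"')
WEAK_SUITE = re.compile(r'SSL alert: (\w+): enabled, \(WEAK CIPHER\)')
VERSION_RANGE = re.compile(r'SSL version range: min: ([^,\s]+), max: (\S+)')

def flatten(text):
    """Undo mail quoting and wrapping: drop leading '>' runs, collapse whitespace."""
    lines = (re.sub(r'^[>\s]+', '', ln) for ln in text.splitlines())
    return ' '.join(' '.join(lines).split())

def audit(text):
    """Return the weak ciphers and TLS version range reported at startup."""
    flat = flatten(text)
    rng = VERSION_RANGE.search(flat)
    return {
        'weak_by_setting': sorted(set(WEAK_BY_SETTING.findall(flat))),
        'weak_suites_enabled': sorted(set(WEAK_SUITE.findall(flat))),
        'tls_range': rng.groups() if rng else None,
    }

def remediation_ldif(report):
    """LDIF for the change the server log recommends; empty if nothing was flagged."""
    if not (report['weak_by_setting'] or report['weak_suites_enabled']):
        return ''
    return ('dn: cn=encryption,cn=config\n'
            'changetype: modify\n'
            'replace: allowWeakCipher\n'
            'allowWeakCipher: off\n')

if __name__ == '__main__':
    report = audit(SAMPLE)
    print(report, remediation_ldif(report), sep='\n')
```

As the log message states, the directory server has to be restarted after the attribute is changed.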



