[Freeipa-users] dns stops working after upgrade

Martin Basti mbasti at redhat.com
Tue Oct 28 16:58:50 UTC 2014


On 28/10/14 16:10, Rob Verduijn wrote:
> Hello all,
>
> I've been digging into my problem of being unable to update from 3.3.5 
> to 4.1
>
> First I add the repo from copr
>
> Then I used to update it by issuing 'yum update' which resulted in 
> an update in which my local dns zone entries no longer resolved.
>
> So I tried the instructions mentioned on the site:
> yum update freeipa-server
> And this failed with a conflict in
>
> bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and 
> bind-utils-32:9.9.4-15.P2.fc20.x86_64
>
> I noticed the new bind comes from the copr repo and the old bind utils 
> from fedora.
>
> So I first ran 'yum update bind-utils -y'
> Then I ran yum update freeipa-server
> and see it fail with errors about softhsm
>
> I remembered reading about package errors with softhsm and installed 
> the softhsm-devel package first.
>
> So I revert the freeipa kvm snapshot back to 3.3.5 and try again:
> yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update 
> freeipa-server -y
>
> However when restarting named-pkcs11 I can see in the system log that 
> it has 0 zones loaded
>
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: 
> loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 
> 0.in-addr.arpa/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: 
> loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 
> 1.0.0.127.in-addr.arpa/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 
> localhost.localdomain/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: 
> loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP 
> instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
>
> It claims 0 zones loaded but I can see my forward and reverse zones in ipa
>
> What could cause it not to load the zones that I defined in ipa?
> Rob
>
>
> 2014-10-27 23:05 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com 
> <mailto:rob.verduijn at gmail.com>>:
>
>     Sorry for the xml formatting, I didn't realize it would mess up some
>     mail clients.
>
>     The last bit of the message again
>
>      ipa-upgradeconfig  gives the following :
>     [Verifying that root certificate is published]
>     Failed to backup CS.cfg: no magic attribute 'dogtag'
>     [Migrate CRL publish directory]
>     CRL tree already moved
>     [Verifying that CA proxy configuration is correct]
>     [Verifying that KDC configuration is using ipa-kdb backend]
>     [Fixing trust flags in /etc/httpd/alias]
>     Trust flags already processed
>     [Fix DS schema file syntax]
>     Syntax already fixed
>     [Removing RA cert from DS NSS database]
>     RA cert already removed
>     [Removing self-signed CA]
>     [Checking for deprecated KDC configuration files]
>     [Checking for deprecated backups of Samba configuration files]
>     [Setting up Firefox extension]
>     [Add missing CA DNS records]
>     IPA CA DNS records already processed
>     [Removing deprecated DNS configuration options]
>     [Ensuring minimal number of connections]
>     [Enabling serial autoincrement in DNS]
>     [Updating GSSAPI configuration in DNS]
>     [Updating pid-file configuration in DNS]
>     [Masking named]
>     Changes to named.conf have been made, restart named
>     [Verifying that CA service certificate profile is updated]
>     [Update certmonger certificate renewal configuration to version 2]
>     [Enable PKIX certificate path discovery and validation]
>     PKIX already enabled
>     The ipa-upgradeconfig command was successful
>
>     Any ideas?
>     I'm rather stuck now.
>     Rob
>
>     2014-10-27 22:59 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com
>     <mailto:rob.verduijn at gmail.com>>:
>
>         Hello,
>
>         I'm rather at a loss here.
>         Everything seems to be running
>          ipactl status
>         Directory Service: RUNNING
>         krb5kdc Service: RUNNING
>         kadmin Service: RUNNING
>         named Service: RUNNING
>         ipa_memcached Service: RUNNING
>         httpd Service: RUNNING
>         pki-tomcatd Service: RUNNING
>         ipa-otpd Service: RUNNING
>         ipa-dnskeysyncd Service: RUNNING
>         ipa: INFO: The ipactl command was successful
>
>         but the upgrade log is flooded with this error :
>         2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
>         2014-10-27T21:52:11Z DEBUG request
>         'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>         2014-10-27T21:52:11Z DEBUG request body ''
>         2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
>         2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
>         2014-10-27T21:52:12Z DEBUG request
>         'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>         2014-10-27T21:52:12Z DEBUG request body ''
>
>         I've tried the url and it works fine.
>         https://freeipa.x.x/ca/admin/ca/getStatus
>         it gives the following xml:
>
>         <?xml version="1.0" encoding="UTF-8"
>         standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20</Version></XMLResponse>
>
>         After I run ipa-upgradeconfig it complains about a missing
>         magic dog tag attribute
>         ipa-upgradeconfig
>         [Verifying that root certificate is published]
>         Failed to backup CS.cfg: no magic attribute 'dogtag'
>         [Migrate CRL publish directory]
>         CRL tree already moved
>         [Verifying that CA proxy configuration is correct]
>         [Verifying that KDC configuration is using ipa-kdb backend]
>         [Fixing trust flags in /etc/httpd/alias]
>         Trust flags already processed
>         [Fix DS schema file syntax]
>         Syntax already fixed
>         [Removing RA cert from DS NSS database]
>         RA cert already removed
>         [Removing self-signed CA]
>         [Checking for deprecated KDC configuration files]
>         [Checking for deprecated backups of Samba configuration files]
>         [Setting up Firefox extension]
>         [Add missing CA DNS records]
>         IPA CA DNS records already processed
>         [Removing deprecated DNS configuration options]
>         [Ensuring minimal number of connections]
>         [Enabling serial autoincrement in DNS]
>         [Updating GSSAPI configuration in DNS]
>         [Updating pid-file configuration in DNS]
>         [Masking named]
>         Changes to named.conf have been made, restart named
>         [Verifying that CA service certificate profile is updated]
>         [Update certmonger certificate renewal configuration to version 2]
>         [Enable PKIX certificate path discovery and validation]
>         PKIX already enabled
>         The ipa-upgradeconfig command was successful
>
>         But my local dns zone does no longer resolve :(
>
>         reverting back to the 3.3 snapshot again :(
>
>         Please help
>         Rob
>
>
>         2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcritten at redhat.com
>         <mailto:rcritten at redhat.com>>:
>
>             Rob Verduijn wrote:
>             > hmmmm....
>             >
>             > after some more digging (monitoring the upgrade more
>             closely.)
>             > I saw that the upgrade kept waiting for the ca to start,
>             which it did
>             > not do.
>             > and after 5 minutes the upgrade gave up with the
>             following errors in the
>             > ipaupgrade log :
>             >
>             > at 85% it says :
>             > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
>             > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
>             > conn=<ldap.ldapobject.SimpleLDAPObject instance at
>             0x2b18cb0>
>             > 2014-10-26T15:04:35Z DEBUG Starting external process
>             > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
>             > '/etc/httpd/alias' '-L'
>             > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>             > 2014-10-26T15:04:35Z DEBUG stdout=
>             > Certificate Nickname                              Trust
>             > Attributes
>             >
>             >  SSL,S/MIME,JAR/XPI
>             >
>             > Signing-Cert                              u,u,u
>             > XXXX.XXXX IPA CA                            CT,C,C
>             > ipaCert                               u,u,u
>             > Server-Cert                               u,u,u
>             >
>             > 2014-10-26T15:04:35Z DEBUG stderr=
>             > 2014-10-26T15:04:35Z DEBUG Starting external process
>             > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
>             > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
>             > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>             > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN
>             CERTIFICATE-----
>             > < certificate-removed >
>             > -----END CERTIFICATE-----
>             > 2014-10-26T15:04:35Z DEBUG stderr=
>             > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot
>             connect to
>             > 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>
>             This has nothing to do with the CA, the LDAP server didn't
>             come up. I'd
>             start with those logs or look earlier in ipaupgrade.log
>
>             The CA requires 389-ds to be running so if it isn't up,
>             then it will
>             fail to start too.
>
>             rob
>
>
>
>
>
>
Hello,
Please, which version of bind-dyndb-ldap do you have installed?

-- 
Martin Basti
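As an added example (not code from this thread, from FreeIPA or from bind-dyndb-ldap): a small post-upgrade check that parses the two signals Rob quoted above, the named-pkcs11 "zones from LDAP instance" summary line and the CA getStatus XML, and flags the "0 zones defined" case, which is what separates "named found no zone objects in LDAP at all" from "zones exist but failed to load". The sample journal lines and XML are constructed from the quoted output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the named-pkcs11 journal lines quoted in the thread.
SAMPLE_JOURNAL = """\
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
"""
# Constructed copy of the CA getStatus XML the poster fetched by hand.
SAMPLE_CA_STATUS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><State>1</State><Type>CA</Type><Status>running</Status>'
    '<Version>10.2.0-3.fc20</Version></XMLResponse>')

# bind-dyndb-ldap summary line: four counters per LDAP instance.
LDAP_ZONES_RE = re.compile(
    r"(?P<loaded>\d+) zones from LDAP instance '(?P<inst>[^']+)' loaded "
    r"\((?P<defined>\d+) zones defined, (?P<inactive>\d+) inactive, "
    r"(?P<failed>\d+) failed to load\)")

def parse_ldap_zone_summary(journal_text):
    """Map each LDAP instance name to its loaded/defined/inactive/failed counts."""
    summary = {}
    for line in journal_text.splitlines():
        m = LDAP_ZONES_RE.search(line)
        if m:
            summary[m.group("inst")] = {k: int(m.group(k)) for k in ("loaded", "defined", "inactive", "failed")}
    return summary

def ca_status(xml_text):
    """Return (Status, Version) from the CA getStatus XMLResponse."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root.findtext("Status"), root.findtext("Version")

def post_upgrade_findings(journal_text, ca_xml):
    """Combine both signals into findings; an empty list means nothing looked wrong."""
    findings = []
    zones = parse_ldap_zone_summary(journal_text)
    if not zones:
        findings.append("no 'zones from LDAP instance' summary: bind-dyndb-ldap plugin did not report")
    for inst, c in zones.items():
        if c["defined"] == 0:  # 0 defined (not N failed): the plugin found no zone objects in LDAP at all
            findings.append(f"instance '{inst}': 0 zones defined, named sees none of the zones stored in IPA")
        elif c["failed"]:
            findings.append(f"instance '{inst}': {c['failed']} zone(s) failed to load")
    status, _version = ca_status(ca_xml)
    if status != "running":
        findings.append(f"CA status is {status!r}, not 'running'")
    return findings
```

Feed it `journalctl -u named-pkcs11` output and the getStatus body; a "0 zones defined" finding with a running CA points at the DNS plugin's view of LDAP (plugin version, connection or base DN) rather than at the CA.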
