[Freeipa-users] dns stops working after upgrade

Martin Basti mbasti at redhat.com
Wed Oct 29 14:56:53 UTC 2014


On 29/10/14 15:46, Rob Verduijn wrote:
> You're right
> duh I should read more carefully and not try to do too many things at 
> once.
>
> when using the dns principal and keytab the entries are not found.
>
> How do I fix the access control instructions?
> I can revert back easily and try a different approach for the upgrade 
> if you know one
> (I really started to appreciate snapshots with this upgrade :-)
>
> Rob

Please try this first:

# ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

It should repair the privileges.
>
> 2014-10-29 14:50 GMT+01:00 Petr Spacek <pspacek at redhat.com 
> <mailto:pspacek at redhat.com>>:
>
>     On 29.10.2014 14:32, Rob Verduijn wrote:
>
>         I've checked and I see a lot of objects representing my dns
>         entries.
>         Still I get no answers if I try to resolve any of them :(
>
>
>     Are you running ldapsearch with *exactly* the same credentials as you
>     have in /etc/named.conf?
>
>     Could you post the dynamic-db section from your named.conf?
>
>     Petr^2 Spacek
>
>
>         Rob
>
>         2014-10-29 13:28 GMT+01:00 Petr Spacek <pspacek at redhat.com
>         <mailto:pspacek at redhat.com>>:
>
>             On 28.10.2014 18:42, Rob Verduijn wrote:
>
>                 before the update its 4.5-1.fc20.x86_64.rpm from
>                 fedora 20 updates repo
>                 after the update its 6.0-5.fc20.x86_64.rpm from copr repo
>
>                 Regards
>                 Rob
>
>
>                 2014-10-28 17:58 GMT+01:00 Martin Basti
>                 <mbasti at redhat.com <mailto:mbasti at redhat.com>>:
>
>                     On 28/10/14 16:10, Rob Verduijn wrote:
>
>
>                        Hello all,
>
>                        I've been digging into my problem of being
>                     unable to update from 3.3.5
>                     to 4.1
>
>                        First I add the repo from copr
>
>                        Then I used to update it by issuing 'yum
>                     update' which resulted in an
>                     update in which my local dns zone entries no
>                     longer resolved.
>
>                        So I tried the instructions mentioned on the site:
>                     yum update freeipa-server
>                     And this failed with a conflict in
>
>                        bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
>                     bind-utils-32:9.9.4-15.P2.fc20.x86_64
>
>                        I noticed the new bind comes from the copr repo
>                     and the old bind utils
>                     from fedora.
>
>                        So I first ran 'yum update bind-utils -y'
>                     Then I ran yum update freeipa-server
>                     and saw it fail with errors about softhsm
>
>                        I remembered reading about package errors with
>                     softhsm and installed
>                     the
>                     softhsm-devel package first.
>
>                        So I reverted the freeipa kvm snapshot back to
>                     3.3.5 and tried again:
>                     yum update bind-utils -y ;  yum install
>                     softhsm-devel -y ; yum update
>                     freeipa-server -y
>
>                        However when restarting named-pkcs11 I can see
>                     in the system log that
>                     it
>                     has 0 zones loaded
>
>                        Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
>                     Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
>                     Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
>                     Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
>                     Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
>                     Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
>                     Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
>                     Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
>                     Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
>
>                        It claims 0 zones loaded but I can see my
>                     forward and reverse zones in
>                     ipa
>
>                        What could cause it not to load the zones that
>                     I defined in ipa?
>
>
>             This problem is usually caused by a broken IPA upgrade which
>             destroys the ACIs
>             in LDAP which allow access to the DNS sub-tree.
>
>             Please follow instructions on:
>
>             https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded
>
>             ... and let us know if you are able to see idnsZone
>             objects in LDAP or not.
>
>
>
>     -- 
>     Petr^2 Spacek
>
>
>
>


-- 
Martin Basti
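An added diagnostic, not code from this thread or from the FreeIPA project, that scripts the check Petr asks for: an ldapsearch run under exactly the credentials named takes from /etc/named.conf, so the "0 zones from LDAP" symptom can be confirmed as an access problem rather than missing data. It assumes the bind-dyndb-ldap `arg "key value"` layout of the dynamic-db block (the sample below is constructed, hostnames are placeholders) and that kinit, ldapsearch and kdestroy are installed on the server.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or the FreeIPA project. It does by
# script what was asked for on the list: an ldapsearch with exactly the
# credentials named uses. Assumption: named.conf carries a bind-dyndb-ldap
# block in the 'arg "key value"' form below, with these four keys.

# Constructed sample of a dynamic-db section (placeholder hostnames).
SAMPLE_CONF='dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
        arg "base cn=dns, dc=example,dc=com";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/freeipa.example.com";
        arg "krb5_keytab FILE:/etc/named.keytab";
};'

# Print the value of the first 'arg "<key> <value>";' line read from stdin.
named_arg() {            # $1 = key, e.g. sasl_user
    sed -n "s/^[[:space:]]*arg \"$1 \(.*\)\";.*/\1/p" | head -n 1
}

# Count idnsZone entries in LDIF read from stdin (ldapsearch output).
# FreeIPA stores the objectClass value in lower case, hence -i.
count_zones() {
    grep -ic '^objectClass: idnsZone$' || true
}

# Query the DNS subtree as the DNS service principal, the way named does,
# and print how many zones that identity is allowed to see.
zones_visible_to_named() {   # $1 = path to named.conf
    user=$(named_arg sasl_user <"$1")
    keytab=$(named_arg krb5_keytab <"$1" | sed 's/^FILE://')
    base=$(named_arg base <"$1")
    uri=$(named_arg uri <"$1")
    KRB5CCNAME=$(mktemp); export KRB5CCNAME     # private, throwaway ccache
    kinit -k -t "$keytab" "$user" || { rm -f "$KRB5CCNAME"; return 2; }
    ldapsearch -Q -Y GSSAPI -H "$uri" -b "$base" -LLL \
        '(objectClass=idnsZone)' objectClass | count_zones
    kdestroy; rm -f "$KRB5CCNAME"
}

# On the server: zones_visible_to_named /etc/named.conf
# A count of 0 while 'ipa dnszone-find' as admin still lists the zones means
# the DNS principal has lost its ACIs on the subtree, which is the case the
# memberof-task.ldif update above is meant to repair.
```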
