[Freeipa-users] Errors upgrading 4.0.1 to 4.1

Michael Lasevich mlasevich at gmail.com
Fri Oct 31 21:34:46 UTC 2014


Thank you!!! That was exactly it.

* Removed the "nsEncryptionConfig" entry from 99user.ldif
* Re-ran the "ipa-ldap-update --upgrade"
* Then "ipa-dns-install" and things are looking much better - both
servers are now back up and running.

What is the lesson here (besides "have good backups")?

Should we be turning off ALL servers before upgrading to prevent
replication? I did notice that the 99user entry made it to BOTH
servers, which makes me think that replication is not exactly the culprit.

-M

On 10/31/14, 1:30 AM, Ludwig Krispenz wrote:
>
> On 10/30/2014 07:36 PM, Martin Basti wrote:
>> On 30/10/14 19:18, Michael Lasevich wrote:
>>> Makes sense. What is the solution here?
>>>
>>> I have the latest 389-ds installed but am still getting the
>>> "allowWeakCipher" error - how do I get around that?
>>>
>>> -M
>>>
>> Sorry, I don't know. I CC'd Ludwig, he is a DS guru.
> I already asked to verify the schema files:
> can you check your schema files for the definition of the
> nsEncryptionConfig objectclass? It should be only in 01core389.ldif
> and contain allowWeakCipher, but it could also have been added to
> 99user.ldif during replication when schema changes were consolidated.
>
> and what is the latest ds version you are using: rpm -q 389-ds-base
>
>
>> Martin^2
>>
>>>
>>> On 10/30/14, 11:12 AM, Martin Basti wrote:
>>>> On 24/10/14 05:17, Michael Lasevich wrote:
>>>>> While upgrading from 4.0.1 to 4.1 on Fedora 20, I got the following on
>>>>> one of the two boxes:
>>>>>
>>>>> Upgrade failed with attribute "allowWeakCipher" not allowed
>>>>> IPA upgrade failed.
>>>>> Unexpected error
>>>>> DuplicateEntry: This entry already exists
>>>>>
>>>>
>>>> Named errors are caused by a cascade effect: if the LDAP schema and entry
>>>> updates failed, there is a misconfigured DS plugin which is
>>>> responsible for keeping DNSSEC key DNs unique, which causes duplication
>>>> errors. The DuplicateEntry exception is fatal, so the dnskeysyncd
>>>> installation will not continue,
>>>> which means there are no appropriate permissions for the token
>>>> database, and named-pkcs11 can't read tokens.
>>>>>
>>>>>
>>>>> It seems the ipa no longer starts up after this. The replica
>>>>> server seems to have had the same error, but it runs just fine.
>>>>>
>>>>> From digging around, it appears that there are a number of GSS
>>>>> errors in dirsrv and bind fails with something like:
>>>>>
>>>>> named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token
>>>>> e919db16-6329-406c-6ae4-120ad68508c4
>>>>> named-pkcs11[2212]: sha1.c:92: fatal error:
>>>>> named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
>>>>> isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void
>>>>> *)0), 0) == 0) failed
>>>>>
>>>>> Any help would be appreciated
>>>>>
>>>>>
>>>>> -M
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> -- 
>>>> Martin Basti
>>>
>>
>>
>> -- 
>> Martin Basti
>
