[Freeipa-users] dns stops working after upgrade

Rob Verduijn rob.verduijn at gmail.com
Mon Oct 27 14:52:56 UTC 2014


Ok, after some more digging:

I found some warnings (see below).

Are any of these the cause of the error?

Rob

<snip>
2014-10-27T13:56:13Z INFO Updating existing entry: cn=sudoers,cn=Schema
Compatibility,cn=plugins,cn=config
<snip>
2014-10-27T13:56:13Z WARNING remove:
'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")' not in
schema-compat-entry-attribute
<snip>
2014-10-27T13:56:13Z WARNING remove: '(targetattr != "userPassword ||
krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory ||
krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled ||
krbTicketPolicyReference || krbPasswordExpiration || krbPwdPolicyReference
|| krbPrincipalType || krbPwdHistory || krbLastPwdChange ||
krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth ||
krbLastFailedAuth || krbLoginFailedCount || ipaUniqueId || memberOf ||
serverHostName || enrolledBy || ipaNTHash")(version 3.0; acl "Admin can
manage any entry"; allow (all) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=XXXXX,dc=XXXXX";)' not in aci
<snip>
2014-10-27T13:56:13Z WARNING remove: '(targetattr = "userPassword ||
krbPrincipalKey || sambaLMPassword || sambaNTPassword ||
passwordHistory")(version 3.0; acl "Admins can write passwords"; allow
(add,delete,write)
groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=XXXXX,dc=XXXXX";)' not
in aci
<snip>

<snip>
2014-10-27T13:56:13Z INFO Updating existing entry:
cn=ipa-winsync,cn=plugins,cn=config
<snip>
2014-10-27T13:56:13Z WARNING remove: 'uidNumber 999' not in
ipaWinSyncUserAttr
<snip>
2014-10-27T13:56:13Z WARNING remove: 'gidNumber 999' not in
ipaWinSyncUserAttr
<snip>

<snip>
2014-10-27T13:56:14Z INFO Updating existing entry: cn=referential integrity
postoperation,cn=plugins,cn=config
<snip>
2014-10-27T13:56:14Z WARNING remove: 'ipatokenradiusconfiglink' not in
nsslapd-pluginArg18
<snip>

<snip>
2014-10-27T13:56:27Z INFO Updating existing entry: dc=XXXXX,dc=XXXXX
<snip>
2014-10-27T13:56:27Z WARNING remove: '(target =
"ldap:///idnsname=*,cn=dns,dc=XXXXX,dc=XXXXX")(version 3.0;acl "Add DNS
entries";allow (add) groupdn = "ldap:///cn=add dns
entries,cn=permissions,cn=pbac,dc=XXXXX,dc=XXXXX";)' not in aci
<snip>


<snip>
014-10-27T13:56:13Z INFO Updating existing entry: cn=Kerberos Principal
Name,cn=IPA MODRDN,cn=plugins,cn=config
<snip>
2014-10-27T13:56:13Z DEBUG remove: '60' from nsslapd-pluginPrecedence,
current value []
2014-10-27T13:56:13Z WARNING remove: '60' not in nsslapd-pluginPrecedence
<snip>

<snip>
2014-10-27T13:56:13Z INFO Updating existing entry: dc=XXXXX,dc=XXXXX
<snip>
2014-10-27T13:56:27Z WARNING remove: '(target =
"ldap:///idnsname=*,cn=dns,dc=XXXXX,dc=XXXXX")(version 3.0;acl "Add DNS
entries";allow (add) groupdn = "ldap:///cn=add dns
entries,cn=permissions,cn=pbac,dc=XXXXX,dc=XXXXX";)' not in aci
<snip>
2014-10-27T13:56:27Z WARNING remove: '(target =
"ldap:///idnsname=*,cn=dns,dc=XXXXX,dc=XXXXX")(version 3.0;acl "Remove DNS
entries";allow (delete) groupdn = "ldap:///cn=remove dns
entries,cn=permissions,cn=pbac,dc=XXXXX,dc=XXXXX";)' not in aci
<snip>
2014-10-27T13:56:27Z WARNING remove: '(targetattr = "idnsname || cn ||
idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord ||
a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord
|| mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord ||
sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord
|| certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord ||
nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname ||
idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire ||
idnssoaminimum || idnsupdatepolicy")(target =
"ldap:///idnsname=*,cn=dns,dc=XXXXX,dc=XXXXX")(version 3.0;acl "Update DNS
entries";allow (write) groupdn = "ldap:///cn=update dns
entries,cn=permissions,cn=pbac,dc=XXXXX,dc=XXXXX";)' not in ac
<snip>
2014-10-27T13:56:27Z WARNING remove: '(target =
"ldap:///ipatokenuniqueid=*,cn=otp,dc=XXXXX,dc=XXXXX")(targetfilter =
"(objectClass=ipaToken)")(version 3.0; acl "Users can create and delete
tokens"; allow (add, delete) userattr = "ipatokenOwner#SELFDN";)' not in aci
<snip>
2014-10-27T13:56:27Z WARNING remove: '(targetfilter =
"(objectClass=ipatokenHOTP)")(targetattrs = "ipatokenOTPkey ||
ipatokenOTPalgorithm || ipatokenOTPdigits || ipatokenHOTPcounter")(version
3.0; acl "Users can add HOTP token secrets"; allow (write, search) userattr
= "ipatokenOwner#USERDN";)' not in aci
<snip>

<snip>
2014-10-27T13:56:28Z INFO Updating existing entry:
cn=ipaConfig,cn=etc,dc=XXXXX,dc=XXXXX
<snip>
2014-10-27T13:56:28Z WARNING remove: 'AllowLMhash' not in ipaConfigString
<snip>

and then we get to the traceback:
2014-10-27T13:56:34Z ERROR Upgrade failed with cannot connect to
'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':
2014-10-27T13:56:34Z DEBUG Traceback (most recent call last):
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 152, in __upgrade
    self.modified = (ld.update(self.files, ordered=True) or
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 874, in update
    updates = api.Backend.updateclient.update(POST_UPDATE,
self.dm_password, self.ldapi, self.live_run)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
line 131, in update
    ld.update_from_dict(updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 889, in update_from_dict
    self._run_updates(updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 799, in _run_updates
    self._update_record(update)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 661, in _update_record
    e = self._get_entry(new_entry.dn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 544, in _get_entry
    return self.conn.get_entries(dn, scope, searchfilter, sattrs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1421,
in get_entries
    base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1527,
in find_entries
    break
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1206,
in error_handler
    error=info)
NetworkError: cannot connect to
'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':



2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:

> Rob Verduijn wrote:
> > hmmmm....
> >
> > after some more digging (monitoring the upgrade more closely),
> > I saw that the upgrade kept waiting for the ca to start, which it did
> > not do.
> > and after 5 minutes the upgrade gave up with the following errors in the
> > ipaupgrade log:
> >
> > at 85% it says:
> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
> > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
> > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> > '/etc/httpd/alias' '-L'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=
> > Certificate Nickname                                         Trust
> > Attributes
> >
> >  SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert                                                 u,u,u
> > XXXX.XXXX IPA CA                                           CT,C,C
> > ipaCert                                                      u,u,u
> > Server-Cert                                                  u,u,u
> >
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
> > < certificate-removed >
> > -----END CERTIFICATE-----
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
> > 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>
> This has nothing to do with the CA, the LDAP server didn't come up. I'd
> start with those logs or look earlier in ipaupgrade.log.
>
> The CA requires 389-ds to be running so if it isn't up, then it will
> fail to start too.
>
> rob
>
>
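A small triage script for ipaupgrade.log output like that quoted above. This is an added example, not part of the thread or of FreeIPA's own code; it assumes the real log has one record per line (the wrapping in the quoted post comes from the mail client) and uses the same placeholder domain components as the post. It separates the "remove: ... not in ..." warnings, which only report values that were already absent, from the ERROR line, and decodes the ldapi URL into the socket path whose absence confirms that 389-ds is not running.

```python
import re
from collections import OrderedDict
from urllib.parse import unquote

# Constructed sample of ipaupgrade.log records, modelled on the ones quoted in
# the thread (domain components are placeholders, as in the original post).
SAMPLE_LOG = """\
2014-10-27T13:56:13Z INFO Updating existing entry: cn=ipa-winsync,cn=plugins,cn=config
2014-10-27T13:56:13Z WARNING remove: 'uidNumber 999' not in ipaWinSyncUserAttr
2014-10-27T13:56:13Z WARNING remove: 'gidNumber 999' not in ipaWinSyncUserAttr
2014-10-27T13:56:28Z INFO Updating existing entry: cn=ipaConfig,cn=etc,dc=XXXXX,dc=XXXXX
2014-10-27T13:56:28Z WARNING remove: 'AllowLMhash' not in ipaConfigString
2014-10-27T13:56:34Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':
2014-10-27T13:56:34Z DEBUG Traceback (most recent call last):
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<level>[A-Z]+) (?P<msg>.*)$')
ENTRY_RE = re.compile(r'^Updating existing entry: (?P<dn>.+)$')
REMOVE_RE = re.compile(r"^remove: '(?P<value>.*)' not in (?P<attr>\S+)$")
LDAPI_RE = re.compile(r"ldapi://([^'\s]+)")


def triage(log_text):
    """Return (absent_removals, errors).

    absent_removals maps the entry DN being updated to a list of
    (attribute, value) pairs the updater tried to remove but did not find;
    errors lists (timestamp, message) for every ERROR record.
    """
    absent_removals = OrderedDict()
    errors = []
    current_dn = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # traceback frames and other continuation lines
        level, msg = m.group('level'), m.group('msg')
        e = ENTRY_RE.match(msg)
        if e:
            current_dn = e.group('dn')
            absent_removals.setdefault(current_dn, [])
            continue
        r = REMOVE_RE.match(msg)
        if level == 'WARNING' and r:
            absent_removals.setdefault(current_dn, []).append((r.group('attr'), r.group('value')))
        elif level == 'ERROR':
            errors.append((m.group('ts'), msg))
    return absent_removals, errors


def ldapi_socket_path(message):
    """Decode the percent-encoded ldapi URL in an error message to a filesystem
    path; stat that path (or check the dirsrv service) to confirm 389-ds is down."""
    m = LDAPI_RE.search(message)
    return unquote(m.group(1)) if m else None
```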