[Freeipa-users] dns stops working after upgrade

Rob Crittenden rcritten at redhat.com
Tue Oct 28 15:51:14 UTC 2014


Rob Verduijn wrote:
> OK, after some more digging:
> 
> I found some warnings (see below)
> 
> Are any of these the cause of the error?
> 
> Rob
> 
> <snip>

<snip>

> <snip>
> 2014-10-27T13:56:28Z INFO Updating existing entry:
> cn=ipaConfig,cn=etc,dc=XXXXX,dc=XXXXX
> <snip>
> 2014-10-27T13:56:28Z WARNING remove: 'AllowLMhash' not in ipaConfigString
> <snip>

AFAICT these are all normal. It basically means the LDAP data is already
in the state we want.


> and then we get to the traceback:
> 2014-10-27T13:56:34Z ERROR Upgrade failed with cannot connect to
> 'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':
> 2014-10-27T13:56:34Z DEBUG Traceback (most recent call last):
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
> line 152, in __upgrade
>     self.modified = (ld.update(self.files, ordered=True) or
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 874, in update
>     updates = api.Backend.updateclient.update(POST_UPDATE,
> self.dm_password, self.ldapi, self.live_run)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
> line 131, in update
>     ld.update_from_dict(updates)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 889, in update_from_dict
>     self._run_updates(updates)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 799, in _run_updates
>     self._update_record(update)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 661, in _update_record
>     e = self._get_entry(new_entry.dn)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
> 544, in _get_entry
>     return self.conn.get_entries(dn, scope, searchfilter, sattrs)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1421, in get_entries
>     base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1527, in find_entries
>     break
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1206, in error_handler
>     error=info)
> NetworkError: cannot connect to
> 'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':

I'd poke around more in the ipaupgrade.log to see if you can find a
failed dirsrv restart. Looking at the 389-ds logs might be handy too,
and I'd check (dmesg, for example) to see if it core dumped.

rob

> 
> 
> 
> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>>:
> 
>     Rob Verduijn wrote:
>     > hmmmm....
>     >
>     > after some more digging (monitoring the upgrade more closely.)
>     > I saw that the upgrade kept waiting for the ca to start, which it did
>     > not do.
>     > and after 5 minutes the upgrade gave up with the following errors
>     in the
>     > ipaupgrade log :
>     >
>     > at 85% it says :
>     > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
>     > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
>     > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
>     > 2014-10-26T15:04:35Z DEBUG Starting external process
>     > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
>     > '/etc/httpd/alias' '-L'
>     > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>     > 2014-10-26T15:04:35Z DEBUG stdout=
>     > Certificate Nickname                                         Trust
>     > Attributes
>     >
>     >  SSL,S/MIME,JAR/XPI
>     >
>     > Signing-Cert                                                 u,u,u
>     > XXXX.XXXX IPA CA                                           CT,C,C
>     > ipaCert                                                      u,u,u
>     > Server-Cert                                                  u,u,u
>     >
>     > 2014-10-26T15:04:35Z DEBUG stderr=
>     > 2014-10-26T15:04:35Z DEBUG Starting external process
>     > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
>     > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
>     > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>     > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>     > < certificate-removed >
>     > -----END CERTIFICATE-----
>     > 2014-10-26T15:04:35Z DEBUG stderr=
>     > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
>     > 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
> 
>     This has nothing to do with the CA, the LDAP server didn't come up. I'd
>     start with those logs or look earlier in ipaupgrade.log
> 
>     The CA requires 389-ds to be running so if it isn't up, then it will
>     fail to start too.
> 
>     rob
> 
> 
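
One way to do the ipaupgrade.log check suggested in the reply above, as an added example that is not part of the original thread or of FreeIPA itself: it pairs each `args=` record with the following `Process finished, return code=` record and reports non-zero exits plus ERROR records, while ignoring the WARNING records described as normal. The sample log is constructed in the format quoted in this thread; the `systemctl` command line and the EXAMPLE-TEST instance name are assumptions.

```python
import re

# Record header as quoted in the thread: "<UTC timestamp> <LEVEL> <message>"
RECORD = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")
RETCODE = re.compile(r"^Process finished, return code=(-?\d+)$")

def triage(log_text):
    """Return (failed_commands, errors) found in ipaupgrade.log-style text."""
    failed, errors = [], []
    last_args = None
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # continuation line (traceback frame, command stdout)
        ts, level, msg = m.groups()
        if msg.startswith("args="):
            last_args = msg[len("args="):]  # remember the command just started
            continue
        rc = RETCODE.match(msg)
        if rc:
            if int(rc.group(1)) != 0:
                failed.append((ts, last_args, int(rc.group(1))))
        elif level in ("ERROR", "CRITICAL"):
            errors.append((ts, msg))
    return failed, errors

# Constructed sample, not taken from a real server.
SAMPLE_LOG = """\
2014-10-27T13:56:20Z DEBUG Starting external process
2014-10-27T13:56:20Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
2014-10-27T13:56:20Z DEBUG Process finished, return code=0
2014-10-27T13:56:25Z DEBUG Starting external process
2014-10-27T13:56:25Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv@EXAMPLE-TEST.service'
2014-10-27T13:56:28Z DEBUG Process finished, return code=1
2014-10-27T13:56:28Z WARNING remove: 'AllowLMhash' not in ipaConfigString
2014-10-27T13:56:34Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket':
2014-10-27T13:56:34Z DEBUG Traceback (most recent call last):
  File "ldapupdate.py", line 874, in update
"""

if __name__ == "__main__":
    failed, errors = triage(SAMPLE_LOG)
    for ts, args, rc in failed:
        print("%s exit %d: %s" % (ts, rc, args))
    for ts, msg in errors:
        print("%s ERROR: %s" % (ts, msg))
```

A non-zero exit that precedes the first ERROR record is the place to start reading; the 389-ds logs and dmesg checks mentioned in the reply are separate steps.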



