[Freeipa-users] dns stops working after upgrade

Rob Verduijn rob.verduijn at gmail.com
Tue Oct 28 17:42:30 UTC 2014


Before the update it's 4.5-1.fc20.x86_64.rpm from the fedora 20 updates repo,
after the update it's 6.0-5.fc20.x86_64.rpm from the copr repo.

Regards
Rob


2014-10-28 17:58 GMT+01:00 Martin Basti <mbasti at redhat.com>:

>  On 28/10/14 16:10, Rob Verduijn wrote:
>
>  Hello all,
>
>  I've been digging into my problem of being unable to update from 3.3.5
> to 4.1
>
>  First I add the repo from copr
>
>  Then I used to update it by issuing 'yum update', which resulted in an
> update in which my local dns zone entries no longer resolved.
>
>  So I tried the instructions mentioned on the site:
> yum update freeipa-server
> And this failed with a conflict in
>
>  bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
> bind-utils-32:9.9.4-15.P2.fc20.x86_64
>
>  I noticed the new bind comes from the copr repo and the old bind utils
> from fedora.
>
>  So I first ran 'yum update bind-utils -y'
> Then I ran yum update freeipa-server
> and see it fail with errors about softhsm
>
>  I remembered reading about package errors with softhsm and installed the
> softhsm-devel package first.
>
>  So I reverted the freeipa kvm snapshot back to 3.3.5 and tried again:
> yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
> freeipa-server -y
>
>  However when restarting named-pkcs11 I can see in the system log that it
> has 0 zones loaded
>
>  Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
>
>  It claims 0 zones loaded but I can see my forward and reverse zones in
> ipa
>
>  What could cause it not to load the zones that I defined in ipa?
>  Rob
>
>
> 2014-10-27 23:05 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>
>> Sorry for the xml formatting, I didn't realize it would mess up some mail
>> clients.
>>
>>  The last bit of the message again
>>
>>   ipa-upgradeconfig gives the following:
>>  [Verifying that root certificate is published]
>>  Failed to backup CS.cfg: no magic attribute 'dogtag'
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Removing self-signed CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> [Ensuring minimal number of connections]
>> [Enabling serial autoincrement in DNS]
>> [Updating GSSAPI configuration in DNS]
>> [Updating pid-file configuration in DNS]
>> [Masking named]
>> Changes to named.conf have been made, restart named
>> [Verifying that CA service certificate profile is updated]
>> [Update certmonger certificate renewal configuration to version 2]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> The ipa-upgradeconfig command was successful
>>
>>  Any ideas?
>> I'm rather stuck now.
>>  Rob
>>
>> 2014-10-27 22:59 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>>
>>> Hello,
>>>
>>>  I'm rather at a loss here.
>>> Everything seems to be running
>>>   ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>>  but the upgrade log is flooded with this error:
>>>  2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
>>> 2014-10-27T21:52:11Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>>> 2014-10-27T21:52:11Z DEBUG request body ''
>>> 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
>>> 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
>>> 2014-10-27T21:52:12Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>>> 2014-10-27T21:52:12Z DEBUG request body ''
>>>
>>>  I've tried the url and it works fine:
>>> https://freeipa.x.x/ca/admin/ca/getStatus
>>>  It gives the following xml:
>>>
>>>  <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse>
>>> <State>1</State><Type>CA</Type><Status>running</Status><Version>
>>> 10.2.0-3.fc20</Version></XMLResponse>
>>>
>>> After I run ipa-upgradeconfig it complains about a missing magic dog tag
>>> attribute:
>>>  ipa-upgradeconfig
>>> [Verifying that root certificate is published]
>>> Failed to backup CS.cfg: no magic attribute 'dogtag'
>>> [Migrate CRL publish directory]
>>> CRL tree already moved
>>> [Verifying that CA proxy configuration is correct]
>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>> [Fixing trust flags in /etc/httpd/alias]
>>> Trust flags already processed
>>> [Fix DS schema file syntax]
>>> Syntax already fixed
>>> [Removing RA cert from DS NSS database]
>>> RA cert already removed
>>> [Removing self-signed CA]
>>> [Checking for deprecated KDC configuration files]
>>> [Checking for deprecated backups of Samba configuration files]
>>> [Setting up Firefox extension]
>>> [Add missing CA DNS records]
>>> IPA CA DNS records already processed
>>> [Removing deprecated DNS configuration options]
>>> [Ensuring minimal number of connections]
>>> [Enabling serial autoincrement in DNS]
>>> [Updating GSSAPI configuration in DNS]
>>> [Updating pid-file configuration in DNS]
>>> [Masking named]
>>> Changes to named.conf have been made, restart named
>>> [Verifying that CA service certificate profile is updated]
>>> [Update certmonger certificate renewal configuration to version 2]
>>> [Enable PKIX certificate path discovery and validation]
>>> PKIX already enabled
>>> The ipa-upgradeconfig command was successful
>>>
>>> But my local dns zone no longer resolves :(
>>>
>>> reverting back to the 3.3 snapshot again :(
>>>
>>> Please help
>>> Rob
>>>
>>> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>
>>>>  Rob Verduijn wrote:
>>>> > hmmmm....
>>>> >
>>>> > after some more digging (monitoring the upgrade more closely.)
>>>> > I saw that the upgrade kept waiting for the ca to start, which it did
>>>> > not do.
>>>> > and after 5 minutes the upgrade gave up with the following errors in
>>>> the
>>>> > ipaupgrade log :
>>>> >
>>>> > at 85% it says :
>>>> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
>>>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>>>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
>>>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>>>> > 2014-10-26T15:04:35Z DEBUG stdout=
>>>> > Certificate Nickname                                         Trust Attributes
>>>> >                                                              SSL,S/MIME,JAR/XPI
>>>> >
>>>> > Signing-Cert                                                 u,u,u
>>>> > XXXX.XXXX IPA CA                                           CT,C,C
>>>> > ipaCert                                                      u,u,u
>>>> > Server-Cert                                                  u,u,u
>>>> >
>>>> > 2014-10-26T15:04:35Z DEBUG stderr=
>>>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>>>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
>>>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>>>> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>>>> > < certificate-removed >
>>>> > -----END CERTIFICATE-----
>>>> > 2014-10-26T15:04:35Z DEBUG stderr=
>>>> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>>>>
>>>> This has nothing to do with the CA, the LDAP server didn't come up. I'd
>>>> start with those logs or look earlier in ipaupgrade.log
>>>>
>>>> The CA requires 389-ds to be running so if it isn't up, then it will
>>>> fail to start too.
>>>>
>>>> rob
>>>>
>>>>
>>>
>>
>
>
>  Hello,
> Please, which version of bind-dyndb-ldap do you have installed?
>
> --
> Martin Basti
>
>
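The symptom in this thread is named-pkcs11 reporting "0 zones from LDAP instance 'ipa' loaded" while the zones still exist in IPA, a silent failure that ipactl status does not surface. As an added example (not from the thread or from the FreeIPA project), here is a POSIX sh check that parses that summary line and compares it with the zone count the admin expects; the log lines are constructed to mirror the thread, and piping it from journalctl and ipa dnszone-find is an assumed wiring, not something the thread shows.

```shell
#!/bin/sh
# Added example: parse the bind-dyndb-ldap summary line
#   "N zones from LDAP instance 'ipa' loaded (D zones defined, I inactive, F failed to load)"
# and decide whether named actually serves the zones IPA holds.

# Constructed samples modelled on the thread (not captured from a real host):
# the broken case from the upgrade (0 zones) and a healthy case (2 zones).
LOG_BROKEN="Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)"
LOG_OK="Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: all zones loaded
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: 2 zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)"

# Reads log text on stdin; prints "loaded defined inactive failed" taken from
# the last LDAP summary line, or nothing if the plugin never reported one.
ldap_zone_counts() {
    sed -n "s/.*named-pkcs11\[[0-9]*\]: \([0-9]*\) zones from LDAP instance '[^']*' loaded (\([0-9]*\) zones defined, \([0-9]*\) inactive, \([0-9]*\) failed to load).*/\1 \2 \3 \4/p" \
        | tail -n 1
}

# Usage: ldap_zone_verdict EXPECTED < logtext
# Prints "ok" and returns 0 when every expected zone loaded; otherwise prints
# the reason and returns 1 so it can gate a post-upgrade check.
ldap_zone_verdict() {
    expected=$1
    counts=$(ldap_zone_counts)
    if [ -z "$counts" ]; then
        echo "no-ldap-summary-line"      # plugin never initialised
        return 1
    fi
    set -- $counts
    loaded=$1 defined=$2 inactive=$3 failed=$4
    if [ "$failed" -gt 0 ]; then
        echo "failed=$failed"; return 1
    fi
    if [ "$defined" -eq 0 ] && [ "$expected" -gt 0 ]; then
        echo "plugin-sees-no-zones"       # the thread's case: IPA has zones, bind sees none
        return 1
    fi
    if [ "$loaded" -ne "$expected" ]; then
        echo "loaded=$loaded expected=$expected inactive=$inactive"; return 1
    fi
    echo ok
}

# Stand-alone demo on the constructed samples. Assumed live wiring (not from the thread):
#   journalctl -u named-pkcs11 | ldap_zone_verdict "$(ipa dnszone-find | grep -c 'Zone name:')"
echo "broken sample: $(printf '%s\n' "$LOG_BROKEN" | ldap_zone_verdict 2)"
echo "healthy sample: $(printf '%s\n' "$LOG_OK" | ldap_zone_verdict 2)"
```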