[Freeipa-users] F20 Problem upgrading to 4.1

Martin Basti mbasti at redhat.com
Thu Oct 30 08:44:36 UTC 2014


On 30/10/14 06:09, Michael Lasevich wrote:
> Maybe I should not be doing this late at night, but I cannot find
> "cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config " anywhere.
>
> -M

IMO something bad happens during the ipa upgrade,

can you remove

ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

entry, and run ipa-ldap-updater --upgrade, then reinstall DNS (rerun ipa-dns-install)?

Let me know if it works.

>
> On 10/29/14, 3:03 AM, Martin Basti wrote:
>> On 28/10/14 20:54, Michael Lasevich wrote:
>>> I have a pair of servers that were both installed on clean Fedora20
>>> 4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1
>>>
>>> During update, secondary was done first and worked but primary ran into
>>> trouble as described
>>>
>>> Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
>>> entry with dn:
>>>
>>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>>
>>> Not sure what of that you need there, but for ipk11Label it has:
>>> dnssec-replica:infra-dc-02.my.domain.com. (which is the replica that IS
>>> working)
>>>
>>> Thanks,
>>>
>>> -M
>>>
>>> On 10/28/14, 3:21 AM, Martin Basti wrote:
>>>> On 28/10/14 06:14, Michael Lasevich wrote:
>>>>> Running into same thing, but running ipa-dnsinstall does not complete:
>>>>>
>>>>> =============================
>>>>> Configuring DNS (named)
>>>>>     [1/8]: generating rndc key file
>>>>> WARNING: Your system is running out of entropy, you may experience
>>>>> long delays
>>>>>     [2/8]: setting up our own record
>>>>>     [3/8]: adding NS record to the zones
>>>>>     [4/8]: setting up CA record
>>>>>     [5/8]: setting up kerberos principal
>>>>>     [6/8]: setting up named.conf
>>>>>     [7/8]: configuring named to start on boot
>>>>>     [8/8]: changing resolv.conf to point to ourselves
>>>>> Done configuring DNS (named).
>>>>> Configuring DNS key synchronization service (ipa-dnskeysyncd)
>>>>>     [1/6]: checking status
>>>>>     [2/6]: setting up kerberos principal
>>>>>     [3/6]: setting up SoftHSM
>>>>>     [4/6]: adding DNSSEC containers
>>>>>     [5/6]: creating replica keys
>>>>>     [error] DuplicateEntry: This entry already exists
>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>> DuplicateEntry: This entry already exists
>>>>> =============================
>>>>>
>>>>> Looking into the /var/log/ipaserver-install.log gets:
>>>>> =============================
>>>>> 2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
>>>>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>>>>
>>>>> 2014-10-28T05:01:24Z DEBUG flushing
>>>>> ldap://infra-dc-01.my.domain.com:389 from SchemaCache
>>>>> 2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
>>>>> url=ldap://infra-dc-01.my.domain.com:389
>>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x47d0d88>
>>>>> 2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
>>>>>     File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>>>> 382, in start_creation run_step(full_msg, method)
>>>>>     File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>>>> 372, in run_step method()
>>>>>     File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>>>>
>>>>> line 340, in __setup_replica_keys ldap.add_entry(entry)
>>>>>     File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>>> 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
>>>>>     File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>> self.gen.throw(type, value, traceback)
>>>>>     File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>>> 1169, in error_handler raise errors.DuplicateEntry()
>>>>> DuplicateEntry: This entry already exists
>>>>>
>>>>> 2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry
>>>>> already exists
>>>>> 2014-10-28T05:01:24Z DEBUG   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>> line 646, in run_script
>>>>>       return_value = main_function()
>>>>>     File "/sbin/ipa-dns-install", line 218, in main
>>>>> dnskeysyncd.create_instance(api.env.host, api.env.realm)
>>>>>     File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>>>>
>>>>> line 128, in create_instance self.start_creation()
>>>>>     File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>>>> 382, in start_creation run_step(full_msg, method)
>>>>>     File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>>>> 372, in run_step method()
>>>>>     File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>>>>
>>>>> line 340, in __setup_replica_keys ldap.add_entry(entry)
>>>>>     File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>>> 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
>>>>>     File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>> self.gen.throw(type, value, traceback)
>>>>>     File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
>>>>> 1169, in error_handler raise errors.DuplicateEntry()
>>>>> 2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
>>>>> exception: DuplicateEntry: This entry already exists
>>>> Hello Michael,
>>>>
>>>> can you send me which entries you have in
>>>> cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com, it looks like directory
>>>> server doesn't generate uniqueID for keys.
>>>>
>>>> Do you have an upgraded IPA or a fresh install?
>>>>
>>>> Martin^2
>>>>
>> Can you send me content of cn=IPK11 Unique IDs,cn=IPA
>> UUID,cn=plugins,cn=config entry? (If exists)
>> It looks like DS doesn't generate unique IDs
>>
>> Martin^2
>>
>>


-- 
Martin Basti
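
The check discussed in this thread, as an added example that is not part of the original message or of FreeIPA's code: it scans an LDIF export of the keys subtree for entries whose RDN is still the literal `ipk11UniqueId=autogenerate`, meaning the directory server never substituted a generated ID. The function names and the sample LDIF are assumptions constructed for illustration.

```python
import base64

PLACEHOLDER = "autogenerate"  # literal RDN value from the DN quoted in the thread

# Constructed LDIF in ldapsearch style (not real output). The second entry's
# ID and host name are made up to show what a generated ID looks like.
SAMPLE_LDIF = """\
dn: ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=c
 om
ipk11UniqueId: autogenerate
ipk11Label: dnssec-replica:infra-dc-02.my.domain.com.

dn: ipk11UniqueId=0f3c1a52-5e4b11e4-9d2e8f01-aabbccdd,cn=keys,cn=sec,cn=dns,
 dc=my,dc=domain,dc=com
ipk11Label: dnssec-replica:constructed-host.my.domain.com.
"""

def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per LDIF record."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):        # "attr:: " marks a base64 value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            current.setdefault(attr.strip().lower(), []).append(value)
    return records

def find_placeholder_keys(text):
    """List (dn, labels) for entries whose first RDN is ipk11UniqueId=autogenerate."""
    hits = []
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0]
        attr, _, value = dn.split(",", 1)[0].partition("=")  # no escaped commas expected here
        if attr.strip().lower() == "ipk11uniqueid" and value.strip().lower() == PLACEHOLDER:
            hits.append((dn, rec.get("ipk11label", [])))
    return hits

if __name__ == "__main__":
    for dn, labels in find_placeholder_keys(SAMPLE_LDIF):
        print("placeholder entry:", dn, labels)
```

The `ipk11Label` returned with each hit shows which replica's key occupies the placeholder DN, which is the detail the thread used to tell the working replica from the failing one.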



