[Freeipa-users] Errors upgrading 4.0.1 to 4.1

Ludwig Krispenz lkrispen at redhat.com
Thu Oct 30 14:59:31 UTC 2014


On 10/24/2014 09:44 AM, Martin Kosek wrote:
> On 10/24/2014 05:17 AM, Michael Lasevich wrote:
>> While upgrading from 4.0.1 to 4.1 on Fedora 20 got following on one of the two
>> boxes:
>>
>> Upgrade failed with attribute "allowWeakCipher" not allowed
>> IPA upgrade failed.
>> Unexpected error
>> DuplicateEntry: This entry already exists
>>
>>
>> It seems the ipa no longer starts up after this. The replica server seems to
>> have had same error, but it runs just fine.
>>
>> From digging around, it appears that there are a number of GSS errors in
>> dirsrv and bind fails with something like:
>>
>> named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token
>> e919db16-6329-406c-6ae4-120ad68508c4
>> named-pkcs11[2212]: sha1.c:92: fatal error:
>> named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
>> isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 
>> 0) == 0)
>> failed
>>
>> Any help would be appreciated
>>
>>
>> -M
>
> What Directory Server version do you use? This is an attribute 
> introduced in 389-ds-base 1.3.3+ which should be included in the 
> FreeIPA Copr (DS 1.3.3 is native to F21+). CCing Ludwig to advise 
> further.

Can you check your schema files for the definition of the
nsEncryptionConfig objectclass? It should be only in 01core389.ldif and
contain allowWeakCipher, but it could have been added also to
99user.ldif during replication when schema changes have been consolidated.

>
> Thanks,
> Martin
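
The schema check suggested in the reply above, as an added example that is not part of the original thread: it unfolds each `*.ldif` file in a schema directory, finds every `objectClasses` definition of nsEncryptionConfig, and reports whether it lists allowWeakCipher. The function names, the script name and the sample definitions (placeholder OID, shortened attribute list) are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

TARGET = "nsEncryptionConfig"   # objectclass named in the thread
ATTR = "allowWeakCipher"        # attribute the upgrade complained about

# Constructed samples (placeholder OID, shortened attribute list), not real schema text.
SAMPLE_CURRENT = """dn: cn=schema
objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' SUP top
  MAY ( cn $ nsSSL3 $ allowWeakCipher ) X-ORIGIN 'constructed sample' )
"""
SAMPLE_STALE = """dn: cn=schema
objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' SUP top
  MAY ( cn $ nsSSL3 ) X-ORIGIN 'constructed sample' )
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_definitions(text):
    """One bool per objectClasses value defining TARGET: True if it lists ATTR."""
    name_re = re.compile(r"NAME\s+\(?\s*'" + re.escape(TARGET) + r"'", re.I)
    attr_re = re.compile(r"(?<![\w-])" + re.escape(ATTR) + r"(?![\w-])", re.I)
    found = []
    for line in unfold(text):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "objectclasses" and name_re.search(value):
            found.append(bool(attr_re.search(value)))
    return found

def scan_schema_dir(schema_dir):
    """Map each *.ldif file that defines TARGET to its list of results."""
    report = {p.name: find_definitions(p.read_text(errors="replace"))
              for p in sorted(Path(schema_dir).glob("*.ldif"))}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    schema_dir = sys.argv[1] if len(sys.argv) > 1 else "."  # schema directory to scan
    for name, found in scan_schema_dir(schema_dir).items():
        for ok in found:
            print(f"{name}: {TARGET} defined, {ATTR} {'present' if ok else 'MISSING'}")
```

A definition reported from any file other than 01core389.ldif, or one marked MISSING, is the condition the reply asks about.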



