[Freeipa-users] F20 Problem upgrading to 4.1

Michael Lasevich mlasevich at gmail.com
Thu Oct 30 17:22:42 UTC 2014


*sigh* Feel like I am going around in circles

"ipa-ldap-updater --upgrade" failed with:  "Upgrade failed with
attribute "allowWeakCipher" not allowed"


I am running 1.3.3 from mkosek-freeipa copr:

389-ds-base-libs-1.3.3.5-1.fc20.x86_64
389-ds-base-1.3.3.5-1.fc20.x86_64

 yum info 389-ds-base
Loaded plugins: copr
Installed Packages
Name        : 389-ds-base
Arch        : x86_64
Version     : 1.3.3.5
Release     : 1.fc20
Size        : 5.2 M
Repo        : installed
From repo   : mkosek-freeipa
Summary     : 389 Directory Server (base)
URL         : http://port389.org/
License     : GPLv2 with exceptions
Description : 389 Directory Server is an LDAPv3 compliant server.  The base package includes
            : the LDAP server and command line utilities for server administration.


-M

On 10/30/14, 1:44 AM, Martin Basti wrote:
> On 30/10/14 06:09, Michael Lasevich wrote:
>> Maybe I should not be doing this late at night, but I cannot find
>> "cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config " anywhere.
>>
>> -M
>
> IMO something bad happens during the ipa upgrade,
>
> can you remove
>
> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>
> entry, and run ipa-ldap-updater --upgrade, then reinstall DNS  (rerun
> ipa-dns-install)
>
> Let me know if it works.
>
>>
>> On 10/29/14, 3:03 AM, Martin Basti wrote:
>>> On 28/10/14 20:54, Michael Lasevich wrote:
>>>> I have a pair of servers that were both installed on clean Fedora20
>>>> 4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1
>>>>
>>>> During update, secondary was done first and worked but primary ran
>>>> into trouble as described
>>>>
>>>> Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
>>>> entry with dn:
>>>>
>>>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>>>
>>>>
>>>> Not sure what of that you need there, but for ipk11Label it has:
>>>> dnssec-replica:infra-dc-02.my.domain.com. (which is the replica
>>>> that IS working)
>>>>
>>>> Thanks,
>>>>
>>>> -M
>>>>
>>>> On 10/28/14, 3:21 AM, Martin Basti wrote:
>>>>> On 28/10/14 06:14, Michael Lasevich wrote:
>>>>>> Running into same thing, but running ipa-dnsinstall does not
>>>>>> complete:
>>>>>>
>>>>>> =============================
>>>>>> Configuring DNS (named)
>>>>>>     [1/8]: generating rndc key file
>>>>>> WARNING: Your system is running out of entropy, you may experience
>>>>>> long delays
>>>>>>     [2/8]: setting up our own record
>>>>>>     [3/8]: adding NS record to the zones
>>>>>>     [4/8]: setting up CA record
>>>>>>     [5/8]: setting up kerberos principal
>>>>>>     [6/8]: setting up named.conf
>>>>>>     [7/8]: configuring named to start on boot
>>>>>>     [8/8]: changing resolv.conf to point to ourselves
>>>>>> Done configuring DNS (named).
>>>>>> Configuring DNS key synchronization service (ipa-dnskeysyncd)
>>>>>>     [1/6]: checking status
>>>>>>     [2/6]: setting up kerberos principal
>>>>>>     [3/6]: setting up SoftHSM
>>>>>>     [4/6]: adding DNSSEC containers
>>>>>>     [5/6]: creating replica keys
>>>>>>     [error] DuplicateEntry: This entry already exists
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> DuplicateEntry: This entry already exists
>>>>>> =============================
>>>>>>
>>>>>> Looking into the /var/log/ipaserver-install.log gets:
>>>>>> =============================
>>>>>> 2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP, ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>>>>> 2014-10-28T05:01:24Z DEBUG flushing ldap://infra-dc-01.my.domain.com:389 from SchemaCache
>>>>>> 2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache url=ldap://infra-dc-01.my.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x47d0d88>
>>>>>> 2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>>>     run_step(full_msg, method)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>>>     method()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys
>>>>>>     ldap.add_entry(entry)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
>>>>>>     self.conn.add_s(entry.dn, attrs.items())
>>>>>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>>>     self.gen.throw(type, value, traceback)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler
>>>>>>     raise errors.DuplicateEntry()
>>>>>> DuplicateEntry: This entry already exists
>>>>>>
>>>>>> 2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry already exists
>>>>>> 2014-10-28T05:01:24Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>>>>>>     return_value = main_function()
>>>>>>   File "/sbin/ipa-dns-install", line 218, in main
>>>>>>     dnskeysyncd.create_instance(api.env.host, api.env.realm)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 128, in create_instance
>>>>>>     self.start_creation()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>>>     run_step(full_msg, method)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>>>     method()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys
>>>>>>     ldap.add_entry(entry)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
>>>>>>     self.conn.add_s(entry.dn, attrs.items())
>>>>>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>>>     self.gen.throw(type, value, traceback)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler
>>>>>>     raise errors.DuplicateEntry()
>>>>>> 2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed, exception: DuplicateEntry: This entry already exists
>>>>> Hello Michael,
>>>>>
>>>>> can you send me which entries you have in
>>>>> cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com? It looks like the directory
>>>>> server doesn't generate uniqueID for keys.
>>>>>
>>>>> Do you have an upgraded IPA or a fresh install?
>>>>>
>>>>> Martin^2
>>>>>
>>> Can you send me the content of the cn=IPK11 Unique IDs,cn=IPA
>>> UUID,cn=plugins,cn=config entry (if it exists)?
>>> It looks like DS doesn't generate unique IDs
>>>
>>> Martin^2
>>>
>>>
>
>
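
The symptom discussed in this thread, a key entry stored under the literal DN `ipk11UniqueId=autogenerate,...` so that the next add fails with DuplicateEntry, can be checked for in an LDIF export of the keys container. The following is an added example, not part of the original message or of FreeIPA's code; the function names and the sample LDIF (including the UUID-style entry) are constructed, and it assumes, per the diagnosis quoted above, that `autogenerate` is a placeholder the directory server was expected to replace.

```python
import base64
import re

PLACEHOLDER = "autogenerate"  # literal RDN value quoted in the thread

# Constructed sample in the shape of ldapsearch LDIF output (folded lines
# included). The UUID-style entry and its label are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
cn: keys

dn: ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=c
 om
ipk11Label: dnssec-replica:infra-dc-02.my.domain.com.

dn: ipk11UniqueId=00000000-0000-0000-0000-000000000001,cn=keys,cn=sec,cn=dns,
 dc=my,dc=domain,dc=com
ipk11Label: dnssec-replica:infra-dc-01.my.domain.com.
"""

def parse_entries(ldif):
    """Parse LDIF text into a list of {attr_lowercase: [values]} dicts."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF folds long lines with "\n "
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def unresolved_key_entries(ldif, rdn_attr="ipk11UniqueId"):
    """Return (dn, labels) for entries whose RDN is still the placeholder."""
    hits = []
    for entry in parse_entries(ldif):
        dn = entry["dn"][0]
        rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]  # first RDN only
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == rdn_attr.lower() and value.strip().lower() == PLACEHOLDER:
            hits.append((dn, entry.get("ipk11label", [])))
    return hits

if __name__ == "__main__":
    for dn, labels in unresolved_key_entries(SAMPLE_LDIF):
        print("placeholder RDN not replaced:", dn, labels)
```
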



