[Freeipa-users] F20 Problem upgrading to 4.1
Michael Lasevich
mlasevich at gmail.com
Thu Oct 30 17:22:42 UTC 2014
*sigh* Feel like I am going around in circles
"ipa-ldap-updater --upgrade" failed with: "Upgrade failed with
attribute "allowWeakCipher" not allowed"
I am running 1.3.3 from mkosek-freeipa copr:
389-ds-base-libs-1.3.3.5-1.fc20.x86_64
389-ds-base-1.3.3.5-1.fc20.x86_64
yum info 389-ds-base
Loaded plugins: copr
Installed Packages
Name : 389-ds-base
Arch : x86_64
Version : 1.3.3.5
Release : 1.fc20
Size : 5.2 M
Repo : installed
>From repo : mkosek-freeipa
Summary : 389 Directory Server (base)
URL : http://port389.org/
License : GPLv2 with exceptions
Description : 389 Directory Server is an LDAPv3 compliant server. The
base package includes
: the LDAP server and command line utilities for server
administration.
-M
On 10/30/14, 1:44 AM, Martin Basti wrote:
> On 30/10/14 06:09, Michael Lasevich wrote:
>> Maybe I should not be doing this late at night, but I cannot find
>> "cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config " anywhere.
>>
>> -M
>
> IMO something bad happens during the ipa upgrade,
>
> can you remove
>
> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>
> entry, and run ipa-ldap-updater --upgrade, then reinstall DNS (rerun
> ipa-dns-install)
>
> Let me know if it works.
>
>>
>> On 10/29/14, 3:03 AM, Martin Basti wrote:
>>> On 28/10/14 20:54, Michael Lasevich wrote:
>>>> I have a pair of servers that were both installed on clean Fedora20
>>>> 4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1
>>>>
>>>> During update, secondary was done first and worked but primary run
>>>> into
>>>> trouble as described
>>>>
>>>> Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
>>>> entry with dn:
>>>>
>>>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>>>
>>>>
>>>> Not sure what of that you need there, but for ipk11Label it has:
>>>> dnssec-replica:infra-dc-02.my.domain.com. (which is the replica
>>>> that IS
>>>> working)
>>>>
>>>> Thanks,
>>>>
>>>> -M
>>>>
>>>> On 10/28/14, 3:21 AM, Martin Basti wrote:
>>>>> On 28/10/14 06:14, Michael Lasevich wrote:
>>>>>> Running into same thing, but running ipa-dnsinstall does not
>>>>>> complete:
>>>>>>
>>>>>> =============================
>>>>>> Configuring DNS (named)
>>>>>> [1/8]: generating rndc key file
>>>>>> WARNING: Your system is running out of entropy, you may experience
>>>>>> long delays
>>>>>> [2/8]: setting up our own record
>>>>>> [3/8]: adding NS record to the zones
>>>>>> [4/8]: setting up CA record
>>>>>> [5/8]: setting up kerberos principal
>>>>>> [6/8]: setting up named.conf
>>>>>> [7/8]: configuring named to start on boot
>>>>>> [8/8]: changing resolv.conf to point to ourselves
>>>>>> Done configuring DNS (named).
>>>>>> Configuring DNS key synchronization service (ipa-dnskeysyncd)
>>>>>> [1/6]: checking status
>>>>>> [2/6]: setting up kerberos principal
>>>>>> [3/6]: setting up SoftHSM
>>>>>> [4/6]: adding DNSSEC containers
>>>>>> [5/6]: creating replica keys
>>>>>> [error] DuplicateEntry: This entry already exists
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> DuplicateEntry: This entry already exists
>>>>>> =============================
>>>>>>
>>>>>> Looking into the /var/log/ipaserver-install.log gets:
>>>>>> =============================
>>>>>> 2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
>>>>>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>>>>>
>>>>>>
>>>>>> 2014-10-28T05:01:24Z DEBUG flushing
>>>>>> ldap://infra-dc-01.my.domain.com:389 from SchemaCache
>>>>>> 2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
>>>>>> url=ldap://infra-dc-01.my.domain.com:389
>>>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x47d0d88>
>>>>>> 2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>>> line
>>>>>> 382, in start_creation run_step(full_msg, method)
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>>> line
>>>>>> 372, in run_step method()
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>>>>>
>>>>>>
>>>>>> line 340, in __setup_replica_keys ldap.add_entry(entry)
>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>>>>> line
>>>>>> 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
>>>>>> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>>> self.gen.throw(type, value, traceback)
>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>>>>> line
>>>>>> 1169, in error_handler raise errors.DuplicateEntry()
>>>>>> DuplicateEntry: This entry already exists
>>>>>>
>>>>>> 2014-10-28T05:01:24Z DEBUG [error] DuplicateEntry: This entry
>>>>>> already exists
>>>>>> 2014-10-28T05:01:24Z DEBUG File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>>>>>>
>>>>>> line 646, in run_script
>>>>>> return_value = main_function()
>>>>>> File "/sbin/ipa-dns-install", line 218, in main
>>>>>> dnskeysyncd.create_instance(api.env.host, api.env.realm)
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>>>>>
>>>>>>
>>>>>> line 128, in create_instance self.start_creation()
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>>> line
>>>>>> 382, in start_creation run_step(full_msg, method)
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>>>>> line
>>>>>> 372, in run_step method()
>>>>>> File
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>>>>>
>>>>>>
>>>>>> line 340, in __setup_replica_keys ldap.add_entry(entry)
>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>>>>> line
>>>>>> 1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
>>>>>> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>>> self.gen.throw(type, value, traceback)
>>>>>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>>>>>> line
>>>>>> 1169, in error_handler raise errors.DuplicateEntry()
>>>>>> 2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
>>>>>> exception: DuplicateEntry: This entry already exists
>>>>> Hello Michael,
>>>>>
>>>>> can you send me which entries do you have in
>>>>> cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com, it looks like directory
>>>>> server doesn't generate uniqueID for keys.
>>>>>
>>>>> Do you have upgraded IPA or fresh installed?
>>>>>
>>>>> Martin^2
>>>>>
>>> Can you send me content of cn=IPK11 Unique IDs,cn=IPA
>>> UUID,cn=plugins,cn=config entry? (If exists)
>>> It looks like DS doesn't generate unique IDs
>>>
>>> Martin^2
>>>
>>>
>
>
More information about the Freeipa-users
mailing list