[Freeipa-users] Errors upgrading 4.0.1 to 4.1

Martin Basti mbasti at redhat.com
Thu Oct 30 18:36:22 UTC 2014


On 30/10/14 19:18, Michael Lasevich wrote:
> Makes sense. What is the solution here?
>
> I have the latest 389-ds installed but still getting "allowWeakCipher" 
> error - how do I get around that?
>
> -M
>
Sorry, I don't know. I CCed Ludwig, he is the DS guru.
Martin^2

>
> On 10/30/14, 11:12 AM, Martin Basti wrote:
>> On 24/10/14 05:17, Michael Lasevich wrote:
>>> While upgrading from 4.0.1 to 4.1 on Fedora 20, I got the following 
>>> on one of the two boxes:
>>>
>>> Upgrade failed with attribute "allowWeakCipher" not allowed
>>> IPA upgrade failed.
>>> Unexpected error
>>> DuplicateEntry: This entry already exists
>>>
>>
>> Named errors are caused by a cascade effect: if LDAP schema and entry 
>> updates failed, there is a misconfigured DS plugin, which is responsible 
>> for keeping DNSSEC key DNs unique, which causes duplication errors. 
>> The DuplicateEntry exception is fatal, so dnskeysyncd installation will 
>> not continue, which means there are no appropriate permissions for the 
>> token database, and named-pkcs11 can't read tokens.
>>>
>>>
>>> It seems that IPA no longer starts up after this. The replica server 
>>> seems to have had the same error, but it runs just fine.
>>>
>>> From digging around, it appears that there are a number of GSS 
>>> errors in dirsrv and bind fails with something like:
>>>
>>> named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token 
>>> e919db16-6329-406c-6ae4-120ad68508c4
>>> named-pkcs11[2212]: sha1.c:92: fatal error:
>>> named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, 
>>> isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 
>>> 0) == 0) failed
>>>
>>> Any help would be appreciated
>>>
>>>
>>> -M
>>>
>>>
>>>
>>
>>
>> -- 
>> Martin Basti
>


-- 
Martin Basti
