[Freeipa-users] Errors upgrading 4.0.1 to 4.1

Ludwig Krispenz lkrispen at redhat.com
Fri Oct 31 08:30:45 UTC 2014


On 10/30/2014 07:36 PM, Martin Basti wrote:
> On 30/10/14 19:18, Michael Lasevich wrote:
>> Makes sense. What is the solution here?
>>
>> I have the latest 389-ds installed but am still getting the 
>> "allowWeakCipher" error - how do I get around that?
>>
>> -M
>>
> Sorry, I don't know. I CC'ed Ludwig; he is the DS guru.
I already asked to verify the schema files:
Can you check your schema files for the definition of the 
nsEncryptionConfig objectclass? It should be only in 01core389.ldif and 
contain allowWeakCipher, but it could also have been added to 
99user.ldif during replication when schema changes have been consolidated.

And what is the latest DS version you are using: rpm -q 389-ds-base


> Martin^2
>
>>
>> On 10/30/14, 11:12 AM, Martin Basti wrote:
>>> On 24/10/14 05:17, Michael Lasevich wrote:
>>>> While upgrading from 4.0.1 to 4.1 on Fedora 20, I got the following on 
>>>> one of the two boxes:
>>>>
>>>> Upgrade failed with attribute "allowWeakCipher" not allowed
>>>> IPA upgrade failed.
>>>> Unexpected error
>>>> DuplicateEntry: This entry already exists
>>>>
>>>
>>> Named errors are caused by a cascade effect: if LDAP schema and entry 
>>> updates failed, there is a misconfigured DS plugin which is 
>>> responsible for keeping DNSSEC key DNs unique, which causes duplication 
>>> errors. The DuplicateEntry exception is fatal, so dnskeysyncd 
>>> installation will not continue,
>>> which means there are not appropriate permissions for the token 
>>> database, and named-pkcs11 can't read tokens.
>>>>
>>>>
>>>> It seems that IPA no longer starts up after this. The replica server 
>>>> seems to have had the same error, but it runs just fine.
>>>>
>>>> From digging around, it appears that there are a number of GSS 
>>>> errors in dirsrv and bind fails with something like:
>>>>
>>>> named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token 
>>>> e919db16-6329-406c-6ae4-120ad68508c4
>>>> named-pkcs11[2212]: sha1.c:92: fatal error:
>>>> named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, 
>>>> isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void 
>>>> *)0), 0) == 0) failed
>>>>
>>>> Any help would be appreciated
>>>>
>>>>
>>>> -M
>>>>
>>>>
>>>>
>>>
>>>
>>> -- 
>>> Martin Basti
>>
>
>
> -- 
> Martin Basti
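
The schema check asked for above, as an added example (not part of the original message and not 389-ds or FreeIPA code): it unfolds LDIF continuation lines, then reports every schema file that defines nsEncryptionConfig and whether that definition lists allowWeakCipher. The two sample files and their OID are constructed; point find_definitions at your instance's schema directory, whose location is not given in the thread.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample data (shortened definitions, made-up OID), not real 389-ds schema.
SAMPLE_CORE = """dn: cn=schema
objectClasses: ( 1.1.1.1 NAME 'nsEncryptionConfig' DESC 'constructed sample'
  SUP top MUST cn MAY ( nsSSL3 $ nsTLS1 $ allowWeakCipher ) X-ORIGIN 'sample' )
"""
SAMPLE_USER = """dn: cn=schema
objectClasses: ( 1.1.1.1 NAME 'nsEncryptionConfig' DESC 'constructed sample'
  SUP top MUST cn MAY ( nsSSL3 $ nsTLS1 ) X-ORIGIN 'user defined' )
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def find_definitions(schema_dir, objectclass="nsEncryptionConfig", attr="allowWeakCipher"):
    """Return (file name, attr listed?) for every file in schema_dir defining objectclass."""
    name_re = re.compile(r"NAME\s+\(?\s*'" + re.escape(objectclass) + r"'", re.I)
    attr_re = re.compile(r"(?<![\w-])" + re.escape(attr) + r"(?![\w-])", re.I)
    found = []
    for path in sorted(Path(schema_dir).glob("*.ldif")):
        for line in unfold(path.read_text(errors="replace")):
            if line.lower().startswith("objectclasses:") and name_re.search(line):
                found.append((path.name, attr_re.search(line) is not None))
    return found


def demo():
    """Run the check against the two constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "01core389.ldif").write_text(SAMPLE_CORE)
        Path(tmp, "99user.ldif").write_text(SAMPLE_USER)
        return find_definitions(tmp)


if __name__ == "__main__":
    for name, has_attr in demo():
        state = "lists" if has_attr else "does NOT list"
        print(f"{name}: defines nsEncryptionConfig and {state} allowWeakCipher")
```

More than one file in the result, or a definition that does not list the attribute, is the condition the message asks you to look for.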
