[Freeipa-users] Antwort: Re: Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)

Christoph Kaminski christoph.kaminski at biotronik.com
Thu Apr 2 16:54:38 UTC 2015 

see this in ipupgrade.log

2015-04-02T11:27:02Z ERROR Pre schema upgrade failed with [Errno 111] 
Connection refused
2015-04-02T11:27:02Z DEBUG Traceback (most recent call last):
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
line 128, in __pre_schema_upgrade
    ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, 
live_run=self.live_run, plugins=True)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
line 220, in __init__
    self.create_connection()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
line 783, in create_connection
    dm_password=self.dm_password, pw_name=self.pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
line 65, in connect
    conn.do_external_bind(pw_name)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, 
in do_external_bind
    self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, 
in __bind_with_wait
    self.__wait_for_connection(timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, 
in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, 
in wait_for_open_socket
    raise e
error: [Errno 111] Connection refused

2015-04-02T11:27:02Z DEBUG   duration: 12 seconds
2015-04-02T11:27:02Z DEBUG   [6/10]: updating schema
2015-04-02T11:27:12Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 
line 372, in run_step
    method()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
line 145, in __update_schema
    dm_password='', ldapi=True, live_run=self.live_run) or self.modified
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 
112, in update_schema
    fqdn=installutils.get_fqdn())
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
line 65, in connect
    conn.do_external_bind(pw_name)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, 
in do_external_bind
    self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, 
in __bind_with_wait
    self.__wait_for_connection(timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, 
in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, 
in wait_for_open_socket
    raise e
error: [Errno 111] Connection refused

2015-04-02T11:27:12Z DEBUG   [error] error: [Errno 111] Connection refused
2015-04-02T11:27:12Z DEBUG   [cleanup]: stopping directory server

...

2015-04-02T12:46:11Z DEBUG stderr=
2015-04-02T12:46:12Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
execute
    return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", 
line 213, in run
    modified = ld.update(self.files, ordered=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
line 874, in update
    updates = api.Backend.updateclient.update(POST_UPDATE, 
self.dm_password, self.ldapi, self.live_run)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", 
line 123, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", 
line 146, in run
    return self.Updater[method](**kw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1399, 
in __call__
    return self.execute(**options)
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py", 
line 76, in execute
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, 
in add_entry
    self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1191, 
in error_handler
    raise errors.ObjectclassViolation(info=info)

2015-04-02T12:46:12Z DEBUG The ipa-ldap-updater command failed, exception: 
ObjectclassViolation: unknown object class "ipaKeyPolicy"
2015-04-02T12:46:12Z ERROR Unexpected error - see /var/log/ipaupgrade.log 
for details:
ObjectclassViolation: unknown object class "ipaKeyPolicy"

and: 
grep -i nsSchemaPolicy /etc/dirsrv/slapd-HSO/schema/01core389.ldif

objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 
'Netscape defined objectclass' SUP top  MAY ( cn $ 
schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ 
schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 
'Netscape Directory Server' )

grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 
'Netscape defined objectclass' SUP top  MAY ( cn $ 
schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ 
schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 
'Netscape Directory Server' )

Greetz
Christoph Kaminski




Von:    Martin Basti <mbasti at redhat.com>
An:     Christoph Kaminski <christoph.kaminski at biotronik.com>, 
freeipa-users at redhat.com
Datum:  02.04.2015 17:25
Betreff:        Re: [Freeipa-users] Upgrade fail 3.3.3 (rhel7) to 4.1 
(rhel7.1)



On 02/04/15 16:57, Christoph Kaminski wrote:
Hi all! 

We have 6 IPA Servers here connected to each other. We want to upgrade all 
from RHEL 7 with IPA 3.3.3 to RHEL 7.1with IPA 4.1. 

I have done it one of the 6 servers and got a problem. 

After upgrade if I want to login to Web UI I get: "IPA-Error 903: 
InternalError" after typing the credentials... 
I have activated debug output of IPA and see this in 
/var/log/httpd/error_log: 

[Thu Apr 02 14:39:38.848474 2015] [:error] [pid 18020] ipa: ERROR: 
non-public: KeyError: 'idnsforwardzone' 
[Thu Apr 02 14:39:38.848536 2015] [:error] [pid 18020] Traceback (most 
recent call last): 
[Thu Apr 02 14:39:38.848600 2015] [:error] [pid 18020]   File 
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in 
wsgi_execute 
[Thu Apr 02 14:39:38.848607 2015] [:error] [pid 18020]     result = 
self.Command[name](*args, **options) 
[Thu Apr 02 14:39:38.848612 2015] [:error] [pid 18020]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in 
__call__ 
[Thu Apr 02 14:39:38.848671 2015] [:error] [pid 18020]     ret = 
self.run(*args, **options) 
[Thu Apr 02 14:39:38.848701 2015] [:error] [pid 18020]   File 
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run 
[Thu Apr 02 14:39:38.848707 2015] [:error] [pid 18020]     return 
self.execute(*args, **options) 
[Thu Apr 02 14:39:38.848776 2015] [:error] [pid 18020]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 123, 
in execute 
[Thu Apr 02 14:39:38.848783 2015] [:error] [pid 18020]     (o.name, 
json_serialize(o)) for o in self.api.Object() 
[Thu Apr 02 14:39:38.848789 2015] [:error] [pid 18020]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 123, 
in <genexpr> 
[Thu Apr 02 14:39:38.848794 2015] [:error] [pid 18020]     (o.name, 
json_serialize(o)) for o in self.api.Object() 
[Thu Apr 02 14:39:38.848799 2015] [:error] [pid 18020]   File 
"/usr/lib/python2.7/site-packages/ipalib/util.py", line 60, in 
json_serialize 
[Thu Apr 02 14:39:38.848804 2015] [:error] [pid 18020]     return 
json_serialize(obj.__json__()) 
[Thu Apr 02 14:39:38.848809 2015] [:error] [pid 18020]   File 
"/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 710, 
in __json__ 
[Thu Apr 02 14:39:38.848814 2015] [:error] [pid 18020]     attrs = 
self.api.Backend.ldap2.schema.attribute_types(objectclasses) 
[Thu Apr 02 14:39:38.848820 2015] [:error] [pid 18020]   File 
"/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 377, in 
attribute_types 
[Thu Apr 02 14:39:38.848825 2015] [:error] [pid 18020]     object_class = 
self.sed[ObjectClass][object_class_oid] 
[Thu Apr 02 14:39:38.848830 2015] [:error] [pid 18020] KeyError: 
'idnsforwardzone' 

I have found this bug report: 
https://bugzilla.redhat.com/show_bug.cgi?id=1180325 
It should be fixed in the last version?! 

I have read there I should start: setup-ds.pl -d --update 

But Im afraid that it kills the date on the IPA Servers with version 
3.3.3... does it? 

What can I do? how can I fix it? 

Greetz
Christoph Kaminski



Hello, was the ipa upgrade successful? Do you have any errors in 
/var/log/ipaupgrade.log?

If you think it is 1180325 issue you can check if nsSchemaPolicy is in 
01core389.ldif:
grep -i nsSchemaPolicy /etc/dirsrv/slapd-INSTANCE/schema/01core389.ldif
grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif 

Martin

-- 
Martin Basti


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150402/6031e1cc/attachment.htm>

More information about the Freeipa-users mailing list