[Freeipa-users] Accident upgrade 3.3 to 4.1

Ludwig Krispenz lkrispen at redhat.com
Wed Apr 8 10:18:09 UTC 2015


On 04/08/2015 12:04 PM, Martin Kosek wrote:
> On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
>> Hello!
>> We used to have a geo-replicated IPA with RHEL 7.0, and on one site the IPA servers were upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
>> Now it is broken globally; in the logs I see these:
>>
>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys
>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary.
>>
>> What can I do to fix this catastrophe, or is it fatal?
>> As it seems from the client servers, HBAC is not working at all, maybe all other things as well :(
>>
>> With best regards,
>> Alexander Frolushkin
> AFAIK, this particular error message should not be fatal to the function and
> new ACI should just be ignored.
Yes, but I don't know if any IPA component would rely on access granted 
by this ACI.
> Maybe the new schema did not replicate
Is this message logged on all servers?
> properly. Do you see other DS errors? (CCing DS guys)
>
> Non-working HBAC is also strange, SSSD developers will want logs to analyze,
> see https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have
> recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.



