[Freeipa-users] Accident upgrade 3.3 to 4.1

Wed Apr 8 12:09:23 UTC 2015

On 04/08/2015 12:36 PM, Alexander Frolushkin wrote:
> -----Original Message-----
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, April 08, 2015 4:18 PM
> To: Martin Kosek
> Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>
>
> On 04/08/2015 12:04 PM, Martin Kosek wrote:
>> On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
>>> Hello!
>>> We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
>>> Now it is broken globally, in logs I see these:
>>>
>>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5):
>>> (targetattr="ipaProtectedOperation;write_keys
>>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary.
>>>
>>> What can I do to fix this catastrophe, or it is fatal?
>>> As it seems from the client servers, hbac is not working at all,
>>> maybe all other things as well :(
>>>
>>> With best regards,
>>> Alexander Frolushkin
>> AFAIK, this particular error message should not be fatal to the
>> function and new ACI should just be ignored.
> yes, but I don't know if any IPA component would rely on access granted by this aci.
>> Maybe the new schema did not replicate
> is this message logged on all servers ?
>> properly. Do you see other DS errors? (CCing DS guys)
>>
>> Non-working HBAC is also strange, SSSD developers will want logs to
>> analyze, see https://fedorahosted.org/sssd/wiki/Troubleshooting
>>
>> In any case, upgrade from 3.3 to 4.1 should just work, you just need
>> to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
> Error messages are differs on 7.0 and 7.1 servers.
> On one of accidently upgraded server I have following error in dirsrv logs:
>
> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> [08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> [08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> [08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
This message is logged if the received message was too large. But here 
max size was 200Mb.
I can not imagine a such large message.
Being log at the same second, it could be transient error. Have you seen 
others messages like these ?
> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.

Here it is likely trigger by RUV containing duplicated values (multiple 
replica install ?). You may have to use cleanruv after the upgrade.
ipa-replica-manage list-ruv  and ipa-replica-manager clean-ruv
>
>
> ________________________________
>
> Информация в этом сообщении предназначена исключительно для конкретных лиц, которым она адресована. В сообщении может содержаться конфиденциальная информация, которая не может быть раскрыта или использована кем-либо, кроме адресатов. Если вы не адресат этого сообщения, то использование, переадресация, копирование или распространение содержания сообщения или его части незаконно и запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно сообщите отправителю об этом и удалите со всем содержимым само сообщение и любые возможные его копии и приложения.
>
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
>
> (c)20mf50