[Freeipa-users] Problems with failed upgrade: groups are not created

Will Sheldon mail at willsheldon.com
Wed May 13 23:50:29 UTC 2015


Hello everyone :)

We are seeing some strange behavior (created groups don't exist) and I
really hope someone can lend some advice...

We installed v 3.0 some time ago, and tried an upgrade to 3.3 which was
aborted before completion; however, I believe the schema was updated.

Recently we attempted to upgrade to 4.1, but encountered some issues with
the upgrade; replication failed:

From the install log (before schema update, so server was running 3.3
schema):

=======================>
Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure attribute
"cn" not allowed
=======================<


After that we tried updating the schema, and we now get this error (we have
log file captures for this):

=======================>
[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 131 seconds elapsed
Update in progress yet not in progress

[vanipa.foo.com] reports: Update failed! Status: [10 Total update
abortedLDAP error: Referral]

  [error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
========================<

Which seems to be referring to this bit of the log:
=======================>
2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
    run_step(full_msg, method)
=======================<


Since then we have a somewhat strange issue where new groups that are added
using the web interface and ipa CLI command interface are created in the
compat tree, but not in the cn=hostgroups,cn=accounts tree, even though ADD
operations appear to complete successfully (slapd log output below):

=======================>
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD
dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"

[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH
base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101
nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH base="idnsName=
bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32 tag=101
nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH base="idnsName=
vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32 tag=101
nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH
base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32 tag=101
nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH base="idnsName=
bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32 tag=101
nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH base="idnsName=
vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32 tag=101
nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105
nentries=0 etime=0 csn=5553e3f8000100040000
=======================<


Which is consistent with the slapd log during the upgrade:

[21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target
cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist

-- 

Kind regards,

Will Sheldon
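
Added example, not part of the original post or of FreeIPA's own tooling: a small Python parser for the slapd access-log excerpt above that rejoins the mail-wrapped records and pairs each ADD with the RESULT sharing its conn/op, so the err code and csn recorded for the group's DN can be read off directly. The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the excerpt in the post, still hard-wrapped.
SAMPLE = """\
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD
dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"

[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH
base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101
nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105
nentries=0 etime=0 csn=5553e3f8000100040000
"""

STAMP = re.compile(r"^\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ")
HEAD = re.compile(r"conn=(\d+) op=(\d+) (\w+)")

def unwrap(text):
    """Rejoin mail-wrapped records; a new record starts at a timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(line)
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    return records

def correlate_adds(text):
    """Pair each ADD with its RESULT by (conn, op); err=None if none was seen."""
    pending, rows = {}, []
    for rec in unwrap(text):
        m = HEAD.search(rec)
        key, kind = (m.group(1, 2), m.group(3)) if m else (None, "")
        if kind == "ADD":
            dn = re.search(r'dn="([^"]*)"', rec)
            pending[key] = dn.group(1) if dn else None
        elif kind == "RESULT" and key in pending:
            err = re.search(r"\berr=(-?\d+)", rec)
            csn = re.search(r"\bcsn=(\w+)", rec)
            rows.append({"conn": key[0], "op": key[1], "dn": pending.pop(key),
                         "err": int(err.group(1)) if err else None,
                         "csn": csn.group(1) if csn else None})
    rows += [{"conn": c, "op": o, "dn": dn, "err": None, "csn": None}
             for (c, o), dn in pending.items()]
    return rows

if __name__ == "__main__":
    print(correlate_adds(SAMPLE))
```

A row with err=0 (LDAP success) only shows what the server reported for the ADD; a base-scope search on the returned DN shows whether the entry is actually present.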