[Freeipa-users] Problems with failed upgrade: groups are not created
Martin Basti
mbasti at redhat.com
Thu May 14 08:44:09 UTC 2015
On 14/05/15 01:50, Will Sheldon wrote:
>
> Hello everyone :)
>
> We are seeing some strange behavior (created groups don't exist) and I
> really hope someone can lend some advice...
>
> We installed v 3.0 some time ago, and tried an upgrade to 3.3 which
> was aborted before completion, however I believe the schema was updated.
>
> Recently we attempted to upgrade to 4.1, but encountered some issues
> with the upgrade; replication failed:
>
> from the install log (before schema update, so server was running 3.3
> schema):
>
> =======================>
> Done configuring ipa-otpd.
> Applying LDAP updates
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
> attribute "cn" not allowed
> =======================<
>
>
> After that we tried updating the schema, and we now get this error (we
> have log file captures for this):
>
> =======================>
> [24/35]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 131 seconds elapsed
> Update in progress yet not in progress
>
> [vanipa.foo.com] reports: Update failed!
> Status: [10 Total update abortedLDAP error: Referral]
>
> [error] RuntimeError: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> ========================<
>
> which seems to be referring to this bit of the log:
> =======================>
> 2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 382, in start_creation
> run_step(full_msg, method)
> =======================<
>
>
> Since then we have a somewhat strange issue where new groups that are
> added using the web interface and ipa CLI command interface are
> created in the compat tree, but not in the cn=hostgroups,cn=accounts
> tree, even though ADD operations appear to complete successfully
> (slapd log output below)
>
> =======================>
> [13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD
> dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"
>
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH
> base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH
> base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH
> base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH
> base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH
> base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH
> base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105
> nentries=0 etime=0 csn=5553e3f8000100040000
> =======================<
>
>
> Which is consistent with the slapd log during the upgrade:
>
> [21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target
> cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist
>
> --
>
> Kind regards,
>
> Will Sheldon
>
>
>
Hello,
can you find in ipaserver-install.log more details about this error?
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure
attribute "cn" not allowed
Martin
--
Martin Basti