[Freeipa-users] Problems with failed upgrade: groups are not created

Martin Basti mbasti at redhat.com
Thu May 14 08:44:09 UTC 2015


On 14/05/15 01:50, Will Sheldon wrote:
>
> Hello everyone :)
>
> We are seeing some strange behavior (created groups don't exist) and I 
> really hope someone can lend some advice...
>
> We installed v 3.0 some time ago, and tried an upgrade to 3.3 which 
> was aborted before completion, however I believe the schema was updated.
>
> Recently we attempted to upgrade to 4.1, but encountered some issues 
> with the upgrade; replication failed:
>
> From the install log (before schema update, so server was running 3.3 
> schema):
>
> =======================>
> Done configuring ipa-otpd.
> Applying LDAP updates
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure 
> attribute "cn" not allowed
> =======================<
>
>
> After that we tried updating the schema, and we now get this error (we 
> have log file captures for this):
>
> =======================>
> [24/35]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 131 seconds elapsed
> Update in progress yet not in progress
>
> [vanipa.foo.com] reports: Update failed! 
> Status: [10 Total update abortedLDAP error: Referral]
>
>   [error] RuntimeError: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> ========================<
>
> which seems to be referring to this bit of the log:
> =======================>
> 2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 382, in start_creation
>     run_step(full_msg, method)
> =======================<
>
>
> Since then we have a somewhat strange issue where new groups that are 
> added using the web interface and ipa CLI command interface are 
> created in the compat tree, but not in the cn=hostgroups,cn=accounts 
> tree, even though ADD operations appear to complete successfully 
> (slapd log output below)
>
> =======================>
> [13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD 
> dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"
>
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH 
> base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH 
> base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32 
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH 
> base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32 
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH 
> base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32 
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH 
> base="idnsName=bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32 
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH 
> base="idnsName=vanzbx.bar.net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 
> filter="(objectClass=idnsRecord)" attrs=ALL
> [13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32 
> tag=101 nentries=0 etime=0
> [13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 
> nentries=0 etime=0 csn=5553e3f8000100040000
> =======================<
>
>
> Which is consistent with the slapd log during the upgrade:
>
> [21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target 
> cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist
>
> -- 
>
> Kind regards,
>
> Will Sheldon
>
>
>
Hello,

Can you find more details about this error in ipaserver-install.log?
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure 
attribute "cn" not allowed

Martin


-- 
Martin Basti
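
Added example, not part of the original thread and not FreeIPA or 389 Directory Server code: the slapd access-log excerpt quoted above interleaves the ADD on conn=7120402 with DNS searches from another connection, so this sketch pairs each ADD with the RESULT that carries the same conn/op. The function name pair_adds and the p-test-101 / p-test-102 records are assumptions made up for the illustration.

```python
import re

# Constructed sample modeled on the thread's excerpt, one record per line as in
# the real access log. Only the p-test-100 ADD/RESULT values come from the thread;
# the p-test-101 and p-test-102 records are made up for contrast.
SAMPLE_LOG = """\
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH base="idnsName=net,idnsname=bar.net,cn=dns,dc=foo,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 nentries=0 etime=0 csn=5553e3f8000100040000
[13/May/2015:23:14:02 +0000] conn=7120403 op=2 ADD dn="cn=p-test-101,cn=hostgroups,cn=accounts,dc=foo,dc=com"
[13/May/2015:23:14:02 +0000] conn=7120403 op=2 RESULT err=65 tag=105 nentries=0 etime=0
[13/May/2015:23:14:05 +0000] conn=7120404 op=1 ADD dn="cn=p-test-102,cn=hostgroups,cn=accounts,dc=foo,dc=com"
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
ADD = re.compile(r'^ADD dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+)\b(?:.*\bcsn=(?P<csn>\w+))?')


def pair_adds(log_text):
    """Return one dict per ADD, with the err/csn of the RESULT on the same conn/op.

    err stays None when no RESULT line for that operation is present in the input.
    """
    pending, finished = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])  # an operation is identified by conn + op
        add = ADD.match(m["rest"])
        if add:
            pending[key] = {"ts": m["ts"], "conn": m["conn"], "op": m["op"],
                            "dn": add["dn"], "err": None, "csn": None}
            continue
        res = RESULT.match(m["rest"])
        if res and key in pending:  # RESULTs of other operations are skipped
            rec = pending.pop(key)
            rec["err"], rec["csn"] = int(res["err"]), res["csn"]
            finished.append(rec)
    return finished + list(pending.values())


if __name__ == "__main__":
    for r in pair_adds(SAMPLE_LOG):
        status = "no RESULT seen" if r["err"] is None else f"err={r['err']}"
        print(f"{r['ts']} conn={r['conn']} op={r['op']} {status} csn={r['csn']} {r['dn']}")
```

An ADD paired with err=0 means the server reported success for that operation; whether the entry is then present under cn=hostgroups,cn=accounts, which is what the thread questions, still has to be checked with a search on the same DN.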
