<div dir="ltr">Hello again,<div><br></div><div>I jumped too early.</div><div><div># ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't work</div><div>but "ipa-ldap-updater "</div><div>fixes the problem for me.</div></div><div><br></div><div>Rob</div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-29 16:55 GMT+01:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    <div>On 29/10/14 16:46, Rob Verduijn wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hello,
        <div><br>
        </div>
        <div>
          <div># ipa-ldap-updater
            /usr/share/ipa/updates/55-pbacmemberof.update</div>
        </div>
        <div> fixes the problem.</div>
        <div><br>
        </div>
        <div>I can resolve my internal dns zones again :-)</div>
        <div><br>
        </div>
        <div>Many thanks.</div>
        <div><br>
        </div>
        <div>Since this problem happened every time I tried to update
          the freeipa server, I could re-run the update with some debug
          options if you like, so you can pinpoint what goes wrong with
          the update script.</div>
        <div><br>
        </div>
        <div>Rob</div>
      </div>
    </blockquote>
    <br></span>
    We know where the problem is, and we thought we fixed it, but
    obviously some parts of the problem persist.<br>
    <br>
    Thank you for your patience :-)<div><div class="h5"><br>
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2014-10-29 16:13 GMT+01:00 Martin Basti
          <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span>
                <div>On 29/10/14 15:56, Martin Basti wrote:<br>
                </div>
                <blockquote type="cite">
                  <div>On 29/10/14 15:46, Rob Verduijn wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">You're right
                      <div>duh I should read more carefully and not try
                        to do too many things at once.
                        <div><br>
                        </div>
                        <div>when using the dns principal and keytab the
                          entries are not found.</div>
                        <div><br>
                        </div>
                        <div>How do I fix the access control
                          instructions?</div>
                        <div>I can revert back easily and try a
                          different approach for the upgrade if you know
                          one</div>
                        <div>(I really started to appreciate snapshots
                          with this upgrade :-) </div>
                        <div><br>
                        </div>
                        <div>Rob</div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  Please try first this:<br>
                  <br>
                  # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif<br>
                  <br>
                  It should repair privileges.<br>
                </blockquote>
              </span> Sorry, I wrote you the wrong file<br>
              # ipa-ldap-updater
              /usr/share/ipa/updates/55-pbacmemberof.update
              <div>
                <div><br>
                  <blockquote type="cite">
                    <blockquote type="cite">
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">2014-10-29 14:50
                          GMT+01:00 Petr Spacek <span dir="ltr"><<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>:<br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On
                              29.10.2014 14:32, Rob Verduijn wrote:<br>
                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I've
                                checked and I see a lot of objects
                                representing my dns entries.<br>
                                Still I get no answers if i try to
                                resolve any of them :(<br>
                              </blockquote>
                              <br>
                            </span> Are you running ldapsearch with
                            *exactly* same credentials as you have in
                            /etc/named.conf?<br>
                            <br>
                            Could you post dynamic-db section from your
                            named.conf?<br>
                            <br>
                            Petr^2 Spacek
                            <div>
                              <div><br>
                                <br>
                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Rob<br>
                                  <br>
                                  2014-10-29 13:28 GMT+01:00 Petr Spacek
                                  <<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>>:<br>
                                  <br>
                                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On
                                    28.10.2014 18:42, Rob Verduijn
                                    wrote:<br>
                                    <br>
                                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> before
                                      the update its
                                      4.5-1.fc20.x86_64.rpm from fedora
                                      20 updates repo<br>
                                      after the update its
                                      6.0-5.fc20.x86_64.rpm from copr
                                      repo<br>
                                      <br>
                                      Regards<br>
                                      Rob<br>
                                      <br>
                                      <br>
                                      2014-10-28 17:58 GMT+01:00 Martin
                                      Basti <<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>>:<br>
                                      <br>
                                          On 28/10/14 16:10, Rob
                                      Verduijn wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
                                           Hello all,<br>
                                        <br>
                                           I've been digging into my
                                        problem of being unable to
                                        update from 3.3.5<br>
                                        to 4.1<br>
                                        <br>
                                           First I add the repo from
                                        copr<br>
                                        <br>
                                            Then I used to update it by
                                         issuing 'yum update' which
                                         resulted in an<br>
                                        update in which my local dns
                                        zone entries no longer resolved.<br>
                                        <br>
                                            So I tried the instructions
                                        mentioned on the site :<br>
                                        yum update freeipa-server<br>
                                        And this failed with a conflict
                                        in<br>
                                        <br>
                                         
                                         bind-32:9.9.4-18.fc20.1.pkcs11.x86_64
                                         and<br>
                                         bind-utils-32:9.9.4-15.P2.fc20.x86_64<br>
                                        <br>
                                           I noticed the new bind comes
                                        from the copr repo and the old
                                        bind utils<br>
                                        from fedora.<br>
                                        <br>
                                            So I first ran 'yum update
                                        bind-utils -y'<br>
                                        Then I ran yum update
                                        freeipa-server<br>
                                        and see it fail with errors
                                        about softhsm<br>
                                        <br>
                                           I remembered reading about
                                        package errors with softhsm and
                                        installed<br>
                                        the<br>
                                        softhsm-devel package first.<br>
                                        <br>
                                            so I reverted the freeipa
                                         kvm snapshot back to 3.3.5 and tried
                                         again<br>
                                        yum update bind-utils -y ;  yum
                                        install softhsm-devel -y ; yum
                                        update<br>
                                        freeipa-server -y<br>
                                        <br>
                                           However when restarting
                                        named-pkcs11 I can see in the
                                        system log that<br>
                                        it<br>
                                        has 0 zones loaded<br>
                                        <br>
                                           Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]:
                                        managed-keys-zone:<br>
                                        loaded serial 0<br>
                                        Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]: zone
                                        0.in-addr.arpa/IN:<br>
                                        loaded serial 0<br>
                                        Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]: zone
                                        localhost/IN: loaded<br>
                                        serial 0<br>
                                        Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]: zone<br>
                                        1.0.0.127.in-addr.arpa/IN:
                                        loaded serial 0<br>
                                        Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]: zone<br>
                                        localhost.localdomain/IN: loaded
                                        serial 0<br>
                                        Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]: zone<br>
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.<br>
                                        0.0.ip6.arpa/IN:<br>
                                        loaded serial 0<br>
                                        Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]: all zones
                                        loaded<br>
                                        Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]: running<br>
                                        Oct 28 15:28:30 freeipa.x.x
                                        named-pkcs11[3029]: 0 zones from
                                        LDAP<br>
                                        instance<br>
                                        'ipa' loaded (0 zones defined, 0
                                        inactive, 0 failed to load)<br>
                                        <br>
                                           It claims 0 zones loaded but
                                        I can see my forward and reverse
                                        zones in<br>
                                        ipa<br>
                                        <br>
                                           what could cause it not to
                                        load the zones that I defined in
                                        ipa ?<br>
                                        <br>
                                      </blockquote>
                                      <br>
                                    </blockquote>
                                     This problem is usually caused by a
                                     broken IPA upgrade which destroys the
                                     ACIs<br>
                                     in LDAP that allow access to the DNS
                                     sub-tree.<br>
                                    <br>
                                    Please follow instructions on:<br>
                                    <br>
                                     <a href="https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded" target="_blank">https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded</a><br>
                                    <br>
                                    ... and let us know if you are able
                                    to see idnsZone objects in LDAP or
                                    not.<br>
                                  </blockquote>
                                </blockquote>
                                <br>
                                <br>
                                -- <br>
                                Petr^2 Spacek<br>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                      <br>
                      <fieldset></fieldset>
                      <br>
                    </blockquote>
                    <br>
                    <br>
                    <pre cols="72">-- 
Martin Basti</pre>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </blockquote>
                  <br>
                  <br>
                </div>
              </div>
              <span><font color="#888888">
                  <pre cols="72">-- 
Martin Basti</pre>
                </font></span></div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    </div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">-- 
Martin Basti</pre>
  </font></span></div>

</blockquote></div><br></div>
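<div>An added example, not written by anyone in this thread and not part of FreeIPA or bind-dyndb-ldap: a small Python check that parses the named-pkcs11 journal lines Rob posted and flags the "0 zones defined" summary that Petr traced to missing ACIs on the DNS sub-tree. The regexes assume the message format shown in the thread; the HEALTHY_LOG block, its zone names and serials, and the finding texts are constructed for comparison. The ip6.arpa line from the original excerpt is left out because the mail client wrapped it.</div>

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample built from the named-pkcs11 lines posted in the thread
# (the wrapped ip6.arpa line is omitted).
SAMPLE_LOG = """\
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
"""

# Constructed healthy counterpart (not from the thread): zone names and
# serials are invented for illustration.
HEALTHY_LOG = """\
Oct 28 16:02:11 freeipa.x.x named-pkcs11[3101]: zone example.test/IN: loaded serial 1414508531
Oct 28 16:02:11 freeipa.x.x named-pkcs11[3101]: zone 2.0.10.in-addr.arpa/IN: loaded serial 1414508531
Oct 28 16:02:11 freeipa.x.x named-pkcs11[3101]: 2 zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
"""

# "zone <name>/IN: loaded serial <n>" lines, one per zone named actually loaded.
ZONE_RE = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: zone (?P<zone>\S+)/IN: loaded serial (?P<serial>\d+)"
)
# The bind-dyndb-ldap summary line, in the format shown in the thread.
LDAP_SUMMARY_RE = re.compile(
    r"(?P<loaded>\d+) zones from LDAP instance '(?P<instance>[^']+)' loaded "
    r"\((?P<defined>\d+) zones defined, (?P<inactive>\d+) inactive, "
    r"(?P<failed>\d+) failed to load\)"
)


@dataclass
class LdapZoneReport:
    """What named reported about zones served from the LDAP instance."""
    instance: Optional[str] = None
    loaded: int = 0
    defined: int = 0
    inactive: int = 0
    failed: int = 0
    zones: Dict[str, int] = field(default_factory=dict)  # zone name -> serial
    findings: List[str] = field(default_factory=list)

    def healthy(self) -> bool:
        return not self.findings


def parse_named_log(text: str) -> LdapZoneReport:
    """Parse named/named-pkcs11 journal lines and flag LDAP zone-loading problems."""
    report = LdapZoneReport()
    summary_seen = False
    for line in text.splitlines():
        zone_match = ZONE_RE.search(line)
        if zone_match:
            report.zones[zone_match.group("zone")] = int(zone_match.group("serial"))
            continue
        summary = LDAP_SUMMARY_RE.search(line)
        if summary:
            summary_seen = True
            report.instance = summary.group("instance")
            report.loaded = int(summary.group("loaded"))
            report.defined = int(summary.group("defined"))
            report.inactive = int(summary.group("inactive"))
            report.failed = int(summary.group("failed"))

    if not summary_seen:
        report.findings.append("no 'zones from LDAP instance' summary: bind-dyndb-ldap did not report")
    elif report.defined == 0:
        # The thread's symptom: idnsZone objects exist in the directory but the
        # DNS principal cannot read them, so named sees no zones defined.
        report.findings.append(
            f"LDAP instance '{report.instance}' reports 0 zones defined: named cannot "
            "see idnsZone objects; check the ACIs on the DNS sub-tree and the "
            "credentials in the named.conf dynamic-db section"
        )
    elif report.failed > 0:
        report.findings.append(f"{report.failed} LDAP zone(s) failed to load")
    elif report.loaded + report.inactive < report.defined:
        report.findings.append(
            f"only {report.loaded} of {report.defined} defined LDAP zones loaded"
        )
    return report


if __name__ == "__main__":
    for label, log in (("thread excerpt", SAMPLE_LOG), ("constructed healthy log", HEALTHY_LOG)):
        rep = parse_named_log(log)
        print(f"{label}: loaded={rep.loaded} defined={rep.defined} healthy={rep.healthy()}")
        for finding in rep.findings:
            print("  -", finding)
```

<div>Feed it the output of <code>journalctl -u named-pkcs11</code> after a restart: the check only counts the summary line from the LDAP plugin, so the local zones (localhost, the reverse loopback zones) that always load do not mask the failure the thread describes.</div>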