<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 10/30/2014 07:36 PM, Martin Basti
wrote:<br>
</div>
<blockquote cite="mid:54528526.4040500@redhat.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 30/10/14 19:18, Michael Lasevich
wrote:<br>
</div>
<blockquote cite="mid:545280EA.40604@gmail.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Makes sense. What is the solution
here?<br>
<br>
I have the latest 389-ds installed but still getting
"allowWeakCipher" error - how to I get around that?<br>
<br>
-M<br>
<br>
</div>
</blockquote>
Sorry I don't know, I CCied Ludwig, he is DS guru.<br>
</blockquote>
I already asked to verify the schema files:<br>
can you check your schema files for the definition of the
nsEncryptionConfig objectclass, it should be only in 01core389.ldif
and contain allowWeakCipher, but it could have been added also to
99user.ldif during replication when schema changes have been
consolidated<br>
<br>
and what is the latest ds version you are using: rpm -q 389-ds-base<br>
<br>
<br>
<blockquote cite="mid:54528526.4040500@redhat.com" type="cite">
Martin^2<br>
<br>
<blockquote cite="mid:545280EA.40604@gmail.com" type="cite">
<div class="moz-cite-prefix"> <br>
On 10/30/14, 11:12 AM, Martin Basti wrote:<br>
</div>
<blockquote cite="mid:54527F90.3000407@redhat.com" type="cite">
<meta http-equiv="Context-Type" content="text/html;
charset=ISO-8859-1">
<div class="moz-cite-prefix">On 24/10/14 05:17, Michael
Lasevich wrote:<br>
</div>
<blockquote
cite="mid:CAAFs98W=KxsvVSy4eZ-r3hzvoRYjEsO7Exh9QX1r2L4SW7e43w@mail.gmail.com"
type="cite">
<div dir="ltr">While upgrading from 4.0.1. to 4.1 on fedora
20 got following on one of the two boxes:
<div><br>
</div>
<div>
<p class="">Upgrade failed with attribute
"allowWeakCipher" not allowed<br>
IPA upgrade failed.<br>
Unexpected error<br>
DuplicateEntry: This entry already exists</p>
</div>
</div>
</blockquote>
<br>
Named errors are caused by cascade effect, if ldap schema and
entry updates failed, there is misconfigured DS plugin which
is responsible to keep DNSSEC keys DN unique, what causes
duplication errors. DuplicateEntry exception is fatal, so
dnskeysyncd installation will not continue,<br>
what causes there are not appropriate permissions for token
database, and named-pkcs11 can't read tokens.<br>
<blockquote
cite="mid:CAAFs98W=KxsvVSy4eZ-r3hzvoRYjEsO7Exh9QX1r2L4SW7e43w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<p class=""><br>
</p>
<p class="">It seems the ipa no longer starts up after
this. The replica server seems to have had same
error,but it runs just fine.</p>
<p class="">From digging around, it appears that there
are a number of GSS errors in dirsrv and bind fails
with something like:</p>
<p class="">named-pkcs11[2212]: ObjectStore.cpp(74):
Failed to open token
e919db16-6329-406c-6ae4-120ad68508c4<br>
named-pkcs11[2212]: sha1.c:92: fatal error:<br>
named-pkcs11[2212]:
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false,
isc_boolean_false, ((void *)0), 0) == 0) failed</p>
<p class="">Any help would be appreciated</p>
<p class=""><br>
</p>
<p class="">-M</p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
</blockquote>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
</blockquote>
<br>
</body>
</html>