Bret Wortman wrote:
Rob, I got past this, as you indicated, by doing that after first running:

# ipa-ldap-updater --ldapi ./schema.update

Using a schema.update tip file I found in a note from you after some
hard core googling. Should that extra step have been necessary?

No, it shouldn't be necessary. Can look in /var/log/ipaupgrade.log (likely humongous) for the original failure and post that section of the log?

Updating schema is hard. We are actually completely revamping the way we handle schema changes between version which should be a lot more stable.


*Bret Wortman*

On Tue, Aug 13, 2013 at 3:39 PM, Rob Crittenden <
<>> wrote:

    Bret Wortman wrote:

        I tried this, but no joy:

        # /usr/sbin/ipa-upgradeconfig --debug
        DEBUG: caSignedLogCert.cfg

        validity range is 720
        INFO: [Certificate renewal should stop the CA]
        ERROR: Unable to find certmonger request ID for auditSigning Cert
        INFO: The ipa-upgradeconfig command was successful

    Run getcert list and sift through the output and see if you have a
    request tracking for nickname auditSigningCert cert-pki-ca (or similar).

        But I still can't connect to http://ipamaster/ipa/ui/; I get a
        903 error
        every time, and /var/log/httpd/error_log shows, in part:

        [Tue Aug 13 13:07:20.786566 2013] [:error] [pid 5890] KeyError:
        [Tue Aug 13 13:07:20.786717 2013] [:error] [pid 5890] ipa: INFO: <> <
        <>>: json_metadata(None, None,

        object=u'all'): KeyError
        [Tue Aug 13 13:07:21.001525 2013] [:error] [pid 5890] ipa: INFO: <> <
        <>>: json_metadata(None, None,
        command=u'all'): SUCCESS

        DNS resolution, authentication and authorization all /appear/ to be
        working fine.

    The DNS schema was not updated properly. I'd run:

    # ipa-ldap-updater --upgrade


Freeipa-users mailing list

Reply via email to