On 07/11/14 14:26, Rob Verduijn wrote:
Hello,
Yes this time there are
This section :
2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
integrity postoperation,cn=plugins,cn=config
<SNIP>
2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
{'desc': 'Operations error'}
2014-11-07T13:10:03Z ERROR Update failed: Operations error:
and this one
2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
<snip>
2014-11-07T13:10:18Z ERROR Add failure
Known issues
and this one: (but since I do not have AD it's kinda logical)
2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
<snip>
2014-11-07T13:10:19Z ERROR Upgrade failed with
2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 152, in __upgrade
self.modified = (ld.update(self.files, ordered=True) or
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 874, in update
updates = api.Backend.updateclient.update(POST_UPDATE,
self.dm_password, self.ldapi, self.live_run)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
line 123, in update
(restart, apply_now, res) = self.run(update.name
<http://update.name>, **kw)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
line 146, in run
return self.Updater[method](**kw)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
1399, in __call__
return self.execute(**options)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py",
line 89, in execute
api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
439, in __call__
ret = self.run(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
754, in run
return self.execute(*args, **options)
File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
2528, in execute
result = super(dnszone_mod, self).execute(*keys, **options)
File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
line 1385, in execute
dn = self.obj.get_dn(*keys, **options)
File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
1784, in get_dn
assert zone.is_absolute()
AssertionError
This is the problem, it is new bug.
The workaround is replace the code in:
/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68
- zones = api.Command.dnszone_find(all=True)['result']
+ zones = api.Command.dnszone_find(all=True, raw=True)['result']
(I didn't test it)
and run ipa-ldap-updater --upgrade
Thank you for patience.
<snip>
2014-11-07T13:10:23Z ERROR IPA upgrade failed.
2014-11-07T13:10:23Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
in execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
line 151, in run
raise admintool.ScriptError('IPA upgrade failed.', 1)
2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed,
exception: ScriptError: IPA upgrade failed.
2014-11-07T13:10:23Z ERROR IPA upgrade failed.
2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked
with options: {'debug': False, 'quiet': True}
2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20
and another
2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
integrity postoperation,cn=plugins,cn=config
<snip>
2014-11-07T13:10:03Z DEBUG Live 1, updated 1
2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
{'desc': 'Operations error'}
2014-11-07T13:10:03Z ERROR Update failed: Operations error:
That's it
Rob
2014-11-07 13:56 GMT+01:00 Martin Basti <mba...@redhat.com
<mailto:mba...@redhat.com>>:
On 07/11/14 13:52, Rob Verduijn wrote:
Hi all,
Either I was to worn out last night, or another update has happened.
This morning the directory server did start after the update.
local dns zones however where not available again after the update
ipa-ldap-updater did not help to fix it.
The are again only 7 DNS aci objects are still in the ds.( same
as before when it failed )
I also noticed that there are also quite a lot lower case dns aci
objects.
Rob
Hi,
do you have any errors in /var/log/ipaupgrade.log ?
2014-11-07 10:25 GMT+01:00 Martin Basti <mba...@redhat.com
<mailto:mba...@redhat.com>>:
Changed subject.
Rob CCed
On 07/11/14 09:52, Martin Basti wrote:
Forward message back to list
-------- Original Message --------
Subject: Re: [Freeipa-users] dns stops working after upgrade
Date: Thu, 6 Nov 2014 21:42:55 +0100
From: Rob Verduijn <rob.verdu...@gmail.com>
<mailto:rob.verdu...@gmail.com>
To: Martin Basti <mba...@redhat.com>
<mailto:mba...@redhat.com>
Hi again,
I tried the update to 4.1.1
It didn't went well, actually it went worse than to 4.1.
Now the directory service went down and was no longer able
to start.
Some part of the logs is below.
Besides the warnings about a weak cipher there was not much
in the journalctl.
It's getting late overhere, I'll dig into the logs tomorrow.
Rob
Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389
Directory Server TJAKO-THUIS....
Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389
Directory Server TJAKO-THUIS..
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher
is "on" (default setting for the backward compatibility). We
strongly recommend to set it to "off". Please replace the
value of allowWeakCipher with "off" in the encryption config
entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_rc4_40_md5 is weak. It is enabled since allowWeakCipher
is "on" (default setting for the backward compatibility). We
strongly recommend to set it to "off". Please replace the
value of allowWeakCipher with "off" in the encryption config
entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_rc2_40_md5 is weak. It is enabled since allowWeakCipher
is "on" (default setting for the backward compatibility). We
strongly recommend to set it to "off". Please replace the
value of allowWeakCipher with "off" in the encryption config
entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha
is weak. It is enabled since allowWeakCipher is "on"
(default setting for the backward compatibility). We
strongly recommend to set it to "off". Please replace the
value of allowWeakCipher with "off" in the encryption config
entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_fips_des_sha is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward
compatibility). We strongly recommend to set it to "off".
Please replace the value of allowWeakCipher with "off" in
the encryption config entry cn=encryption,cn=config and
restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_3des_sha is weak. It is enabled since allowWeakCipher is
"on" (default setting for the backward compatibility). We
strongly recommend to set it to "off". Please replace the
value of allowWeakCipher with "off" in the encryption config
entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_fips_3des_sha is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward
compatibility). We strongly recommend to set it to "off".
Please replace the value of allowWeakCipher with "off" in
the encryption config entry cn=encryption,cn=config and
restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
fortezza is not available in NSS 3.17. Ignoring fortezza
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
fortezza_rc4_128_sha is not available in NSS 3.17. Ignoring
fortezza_rc4_128_sha
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
fortezza_null is not available in NSS 3.17. Ignoring
fortezza_null
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
tls_rsa_export1024_with_rc4_56_sha is weak. It is enabled
since allowWeakCipher is "on" (default setting for the
backward compatibility). We strongly recommend to set it to
"off". Please replace the value of allowWeakCipher with
"off" in the encryption config entry cn=encryption,cn=config
and restart the server.
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
tls_rsa_export1024_with_des_cbc_sha is weak. It is enabled
since allowWeakCipher is "on" (default setting for the
backward compatibility). We strongly recommend to set it to
"off". Please replace the value of allowWeakCipher with
"off" in the encryption config entry cn=encryption,cn=config
and restart the server.
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL
version range: min: TLS1.0, max: TLS1.2
Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
dirsrv@TJAKO-THUIS.service
<mailto:dirsrv@TJAKO-THUIS.service>: main process exited,
code=exited, status=1/FAILURE
Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
dirsrv@TJAKO-THUIS.service
<mailto:dirsrv@TJAKO-THUIS.service> entered failed state.
--
Martin Basti
--
Martin Basti
--
Martin Basti
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
