Yup that solved it. Everything looks ok now :-)
Thank you for your great effort.
Rob

2014-11-07 14:55 GMT+01:00 Martin Basti <[email protected]>:

> On 07/11/14 14:26, Rob Verduijn wrote:
>
> Hello,
>
> Yes this time there are
> This section :
> 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity postoperation,cn=plugins,cn=config
> <SNIP>
> 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
> 2014-11-07T13:10:03Z ERROR Update failed: Operations error:
>
> and this one
> 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
> <snip>
> 2014-11-07T13:10:18Z ERROR Add failure
>
> Known issues
>
> and this one: (but since I do not have AD it's kinda logical)
> 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
> <snip>
> 2014-11-07T13:10:19Z ERROR Upgrade failed with
> 2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 152, in __upgrade
>     self.modified = (ld.update(self.files, ordered=True) or
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 874, in update
>     updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 123, in update
>     (restart, apply_now, res) = self.run(update.name, **kw)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 146, in run
>     return self.Updater[method](**kw)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1399, in __call__
>     return self.execute(**options)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 89, in execute
>     api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
>     return self.execute(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 2528, in execute
>     result = super(dnszone_mod, self).execute(*keys, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1385, in execute
>     dn = self.obj.get_dn(*keys, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 1784, in get_dn
>     assert zone.is_absolute()
> AssertionError
>
> This is the problem, it is a new bug.
>
> The workaround is to replace the code in:
> /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68
> - zones = api.Command.dnszone_find(all=True)['result']
> + zones = api.Command.dnszone_find(all=True, raw=True)['result']
>
> (I didn't test it)
>
> and run ipa-ldap-updater --upgrade
>
> Thank you for your patience.
>
> <snip>
> 2014-11-07T13:10:23Z ERROR IPA upgrade failed.
> 2014-11-07T13:10:23Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 151, in run
>     raise admintool.ScriptError('IPA upgrade failed.', 1)
>
> 2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed, exception: ScriptError: IPA upgrade failed.
> 2014-11-07T13:10:23Z ERROR IPA upgrade failed.
> 2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
> 2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20
>
> and another
> 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity postoperation,cn=plugins,cn=config
> <snip>
> 2014-11-07T13:10:03Z DEBUG Live 1, updated 1
> 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'}
> 2014-11-07T13:10:03Z ERROR Update failed: Operations error:
>
> That's it
> Rob
>
> 2014-11-07 13:56 GMT+01:00 Martin Basti <[email protected]>:
>
>> On 07/11/14 13:52, Rob Verduijn wrote:
>>
>> Hi all,
>>
>> Either I was too worn out last night, or another update has happened.
>> This morning the directory server did start after the update.
>> local dns zones however were not available again after the update
>> ipa-ldap-updater did not help to fix it.
>>
>> There are again only 7 DNS aci objects still in the ds (same as before when it failed).
>> I also noticed that there are also quite a lot of lower case dns aci objects.
>>
>> Rob
>>
>> Hi,
>>
>> do you have any errors in /var/log/ipaupgrade.log?
>>
>> 2014-11-07 10:25 GMT+01:00 Martin Basti <[email protected]>:
>>
>>> Changed subject.
>>> Rob CCed
>>>
>>> On 07/11/14 09:52, Martin Basti wrote:
>>>
>>> Forward message back to list
>>>
>>> -------- Original Message --------
>>> Subject: Re: [Freeipa-users] dns stops working after upgrade
>>> Date: Thu, 6 Nov 2014 21:42:55 +0100
>>> From: Rob Verduijn <[email protected]>
>>> To: Martin Basti <[email protected]>
>>>
>>> Hi again,
>>>
>>> I tried the update to 4.1.1
>>> It didn't go well, actually it went worse than to 4.1.
>>> Now the directory service went down and was no longer able to start.
>>>
>>> Some part of the logs is below.
>>> Besides the warnings about a weak cipher there was not much in the journalctl.
>>>
>>> It's getting late over here, I'll dig into the logs tomorrow.
>>>
>>> Rob
>>>
>>> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory Server TJAKO-THUIS....
>>> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory Server TJAKO-THUIS..
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5 is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5 is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.17. Ignoring fortezza_rc4_128_sha
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.17. Ignoring fortezza_null
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher tls_rsa_export1024_with_rc4_56_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher tls_rsa_export1024_with_des_cbc_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2
>>> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: [email protected]: main process exited, code=exited, status=1/FAILURE
>>> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit [email protected] entered failed state.
>>>
>>> --
>>> Martin Basti
>>>
>>
>> --
>> Martin Basti
>>
>
> --
> Martin Basti
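
Review bot: The raw=True added to dnszone_find at ipaserver/install/plugins/dns.py:68 (the two-line change in Martin Basti's reply) applies to the whole result, so every attribute the rest of execute reads from each zone entry arrives in raw form, not only the zone name. The traceback shows those entries feeding api.Command.dnszone_mod(zone[u'idnsname'][0], **update) at line 89, which is the call that ends in assert zone.is_absolute() in get_dn; whatever builds update from the entry between lines 68 and 89 should be checked against raw values as well. The change is marked untested, so a short comment at line 68 saying why raw results are needed, and a run of ipa-ldap-updater --upgrade against a zone that triggered the AssertionError, would be worth having before this becomes a proper patch.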
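
The ns-slapd startup warnings quoted in the thread can be summarised mechanically instead of read line by line. The following is an added example, not part of the original thread or of FreeIPA/389-ds code: it parses journal lines in the format shown above and reports the allowWeakCipher state, the weak ciphers and suites that are enabled, the suites NSS ignored, and the TLS version range. The function name audit_tls_startup, the host name and the sample lines are constructed for illustration.

```python
import re

# Constructed sample: ns-slapd startup lines in the format quoted in the thread,
# each re-joined onto one line (the mail client had wrapped them). Host is made up.
P = "Nov 06 21:34:58 ipa.example.test ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] "
SAMPLE = "\n".join([
    P + '- SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since '
        'allowWeakCipher is "on" (default setting for the backward compatibility).',
    P + "- SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza",
    P + "- SSL alert: Configured NSS Ciphers",
    P + "- SSL alert: TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)",
    P + "- SSL alert: TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)",
    P + "SSL Initialization - SSL version range: min: TLS1.0, max: TLS1.2",
])

WEAK_NAMED = re.compile(r'SSL alert: Cipher (\S+) is weak\..*allowWeakCipher is "(\w+)"')
WEAK_SUITE = re.compile(r"SSL alert:\s+(\w+): enabled, \(WEAK CIPHER\)")
UNAVAILABLE = re.compile(r"SSL alert: Cipher suite (\S+) is not available")
VERSIONS = re.compile(r"SSL version range: min: (\S+), max: (\S+)")

def audit_tls_startup(log_text):
    """Summarise what ns-slapd reported about its TLS configuration at startup."""
    report = {"allow_weak_cipher": None, "weak_ciphers": [],
              "weak_suites_enabled": [], "ignored_suites": [], "version_range": None}
    for line in log_text.splitlines():
        if "ns-slapd[" not in line:
            continue  # skip systemd and other units in the same journal
        if m := WEAK_NAMED.search(line):
            report["weak_ciphers"].append(m.group(1))
            report["allow_weak_cipher"] = m.group(2)
        elif m := WEAK_SUITE.search(line):
            report["weak_suites_enabled"].append(m.group(1))
        elif m := UNAVAILABLE.search(line):
            report["ignored_suites"].append(m.group(1))
        elif m := VERSIONS.search(line):
            report["version_range"] = (m.group(1), m.group(2))
    return report

if __name__ == "__main__":
    for key, value in audit_tls_startup(SAMPLE).items():
        print(f"{key}: {value}")
```

An empty weak_ciphers list together with allow_weak_cipher staying None after a restart indicates the server no longer logged the warning, which is the state the log message itself recommends reaching by setting allowWeakCipher to "off" in cn=encryption,cn=config.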
