Yup that solved it.

Everything looks ok now :-)

Thank you for you great effort.
Rob

2014-11-07 14:55 GMT+01:00 Martin Basti <mba...@redhat.com>:

>  On 07/11/14 14:26, Rob Verduijn wrote:
>
> Hello,
>
>  Yes this time there are
> This section :
>  2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
> integrity postoperation,cn=plugins,cn=config
>  <SNIP>
>  2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
> {'desc': 'Operations error'}
> 2014-11-07T13:10:03Z ERROR Update failed: Operations error:
>
>  and this one
> 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
> Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
>  <snip>
> 2014-11-07T13:10:18Z ERROR Add failure
>
>  Known issues
>
>  and this one: (but since I do not have AD it's kinda logical)
> 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
> Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
>  <snip>
>  2014-11-07T13:10:19Z ERROR Upgrade failed with
> 2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
> line 152, in __upgrade
>     self.modified = (ld.update(self.files, ordered=True) or
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 874, in update
>     updates = api.Backend.updateclient.update(POST_UPDATE,
> self.dm_password, self.ldapi, self.live_run)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
> line 123, in update
>     (restart, apply_now, res) = self.run(update.name, **kw)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
> line 146, in run
>     return self.Updater[method](**kw)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1399,
> in __call__
>     return self.execute(**options)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line
> 89, in execute
>     api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in
> __call__
>     ret = self.run(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in
> run
>     return self.execute(*args, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
> 2528, in execute
>     result = super(dnszone_mod, self).execute(*keys, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
> 1385, in execute
>     dn = self.obj.get_dn(*keys, **options)
>   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
> 1784, in get_dn
>     assert zone.is_absolute()
> AssertionError
>
>
> This is the problem, it is new bug.
>
> The workaround is replace the code in:
> /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68
> - zones = api.Command.dnszone_find(all=True)['result']
> + zones = api.Command.dnszone_find(all=True, raw=True)['result']
>
> (I didn't test it)
>
> and run ipa-ldap-updater --upgrade
>
> Thank you for patience.
>
>
>
>  <snip>
>  2014-11-07T13:10:23Z ERROR IPA upgrade failed.
>  2014-11-07T13:10:23Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
> line 151, in run
>     raise admintool.ScriptError('IPA upgrade failed.', 1)
>
>  2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed,
> exception: ScriptError: IPA upgrade failed.
> 2014-11-07T13:10:23Z ERROR IPA upgrade failed.
> 2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with
> options: {'debug': False, 'quiet': True}
> 2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20
>
>
>  and another
> 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
> integrity postoperation,cn=plugins,cn=config
>  <snip>
>  2014-11-07T13:10:03Z DEBUG Live 1, updated 1
> 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
> 'Operations error'}
> 2014-11-07T13:10:03Z ERROR Update failed: Operations error:
>
>  That's it
> Rob
>
>
>
>
> 2014-11-07 13:56 GMT+01:00 Martin Basti <mba...@redhat.com>:
>
>>  On 07/11/14 13:52, Rob Verduijn wrote:
>>
>> Hi all,
>>
>>  Either I was to worn out last night, or another update has happened.
>> This morning the directory server did start after the update.
>> local dns zones however where not available again after the update
>> ipa-ldap-updater did not help to fix it.
>>
>>  The are again only 7 DNS aci objects are still in the ds.( same as
>> before when it failed )
>> I also noticed that there are also quite a lot lower case dns aci objects.
>>
>>  Rob
>>
>>
>>   Hi,
>>
>> do you have any errors in /var/log/ipaupgrade.log ?
>>
>>
>>
>> 2014-11-07 10:25 GMT+01:00 Martin Basti <mba...@redhat.com>:
>>
>>>  Changed subject.
>>> Rob CCed
>>>
>>> On 07/11/14 09:52, Martin Basti wrote:
>>>
>>> Forward message back to list
>>>
>>>
>>> -------- Original Message --------  Subject: Re: [Freeipa-users] dns
>>> stops working after upgrade  Date: Thu, 6 Nov 2014 21:42:55 +0100  From:
>>> Rob Verduijn <rob.verdu...@gmail.com> <rob.verdu...@gmail.com>  To: Martin
>>> Basti <mba...@redhat.com> <mba...@redhat.com>
>>>
>>> Hi again,
>>>
>>>  I tried the update to 4.1.1
>>> It didn't went well, actually it went worse than to 4.1.
>>> Now the directory service went down and was no longer able to start.
>>>
>>>  Some part of the logs is below.
>>> Besides the warnings about a weak cipher there was not much in the
>>> journalctl.
>>>
>>>  It's getting late overhere, I'll dig into the logs tomorrow.
>>>
>>>  Rob
>>>
>>>  Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory
>>> Server TJAKO-THUIS....
>>> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory
>>> Server TJAKO-THUIS..
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5 is weak.
>>> It is enabled since allowWeakCipher is "on" (default setting for the
>>> backward compatibility). We strongly recommend to set it to "off".  Please
>>> replace the value of allowWeakCipher with "off" in the encryption config
>>> entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5 is weak. It
>>> is enabled since allowWeakCipher is "on" (default setting for the backward
>>> compatibility). We strongly recommend to set it to "off".  Please replace
>>> the value of allowWeakCipher with "off" in the encryption config entry
>>> cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5 is weak. It
>>> is enabled since allowWeakCipher is "on" (default setting for the backward
>>> compatibility). We strongly recommend to set it to "off".  Please replace
>>> the value of allowWeakCipher with "off" in the encryption config entry
>>> cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is weak. It is
>>> enabled since allowWeakCipher is "on" (default setting for the backward
>>> compatibility). We strongly recommend to set it to "off".  Please replace
>>> the value of allowWeakCipher with "off" in the encryption config entry
>>> cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha is weak.
>>> It is enabled since allowWeakCipher is "on" (default setting for the
>>> backward compatibility). We strongly recommend to set it to "off".  Please
>>> replace the value of allowWeakCipher with "off" in the encryption config
>>> entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is weak. It
>>> is enabled since allowWeakCipher is "on" (default setting for the backward
>>> compatibility). We strongly recommend to set it to "off".  Please replace
>>> the value of allowWeakCipher with "off" in the encryption config entry
>>> cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_3des_sha is weak.
>>> It is enabled since allowWeakCipher is "on" (default setting for the
>>> backward compatibility). We strongly recommend to set it to "off".  Please
>>> replace the value of allowWeakCipher with "off" in the encryption config
>>> entry cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza is not
>>> available in NSS 3.17.  Ignoring fortezza
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_rc4_128_sha
>>> is not available in NSS 3.17.  Ignoring fortezza_rc4_128_sha
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_null is not
>>> available in NSS 3.17.  Ignoring fortezza_null
>>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>> tls_rsa_export1024_with_rc4_56_sha is weak.  It is enabled since
>>> allowWeakCipher is "on" (default setting for the backward compatibility).
>>> We strongly recommend to set it to "off".  Please replace the value of
>>> allowWeakCipher with "off" in the encryption config entry
>>> cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
>>> tls_rsa_export1024_with_des_cbc_sha is weak.  It is enabled since
>>> allowWeakCipher is "on" (default setting for the backward compatibility).
>>> We strongly recommend to set it to "off".  Please replace the value of
>>> allowWeakCipher with "off" in the encryption config entry
>>> cn=encryption,cn=config and restart the server.
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>> TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:         TLS_RSA_WITH_RC4_128_MD5:
>>> enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>> SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:         TLS_RSA_WITH_DES_CBC_SHA:
>>> enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>> TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
>>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>> [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version range: min:
>>> TLS1.0, max: TLS1.2
>>> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
>>> dirsrv@TJAKO-THUIS.service: main process exited, code=exited,
>>> status=1/FAILURE
>>> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
>>> dirsrv@TJAKO-THUIS.service entered failed state.
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Martin Basti
>>>
>>>
>>
>>
>> --
>> Martin Basti
>>
>>
>
>
> --
> Martin Basti
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to