On 11/07/2014 03:05 PM, Rob Verduijn wrote:
Yup that solved it.

Everything looks ok now :-)

Thank you for your great effort.

Well, thank you for your patience. It will allow us to fix this bug in the next FreeIPA release; the patch was already submitted on freeipa-devel.

Thanks again!
Martin

Rob

2014-11-07 14:55 GMT+01:00 Martin Basti <mba...@redhat.com>:

    On 07/11/14 14:26, Rob Verduijn wrote:
    Hello,

    Yes this time there are
    This section :
    2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
    integrity postoperation,cn=plugins,cn=config
    <SNIP>
    2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
    {'desc': 'Operations error'}
    2014-11-07T13:10:03Z ERROR Update failed: Operations error:

    and this one
    2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
    Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
    <snip>
    2014-11-07T13:10:18Z ERROR Add failure
    Known issues

    and this one: (but since I do not have AD it's kinda logical)
    2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
    Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
    <snip>
    2014-11-07T13:10:19Z ERROR Upgrade failed with
    2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
    line 152, in __upgrade
        self.modified = (ld.update(self.files, ordered=True) or
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
    874, in update
        updates = api.Backend.updateclient.update(POST_UPDATE,
    self.dm_password, self.ldapi, self.live_run)
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
    line 123, in update
        (restart, apply_now, res) = self.run(update.name, **kw)
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
    line 146, in run
        return self.Updater[method](**kw)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1399,
    in __call__
        return self.execute(**options)
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line
    89, in execute
        api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439,
    in __call__
        ret = self.run(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754,
    in run
        return self.execute(*args, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
    2528, in execute
        result = super(dnszone_mod, self).execute(*keys, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py",
    line 1385, in execute
        dn = self.obj.get_dn(*keys, **options)
      File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line
    1784, in get_dn
        assert zone.is_absolute()
    AssertionError

    This is the problem; it is a new bug.

    The workaround is to replace the code in:
    /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68
    - zones = api.Command.dnszone_find(all=True)['result']
    + zones = api.Command.dnszone_find(all=True, raw=True)['result']
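
Review bot: the changed call on line 68 carries no comment explaining why raw=True is needed, while the traceback shows line 89 of the same plugin passing zone[u'idnsname'][0] straight into api.Command.dnszone_mod, whose get_dn asserts zone.is_absolute(). Add a comment tying raw=True to that assertion, check that every other use of the zones entries in this plugin copes with raw values, and test the change before relying on it, since it is applied by hand to an installed file under site-packages.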

    (I didn't test it)

    and run ipa-ldap-updater --upgrade

    Thank you for your patience.



    <snip>
    2014-11-07T13:10:23Z ERROR IPA upgrade failed.
    2014-11-07T13:10:23Z DEBUG   File
    "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
    execute
        return_value = self.run()
      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
    line 151, in run
        raise admintool.ScriptError('IPA upgrade failed.', 1)

    2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed,
    exception: ScriptError: IPA upgrade failed.
    2014-11-07T13:10:23Z ERROR IPA upgrade failed.
    2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with
    options: {'debug': False, 'quiet': True}
    2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20


    and another
    2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
    integrity postoperation,cn=plugins,cn=config
    <snip>
    2014-11-07T13:10:03Z DEBUG Live 1, updated 1
    2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
    {'desc': 'Operations error'}
    2014-11-07T13:10:03Z ERROR Update failed: Operations error:

    That's it
    Rob




    2014-11-07 13:56 GMT+01:00 Martin Basti <mba...@redhat.com>:

        On 07/11/14 13:52, Rob Verduijn wrote:
        Hi all,

        Either I was too worn out last night, or another update has happened.
        This morning the directory server did start after the update.
        Local DNS zones, however, were not available again after the update;
        ipa-ldap-updater did not help to fix it.

        There are again only 7 DNS aci objects still in the ds (same as
        before when it failed).
        I also noticed that there are also quite a lot of lower case dns aci
        objects.

        Rob


        Hi,

        do you have any errors in /var/log/ipaupgrade.log ?


        2014-11-07 10:25 GMT+01:00 Martin Basti <mba...@redhat.com>:

            Changed subject.
            Rob CCed

            On 07/11/14 09:52, Martin Basti wrote:
            Forward message back to list


            -------- Original Message --------
            Subject:    Re: [Freeipa-users] dns stops working after upgrade
            Date:       Thu, 6 Nov 2014 21:42:55 +0100
            From:       Rob Verduijn <rob.verdu...@gmail.com>
            To:         Martin Basti <mba...@redhat.com>



            Hi again,

            I tried the update to 4.1.1
            It didn't go well, actually it went worse than to 4.1.
            Now the directory service went down and was no longer able to
            start.

            Some part of the logs is below.
            Besides the warnings about a weak cipher there was not much in
            the journalctl.

            It's getting late over here, I'll dig into the logs tomorrow.

            Rob

            Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389
            Directory Server TJAKO-THUIS....
            Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389
            Directory Server TJAKO-THUIS..
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
            rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher is
            "on" (default setting for the backward compatibility). We
            strongly recommend to set it to "off".  Please replace the
            value of allowWeakCipher with "off" in the encryption config
            entry cn=encryption,cn=config and restart the server.
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5
            is weak. It is enabled since allowWeakCipher is "on" (default
            setting for the backward compatibility). We strongly recommend
            to set it to "off".  Please replace the value of
            allowWeakCipher with "off" in the encryption config entry
            cn=encryption,cn=config and restart the server.
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5
            is weak. It is enabled since allowWeakCipher is "on" (default
            setting for the backward compatibility). We strongly recommend
            to set it to "off".  Please replace the value of
            allowWeakCipher with "off" in the encryption config entry
            cn=encryption,cn=config and restart the server.
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is
            weak. It is enabled since allowWeakCipher is "on" (default
            setting for the backward compatibility). We strongly recommend
            to set it to "off".  Please replace the value of
            allowWeakCipher with "off" in the encryption config entry
            cn=encryption,cn=config and restart the server.
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
            rsa_fips_des_sha is weak. It is enabled since allowWeakCipher
            is "on" (default setting for the backward compatibility). We
            strongly recommend to set it to "off".  Please replace the
            value of allowWeakCipher with "off" in the encryption config
            entry cn=encryption,cn=config and restart the server.
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha
            is weak. It is enabled since allowWeakCipher is "on" (default
            setting for the backward compatibility). We strongly recommend
            to set it to "off".  Please replace the value of
            allowWeakCipher with "off" in the encryption config entry
            cn=encryption,cn=config and restart the server.
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
            rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher
            is "on" (default setting for the backward compatibility). We
            strongly recommend to set it to "off".  Please replace the
            value of allowWeakCipher with "off" in the encryption config
            entry cn=encryption,cn=config and restart the server.
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza
            is not available in NSS 3.17.  Ignoring fortezza
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
            fortezza_rc4_128_sha is not available in NSS 3.17.  Ignoring
            fortezza_rc4_128_sha
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
            fortezza_null is not available in NSS 3.17.  Ignoring fortezza_null
            Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
            tls_rsa_export1024_with_rc4_56_sha is weak.  It is enabled
            since allowWeakCipher is "on" (default setting for the backward
            compatibility). We strongly recommend to set it to "off".
            Please replace the value of allowWeakCipher with "off" in the
            encryption config entry cn=encryption,cn=config and restart the
            server.
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
            tls_rsa_export1024_with_des_cbc_sha is weak.  It is enabled
            since allowWeakCipher is "on" (default setting for the backward
            compatibility). We strongly recommend to set it to "off".
            Please replace the value of allowWeakCipher with "off" in the
            encryption config entry cn=encryption,cn=config and restart the
            server.
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] - SSL alert:
            TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
            Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
            [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version
            range: min: TLS1.0, max: TLS1.2
            Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
            dirsrv@TJAKO-THUIS.service: main process exited,
            code=exited, status=1/FAILURE
            Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
            dirsrv@TJAKO-THUIS.service entered failed state.





            --
            Martin Basti




        --
        Martin Basti




    --
    Martin Basti





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
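
Added example, not part of the thread and not FreeIPA or 389-ds code: a small Python check that rejoins mail-wrapped ns-slapd journal records like those quoted above and reports which weak ciphers the server says are enabled, the allowWeakCipher state it logs, and the TLS version range. The sample log, its host name, and the function names `records` and `audit` are constructed for this example.

```python
import re

# Constructed sample in the shape of the journal lines quoted in the thread,
# including the hard line wrapping added by the mail client.
SAMPLE = """\
Nov 06 21:34:58 ipa.example.test ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher is
"on" (default setting for the backward compatibility).
Nov 06 21:34:59 ipa.example.test ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
Nov 06 21:34:59 ipa.example.test ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_WITH_AES_128_CBC_SHA: enabled
Nov 06 21:34:59 ipa.example.test ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version
range: min: TLS1.0, max: TLS1.2
"""

# A new journal record starts with "Mon DD HH:MM:SS host unit[pid]:".
RECORD_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+ \S+\[\d+\]:")

def records(text):
    """Rejoin wrapped lines into one string per journal record."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def audit(text):
    """Collect weak ciphers, the logged allowWeakCipher value and the TLS range."""
    weak, allow, tls = set(), None, None
    for rec in records(text):
        for pat in (r"Cipher (\S+) is weak",
                    r"SSL alert: (\S+): enabled, \(WEAK CIPHER\)"):
            m = re.search(pat, rec)
            if m:
                weak.add(m.group(1))
        m = re.search(r'allowWeakCipher is "(\w+)"', rec)
        if m:
            allow = m.group(1)
        m = re.search(r"SSL version range: min: (\S+), max: (\S+)", rec)
        if m:
            tls = (m.group(1), m.group(2))
    return {"weak": sorted(weak), "allow_weak_cipher": allow, "tls_range": tls}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `weak` list together with `allow_weak_cipher` equal to `on` is the condition the server's own log message asks to be corrected in `cn=encryption,cn=config`.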