On 04/08/2015 12:04 PM, Martin Kosek wrote:
On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers 
was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
Now it is broken globally, in logs I see these:

[08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): 
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr 
"ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes 
"ipaProtectedOperation;write_keys" to schema if necessary.

What can I do to fix this catastrophe, or it is fatal?
As it seems from the client servers, hbac is not working at all, maybe all 
other things as well :(

With best regards,
Alexander Frolushkin
AFAIK, this particular error message should not be fatal to the function and
new ACI should just be ignored.
yes, but I don't know if any IPA component would rely on access granted by this aci.
Maybe the new schema did not replicate
is this message logged on all servers ?
properly. Do you see other DS errors? (CCing DS guys)

Non-working HBAC is also strange, SSSD developers will want logs to analyze,
see https://fedorahosted.org/sssd/wiki/Troubleshooting

In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a
recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to