On 04/08/2015 12:12 PM, Alexander Frolushkin wrote:
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, April 08, 2015 4:04 PM
> To: Alexander Frolushkin (SIB); email@example.com; Ludwig Krispenz;
> Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
> On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
>>> We used to have a geo-replicated IPA with RHEL 7.0, and on one site ipa
>>> servers were upgraded by mistake to RHEL 7.1.
>>> Now it is broken globally, in logs I see these:
>>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5):
>>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr:
>>> targetattr "ipaProtectedOperation;write_keys" does not exist in schema.
>>> Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if
>>> What can I do to fix this catastrophe, or is it fatal?
>>> As it seems from the client servers, hbac is not working at all, maybe
>>> all other things as well :(
>>> With best regards,
>>> Alexander Frolushkin
>> AFAIK, this particular error message should not be fatal to the function and
>> new ACI should just be ignored. Maybe the new schema did not replicate
>> properly. Do you see other DS errors? (CCing DS guys)
>> Non-working HBAC is also strange, SSSD developers will want logs to analyze,
>> see https://fedorahosted.org/sssd/wiki/Troubleshooting
>> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have
>> recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
> Please note, we currently have three servers with IPA 4.1.0, and 13 servers
> with IPA 3.3.3 working simultaneously.
> Also about hbac:
> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read
CCing Jakub, but this looks like
that is fixed in sssd-1.12.1-1.el7.