Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

[John Obaterspok]

2015-11-05 17:07 GMT+01:00 John Obaterspok :

>
>
> 2015-11-05 12:26 GMT+01:00 Alexander Bokovoy :
>
>> On Thu, 05 Nov 2015, John Obaterspok wrote:
>>
>>> Hi,
>>>
>>> I waited a couple of days and when "dnf list freeipa-server
>>> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed to
>>> late that I received 4.2.2 during "dnf system-upgrade".
>>>
>>> Any ideas how to get it going again? Or is it easier to start from
>>> scratch
>>> if I only have ~ 10 IPA clients?
>>>
>> Did you already upgrade to 4.2.3? Make sure you have
>> pki-core-10.2.6-12.fc23 and freeipa 4.2.3-1.fc23, run
>> ipa-server-upgrade. It should be able to recover.
>>
>>
> Hi Alexander,
>
> Untfortunatly not, it's not able to recover:
>
> #  rpm -q pki-base freeipa-server
> pki-base-10.2.6-12.fc23.noarch
> freeipa-server-4.2.3-1.fc23.x86_64
>
> (Note I have pki-base, not pki-core... but I guess that was what you ment)
>
> #  ipa-server-upgrade
> session memcached servers not running
> Missing version: no platform stored
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [error] CalledProcessError: Command ''/bin/systemctl' 'start'
> 'dirsrv@MY-LAN.service'' returned non-zero exit status 1
>   [cleanup]: stopping directory server
>   [cleanup]: restoring configuration
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: Command ''/bin/systemctl' 'start'
> 'dirsrv@MY-LAN.service'' returned non-zero exit status 1
>
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] - Cannot find parent
> attribute type "ipaPublicKey"
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse_read_one_file - The entry
> cn=schema in file /etc/dirsrv/slapd-MY-LAN/schema/99user.ldif (lineno: 1)
> is invalid, error code 21 (
> ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse - Please edit the file to
> correct the reported problems and then restart the server.
> systemd[1]: dirsrv@MY-LAN.service: Control process exited, code=exited
> status=1
>
> # 99user.ldif first lines has the following
> dn: cn=schema
> objectclass: top
> objectclass: ldapSubentry
> objectclass: subschema
> cn: schema
> aci: (target="ldap:///cn=schema;)(targetattr !="aci")(version 3.0;acl
> "anonymous, no acis"; allow (read, search, compare) userdn =
> "ldap:///anyone;;)
> modifiersname: cn=Directory Manager
>
>
> Any ideas?
>
> -- john
>

I just found
https://fedoraproject.org/wiki/Common_F23_bugs#freeipa-upgrade-fail which
allowed me to run freeipa-server-upgrade successfully.
Just a note:

It says "Find the entry (split across three lines) that starts attributeTypes:
( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaVaultPublicKey'"

However, it's all on one line without spaces
Then make sure the text you replace with don't have extra spaces. Should be
DESC 'IPA... & ...1466.115.121...

Thanks!

-- john
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

[Alexander Bokovoy]

On Thu, 05 Nov 2015, John Obaterspok wrote:

Hi,

I waited a couple of days and when "dnf list freeipa-server
--releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed to
late that I received 4.2.2 during "dnf system-upgrade".

Any ideas how to get it going again? Or is it easier to start from scratch
if I only have ~ 10 IPA clients?

Did you already upgrade to 4.2.3? Make sure you have
pki-core-10.2.6-12.fc23 and freeipa 4.2.3-1.fc23, run
ipa-server-upgrade. It should be able to recover.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

[Prashant Bapat]

I just upgraded a test env from 4.1.4 (F21) to 4.2.3 (F23) without issues.
I had to run a dnf upgrade freeipa-server AFTER upgrading to F23 and then
run ipa-server-upgrade.

On 5 November 2015 at 16:20, John Obaterspok 
wrote:

> Hi,
>
> I waited a couple of days and when "dnf list freeipa-server
> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed to
> late that I received 4.2.2 during "dnf system-upgrade".
>
> Any ideas how to get it going again? Or is it easier to start from scratch
> if I only have ~ 10 IPA clients?
>
> -- john
>
>
> 2015-11-03 8:44 GMT+01:00 Martin Kosek :
>
>> On 11/02/2015 05:48 PM, Martin Kosek wrote:
>> > Hello everyone,
>> >
>> > Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The
>> release
>> > adds a lot of new exiting functionality and we are eager to hear your
>> thoughts
>> > on the release [1].
>> >
>> > Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment
>> and
>> > fails on updating the LDAP schema. The problem is tracked in Red Hat
>> Bugzilla
>> > [2]. The problem is fixed in upstream project, the development team is
>> now
>> > working on releasing FreeIPA upstream release 4.2.3 ASAP and also
>> publishing it
>> > as a 0-day update for Fedora 23. This situation should be resolved
>> within
>> > couple days, when the released build hits the official Fedora repos and
>> mirrors.
>> >
>> > Until the fixed FreeIPA version is released and in the Fedora repos,
>> please
>> > wait with updating your existing FreeIPA installation.
>> >
>> > We will keep you posted. We are very sorry for the inconvenience.
>> >
>> > [1] http://www.freeipa.org/page/Releases/4.2.0
>> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905
>> >
>>
>> The respective F23 updates are now heading to testing repo:
>>
>> FreeIPA: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e
>> pki-core
>> :
>> https://bodhi.fedoraproject.org/updates/FEDORA-2015-f12c332a2f
>>
>> Martin
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

[John Obaterspok]

Hi,

I waited a couple of days and when "dnf list freeipa-server
--releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed to
late that I received 4.2.2 during "dnf system-upgrade".

Any ideas how to get it going again? Or is it easier to start from scratch
if I only have ~ 10 IPA clients?

-- john


2015-11-03 8:44 GMT+01:00 Martin Kosek :

> On 11/02/2015 05:48 PM, Martin Kosek wrote:
> > Hello everyone,
> >
> > Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The
> release
> > adds a lot of new exiting functionality and we are eager to hear your
> thoughts
> > on the release [1].
> >
> > Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment
> and
> > fails on updating the LDAP schema. The problem is tracked in Red Hat
> Bugzilla
> > [2]. The problem is fixed in upstream project, the development team is
> now
> > working on releasing FreeIPA upstream release 4.2.3 ASAP and also
> publishing it
> > as a 0-day update for Fedora 23. This situation should be resolved within
> > couple days, when the released build hits the official Fedora repos and
> mirrors.
> >
> > Until the fixed FreeIPA version is released and in the Fedora repos,
> please
> > wait with updating your existing FreeIPA installation.
> >
> > We will keep you posted. We are very sorry for the inconvenience.
> >
> > [1] http://www.freeipa.org/page/Releases/4.2.0
> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905
> >
>
> The respective F23 updates are now heading to testing repo:
>
> FreeIPA: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e
> pki-core: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f12c332a2f
>
> Martin
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

[John Obaterspok]

2015-11-05 12:26 GMT+01:00 Alexander Bokovoy :

> On Thu, 05 Nov 2015, John Obaterspok wrote:
>
>> Hi,
>>
>> I waited a couple of days and when "dnf list freeipa-server
>> --releasever=23" said 4.2.3 I hit the upgrade. Unfortunately I noticed to
>> late that I received 4.2.2 during "dnf system-upgrade".
>>
>> Any ideas how to get it going again? Or is it easier to start from scratch
>> if I only have ~ 10 IPA clients?
>>
> Did you already upgrade to 4.2.3? Make sure you have
> pki-core-10.2.6-12.fc23 and freeipa 4.2.3-1.fc23, run
> ipa-server-upgrade. It should be able to recover.
>
>
Hi Alexander,

Untfortunatly not, it's not able to recover:

#  rpm -q pki-base freeipa-server
pki-base-10.2.6-12.fc23.noarch
freeipa-server-4.2.3-1.fc23.x86_64

(Note I have pki-base, not pki-core... but I guess that was what you ment)

#  ipa-server-upgrade
session memcached servers not running
Missing version: no platform stored
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [error] CalledProcessError: Command ''/bin/systemctl' 'start'
'dirsrv@MY-LAN.service'' returned non-zero exit status 1
  [cleanup]: stopping directory server
  [cleanup]: restoring configuration
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command ''/bin/systemctl' 'start' 'dirsrv@MY-LAN.service''
returned non-zero exit status 1

ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] - Cannot find parent attribute
type "ipaPublicKey"
ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse_read_one_file - The entry
cn=schema in file /etc/dirsrv/slapd-MY-LAN/schema/99user.ldif (lineno: 1)
is invalid, error code 21 (
ns-slapd[2083]: [05/Nov/2015:16:55:32 +0100] dse - Please edit the file to
correct the reported problems and then restart the server.
systemd[1]: dirsrv@MY-LAN.service: Control process exited, code=exited
status=1

# 99user.ldif first lines has the following
dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
cn: schema
aci: (target="ldap:///cn=schema;)(targetattr !="aci")(version 3.0;acl
"anonymous, no acis"; allow (read, search, compare) userdn =
"ldap:///anyone;;)
modifiersname: cn=Directory Manager


Any ideas?

-- john
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

[Martin Kosek]

Hello everyone,

Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The release
adds a lot of new exiting functionality and we are eager to hear your thoughts
on the release [1].

Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment and
fails on updating the LDAP schema. The problem is tracked in Red Hat Bugzilla
[2]. The problem is fixed in upstream project, the development team is now
working on releasing FreeIPA upstream release 4.2.3 ASAP and also publishing it
as a 0-day update for Fedora 23. This situation should be resolved within
couple days, when the released build hits the official Fedora repos and mirrors.

Until the fixed FreeIPA version is released and in the Fedora repos, please
wait with updating your existing FreeIPA installation.

We will keep you posted. We are very sorry for the inconvenience.

[1] http://www.freeipa.org/page/Releases/4.2.0
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905

-- 
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IMPORTANT: FreeIPA upgrade broken in Fedora 23

[Martin Kosek]

On 11/02/2015 05:48 PM, Martin Kosek wrote:
> Hello everyone,
> 
> Fedora 23 with the new and shiny FreeIPA 4.2 will be out tomorrow. The release
> adds a lot of new exiting functionality and we are eager to hear your thoughts
> on the release [1].
> 
> Unfortunately, the FreeIPA upgrade on Fedora 23 is broken at the moment and
> fails on updating the LDAP schema. The problem is tracked in Red Hat Bugzilla
> [2]. The problem is fixed in upstream project, the development team is now
> working on releasing FreeIPA upstream release 4.2.3 ASAP and also publishing 
> it
> as a 0-day update for Fedora 23. This situation should be resolved within
> couple days, when the released build hits the official Fedora repos and 
> mirrors.
> 
> Until the fixed FreeIPA version is released and in the Fedora repos, please
> wait with updating your existing FreeIPA installation.
> 
> We will keep you posted. We are very sorry for the inconvenience.
> 
> [1] http://www.freeipa.org/page/Releases/4.2.0
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1274905
> 

The respective F23 updates are now heading to testing repo:

FreeIPA: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4d94884a7e
pki-core: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f12c332a2f

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project