Re: [Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-31 Thread Michael Lasevich
Thank you!!! That was exactly it.

* Removed the "nsEncryptionConfig" entry from 99user.ldif
* Re-run the "ipa-ldap-update --upgrade"
* Then "ipa-dns-install" and things are looking much better - both
servers are now back up and running.

What is the lesson here (besides "have good backups")?

Should we be turning off ALL servers before upgrading to prevent
replication? I did notice that the 99user entry was made it to BOTH
servers, which makes me think that replication is not exactly the culprit.

-M

On 10/31/14, 1:30 AM, Ludwig Krispenz wrote:
>
> On 10/30/2014 07:36 PM, Martin Basti wrote:
>> On 30/10/14 19:18, Michael Lasevich wrote:
>>> Makes sense. What is the solution here?
>>>
>>> I have the latest 389-ds installed but still getting
>>> "allowWeakCipher" error - how to I get around that?
>>>
>>> -M
>>>
>> Sorry I don't know, I CCied Ludwig, he is DS guru.
> I already asked to verify the schema files:
> can you check your schema files for the definition of the
> nsEncryptionConfig objectclass, it should be only in 01core389.ldif
> and contain allowWeakCipher, but it could have been added also to
> 99user.ldif during replication when schema changes have been consolidated
>
> and what is the latest ds version you are using: rpm -q 389-ds-base
>
>
>> Martin^2
>>
>>>
>>> On 10/30/14, 11:12 AM, Martin Basti wrote:
 On 24/10/14 05:17, Michael Lasevich wrote:
> While upgrading from 4.0.1. to 4.1 on fedora 20 got following on
> one of the two boxes:
>
> Upgrade failed with attribute "allowWeakCipher" not allowed
> IPA upgrade failed.
> Unexpected error
> DuplicateEntry: This entry already exists
>

 Named errors are caused by cascade effect, if ldap schema and entry
 updates failed, there is misconfigured DS plugin which is
 responsible to keep DNSSEC keys DN unique, what causes duplication
 errors. DuplicateEntry exception is fatal, so dnskeysyncd
 installation will not continue,
 what causes there are not appropriate permissions for token
 database, and named-pkcs11 can't read tokens.
>
>
> It seems the ipa no longer starts up after this. The replica
> server seems to have had same error,but it runs just fine.
>
> From digging around, it appears that there are a number of GSS
> errors in dirsrv and bind fails with something like:
>
> named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token
> e919db16-6329-406c-6ae4-120ad68508c4
> named-pkcs11[2212]: sha1.c:92: fatal error:
> named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
> isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void
> *)0), 0) == 0) failed
>
> Any help would be appreciated
>
>
> -M
>
>
>


 -- 
 Martin Basti
>>>
>>
>>
>> -- 
>> Martin Basti
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-31 Thread Ludwig Krispenz


On 10/30/2014 07:36 PM, Martin Basti wrote:

On 30/10/14 19:18, Michael Lasevich wrote:

Makes sense. What is the solution here?

I have the latest 389-ds installed but still getting 
"allowWeakCipher" error - how to I get around that?


-M


Sorry I don't know, I CCied Ludwig, he is DS guru.

I already asked to verify the schema files:
can you check your schema files for the definition of the 
nsEncryptionConfig objectclass, it should be only in 01core389.ldif and 
contain allowWeakCipher, but it could have been added also to 
99user.ldif during replication when schema changes have been consolidated


and what is the latest ds version you are using: rpm -q 389-ds-base



Martin^2



On 10/30/14, 11:12 AM, Martin Basti wrote:

On 24/10/14 05:17, Michael Lasevich wrote:
While upgrading from 4.0.1. to 4.1 on fedora 20 got following on 
one of the two boxes:


Upgrade failed with attribute "allowWeakCipher" not allowed
IPA upgrade failed.
Unexpected error
DuplicateEntry: This entry already exists



Named errors are caused by cascade effect, if ldap schema and entry 
updates failed, there is misconfigured DS plugin which is 
responsible to keep DNSSEC keys DN unique, what causes duplication 
errors. DuplicateEntry exception is fatal, so dnskeysyncd 
installation will not continue,
what causes there are not appropriate permissions for token 
database, and named-pkcs11 can't read tokens.



It seems the ipa no longer starts up after this. The replica server 
seems to have had same error,but it runs just fine.


From digging around, it appears that there are a number of GSS 
errors in dirsrv and bind fails with something like:


named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token 
e919db16-6329-406c-6ae4-120ad68508c4

named-pkcs11[2212]: sha1.c:92: fatal error:
named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, 
isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void 
*)0), 0) == 0) failed


Any help would be appreciated


-M






--
Martin Basti





--
Martin Basti


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-30 Thread Martin Basti

On 30/10/14 19:18, Michael Lasevich wrote:

Makes sense. What is the solution here?

I have the latest 389-ds installed but still getting "allowWeakCipher" 
error - how to I get around that?


-M


Sorry I don't know, I CCied Ludwig, he is DS guru.
Martin^2



On 10/30/14, 11:12 AM, Martin Basti wrote:

On 24/10/14 05:17, Michael Lasevich wrote:
While upgrading from 4.0.1. to 4.1 on fedora 20 got following on one 
of the two boxes:


Upgrade failed with attribute "allowWeakCipher" not allowed
IPA upgrade failed.
Unexpected error
DuplicateEntry: This entry already exists



Named errors are caused by cascade effect, if ldap schema and entry 
updates failed, there is misconfigured DS plugin which is responsible 
to keep DNSSEC keys DN unique, what causes duplication errors. 
DuplicateEntry exception is fatal, so dnskeysyncd installation will 
not continue,
what causes there are not appropriate permissions for token database, 
and named-pkcs11 can't read tokens.



It seems the ipa no longer starts up after this. The replica server 
seems to have had same error,but it runs just fine.


From digging around, it appears that there are a number of GSS 
errors in dirsrv and bind fails with something like:


named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token 
e919db16-6329-406c-6ae4-120ad68508c4

named-pkcs11[2212]: sha1.c:92: fatal error:
named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, 
isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 
0) == 0) failed


Any help would be appreciated


-M






--
Martin Basti





--
Martin Basti

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-30 Thread Michael Lasevich
Makes sense. What is the solution here?

I have the latest 389-ds installed but still getting "allowWeakCipher"
error - how to I get around that?

-M


On 10/30/14, 11:12 AM, Martin Basti wrote:
> On 24/10/14 05:17, Michael Lasevich wrote:
>> While upgrading from 4.0.1. to 4.1 on fedora 20 got following on one
>> of the two boxes:
>>
>> Upgrade failed with attribute "allowWeakCipher" not allowed
>> IPA upgrade failed.
>> Unexpected error
>> DuplicateEntry: This entry already exists
>>
>
> Named errors are caused by cascade effect, if ldap schema and entry
> updates failed, there is misconfigured DS plugin which is responsible
> to keep DNSSEC keys DN unique, what causes duplication errors.
> DuplicateEntry exception is fatal, so dnskeysyncd installation will
> not continue,
> what causes there are not appropriate permissions for token database,
> and named-pkcs11 can't read tokens.
>>
>>
>> It seems the ipa no longer starts up after this. The replica server
>> seems to have had same error,but it runs just fine.
>>
>> From digging around, it appears that there are a number of GSS errors
>> in dirsrv and bind fails with something like:
>>
>> named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token
>> e919db16-6329-406c-6ae4-120ad68508c4
>> named-pkcs11[2212]: sha1.c:92: fatal error:
>> named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
>> isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0),
>> 0) == 0) failed
>>
>> Any help would be appreciated
>>
>>
>> -M
>>
>>
>>
>
>
> -- 
> Martin Basti

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-30 Thread Martin Basti

On 24/10/14 05:17, Michael Lasevich wrote:
While upgrading from 4.0.1. to 4.1 on fedora 20 got following on one 
of the two boxes:


Upgrade failed with attribute "allowWeakCipher" not allowed
IPA upgrade failed.
Unexpected error
DuplicateEntry: This entry already exists



Named errors are caused by cascade effect, if ldap schema and entry 
updates failed, there is misconfigured DS plugin which is responsible to 
keep DNSSEC keys DN unique, what causes duplication errors. 
DuplicateEntry exception is fatal, so dnskeysyncd installation will not 
continue,
what causes there are not appropriate permissions for token database, 
and named-pkcs11 can't read tokens.



It seems the ipa no longer starts up after this. The replica server 
seems to have had same error,but it runs just fine.


From digging around, it appears that there are a number of GSS errors 
in dirsrv and bind fails with something like:


named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token 
e919db16-6329-406c-6ae4-120ad68508c4

named-pkcs11[2212]: sha1.c:92: fatal error:
named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, 
isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 
0) == 0) failed


Any help would be appreciated


-M






--
Martin Basti

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-30 Thread Ludwig Krispenz


On 10/24/2014 09:44 AM, Martin Kosek wrote:

On 10/24/2014 05:17 AM, Michael Lasevich wrote:
While upgrading from 4.0.1. to 4.1 on fedora 20 got following on one 
of the two

boxes:

Upgrade failed with attribute "allowWeakCipher" not allowed
IPA upgrade failed.
Unexpected error
DuplicateEntry: This entry already exists


It seems the ipa no longer starts up after this. The replica server 
seems to

have had same error,but it runs just fine.

 From digging around, it appears that there are a number of GSS 
errors in

dirsrv and bind fails with something like:

named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token
e919db16-6329-406c-6ae4-120ad68508c4
named-pkcs11[2212]: sha1.c:92: fatal error:
named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 
0) == 0)

failed

Any help would be appreciated


-M


What Directory Server version do you use? This is an attribute 
introduced in 389-ds-base 1.3.3+ which should be included in the 
FreeIPA Copr (DS 1.3.3 is native to F21+). CCing Ludwig to advise 
further.
can you check your schema files for the definition of the 
nsEncryptionConfig objectclass, itshould be only in 01core389.ldif and 
contain allowWeakCipher, but it could have been added also to 
99user.ldif during replication when schema changes have been comsolodated.


Thanks,
Martin


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-24 Thread Martin Kosek

On 10/24/2014 05:17 AM, Michael Lasevich wrote:

While upgrading from 4.0.1. to 4.1 on fedora 20 got following on one of the two
boxes:

Upgrade failed with attribute "allowWeakCipher" not allowed
IPA upgrade failed.
Unexpected error
DuplicateEntry: This entry already exists


It seems the ipa no longer starts up after this. The replica server seems to
have had same error,but it runs just fine.

 From digging around, it appears that there are a number of GSS errors in
dirsrv and bind fails with something like:

named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token
e919db16-6329-406c-6ae4-120ad68508c4
named-pkcs11[2212]: sha1.c:92: fatal error:
named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 0) == 0)
failed

Any help would be appreciated


-M


What Directory Server version do you use? This is an attribute introduced in 
389-ds-base 1.3.3+ which should be included in the FreeIPA Copr (DS 1.3.3 is 
native to F21+). CCing Ludwig to advise further.


Thanks,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


[Freeipa-users] Errors upgrading 4.0.1 to 4.1

2014-10-23 Thread Michael Lasevich
While upgrading from 4.0.1. to 4.1 on fedora 20 got following on one of the
two boxes:

Upgrade failed with attribute "allowWeakCipher" not allowed
IPA upgrade failed.
Unexpected error
DuplicateEntry: This entry already exists


It seems the ipa no longer starts up after this. The replica server seems
to have had same error,but it runs just fine.

>From digging around, it appears that there are a number of GSS errors in
dirsrv and bind fails with something like:

named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token
e919db16-6329-406c-6ae4-120ad68508c4
named-pkcs11[2212]: sha1.c:92: fatal error:
named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void *)0), 0) ==
0) failed

Any help would be appreciated


-M
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project