Hello,

comments inline
Martin

On 02/04/15 18:54, Christoph Kaminski wrote:
see this in ipupgrade.log

2015-04-02T11:27:02Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
2015-04-02T11:27:02Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
    self.create_connection()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
    dm_password=self.dm_password, pw_name=self.pw_name)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
    raise e
error: [Errno 111] Connection refused
This is the issue.
Do you have any errors in DS error log?
/var/log/dirsrv/slapd-INSTANCE/errors

2015-04-02T11:27:02Z DEBUG duration: 12 seconds
2015-04-02T11:27:02Z DEBUG [6/10]: updating schema
2015-04-02T11:27:12Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
    dm_password='', ldapi=True, live_run=self.live_run) or self.modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
    fqdn=installutils.get_fqdn())
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
    raise e
error: [Errno 111] Connection refused

2015-04-02T11:27:12Z DEBUG [error] error: [Errno 111] Connection refused
2015-04-02T11:27:12Z DEBUG [cleanup]: stopping directory server

...
Is this another upgrade? Or why is here this  time gap?

2015-04-02T12:46:11Z DEBUG stderr=
2015-04-02T12:46:12Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 213, in run
    modified = ld.update(self.files, ordered=True) or modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 874, in update updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 123, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 146, in run
    return self.Updater[method](**kw)
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1399, in __call__
    return self.execute(**options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py", line 76, in execute
    ldap.add_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
    self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1191, in error_handler
    raise errors.ObjectclassViolation(info=info)

2015-04-02T12:46:12Z DEBUG The ipa-ldap-updater command failed, exception: ObjectclassViolation: unknown object class "ipaKeyPolicy" 2015-04-02T12:46:12Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
ObjectclassViolation: unknown object class "ipaKeyPolicy"

and:
grep -i nsSchemaPolicy /etc/dirsrv/slapd-HSO/schema/01core389.ldif

objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )

grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
You have objectclass there, it should not be bz1180325.
But send the errors from DS log if there are any.


Greetz
Christoph Kaminski




Von: Martin Basti <mba...@redhat.com>
An: Christoph Kaminski <christoph.kamin...@biotronik.com>, freeipa-users@redhat.com
Datum: 02.04.2015 17:25
Betreff: Re: [Freeipa-users] Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)
------------------------------------------------------------------------



On 02/04/15 16:57, Christoph Kaminski wrote:
Hi all!

We have 6 IPA Servers here connected to each other. We want to upgrade all from RHEL 7 with IPA 3.3.3 to RHEL 7.1with IPA 4.1.

I have done it one of the 6 servers and got a problem.

After upgrade if I want to login to Web UI I get: "*IPA-Error 903: InternalError*" after typing the credentials... I have activated debug output of IPA and see this in /var/log/httpd/error_log:

[Thu Apr 02 14:39:38.848474 2015] [:error] [pid 18020] ipa: ERROR: non-public: KeyError: 'idnsforwardzone' [Thu Apr 02 14:39:38.848536 2015] [:error] [pid 18020] Traceback (most recent call last): [Thu Apr 02 14:39:38.848600 2015] [:error] [pid 18020] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute [Thu Apr 02 14:39:38.848607 2015] [:error] [pid 18020] result = self.Command[name](*args, **options) [Thu Apr 02 14:39:38.848612 2015] [:error] [pid 18020] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ [Thu Apr 02 14:39:38.848671 2015] [:error] [pid 18020] ret = self.run(*args, **options) [Thu Apr 02 14:39:38.848701 2015] [:error] [pid 18020] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run [Thu Apr 02 14:39:38.848707 2015] [:error] [pid 18020] return self.execute(*args, **options) [Thu Apr 02 14:39:38.848776 2015] [:error] [pid 18020] File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 123, in execute [Thu Apr 02 14:39:38.848783 2015] [:error] [pid 18020] (o.name, json_serialize(o)) for o in self.api.Object() [Thu Apr 02 14:39:38.848789 2015] [:error] [pid 18020] File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 123, in <genexpr> [Thu Apr 02 14:39:38.848794 2015] [:error] [pid 18020] (o.name, json_serialize(o)) for o in self.api.Object() [Thu Apr 02 14:39:38.848799 2015] [:error] [pid 18020] File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 60, in json_serialize [Thu Apr 02 14:39:38.848804 2015] [:error] [pid 18020] return json_serialize(obj.__json__()) [Thu Apr 02 14:39:38.848809 2015] [:error] [pid 18020] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 710, in __json__ [Thu Apr 02 14:39:38.848814 2015] [:error] [pid 18020] attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses) [Thu Apr 02 14:39:38.848820 2015] [:error] [pid 18020] File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 377, in attribute_types [Thu Apr 02 14:39:38.848825 2015] [:error] [pid 18020] object_class = self.sed[ObjectClass][object_class_oid] [Thu Apr 02 14:39:38.848830 2015] [:error] [pid 18020] KeyError: 'idnsforwardzone'

I have found this bug report: _https://bugzilla.redhat.com/show_bug.cgi?id=1180325_
It should be fixed in the last version?!

I have read there I should start: setup-ds.pl -d --update

But Im afraid that it kills the date on the IPA Servers with version 3.3.3... does it?

What can I do? how can I fix it?

Greetz
Christoph Kaminski



Hello, was the ipa upgrade successful? Do you have any errors in /var/log/ipaupgrade.log?

If you think it is 1180325 issue you can check if nsSchemaPolicy is in 01core389.ldif:
grep -i nsSchemaPolicy /etc/dirsrv/slapd-INSTANCE/schema/01core389.ldif
grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif

Martin

--
Martin Basti




--
Martin Basti

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to