Re: [Freeipa-users] Upgrade failed -- how to recover?

[Rob Crittenden]

Bret Wortman wrote:
Rob, I got past this, as you indicated, by doing that after first running:
# ipa-ldap-updater --ldapi ./schema.update

Using a schema.update tip file I found in a note from you after some
hard core googling. Should that extra step have been necessary?

No, it shouldn't be necessary. Can look in /var/log/ipaupgrade.log 
(likely humongous) for the original failure and post that section of the 
log?

Updating schema is hard. We are actually completely revamping the way we 
handle schema changes between version which should be a lot more stable.

rob



_
_
*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret


On Tue, Aug 13, 2013 at 3:39 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:

    Bret Wortman wrote:

        I tried this, but no joy:

        # /usr/sbin/ipa-upgradeconfig --debug
        :
        :
        DEBUG: caSignedLogCert.cfg
        <http://bl-1.com/click/load/__VWRaa1w-b0221U28CYQNlAT4-b0231
        <http://bl-1.com/click/load/VWRaa1w-b0221U28CYQNlAT4-b0231>__>
        profile

        validity range is 720
        INFO: [Certificate renewal should stop the CA]
        ERROR: Unable to find certmonger request ID for auditSigning Cert
        INFO: The ipa-upgradeconfig command was successful
        #


    Run getcert list and sift through the output and see if you have a
    request tracking for nickname auditSigningCert cert-pki-ca (or similar).

        But I still can't connect to http://ipamaster/ipa/ui/; I get a
        903 error
        every time, and /var/log/httpd/error_log shows, in part:

        [Tue Aug 13 13:07:20.786566 2013] [:error] [pid 5890] KeyError:
        'ipadnszone'
        [Tue Aug 13 13:07:20.786717 2013] [:error] [pid 5890] ipa: INFO:
        br...@foo.net <mailto:br...@foo.net> <mailto:br...@foo.net
        <mailto:br...@foo.net>>: json_metadata(None, None,

        object=u'all'): KeyError
        [Tue Aug 13 13:07:21.001525 2013] [:error] [pid 5890] ipa: INFO:
        br...@foo.net <mailto:br...@foo.net> <mailto:br...@foo.net
        <mailto:br...@foo.net>>: json_metadata(None, None,
        command=u'all'): SUCCESS

        DNS resolution, authentication and authorization all /appear/ to be
        working fine.


    The DNS schema was not updated properly. I'd run:

    # ipa-ldap-updater --upgrade

    rob



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users