Hello again,

I jumped too early.

# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update

didn't work, but "ipa-ldap-updater" fixes the problem for me.

Rob

2014-10-29 16:55 GMT+01:00 Martin Basti <[email protected]>:

> On 29/10/14 16:46, Rob Verduijn wrote:
>
> Hello,
>
> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
> fixes the problem.
>
> I can resolve my internal dns zones again :-)
>
> Many thanks.
>
> Since this problem happened every time I tried to update the freeipa server,
> I could re-run the update with some debug options if you like so you can
> pinpoint what goes wrong with the update script if you like.
>
> Rob
>
>
> We know where the problem is, and we thought we fixed it, but obviously
> some parts of the problem persist.
>
> Thank you for your patience :-)
>
>
> 2014-10-29 16:13 GMT+01:00 Martin Basti <[email protected]>:
>
>> On 29/10/14 15:56, Martin Basti wrote:
>>
>> On 29/10/14 15:46, Rob Verduijn wrote:
>>
>> You're right, duh, I should read more carefully and not try to do too
>> many things at once.
>>
>> When using the dns principal and keytab the entries are not found.
>>
>> How do I fix the access control instructions?
>> I can revert back easily and try a different approach for the upgrade if
>> you know one.
>> (I really started to appreciate snapshots with this upgrade :-)
>>
>> Rob
>>
>>
>> Please try first this:
>>
>> # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif
>>
>> It should repair privileges.
>>
>> Sorry, I wrote you the wrong file:
>> # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
>>
>>
>> 2014-10-29 14:50 GMT+01:00 Petr Spacek <[email protected]>:
>>
>>> On 29.10.2014 14:32, Rob Verduijn wrote:
>>>
>>>> I've checked and I see a lot of objects representing my dns entries.
>>>> Still I get no answers if I try to resolve any of them :(
>>>>
>>>
>>> Are you running ldapsearch with *exactly* the same credentials as you have
>>> in /etc/named.conf?
>>>
>>> Could you post the dynamic-db section from your named.conf?
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>> Rob
>>>>
>>>> 2014-10-29 13:28 GMT+01:00 Petr Spacek <[email protected]>:
>>>>
>>>>> On 28.10.2014 18:42, Rob Verduijn wrote:
>>>>>
>>>>>> before the update it's 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
>>>>>> after the update it's 6.0-5.fc20.x86_64.rpm from copr repo
>>>>>>
>>>>>> Regards
>>>>>> Rob
>>>>>>
>>>>>>
>>>>>> 2014-10-28 17:58 GMT+01:00 Martin Basti <[email protected]>:
>>>>>>
>>>>>> On 28/10/14 16:10, Rob Verduijn wrote:
>>>>>>
>>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I've been digging into my problem of being unable to update from 3.3.5
>>>>>>> to 4.1
>>>>>>>
>>>>>>> First I add the repo from copr
>>>>>>>
>>>>>>> Then I used to update it by issuing 'yum update', which resulted in an
>>>>>>> update in which my local dns zone entries no longer resolved.
>>>>>>>
>>>>>>> So I tried the instructions mentioned on the site:
>>>>>>> yum update freeipa-server
>>>>>>> And this failed with a conflict in
>>>>>>>
>>>>>>> bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
>>>>>>> bind-utils-32:9.9.4-15.P2.fc20.x86_64
>>>>>>>
>>>>>>> I noticed the new bind comes from the copr repo and the old bind utils
>>>>>>> from fedora.
>>>>>>>
>>>>>>> So I first ran 'yum update bind-utils -y'
>>>>>>> Then I ran yum update freeipa-server
>>>>>>> and saw it fail with errors about softhsm
>>>>>>>
>>>>>>> I remembered reading about package errors with softhsm and installed
>>>>>>> the softhsm-devel package first.
>>>>>>>
>>>>>>> So revert back the freeipa kvm snapshot to 3.3.5 and try again:
>>>>>>> yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y
>>>>>>>
>>>>>>> However when restarting named-pkcs11 I can see in the system log that it
>>>>>>> has 0 zones loaded
>>>>>>>
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
>>>>>>> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
>>>>>>>
>>>>>>> It claims 0 zones loaded but I can see my forward and reverse zones in
>>>>>>> ipa
>>>>>>>
>>>>>>> what could cause it not to load the zones that I defined in ipa?
>>>>>>>
>>>>>>>
>>>>> This problem is usually caused by a broken IPA upgrade which destroys ACIs
>>>>> in LDAP which allow access to the DNS sub-tree.
>>>>>
>>>>> Please follow instructions on:
>>>>>
>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded
>>>>>
>>>>> ... and let us know if you are able to see idnsZone objects in LDAP or
>>>>> not.
>>>>>
>>>>
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>
>> --
>> Martin Basti
>>
>> --
>> Martin Basti
>>
>
> --
> Martin Basti
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
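The failure mode in this thread is silent: named-pkcs11 starts, reports "all zones loaded", and only the bind-dyndb-ldap summary line reveals that the LDAP instance contributed 0 zones because the credentials in named.conf can no longer read the DNS subtree. The following is an added example, not code from the thread or from the FreeIPA or bind-dyndb-ldap projects: a POSIX shell check that parses that summary line from journal output and compares the zone count against the number of zones the administrator expects. It assumes the journal line format shown in Rob's log excerpt; the `check_ldap_zones` function name, the exit-status convention, the `journalctl` invocation in the comment and the "healthy" and "degraded" sample lines are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA/bind-dyndb-ldap projects):
# detect the "0 zones from LDAP instance 'ipa' loaded" condition from the
# journal and distinguish it from a partial load failure.
#
# Assumed usage on a server (unit name and time window are illustrative):
#   journalctl -u named-pkcs11 --since "-10min" | check_ldap_zones - 3

# check_ldap_zones LOGTEXT EXPECTED_MIN
#   LOGTEXT      journal text, or "-" to read it from stdin
#   EXPECTED_MIN minimum number of zones the LDAP instance should define (default 1)
# Prints one status line. Exit status: 0 healthy, 1 no zones visible (the
# ACI/credential failure from the thread), 2 some zones failed to load,
# 3 no bind-dyndb-ldap summary line found in the input.
check_ldap_zones() {
    log=$1
    expected=${2:-1}
    if [ "$log" = "-" ]; then
        log=$(cat)
    fi
    # bind-dyndb-ldap writes one summary per instance; use the most recent one.
    summary=$(printf '%s\n' "$log" | grep 'zones from LDAP instance' | tail -n 1)
    if [ -z "$summary" ]; then
        echo "NO-SUMMARY: no 'zones from LDAP instance' line found"
        return 3
    fi
    instance=$(printf '%s\n' "$summary" | sed -n "s/.*LDAP instance '\([^']*\)'.*/\1/p")
    loaded=$(printf '%s\n' "$summary"   | sed -n 's/.*]: \([0-9][0-9]*\) zones from LDAP.*/\1/p')
    defined=$(printf '%s\n' "$summary"  | sed -n 's/.*(\([0-9][0-9]*\) zones defined.*/\1/p')
    failed=$(printf '%s\n' "$summary"   | sed -n 's/.*, \([0-9][0-9]*\) failed to load).*/\1/p')
    if [ "${failed:-0}" -gt 0 ]; then
        echo "DEGRADED: instance '$instance': $failed of ${defined:-?} zones failed to load"
        return 2
    fi
    if [ "${defined:-0}" -lt "$expected" ]; then
        echo "NO-ZONES: instance '$instance' defines ${defined:-0} zones, expected at least $expected; named cannot see the DNS subtree, verify the named.conf credentials and the ACIs with ldapsearch"
        return 1
    fi
    echo "OK: instance '$instance': $loaded of $defined zones loaded"
    return 0
}

# Constructed sample 1: the journal excerpt quoted in the thread, with the
# wrapped summary line reassembled.
SAMPLE_BROKEN=$(cat <<'EOF'
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
EOF
)

# Constructed sample 2: what a restart looks like once the ACIs are repaired
# (timestamps, pid and counts are made up for the example).
SAMPLE_HEALTHY=$(cat <<'EOF'
Oct 29 17:02:11 freeipa.x.x named-pkcs11[4110]: running
Oct 29 17:02:12 freeipa.x.x named-pkcs11[4110]: 3 zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
EOF
)

# Demo: the '||' keeps a non-zero status from aborting the script under set -e.
for sample in "$SAMPLE_BROKEN" "$SAMPLE_HEALTHY"; do
    check_ldap_zones "$sample" 3 || echo "  -> exit status $?"
done
```

The check is deliberately stricter than "did named start": a FreeIPA server that defines zones in LDAP should never report 0 defined zones after a restart, so that case is treated as a failure in its own right rather than folded into the generic "failed to load" count.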
