*sigh* Feel like I am going around in circles "ipa-ldap-updater --upgrade" failed with: "Upgrade failed with attribute "allowWeakCipher" not allowed"
I am running 1.3.3 from mkosek-freeipa copr:

389-ds-base-libs-1.3.3.5-1.fc20.x86_64
389-ds-base-1.3.3.5-1.fc20.x86_64

yum info 389-ds-base
Loaded plugins: copr
Installed Packages
Name        : 389-ds-base
Arch        : x86_64
Version     : 1.3.3.5
Release     : 1.fc20
Size        : 5.2 M
Repo        : installed
From repo   : mkosek-freeipa
Summary     : 389 Directory Server (base)
URL         : http://port389.org/
License     : GPLv2 with exceptions
Description : 389 Directory Server is an LDAPv3 compliant server. The base package includes
            : the LDAP server and command line utilities for server administration.

-M

On 10/30/14, 1:44 AM, Martin Basti wrote:
> On 30/10/14 06:09, Michael Lasevich wrote:
>> Maybe I should not be doing this late at night, but I cannot find
>> "cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config " anywhere.
>>
>> -M
>
> IMO something bad happens during the ipa upgrade,
>
> can you remove
>
> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>
> entry, and run ipa-ldap-updater --upgrade, then reinstall DNS (rerun
> ipa-dns-install)
>
> Let me know if it works.
>
>>
>> On 10/29/14, 3:03 AM, Martin Basti wrote:
>>> On 28/10/14 20:54, Michael Lasevich wrote:
>>>> I have a pair of servers that were both installed on clean Fedora20
>>>> 4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1
>>>>
>>>> During update, secondary was done first and worked but primary run
>>>> into trouble as described
>>>>
>>>> Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
>>>> entry with dn:
>>>>
>>>> ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>>>
>>>>
>>>> Not sure what of that you need there, but for ipk11Label it has:
>>>> dnssec-replica:infra-dc-02.my.domain.com. (which is the replica
>>>> that IS working)
>>>>
>>>> Thanks,
>>>>
>>>> -M
>>>>
>>>> On 10/28/14, 3:21 AM, Martin Basti wrote:
>>>>> On 28/10/14 06:14, Michael Lasevich wrote:
>>>>>> Running into same thing, but running ipa-dnsinstall does not
>>>>>> complete:
>>>>>>
>>>>>> =============================
>>>>>> Configuring DNS (named)
>>>>>> [1/8]: generating rndc key file
>>>>>> WARNING: Your system is running out of entropy, you may experience long delays
>>>>>> [2/8]: setting up our own record
>>>>>> [3/8]: adding NS record to the zones
>>>>>> [4/8]: setting up CA record
>>>>>> [5/8]: setting up kerberos principal
>>>>>> [6/8]: setting up named.conf
>>>>>> [7/8]: configuring named to start on boot
>>>>>> [8/8]: changing resolv.conf to point to ourselves
>>>>>> Done configuring DNS (named).
>>>>>> Configuring DNS key synchronization service (ipa-dnskeysyncd)
>>>>>> [1/6]: checking status
>>>>>> [2/6]: setting up kerberos principal
>>>>>> [3/6]: setting up SoftHSM
>>>>>> [4/6]: adding DNSSEC containers
>>>>>> [5/6]: creating replica keys
>>>>>> [error] DuplicateEntry: This entry already exists
>>>>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>>>>> DuplicateEntry: This entry already exists
>>>>>> =============================
>>>>>>
>>>>>> Looking into the /var/log/ipaserver-install.log gets:
>>>>>> =============================
>>>>>> 2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP, ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
>>>>>>
>>>>>>
>>>>>> 2014-10-28T05:01:24Z DEBUG flushing ldap://infra-dc-01.my.domain.com:389 from SchemaCache
>>>>>> 2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache url=ldap://infra-dc-01.my.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x47d0d88>
>>>>>> 2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>>>     run_step(full_msg, method)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>>>     method()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys
>>>>>>     ldap.add_entry(entry)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
>>>>>>     self.conn.add_s(entry.dn, attrs.items())
>>>>>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>>>     self.gen.throw(type, value, traceback)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler
>>>>>>     raise errors.DuplicateEntry()
>>>>>> DuplicateEntry: This entry already exists
>>>>>>
>>>>>> 2014-10-28T05:01:24Z DEBUG [error] DuplicateEntry: This entry already exists
>>>>>> 2014-10-28T05:01:24Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>>>>>>     return_value = main_function()
>>>>>>   File "/sbin/ipa-dns-install", line 218, in main
>>>>>>     dnskeysyncd.create_instance(api.env.host, api.env.realm)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 128, in create_instance
>>>>>>     self.start_creation()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>>>     run_step(full_msg, method)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>>>     method()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys
>>>>>>     ldap.add_entry(entry)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
>>>>>>     self.conn.add_s(entry.dn, attrs.items())
>>>>>>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>>>>>>     self.gen.throw(type, value, traceback)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler
>>>>>>     raise errors.DuplicateEntry()
>>>>>> 2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed, exception: DuplicateEntry: This entry already exists
>>>>> Hello Michael,
>>>>>
>>>>> can you send me which entries do you have in
>>>>> cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com, it looks like directory
>>>>> server doesn't generate uniqueID for keys.
>>>>>
>>>>> Do you have upgraded IPA or fresh installed?
>>>>>
>>>>> Martin^2
>>>>>
>>> Can you send me content of cn=IPK11 Unique IDs,cn=IPA
>>> UUID,cn=plugins,cn=config entry? (If exists)
>>> It looks like DS doesn't generate unique IDs
>>>
>>> Martin^2
>>>
>>>
>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

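Added example (not part of the original thread and not FreeIPA code): the manual check discussed above, run over an LDIF dump of cn=keys,cn=sec,cn=dns. It flags entries whose ipk11UniqueId RDN is still the literal placeholder "autogenerate", the DN on which the thread's DuplicateEntry is raised. The sample LDIF, the second entry's ID and the function names are constructed for illustration.

```python
import base64

PLACEHOLDER = "autogenerate"  # literal value seen in the thread's failing DN

# Constructed sample: the stuck entry (DN and label from the thread) plus one
# entry with a made-up generated ID, folded the way ldapsearch folds long lines.
SAMPLE_LDIF = """\
dn: ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
ipk11Label: dnssec-replica:infra-dc-02.my.domain.com.

dn: ipk11UniqueId=00000000-0000-0000-0000-000000000001,cn=keys,cn=sec,cn=dns,
 dc=my,dc=domain,dc=com
ipk11Label: dnssec-replica:infra-dc-01.my.domain.com.
"""

def parse_ldif(text):
    """Yield each entry as {lowercased attribute: [values]}."""
    # LDIF folding: a line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def placeholder_entries(text, rdn_attr="ipk11UniqueId"):
    """Return (dn, labels) for entries whose leading RDN is still the placeholder."""
    hits = []
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        # Leading RDN only; escaped commas are not expected in this attribute.
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == rdn_attr.lower() and value.strip().lower() == PLACEHOLDER:
            hits.append((dn, entry.get("ipk11label", [])))
    return hits

if __name__ == "__main__":
    for dn, labels in placeholder_entries(SAMPLE_LDIF):
        print("placeholder entry:", dn, labels)
```

Any hit means a later add of the same placeholder DN will collide with the stored entry; the ipk11Label values show which replica's key is affected.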