Thank you!!! That was exactly it.

* Removed the "nsEncryptionConfig" entry from 99user.ldif
* Re-ran "ipa-ldap-update --upgrade"
* Then "ipa-dns-install" and things are looking much better - both servers are now back up and running.
What is the lesson here (besides "have good backups")? Should we be turning off ALL servers before upgrading to prevent replication? I did notice that the 99user entry made it to BOTH servers, which makes me think that replication is not exactly the culprit.

-M

On 10/31/14, 1:30 AM, Ludwig Krispenz wrote:
>
> On 10/30/2014 07:36 PM, Martin Basti wrote:
>> On 30/10/14 19:18, Michael Lasevich wrote:
>>> Makes sense. What is the solution here?
>>>
>>> I have the latest 389-ds installed but still getting the
>>> "allowWeakCipher" error - how do I get around that?
>>>
>>> -M
>>>
>> Sorry, I don't know; I CCed Ludwig, he is the DS guru.
> I already asked to verify the schema files:
> can you check your schema files for the definition of the
> nsEncryptionConfig objectclass? It should be only in 01core389.ldif
> and contain allowWeakCipher, but it could have been added also to
> 99user.ldif during replication when schema changes have been consolidated.
>
> And what is the latest ds version you are using: rpm -q 389-ds-base
>
>> Martin^2
>>
>>> On 10/30/14, 11:12 AM, Martin Basti wrote:
>>>> On 24/10/14 05:17, Michael Lasevich wrote:
>>>>> While upgrading from 4.0.1 to 4.1 on Fedora 20 I got the following on
>>>>> one of the two boxes:
>>>>>
>>>>> Upgrade failed with attribute "allowWeakCipher" not allowed
>>>>> IPA upgrade failed.
>>>>> Unexpected error
>>>>> DuplicateEntry: This entry already exists
>>>>>
>>>> The named errors are caused by a cascade effect: if the LDAP schema and entry
>>>> updates failed, the DS plugin which is responsible for keeping the
>>>> DNSSEC key DNs unique is misconfigured, which causes the duplication
>>>> errors. The DuplicateEntry exception is fatal, so the dnskeysyncd
>>>> installation will not continue, which means there are no appropriate
>>>> permissions for the token database, and named-pkcs11 can't read the tokens.
>>>>>
>>>>> It seems that ipa no longer starts up after this. The replica
>>>>> server seems to have had the same error, but it runs just fine.
>>>>>
>>>>> From digging around, it appears that there are a number of GSS
>>>>> errors in dirsrv and bind fails with something like:
>>>>>
>>>>> named-pkcs11[2212]: ObjectStore.cpp(74): Failed to open token
>>>>> e919db16-6329-406c-6ae4-120ad68508c4
>>>>> named-pkcs11[2212]: sha1.c:92: fatal error:
>>>>> named-pkcs11[2212]: RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
>>>>> isc_boolean_true, isc_boolean_false, isc_boolean_false, ((void
>>>>> *)0), 0) == 0) failed
>>>>>
>>>>> Any help would be appreciated
>>>>>
>>>>> -M
>>>>>
>>>>
>>>> --
>>>> Martin Basti
>>>
>>
>> --
>> Martin Basti
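The schema check Ludwig asks for and the fix Michael applied, as an added shell example that is not part of the thread: it audits a 389-ds schema directory for an objectClass defined in more than one LDIF file and confirms the 01core389.ldif definition still allows a given attribute. The sample schema directory, the OID and the attribute lists are constructed placeholders; on a real server you would point it at the instance's schema directory instead.

```shell
#!/bin/sh
# Added example (not from the thread): find an objectClass defined in more than one
# 389-ds schema file, e.g. a stale nsEncryptionConfig copy consolidated into 99user.ldif.

# Print the schema files under DIR that define objectClass OC, one per line.
files_defining_objectclass() {
    oc="$1"; dir="$2"
    grep -il "^objectClasses:.*NAME '$oc'" "$dir"/*.ldif 2>/dev/null || true
}

# Return 0 when OC is defined exactly once, in 01core389.ldif, and that definition
# lists attribute ATTR; otherwise print a diagnostic and return 1.
check_objectclass() {
    oc="$1"; attr="$2"; dir="$3"; expected="$dir/01core389.ldif"
    files=$(files_defining_objectclass "$oc" "$dir")
    count=$(printf '%s\n' "$files" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "PROBLEM: '$oc' is defined in $count schema files:"
        printf '  %s\n' $files
        echo "  keep the definition in $expected and remove the others"
        return 1
    fi
    if [ "$files" != "$expected" ]; then
        echo "PROBLEM: '$oc' is defined in $files, expected $expected"; return 1
    fi
    if ! grep -i "^objectClasses:.*NAME '$oc'" "$expected" | grep -qw "$attr"; then
        echo "PROBLEM: '$oc' in $expected does not allow attribute '$attr'"; return 1
    fi
    echo "OK: '$oc' is defined once, in $expected, and allows '$attr'"
}

# Constructed sample schema directory standing in for the server's schema directory;
# the OID and attribute lists are placeholders, not a real 389-ds definition.
SCHEMA_DIR=$(mktemp -d)
cat > "$SCHEMA_DIR/01core389.ldif" <<'EOF'
dn: cn=schema
objectClasses: ( 1.2.3.4.5.1 NAME 'nsEncryptionConfig' SUP top MAY ( cn $ nsSSL3Ciphers $ allowWeakCipher ) X-ORIGIN 'constructed' )
EOF
cat > "$SCHEMA_DIR/99user.ldif" <<'EOF'
dn: cn=schema
objectClasses: ( 1.2.3.4.5.1 NAME 'nsEncryptionConfig' SUP top MAY ( cn $ nsSSL3Ciphers ) X-ORIGIN 'user defined' )
EOF

# First pass reports the duplicate; then drop the stale copy from 99user.ldif
# (the fix applied in the thread) and check again.
check_objectclass nsEncryptionConfig allowWeakCipher "$SCHEMA_DIR" || true
grep -v "NAME 'nsEncryptionConfig'" "$SCHEMA_DIR/99user.ldif" > "$SCHEMA_DIR/99user.tmp" \
    && mv "$SCHEMA_DIR/99user.tmp" "$SCHEMA_DIR/99user.ldif"
check_objectclass nsEncryptionConfig allowWeakCipher "$SCHEMA_DIR"
```

After cleaning the schema file, the thread's next steps (ipa-ldap-update --upgrade, then ipa-dns-install) can be re-run against a directory server whose schema no longer carries the conflicting definition.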
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project