On 04/08/2015 12:04 PM, Martin Kosek wrote:
On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
Hello!
We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers
was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
Now it is broken globally, in logs I see these:
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5):
(targetattr="ipaProtectedOperation;write_keys
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr
"ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes
"ipaProtectedOperation;write_keys" to schema if necessary.
What can I do to fix this catastrophe, or it is fatal?
As it seems from the client servers, hbac is not working at all, maybe all
other things as well :(
With best regards,
Alexander Frolushkin
AFAIK, this particular error message should not be fatal to the function and
new ACI should just be ignored.
yes, but I don't know if any IPA component would rely on access granted
by this aci.
Maybe the new schema did not replicate
is this message logged on all servers ?
properly. Do you see other DS errors? (CCing DS guys)
Non-working HBAC is also strange, SSSD developers will want logs to analyze,
see https://fedorahosted.org/sssd/wiki/Troubleshooting
In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a
recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project