On 04/08/2015 12:12 PM, Alexander Frolushkin wrote:
>
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, April 08, 2015 4:04 PM
> To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>
> On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
>>> Hello!
>>> We used to have a geo-replicated IPA with RHEL 7.0, and on one site the ipa
>>> servers were upgraded by mistake to RHEL 7.1
>>> (ipa-server-4.1.0-18.el7_1.3.x86_64).
>>> Now it is broken globally, in logs I see these:
>>>
>>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys
>>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary.
>>>
>>> What can I do to fix this catastrophe, or is it fatal?
>>> As it seems from the client servers, hbac is not working at all, maybe
>>> all other things as well :(
>>>
>>> With best regards,
>>> Alexander Frolushkin
>
>> AFAIK, this particular error message should not be fatal to the function and
>> the new ACI should just be ignored. Maybe the new schema did not replicate
>> properly. Do you see other DS errors? (CCing DS guys)
>
>> Non-working HBAC is also strange, SSSD developers will want logs to analyze,
>> see https://fedorahosted.org/sssd/wiki/Troubleshooting
>
>> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have
>> recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
>
> Please note, we currently have three servers with IPA 4.1.0, and 13 servers
> with IPA 3.3.3 working simultaneously.
> Also about hbac:
>
> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]

CCing Jakub, but this looks like https://bugzilla.redhat.com/show_bug.cgi?id=1135433 that is fixed in sssd-1.12.1-1.el7.
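
The two symptoms quoted in this thread can be separated mechanically when triaging a mixed-version deployment. The script below is an added example, not part of the original messages or of FreeIPA/SSSD: it scans log text for the directory server's missing-schema ACI errors and for SSSD HBAC parse errors whose DN has a multi-valued leftmost RDN. The function names and report layout are assumptions, and the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample: the three log lines quoted in the thread, unchanged
# (the first one is truncated in the thread as well).
SAMPLE = '''\
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary.
[hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]
'''

MISSING_ATTR = re.compile(
    r'__aclp__init_targetattr: targetattr "([^"]+)" does not exist in schema')
SSSD_PARSE = re.compile(
    r'\[hbac_eval_user_element\].*?Parse error on \[(.+)\]\s*$')

def first_rdn(dn):
    """Return the leftmost RDN, honouring backslash-escaped characters."""
    out, i = [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            out.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ',':
            break
        else:
            out.append(dn[i])
            i += 1
    return ''.join(out)

def rdn_attrs(rdn):
    """Attribute names of a possibly multi-valued RDN (split on unescaped '+')."""
    return [p.split('=', 1)[0].strip().lower()
            for p in re.split(r'(?<!\\)\+', rdn)]

def triage(text):
    """Collect missing schema attributes and DNs with a multi-valued first RDN."""
    report = {'missing_schema_attrs': set(), 'multi_valued_rdn_dns': []}
    for line in text.splitlines():
        m = MISSING_ATTR.search(line)
        if m:
            report['missing_schema_attrs'].add(m.group(1))
            continue
        m = SSSD_PARSE.search(line)
        # cn=...+nsuniqueid=... is the naming 389 Directory Server gives
        # replication conflict entries.
        if m and len(rdn_attrs(first_rdn(m.group(1)))) > 1:
            report['multi_valued_rdn_dns'].append(m.group(1))
    return report
```

Calling `triage()` on the errors log of each replica and on the SSSD domain log of an affected client shows which servers still lack the new schema and which entries SSSD cannot parse.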