Re: [Freeipa-users] Problems with failed upgrade: groups are not created

Thu, 14 May 2015 01:49:00 -0700 

On 14/05/15 01:50, Will Sheldon wrote:


Hello everyone :)


We are seeing some strange behavior (created groups don't exist) and I 
really hope someone can lend some advice...



We installed v 3.0 some time ago, and tried an upgrade to 3.3 which 
was aborted before completion, however I believe the schema was updated.



Recently we attempted to upgrade to 4.1, but encountered some issues 
with the upgrade; replication failed :



from the install log (before schema update, so server was running 3.3 
schema):


=======================>
Done configuring ipa-otpd.
Applying LDAP updates

ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure 
attribute "cn" not allowed

=======================<



After that we tried updating the schema, and we now get this error (we 
have log file captures for this):


=======================>
[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 131 seconds elapsed
Update in progress yet not in progress


[vanipa.foo.com <http://vanipa.foo.com>] reports: Update failed! 
Status: [10 Total update abortedLDAP error: Referral]


  [error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
========================<

which seems to be referring to this bit of the log:
=======================>
2015-04-21T19:18:48Z DEBUG Traceback (most recent call last):

  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
382, in start_creation

    run_step(full_msg, method)
=======================<



Since then we have a somewhat strange issue where new groups that are 
added using the web interface and ipa CLI command interface are 
created in the compat tree, but not in the cn=hostgroups,cn=accounts 
tree, even though ADD operations appear to complete successfully 
(slapd log output below)


=======================>

[13/May/2015:23:13:58 +0000] conn=7120402 op=4 ADD 
dn="cn=p-test-100,cn=hostgroups,cn=accounts,dc=foo,dc=com"



[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 SRCH 
base="idnsName=net,idnsname=bar.net 
<http://bar.net>,cn=dns,dc=foo,dc=com" scope=0 
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660217 RESULT err=32 
tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 SRCH 
base="idnsName=bar.net <http://bar.net>,idnsname=bar.net 
<http://bar.net>,cn=dns,dc=foo,dc=com" scope=0 
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660218 RESULT err=32 
tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 SRCH 
base="idnsName=vanzbx.bar.net <http://vanzbx.bar.net>,idnsname=bar.net 
<http://bar.net>,cn=dns,dc=foo,dc=com" scope=0 
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660219 RESULT err=32 
tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 SRCH 
base="idnsName=net,idnsname=bar.net 
<http://bar.net>,cn=dns,dc=foo,dc=com" scope=0 
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660220 RESULT err=32 
tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 SRCH 
base="idnsName=bar.net <http://bar.net>,idnsname=bar.net 
<http://bar.net>,cn=dns,dc=foo,dc=com" scope=0 
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660221 RESULT err=32 
tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 SRCH 
base="idnsName=vanzbx.bar.net <http://vanzbx.bar.net>,idnsname=bar.net 
<http://bar.net>,cn=dns,dc=foo,dc=com" scope=0 
filter="(objectClass=idnsRecord)" attrs=ALL
[13/May/2015:23:13:58 +0000] conn=2616653 op=3660222 RESULT err=32 
tag=101 nentries=0 etime=0
[13/May/2015:23:13:58 +0000] conn=7120402 op=4 RESULT err=0 tag=105 
nentries=0 etime=0 csn=5553e3f8000100040000

=======================<


Which is consistent with the slapd log during the upgrade:


[21/Apr/2015:19:18:43 +0000] NSACLPlugin - The ACL target 
cn=hr,cn=groups,cn=accounts,dc=foo,dc=com does not exist


--

Kind regards,

Will Sheldon




Hello,

can you find in ipaserver-install.log more details about this error?

ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR    Add failure 
attribute "cn" not allowed


Martin


--
Martin Basti


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to