>
> Attempted to upgrade from OES1SP2 to OES2SP1 today. There are 3
> servers in the tree (including this server I'm attempting to
> upgrade.) This is the first server in the tree that I'm upgrading to
> OES2SP1.
>
> ndsconfig update fails. Here are the only clues I'm getting:
>
> from /var/opt/novell/eDirectory/log/ndsd.log
>
> Mar 14 16:45:37 Successfully started Novell PKI Services
> Mar 14 16:45:37 SecurityInstall: Calling pkiInstallSetIdentity . . .
> Mar 14 16:45:37 SecurityInstall: Returned from pkiInstallSetIdentity.
> Mar 14 16:45:37 SecurityInstall: Calling pkiInstallsetCRLfile . . .
> Mar 14 16:45:37 SecurityInstall: Returned from pkiInstallsetCRLfile.
> Mar 14 16:45:37 SecurityInstall: Error from
> pkiInstallGetDistributionPointInfo (-601).
> Mar 14 16:45:37 SecurityInstall: Error from
> pkiInstallCreatePKIObjects (ccode = -634; retval = -7).
> Configuring Distribution Points for Certificate Revocation List:
> Mar 14 16:45:37 An error occurred while configuring product SAS.
> Error description no referrals.-634
> Mar 14 16:45:37 NDSIInstallDSProduct: Returning -634.
> Mar 14 16:45:37 DHModuleInit_dsi: Returning -634.
> Mar 14 16:45:37 Module dsi is not loaded
>
> Server fully patched.
>
> Was running eDirectory v8.7.3.7. I'm not sure if this is a certificate
> problem or not; it's not clear to me what the issue is.
Can you check if your CA is alive? Check the CA object in the security
container and see if it has a host server on the general page.
--
Cheers,
Edward
>
> I was incorrect, the CA is there and functional.
>
> I can only assume that the certificate is probably different than when
> it was initially installed. I shall treat it like it is expired, and
> try to reissue a new Server Certificate.
Let us know how you get on.
--
Cheers,
Edward
>
> Well, I did something dumb, and I deleted it. It didn't appear that
> the server had the same cert that it did when the CA was created.
> (right before I upgraded, I noticed that the server cert was expired
> (in Yast), so I created a new one like the docs said, and proceeded
> to upgrade).
>
> The tree only has 3 servers in it, and recreating all the certs would
> have taken 10 minutes. I figured, what the heck, end my pain and move
> on.
>
> However, after I deleted it, I can't create a new CA. When attempting
> to create an Organizational CA, I get a similar error (-634 - no
> referrals). "Please delete the Organizational Certificate Authority
> and try again".
>
> Well, that's what I just did. I'm stuck. The more I touch, the more
> I break.
>
> So now, why the heck won't it create a new CA?
Hmm....do you have SLP configured? That would be my first guess. 634
is generally that servers can't resolve each other.
--
Cheers,
Edward
Try this on all servers:
slptool findsrvs bindery.novell
Make sure 3 servers are displayed.
--
Cheers,
Edward
>
> Ran on each of them. Each of the 3 returns the same thing (the
> numbers on the end differ slightly, not sure what they mean).
>
> argon:/home/admin # slptool findsrvs bindery.novell
> service:bindery.novell:///argon,3300
> service:bindery.novell:///nickel,3045
>
> cobalt:/home/admin # slptool findsrvs bindery.novell
> service:bindery.novell:///argon,3570
> service:bindery.novell:///nickel,3360
>
> admin@nickel:~> slptool findsrvs bindery.novell
> service:bindery.novell:///argon,3540
> service:bindery.novell:///nickel,3330
>
> None of them see the upgraded machine 'cobalt', including itself
> (which I would expect since it's not behaving).
So did you configure the slp.conf on cobalt to point to the SLP DA?
--
Cheers,
Edward
>
> Yes, they're all explicitly pointing to the DA (argon).
>
> I did find something interesting:
>
> cobalt:/etc # slptool findsrvs service:service-agent
> service:directory-agent://192.168.7.234,65535
> service:service-agent://206.X.X.X,65535
> service:service-agent://192.168.7.233,65535
>
> Where 206.X.X.X is the IP address assigned to the external DMZ
> interface on cobalt. Cobalt has 2 interfaces, a DMZ and an internal.
> SLP seems to be broadcasting on the wrong interface.
>
> From the log:
> Listening on loopback...
> Listening on 192.168.7.235 ...
> Multicast socket on 192.168.7.235 ready
> SLPv1 Service Location General Multicast socket on 192.168.7.235 ready
> Unicast socket on 192.168.7.235 ready
> Broadcast socket for 255.255.255.255 ready
> Agent Interfaces = 192.168.7.235
> Agent URL = service:service-agent://206.X.X.X
> Startup complete entering main run loop ...
>
> That's just odd. I don't see any way to force SLP to use a particular
> interface. There is the net.slp.interfaces, but that doesn't seem to
> have any effect.
>
Check your nds.conf and see what ip addresses are being used in there.
--
Cheers,
Edward
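The two checks discussed in this thread (that every server in the tree shows up in `slptool findsrvs bindery.novell`, and that slpd advertises its agent URL on the address it actually listens on rather than on the DMZ interface) can be scripted against saved command output. The following POSIX sh is an added example written for this page; it is not code from the thread, from OpenSLP or from Novell tooling. The sample slptool output and slpd log excerpts are constructed to match the line formats quoted in the posts above, and 203.0.113.10 is a documentation-range placeholder standing in for the redacted 206.X.X.X external address.

```shell
#!/bin/sh
# Added example (not from the thread): two offline checks over saved SLP output.
# Assumes only the line formats printed by slptool and slpd as quoted above.

# Constructed sample of 'slptool findsrvs bindery.novell' as seen from one
# server: the upgraded server 'cobalt' has not (yet) registered itself.
SAMPLE_FINDSRVS='service:bindery.novell:///argon,3300
service:bindery.novell:///nickel,3045'

# Constructed slpd log excerpt where the advertised agent URL carries a
# different address than the one slpd listens on. 203.0.113.10 is a
# placeholder for the redacted external DMZ address from the thread.
SAMPLE_SLPD_LOG='Listening on loopback...
Listening on 192.168.7.235 ...
Multicast socket on 192.168.7.235 ready
Unicast socket on 192.168.7.235 ready
Agent Interfaces = 192.168.7.235
Agent URL = service:service-agent://203.0.113.10
Startup complete entering main run loop ...'

# Same excerpt with a consistent agent URL, for comparison (constructed).
GOOD_SLPD_LOG='Listening on 192.168.7.235 ...
Agent Interfaces = 192.168.7.235
Agent URL = service:service-agent://192.168.7.235
Startup complete entering main run loop ...'

# slp_registered_hosts: read findsrvs output on stdin and print the host part
# of each bindery.novell service URL (the text between '///' and the lifetime).
slp_registered_hosts() {
    sed -n 's#^service:bindery\.novell:///\([^,]*\),.*$#\1#p'
}

# slp_missing_servers HOST...: read findsrvs output on stdin and print, on one
# line, every expected host that is not registered (an empty line if all are).
slp_missing_servers() {
    seen=$(slp_registered_hosts)
    missing=""
    for host in "$@"; do
        if ! printf '%s\n' "$seen" | grep -qxF "$host"; then
            missing="$missing $host"
        fi
    done
    printf '%s\n' "${missing# }"
}

# slp_agent_url_mismatch: read an slpd log on stdin. Exit 0 and print nothing
# when the 'Agent URL' host is one of the 'Agent Interfaces'; exit 1 and print
# the advertised host when it is not (the DMZ-interface case from the thread);
# exit 2 when the log contains no Agent URL line at all.
slp_agent_url_mismatch() {
    log=$(cat)
    ifaces=$(printf '%s\n' "$log" | sed -n 's/^Agent Interfaces = //p' | tr ',' '\n')
    adv=$(printf '%s\n' "$log" | sed -n 's#^Agent URL = service:service-agent://\([^/,]*\).*$#\1#p')
    [ -n "$adv" ] || return 2
    if printf '%s\n' "$ifaces" | grep -qxF "$adv"; then
        return 0
    fi
    printf '%s\n' "$adv"
    return 1
}

# Stand-alone demonstration on the constructed samples.
missing=$(printf '%s\n' "$SAMPLE_FINDSRVS" | slp_missing_servers argon cobalt nickel)
echo "not registered in SLP: ${missing:-none}"
if adv=$(printf '%s\n' "$SAMPLE_SLPD_LOG" | slp_agent_url_mismatch); then
    echo "agent URL matches a listening interface"
else
    echo "agent URL advertises $adv, which slpd is not listening on"
fi
```

In practice you would feed the functions real output (`slptool findsrvs bindery.novell | slp_missing_servers argon cobalt nickel` on each server, and the slpd log file into `slp_agent_url_mismatch`); a non-empty result from either is the condition the thread is chasing, since a server that is absent from SLP or advertising an address its peers cannot reach will not be resolvable by the other replicas.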
>
> I just hadn't waited long enough - they're all there
>
> cobalt:/etc/opt/novell/eDirectory/conf # slptool findsrvs
> service:bindery.novell
> service:bindery.novell:///cobalt,1635
> service:bindery.novell:///nickel,3195
> service:bindery.novell:///argon,3525
>
> Checked nds.conf, nothing in there looks out of the ordinary.
>
> Reran ndsconfig, and tried recreating the CA. Still get error -634 for
> both operations.
>
> Mar 17 15:25:23 Successfully started Novell PKI Services
> Mar 17 15:25:23 SecurityInstall: Calling pkiInstallSetIdentity . . .
> Mar 17 15:25:23 SecurityInstall: Returned from pkiInstallSetIdentity.
> Mar 17 15:25:23 SecurityInstall: Calling pkiInstallsetCRLfile . . .
> Mar 17 15:25:23 SecurityInstall: Returned from pkiInstallsetCRLfile.
> Mar 17 15:25:23 SecurityInstall: Error from
> pkiInstallGetDistributionPointInfo (-601).
> Mar 17 15:25:23 SecurityInstall: Error from
> pkiInstallCreatePKIObjects (ccode = -634; retval = -7).
> Configuring Distribution Points for Certificate Revocation List:
> Mar 17 15:25:23 An error occurred while configuring product SAS.
> Error description no referrals.-634
> Mar 17 15:25:23 NDSIInstallDSProduct: Returning -634.
> Mar 17 15:25:23 DHModuleInit_dsi: Returning -634.
> Mar 17 15:25:23 Module dsi is not loaded
Hmm...I'm a little bit clueless on this one. Which options in dstrace
do you have enabled?
--
Cheers,
Edward
> ndsconfig upgrade doesn't seem to really start over. I'm at a loss
> (sleep included).
Maybe time to open an SR?
--
Cheers,
Edward
> .[Root]. This
> was separate from the real tree (I'll call it MYTREE).
FYI: There /always/ is a partition called [Root]. This is the initial
partition.
--
Peter
eDirectory Rules!
http://www.DreamLAN.com
> On the server that did know about .[Root]., I looked at the replica
> ring. Lo and behold, it had no Master. This server was just a
> read/write replica.
You were running okay with no master of Root? Wow.
> I feel 95% confident that I
> can move on. Now, to figure out if I can delete that partition
> safely....
Nope - you MUST have a Root partition.
H.
> Why did/do the others not see it then?
You must have a Root partition, but not every server has to have a
replica of it. I'd guess that the other servers that did have replicas
of Root have been removed from the tree.
H.
> Since it had no master, my theory is that when I did the upgrade, and
> went to configure NDS, it was checking with all the partitions it knew
> about.....[Root].....what is this?....can't find anything....BARF ->
> -634 (no referrals)
Glad you fixed it :) Well done!
--
Cheers,
Edward