Univention Bugzilla – Bug 45996
heimdal LDAP schema krb5-kdc.schema out of date
Last modified: 2018-03-14 14:38:41 CET
-> kadmin -l init --realm-max-ticket-life=unlimited --realm-max-renewable-life=unlimited $kerberos_realm
kadmin: unexpected error while replaying: ldap_add_ext_s: krbtgt/FOUR.THREE@FOUR.THREE (DN=krb5PrincipalName=krbtgt/FOUR.THREE@FOUR.THREE,cn=kerberos,dc=four,dc=three) Undefined attribute type: krb5ExtendedAttributes: attribute type undefined
kadmin: create_random_entry(krbtgt/FOUR.THREE@FOUR.THREE): randkey failed: Incremental propagation log got corrupted
kadmin: unexpected error while replaying: ldap_add_ext_s: kadmin/changepw@FOUR.THREE (DN=krb5PrincipalName=kadmin/changepw@FOUR.THREE,cn=kerberos,dc=four,dc=three) Undefined attribute type: krb5ExtendedAttributes: attribute type undefined
kadmin: create_random_entry(kadmin/changepw@FOUR.THREE): randkey failed: Incremental propagation log got corrupted
kadmin: unexpected error while replaying: ldap_add_ext_s: kadmin/admin@FOUR.THREE (DN=krb5PrincipalName=kadmin/admin@FOUR.THREE,cn=kerberos,dc=four,dc=three) Undefined attribute type: krb5ExtendedAttributes: attribute type undefined
kadmin: create_random_entry(kadmin/admin@FOUR.THREE): randkey failed: Incremental propagation log got corrupted
kadmin: unexpected error while replaying: ldap_add_ext_s: changepw/kerberos@FOUR.THREE (DN=krb5PrincipalName=changepw/kerberos@FOUR.THREE,cn=kerberos,dc=four,dc=three) Undefined attribute type: krb5ExtendedAttributes: attribute type undefined
kadmin: create_random_entry(changepw/kerberos@FOUR.THREE): randkey failed: Incremental propagation log got corrupted
kadmin: unexpected error while replaying: ldap_add_ext_s: kadmin/hprop@FOUR.THREE (DN=krb5PrincipalName=kadmin/hprop@FOUR.THREE,cn=kerberos,dc=four,dc=three) Undefined attribute type: krb5ExtendedAttributes: attribute type undefined
kadmin: create_random_entry(kadmin/hprop@FOUR.THREE): randkey failed: Incremental propagation log got corrupted
kadmin: unexpected error while replaying: ldap_add_ext_s: WELLKNOWN/ANONYMOUS@FOUR.THREE (DN=krb5PrincipalName=WELLKNOWN/ANONYMOUS@FOUR.THREE,cn=kerberos,dc=four,dc=three) Undefined attribute type: krb5ExtendedAttributes: attribute type undefined
kadmin: create_random_entry(WELLKNOWN/ANONYMOUS@FOUR.THREE): randkey failed: Incremental propagation log got corrupted
kadmin: unexpected error while replaying: ldap_add_ext_s: WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L (DN=krb5PrincipalName=WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L,cn=kerberos,dc=four,dc=three) Undefined attribute type: krb5ExtendedAttributes: attribute type undefined
kadmin: create_random_entry(WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L): randkey failed: Incremental propagation log got corrupted
kadmin: unexpected error while replaying: ldap_add_ext_s: default@FOUR.THREE (DN=krb5PrincipalName=default@FOUR.THREE,cn=kerberos,dc=four,dc=three) Undefined attribute type: krb5ExtendedAttributes: attribute type undefined
kadmin: kadm5_create_principal: Incremental propagation log got corrupted

It seems that krb5ExtendedAttributes is missing in our Kerberos schema; we should update the schema according to https://github.com/heimdal/heimdal/blob/master/lib/hdb/hdb.schema
I've merged the updated schema file from Heimdal 7.1: commit 2293f49988

Package: univention-heimdal
Version: 11.0.1-2A~4.3.0.201801091617
Branch: ucs_4.3-0

We'll have to check if we need to either rebuild the equality index or revert this change in the schema:

@@ -39,9 +42,9 @@ attributetype ( 1.3.6.1.4.1.5322.10.1.1 NAME 'krb5PrincipalName' DESC 'The unparsed Kerberos principal name' - EQUALITY octetStringMatch + EQUALITY caseExactIA5Match SINGLE-VALUE - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
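Review bot: the SYNTAX change from 1.3.6.1.4.1.1466.115.121.1.40 (Octet String) to 1.3.6.1.4.1.1466.115.121.1.26 (IA5 String) in this hunk does more than swap the matching rule: IA5String admits only ASCII, so any existing krb5PrincipalName value containing non-ASCII characters stops being a valid value of the attribute, and replacing EQUALITY octetStringMatch with caseExactIA5Match invalidates the equality index every server already holds for krb5PrincipalName. Either keep the Octet String syntax and octetStringMatch, or pair the schema change with a mandatory reindex in the update and state the ASCII restriction explicitly in the changelog.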
Please build the package and add a slapindex to the updater's postup (necessary after the syntax change for krb5PrincipalName). The slapindex in the postup should be skipped if update43/skip/krb5PrincipalNameindex is true.
I've adjusted the ldap_setup_index script in univention-ldap and the postup.sh to run:

/usr/share/univention-ldap/ldap_setup_index --reindex krb5PrincipalName

unless the UCR variable update43/skip/ldap/reindex is set to true before the update. commit 85d206315733394f87d399704081019c585bf3f5.

Package: univention-ldap
Version: 14.0.2-2A~4.3.0.201801091917
Branch: ucs_4.3-0

Package: univention-updater
Version: 13.0.0-11A~4.3.0.201801091920
Branch: ucs_4.3-0
https://git.knut.univention.de/univention/ucs/commit/614da4dc3b1d26b7883bc36af568c71fe0348b5c Fixed syntax error in postup.sh (Bug #45996)
During the 4.3 update:

Stopping slapd (via systemctl): slapd.service.
Traceback (most recent call last):
  File "/usr/share/univention-ldap/ldap_setup_index", line 396, in <module>
    LdapIndex().main()
  File "/usr/share/univention-ldap/ldap_setup_index", line 53, in main
    self.modify_index()
  File "/usr/share/univention-ldap/ldap_setup_index", line 165, in modify_index
    self.changed_attrs |= added ^ removed
UnboundLocalError: local variable 'added' referenced before assignment
Sorry, fixed in:

Package: univention-ldap
Version: 14.0.2-5A~4.3.0.201801101640
Branch: ucs_4.3-0

root@master10:~# /usr/share/univention-ldap/ldap_setup_index --reindex krb5PrincipalName -vv
INFO:__main__:Applying {}...
INFO:__main__:Generating indexes...
INFO:__main__:Re-indexing krb5PrincipalName
WARNING! Check file permissions!
599f1211 OVER: Loading Translog Overlay
599f1211 OVER: db_init
599f1211 OVER: Configuring Translog Overlay
599f1211 OVER: Configured Translog Overlay to use file "/var/lib/univention-ldap/listener/listener"
599f1212 OVER: db_close
599f1212 OVER: db_destroy
I also fixed the "slapd not restarted" issue you reported.

Package: univention-updater
Version: 13.0.1-2A~4.3.0.201801101838
Branch: ucs_4.3-0
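The two checks this thread turns on, as an added shell example that is not code from the bug report or from the UCS packages: first, verifying against the live subschema that an attribute such as krb5ExtendedAttributes is actually defined after the schema update (the first comment's failure mode), and second, the postup procedure from the comments above, re-indexing krb5PrincipalName unless the UCR skip variable is true and making sure slapd comes back even when the re-index fails (the "slapd not restarted" problem fixed just above). It assumes `ucr get` and `systemctl stop/start slapd` are available, assumes the UCS convention that yes/true/1/on/enable/enabled count as true, and the subschema text is a constructed sample, not a dump from a real server; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or the UCS packages.
# Part 1: check the live subschema for an attribute definition.
# Part 2: a guarded re-index for an upgrade postup that honours a UCR
#         skip variable and restarts slapd even when the re-index fails.

# Join LDIF continuation lines (a leading space continues the previous
# line) so that a wrapped attributeTypes definition becomes one line.
ldif_unwrap() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# Usage: ldapsearch -x -b cn=Subschema -s base '(objectClass=subschema)' attributeTypes \
#          | schema_has_attr krb5ExtendedAttributes
# Succeeds when an attributeType with NAME 'attr' (single or list form) exists.
schema_has_attr() {
    attr="$1"
    ldif_unwrap | grep -E "^attributeTypes: \( [0-9.]+ NAME +[(]? *'${attr}'" >/dev/null
}

# Constructed subschema excerpt for offline use. Only the krb5PrincipalName
# definition is taken from hdb.schema; the second attribute and its OID are
# made up, and the 76-column wrapping imitates ldapsearch output.
sample_subschema() {
    cat <<'EOF'
dn: cn=Subschema
objectClass: subschema
attributeTypes: ( 1.3.6.1.4.1.5322.10.1.1 NAME 'krb5PrincipalName' DESC 'The unpa
 rsed Kerberos principal name' EQUALITY octetStringMatch SINGLE-VALUE SYNTAX 1.3.
 6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttribute' EQUALITY integerM
 atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
EOF
}

# The real commands live in small functions so a dry run or a test can
# replace them without touching the directory.
ucr_get()     { ucr get "$1"; }
stop_slapd()  { systemctl stop slapd; }
start_slapd() { systemctl start slapd; }
run_reindex() { /usr/share/univention-ldap/ldap_setup_index --reindex "$1"; }

# Assumed UCS convention: yes/true/1/on/enable/enabled (any case) mean true.
ucr_is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1|on|enable|enabled) return 0 ;;
        *) return 1 ;;
    esac
}

# reindex_guarded ATTR SKIPVAR
# Skips when SKIPVAR is true. Otherwise stops slapd, re-indexes ATTR and
# starts slapd again whether or not the re-index succeeded; the re-index
# exit status is still returned so the postup sees the failure.
reindex_guarded() {
    local attr="$1" skipvar="$2" rc=0
    if ucr_is_true "$(ucr_get "$skipvar")"; then
        echo "skipping re-index of $attr: $skipvar is true" >&2
        return 0
    fi
    stop_slapd || return 1
    run_reindex "$attr" || rc=$?
    start_slapd || { echo "slapd did not start again" >&2; rc=1; }
    return "$rc"
}

# Stand-alone demonstration against the constructed sample (no server needed).
if sample_subschema | schema_has_attr krb5ExtendedAttributes; then
    echo "krb5ExtendedAttributes: present"
else
    echo "krb5ExtendedAttributes: MISSING, krb5-kdc.schema needs the Heimdal update"
fi
```

Point `schema_has_attr` at a real `ldapsearch -x -b cn=Subschema -s base '(objectClass=subschema)' attributeTypes` to confirm the schema actually loaded; the unwrap step matters because ldapsearch folds long definitions across lines. In a postup, `reindex_guarded krb5PrincipalName update43/skip/ldap/reindex` is the call; the trap-free `||` structure is deliberate so that a failing ldap_setup_index (as in the traceback above) still leads to slapd being started again.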
It seems that we intentionally changed the krb5PrincipalName syntax:

http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-0/job/AutotestJoin/SambaVersion=s3,Systemrolle=master/lastCompletedBuild/testReport/60_umc/07_expired_password/test/

so please revert that change, and the postup change.
OK, right, let's keep it that way to not break UTF-8 umlauts: https://www.redhat.com/archives/freeipa-devel/2009-July/msg00095.html

Package: univention-updater
Version: 13.0.1-3A~4.3.0.201801111156
Branch: ucs_4.3-0

Package: univention-ldap
Version: 14.0.2-6A~4.3.0.201801111210
Branch: ucs_4.3-0
OK - schema
OK - revert
OK - changelog
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".