#5113 Upgrade to 4.2.0 fails when enabling kdc proxy
Closed: Fixed None Opened 8 years ago by abbra.

When upgrading to 4.2.0 with ipa-server-upgrade, things go wrong because kdc proxy upgrade script doesn't expect dirsrv will be down:

2015-07-10T09:56:36Z DEBUG   [7/8]: stopping directory server
2015-07-10T09:56:38Z DEBUG   [8/8]: restoring configuration
2015-07-10T09:56:38Z INFO [Verifying that root certificate is published]
2015-07-10T09:56:38Z INFO [Migrate CRL publish directory]
2015-07-10T09:56:38Z INFO [Verifying that KDC configuration is using ipa-kdb backend]
2015-07-10T09:56:38Z INFO [Enabling KDC Proxy]
2015-07-10T09:56:48Z DEBUG Could not connect to the Directory Server on XXXXX: [Errno 111] Connection refused
2015-07-10T09:56:48Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2015-07-10T09:56:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1577, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1406, in upgrade_configuration
    http.ldap_connect()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 147, in ldap_connect
    conn.do_bind(self.dm_password, autobind=self.autobind)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1631, in do_bind
    self.do_external_bind(pw_name, timeout=timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1621, in do_external_bind
    self.__bind_with_wait(self.external_bind, timeout, user_name)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1610, in __bind_with_wait
    self.__wait_for_connection(timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1593, in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
    raise e

2015-07-10T09:56:48Z DEBUG The ipa-server-upgrade command failed, exception: error: [Errno 111] Connection refused
2015-07-10T09:56:48Z ERROR [Errno 111] Connection refused
2015-07-10T09:57:57Z DEBUG Logging to /var/log/ipaupgrade.log

The bug is related to #3351. mbasti suggests that I make sure that dirsrv is running.

Just note: to reproduce this behavior, please shutdown the DS server before upgrade.

Actually, you don't need to shutdown -- just take 4.2.0-0.fc22 from mkosek/freeipa-4.2 COPR repo because it has issues with ipaVaultPublicKey definition and upgrades from 4.1.x will cause directory server to not start (99user.ldif will contain definitions for ipaVaultPublicKey and ipaPublicKey but in the wrong order and as order is not guaranteed, upgrade or start will always fail until you'd copy over 60basev3.ldif from /usr/share/ipa).

master:

  • c701ab6 Start dirsrv for kdcproxy upgrade

ipa-4-2:

  • d98aa76 Start dirsrv for kdcproxy upgrade

Metadata Update from @abbra:
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.2.1

7 years ago

Login to comment on this ticket.

Metadata