Steps to reproduce:
# dnf install -y freeipa-{server,client,admintools,python}
# ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.TEST -U
build current master (4.2.90.tshash)
# dnf upgrade ./freeipa-{server,client,admintools,python}-4.2.90.tshash
Output:
Upgrading : freeipa-python-4.2.90.201512080712GITcac756b-0.fc23.x86_64 1/8
Upgrading : freeipa-client-4.2.90.201512080712GITcac756b-0.fc23.x86_64 2/8
Could not load host key: /etc/ssh/ssh_host_dsa_key
Upgrading : freeipa-admintools-4.2.90.201512080712GITcac756b-0.fc23.x86_64 3/8
Upgrading : freeipa-server-4.2.90.201512080712GITcac756b-0.fc23.x86_64 4/8
Cleanup : freeipa-server-4.2.3-1.1.fc23.x86_64 5/8
Cleanup : freeipa-admintools-4.2.3-1.1.fc23.x86_64 6/8
Cleanup : freeipa-client-4.2.3-1.1.fc23.x86_64 7/8
Cleanup : freeipa-python-4.2.3-1.1.fc23.x86_64 8/8
Add failure missing required attribute "objectclass"
Verifying : freeipa-admintools-4.2.90.201512080712GITcac756b-0.fc23.x86_64 1/8
Verifying : freeipa-client-4.2.90.201512080712GITcac756b-0.fc23.x86_64 2/8
Verifying : freeipa-python-4.2.90.201512080712GITcac756b-0.fc23.x86_64 3/8
Verifying : freeipa-server-4.2.90.201512080712GITcac756b-0.fc23.x86_64 4/8
Verifying : freeipa-server-4.2.3-1.1.fc23.x86_64 5/8
Verifying : freeipa-admintools-4.2.3-1.1.fc23.x86_64 6/8
Verifying : freeipa-client-4.2.3-1.1.fc23.x86_64 7/8
Verifying : freeipa-python-4.2.3-1.1.fc23.x86_64 8/8
Relevant part of log:
2015-12-08T07:52:16Z DEBUG New entry: cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG ---------------------------------------------
2015-12-08T07:52:16Z DEBUG Initial value
2015-12-08T07:52:16Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG add: '(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)' to aci, current value []
2015-12-08T07:52:16Z DEBUG add: updated value ['(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)']
2015-12-08T07:52:16Z DEBUG add: '(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)' to aci, current value ['(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)']
2015-12-08T07:52:16Z DEBUG add: updated value ['(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)', '(target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)']
2015-12-08T07:52:16Z DEBUG ---------------------------------------------
2015-12-08T07:52:16Z DEBUG Final value after applying updates
2015-12-08T07:52:16Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=test
2015-12-08T07:52:16Z DEBUG aci:
2015-12-08T07:52:16Z DEBUG (target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)
2015-12-08T07:52:16Z DEBUG (target = "ldap:///cn=*/($dn),cn=custodia,cn=ipa,cn=etc,dc=example,dc=test")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test" and userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,dc=example,dc=test";)
2015-12-08T07:52:16Z ERROR Add failure missing required attribute "objectclass"
2015-12-08T07:52:16Z DEBUG Parsing update file '/usr/share/ipa/updates/20-dna.update'
2015-12-08T07:52:16Z DEBUG Updating existing entry: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2015-12-08T07:52:16Z DEBUG ---------------------------------------------
Starting review
I can see the relevance of the issue in the ticket; however, I have so far been unable to reproduce it during upgrade from IPA 4.2.3-1.
I was able to reproduce the issue every time and the patch fixes it for me.
master:
Metadata Update from @dkupka: - Issue assigned to mbabinsk - Issue set to the milestone: FreeIPA 4.3