#5575 replica promotion from upgraded IPA master fails during initial replication
Closed: Fixed. Opened 5 years ago by mbabinsk.

When upgrading IPA from 4.2.3-2 to a git version from either ipa-4-3 or master and raising the domain level to 1, the replica promotion fails during initial replication setup with the following error:

INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metoreplica1.ipa.test,cn=replica,cn=dc\\3dipa\\2cdc\\3dtest,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}

{{{/var/log/ipareplica-install.log}}} contains the following traceback:

packages/ipaserver/install/server/replicainstall.py", line 1553, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1275, in promote
    promote=True, pkcs12_info=dirsrv_pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 120, in install_replica_ds
    promote=promote,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 398, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 413, in __setup_replica
    repl.setup_promote_replication(self.master_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1596, in setup_promote_replication
    ret = self.start_replication(r_conn, master=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 975, in start_replication
    conn.modify_s(dn, mod)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1647, in modify_s
    return self.conn.modify_s(dn, modlist)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 364, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)

2016-01-05T13:40:09Z DEBUG The ipa-replica-install command failed, exception: INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metoreplica1.ipa.test,cn=replica,cn=dc\\3dipa\\2cdc\\3dtest,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
2016-01-05T13:40:09Z ERROR {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metoreplica1.ipa.test,cn=replica,cn=dc\\3dipa\\2cdc\\3dtest,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
2016-01-05T13:40:09Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Steps to reproduce:

1.) install freeipa 4.2.3-2 master and upgrade it
2.) raise domain level to 1 in order to enable replica promotion
3.) install freeipa from current master/ipa-4-3 branch on replica
4.) run ipa-replica-install on replica

Expected outcome:

replica install finishes successfully

Actual outcome:

replica install fails on {{{[28/43]: setting up initial replication}}} step during DS configuration.


The issue is caused by the incorrect update of replication ACIs during upgrade introduced by commit 6ea868e. When a pre-4.3 IPA server is upgraded, the ACIs from {{{cn="$SUFFIX",cn=mapping tree,cn=config}}} and {{{cn=o\3Dipaca,cn=mapping tree,cn=config}}} are removed but never added back to the parent entry, as they are during a fresh install. Hence after the upgrade there are no ACIs that permit manipulating replication agreements during replica install.

master:

  • e7a4faa IPA upgrade: move replication ACIs to the mapping tree entry

ipa-4-3:

  • c1faf72 IPA upgrade: move replication ACIs to the mapping tree entry
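As an added example (not part of this ticket and not FreeIPA's own code), the following script is the post-upgrade check a practitioner would want for this failure: it parses ldapsearch LDIF output for the suffix mapping tree entry and reports which of the rights replica promotion exercises (add, write on nsds5BeginReplicaRefresh, delete) no ACI on that entry grants. Both LDIF samples are constructed; the ACI values in the "fresh install" sample are illustrative of the structure only and are not copied from IPA's replica ACI definitions, and the ldapsearch command in the comment is an assumption about how such output is obtained.

```python
"""Added check (not FreeIPA code): verify that a 389-ds mapping tree entry
still carries ACIs granting the rights replica promotion needs."""
import re
from typing import Dict, List, Optional

# Rights the replica installer exercises under the mapping tree entry, with the
# attribute targetattr must cover (None = entry-level right, no attribute check).
REQUIRED_RIGHTS = {"add": None, "write": "nsds5BeginReplicaRefresh", "delete": None}

ACI_ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.I)
ACI_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"?([^")]*)"?\s*\)', re.I)


def parse_ldif_entries(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse ldapsearch LDIF into {dn: {attr: [values]}}; folded lines are rejoined."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 continuation line
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[Dict[str, List[str]]] = None
    for line in lines:
        if not line.strip():
            current = None               # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def aci_grants(aci: str, right: str, attr: Optional[str]) -> bool:
    """True if the allow clause includes `right` (or 'all') and, when `attr`
    is given, the targetattr clause covers that attribute."""
    m = ACI_ALLOW.search(aci)
    if not m:
        return False
    rights = {r.strip().lower() for r in m.group(1).split(",")}
    if right not in rights and "all" not in rights:
        return False
    if attr is None:
        return True
    t = ACI_TARGETATTR.search(aci)
    if not t:
        return True                      # no targetattr clause: all attributes
    op, listed = t.groups()
    names = {a.strip().lower() for a in listed.split("||")}
    covered = "*" in names or attr.lower() in names
    return not covered if op == "!=" else covered


def missing_replication_rights(entries, dn: str) -> List[str]:
    """Required rights no aci on `dn` grants; all of them if the entry has none."""
    acis = entries.get(dn, {}).get("aci", [])
    return [right for right, attr in REQUIRED_RIGHTS.items()
            if not any(aci_grants(a, right, attr) for a in acis)]


# Assumed way to obtain the real input as Directory Manager:
#   ldapsearch -D 'cn=Directory Manager' -W -b "$DN" -s base aci
SUFFIX_MAPPING_TREE_DN = r"cn=dc\3dipa\2cdc\3dtest,cn=mapping tree,cn=config"

# Constructed sample: the entry after the faulty upgrade, replication ACIs gone.
UPGRADED_LDIF = r"""
dn: cn=dc\3dipa\2cdc\3dtest,cn=mapping tree,cn=config
cn: dc=ipa,dc=test
nsslapd-backend: userRoot
"""

# Constructed sample modelled on a fresh install; ACI text is illustrative
# (IPA-like shape, not IPA's actual definitions) and folded as ldapsearch folds it.
FRESH_LDIF = r"""
dn: cn=dc\3dipa\2cdc\3dtest,cn=mapping tree,cn=config
cn: dc=ipa,dc=test
nsslapd-backend: userRoot
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";al
 low (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=
 pbac,dc=ipa,dc=test";)
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsd
 s5replicationagreement))")(version 3.0;acl "permission:Modify Replication Agr
 eements";allow (read, write, search) groupdn = "ldap:///cn=Modify Replication
  Agreements,cn=permissions,cn=pbac,dc=ipa,dc=test";)
aci: (targetattr=*)(targetfilter="(objectclass=nsds5replicationagreement)")(ve
 rsion 3.0;acl "permission:Remove Replication Agreements";allow (delete) group
 dn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ipa,
 dc=test";)
"""

if __name__ == "__main__":
    for label, ldif in (("after upgrade", UPGRADED_LDIF), ("fresh install", FRESH_LDIF)):
        missing = missing_replication_rights(parse_ldif_entries(ldif), SUFFIX_MAPPING_TREE_DN)
        print(f"{label}: rights no ACI grants on the mapping tree entry: {missing or 'none'}")
```

Run it against the output of the ldapsearch above for both {{{cn="$SUFFIX",cn=mapping tree,cn=config}}} and {{{cn=o\3Dipaca,cn=mapping tree,cn=config}}}; an empty list for both is what a fresh install shows, and a list containing "write" is the state that produces the INSUFFICIENT_ACCESS on nsds5BeginReplicaRefresh seen in this ticket. The check deliberately reads the parent entry, since that is where the ACIs were dropped, and it does not try to evaluate groupdn membership or targetfilter clauses.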

Metadata Update from @mbabinsk (4 years ago):
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3.1
