When upgrading from 4.4 to git master (4.5), we attempt to add the PKINIT setup and generate the PKINIT anonymous principal. Unfortunately, the Krb instance is not fully initialized, including an empty substitution dictionary. This causes ldapmodify to use an incomplete LDIF file with non-replaced $SUFFIX, $DOMAIN and other variables.
2017-02-15T07:48:07Z DEBUG stderr=
2017-02-15T07:48:07Z DEBUG Starting external process
2017-02-15T07:48:07Z DEBUG args=kadmin.local -q addprinc -randkey WELLKNOWN/ANONYMOUS@XS.IPA.COOL -x ipa-setup-override-restrictions
2017-02-15T07:48:07Z DEBUG Process finished, return code=0
2017-02-15T07:48:07Z DEBUG stdout=Authenticating as principal root/admin@XS.IPA.COOL with password.
Principal "WELLKNOWN/ANONYMOUS@XS.IPA.COOL" created.

2017-02-15T07:48:07Z DEBUG stderr=WARNING: no policy specified for WELLKNOWN/ANONYMOUS@XS.IPA.COOL; defaulting to no policy

2017-02-15T07:48:07Z DEBUG Starting external process
2017-02-15T07:48:07Z DEBUG args=/usr/bin/ldapmodify -v -f /usr/share/ipa/anon-princ-aci.ldif -H ldapi://%2fvar%2frun%2fslapd-XS-IPA-COOL.socket -Y EXTERNAL
2017-02-15T07:48:07Z DEBUG Process finished, return code=32
2017-02-15T07:48:07Z DEBUG stdout=add objectclass:
        ipaAllowedOperations
add aci:
        (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
add ipaAllowedToPerform;read_keys:
        cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
modifying entry "krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX"

2017-02-15T07:48:07Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-XS-IPA-COOL.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: No such object (32)

2017-02-15T07:48:07Z CRITICAL Failed to load anon-princ-aci.ldif: Command '/usr/bin/ldapmodify -v -f /usr/share/ipa/anon-princ-aci.ldif -H ldapi://%2fvar%2frun%2fslapd-XS-IPA-COOL.socket -Y EXTERNAL' returned non-zero exit status 32
2017-02-15T07:48:07Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-02-15T07:48:07Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1840, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
    enable_anonymous_principal(krb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1498, in enable_anonymous_principal
    krb.add_anonymous_principal()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 391, in add_anonymous_principal
    self._ldap_mod("anon-princ-aci.ldif", self.sub_dict)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 227, in _ldap_mod
    ipautil.run(args, nolog=nologlist)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 495, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
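The failure mode in the report, as an added example that is not FreeIPA's own code: the LDIF template is rendered with a $VARIABLE substitution dictionary, and the rendered text is checked for leftover placeholders before it would be handed to ldapmodify, so an empty sub_dict is caught locally instead of surfacing as "No such object (32)" from the directory server. The template text is reconstructed from the ldapmodify output quoted above; the variable names, the regex-based substitution and the suffix_from_domain helper are assumptions modelled on FreeIPA's $VAR-style templates, not its real implementation.

```python
"""Render a $VAR-style LDIF template and refuse to ship it while any
placeholder is still unreplaced.  Added example, not FreeIPA code."""
import re

# Constructed LDIF template, modelled on the anon-princ-aci.ldif output
# shown in the ticket.  Both the target DN and a group DN carry placeholders.
ANON_PRINC_ACI_LDIF = """\
dn: krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX
changetype: modify
add: objectclass
objectclass: ipaAllowedOperations
-
add: aci
aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
-
add: ipaAllowedToPerform;read_keys
ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
"""

# Assumed placeholder syntax: a dollar sign followed by an upper-case name.
PLACEHOLDER = re.compile(r"\$([A-Z][A-Z0-9_]*)")


class UnsubstitutedTemplate(ValueError):
    """Raised when a rendered template still contains $VARIABLE placeholders."""

    def __init__(self, missing):
        self.missing = missing
        super().__init__("unsubstituted template variables: " + ", ".join(missing))


def unsubstituted_vars(text):
    """Return the sorted, de-duplicated placeholder names left in text."""
    return sorted(set(PLACEHOLDER.findall(text)))


def substitute(template, sub_dict):
    """Replace every $NAME that sub_dict knows; leave unknown ones in place."""
    return PLACEHOLDER.sub(lambda m: str(sub_dict.get(m.group(1), m.group(0))), template)


def missing_after_substitution(template, sub_dict):
    """Names the substitution dictionary fails to cover (empty list when complete)."""
    return unsubstituted_vars(substitute(template, sub_dict))


def render_ldif(template, sub_dict):
    """Render the template, or raise instead of producing an LDIF whose DNs
    literally contain '$REALM' / '$SUFFIX' (the ticket's failure mode)."""
    rendered = substitute(template, sub_dict)
    missing = unsubstituted_vars(rendered)
    if missing:
        raise UnsubstitutedTemplate(missing)
    return rendered


def suffix_from_domain(domain):
    """Assumed helper: 'xs.ipa.cool' -> 'dc=xs,dc=ipa,dc=cool'."""
    return ",".join("dc=" + label for label in domain.lower().split("."))


def ldif_dns(text):
    """Target DNs of every entry in an LDIF text (the 'dn:' lines)."""
    return [line[len("dn: "):] for line in text.splitlines() if line.startswith("dn: ")]


if __name__ == "__main__":
    # An uninitialised instance with an empty sub_dict, as in the report.
    print("empty sub_dict leaves:", missing_after_substitution(ANON_PRINC_ACI_LDIF, {}))
    # A fully initialised instance renders a real DN that 389-ds can resolve.
    sub_dict = {"REALM": "XS.IPA.COOL", "SUFFIX": suffix_from_domain("xs.ipa.cool")}
    print(ldif_dns(render_ldif(ANON_PRINC_ACI_LDIF, sub_dict))[0])
```

The check belongs before the external process is spawned: a failed ldapmodify over ldapi with SASL/EXTERNAL as root gives only a generic "No such object", while the local check names exactly which variables the caller never populated.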
Bug only in master, related to priv separation.
master:
Metadata Update from @abbra:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5