#7174 ipa-replica-install might fail because of an already existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFI
Closed: fixed 6 years ago Opened 6 years ago by fbarreto.

Description of problem:

We have seen cases where ipa-replica-install is failing with this error:

 [31/40]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpVKeXNx -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket -Y EXTERNAL' returned non-zero exit status 20
  [error] CalledProcessError: Command '/usr/bin/ldapmodify -v -f /tmp/tmpVKeXNx -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket -Y EXTERNAL' returned non-zero exit status 20
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

The error occurs in __setup_s4u2proxy() when replica-s4u2proxy.ldif is applied. In the DS log we can see that one of the two entries already exists which then results in a failure:

[19/Sep/2017:08:24:09.269050086 -0400] conn=11 fd=68 slot=68 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[19/Sep/2017:08:24:09.269396910 -0400] conn=11 AUTOBIND dn="cn=Directory Manager"
[19/Sep/2017:08:24:09.269402696 -0400] conn=11 op=0 BIND dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL
[19/Sep/2017:08:24:09.269427850 -0400] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=Directory Manager"
[19/Sep/2017:08:24:09.269593705 -0400] conn=11 op=1 MOD dn="cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com"
[19/Sep/2017:08:24:09.270433469 -0400] conn=11 op=1 RESULT err=20 tag=103 nentries=0 etime=0 csn=39e7b123001d00fd0000
[19/Sep/2017:08:24:09.281553093 -0400] conn=11 op=2 UNBIND

The DS installer should not apply the ldif in case those entries are already stored in the LDAP tree.

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.2.x86_64


Metadata Update from @fbarreto:
- Issue assigned to fbarreto

6 years ago

Metadata Update from @fbarreto:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1493145

6 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.5.4

6 years ago

Metadata Update from @fbarreto:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1125

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: important

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

6 years ago

master:

  • 23a0453 Checks if replica-s4u2proxy.ldif should be applied

ipa-4-6:

  • b3dfc13 Checks if replica-s4u2proxy.ldif should be applied

ipa-4-5:

  • 55b7f58 Checks if replica-s4u2proxy.ldif should be applied

master:

  • b84e8be Removing replica-s4u2proxy.ldif since it's not used anymore

ipa-4-6:

  • bff8cb6 Removing replica-s4u2proxy.ldif since it's not used anymore

ipa-4-5:

  • 447e2a2 Removing replica-s4u2proxy.ldif since it's not used anymore

Metadata Update from @fbarreto:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

master:

  • feee70d ipatest: replica install with existing entry on master

ipa-4-6:

  • 05acc9c ipatest: replica install with existing entry on master

ipa-4-5:

  • ca8af01 ipatest: replica install with existing entry on master
