#7434 FreeIPA server deployment fails with "This entry already exists" error
Closed: duplicate 6 years ago Opened 6 years ago by fbarreto.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1551677

In current Fedora Rawhide (and, I expect, F28, as soon as we have a compose
with bind-dyndb-ldap-11.1-10.fc28 in it), FreeIPA server deployment fails with
an error from ipapython/ipaldap.py:

"This entry already exists"

I'm not sure yet what 'entry' it means or why it already exists, but this looks
like a clear Beta blocker, per Basic criterion "Release-blocking roles and the
supported role configuration interfaces must meet the core functional Role
Definition Requirements to the extent that supported roles can be successfully
deployed, started, stopped, brought to a working configuration, and queried",
as domain controller is one of the release-blocking roles.

Will attach all logs soon.

Metadata Update from @fbarreto:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1551677

6 years ago

This is a duplicate of ticket #7393 fixed in master and ipa-4-6.

Metadata Update from @frenaud:
- Issue close_status updated to: duplicate

6 years ago
[04/Mar/2018:19:38:12.931685123 -0500] conn=8 op=3 ADD   dn="cn=RSA,cn=encryption,cn=config"
[04/Mar/2018:19:38:12.932916255 -0500] conn=8 op=3 RESULT err=68 tag=105 nentries=0 etime=0.0001420462

File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 358, in enable_ss
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1523, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
2018-03-05T00:38:12Z DEBUG The ipa-server-install command failed, exception: DuplicateEntry: This entry already exists

In 389-ds master branch the following entry exists by default

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
nsSSLToken: internal (software)

Could be a recent change in 389-ds that adds it by default or in ipa-server-install that now adds it without checking.

An easy fix would be to test whether "cn=RSA,cn=encryption,cn=config" exists before adding it.

Metadata Update from @tbordaz:
- Issue status updated to: Open (was: Closed)

6 years ago

Metadata Update from @fbarreto:
- Issue priority set to: critical

6 years ago

Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

6 years ago
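
Added example, not part of the ticket or of FreeIPA's code: the installer error does not name the entry, so this sketch pairs each ADD in a 389-ds access log with its RESULT by conn/op and reports the DNs that came back with err=68 (entryAlreadyExists). The function name and all sample log lines other than the conn=8 op=3 pair quoted in the ticket are assumptions constructed for illustration.

```python
import re

# Constructed sample in 389-ds access-log format. Only the conn=8 op=3 pair
# is quoted from the ticket; the other lines are made up for this example.
SAMPLE_LOG = """\
[04/Mar/2018:19:38:12.900000000 -0500] conn=8 op=2 ADD dn="cn=example,cn=config"
[04/Mar/2018:19:38:12.901000000 -0500] conn=8 op=2 RESULT err=0 tag=105 nentries=0 etime=0.0001000000
[04/Mar/2018:19:38:12.931685123 -0500] conn=8 op=3 ADD   dn="cn=RSA,cn=encryption,cn=config"
[04/Mar/2018:19:38:12.932916255 -0500] conn=8 op=3 RESULT err=68 tag=105 nentries=0 etime=0.0001420462
[04/Mar/2018:19:38:13.000000000 -0500] conn=9 op=3 RESULT err=68 tag=105 nentries=0 etime=0.0001000000
"""

LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'(?P<verb>[A-Z]+)\s+(?P<rest>.*)$')
DN = re.compile(r'dn="((?:[^"\\]|\\.)*)"')
ERR = re.compile(r'\berr=(\d+)\b')

ENTRY_ALREADY_EXISTS = 68  # LDAP resultCode entryAlreadyExists (RFC 4511)


def failed_adds(log_text, err=ENTRY_ALREADY_EXISTS):
    """Return [(result_timestamp, conn, op, dn)] for ADDs that ended with err."""
    pending = {}  # (conn, op) -> DN of an ADD still waiting for its RESULT
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connection-level or unrelated line
        key = (int(m['conn']), int(m['op']))
        if m['verb'] == 'ADD':
            dn = DN.search(m['rest'])
            if dn:
                pending[key] = dn.group(1)
        elif m['verb'] == 'RESULT':
            # A RESULT with no recorded ADD belongs to another operation type
            # (or the ADD was rotated out of the log) and is ignored.
            dn = pending.pop(key, None)
            code = ERR.search(m['rest'])
            if dn is not None and code and int(code.group(1)) == err:
                hits.append((m['ts'], key[0], key[1], dn))
    return hits


if __name__ == "__main__":
    for ts, conn, op, dn in failed_adds(SAMPLE_LOG):
        print(f"{ts} conn={conn} op={op} ADD rejected, entry exists: {dn}")
```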
