#7992 ipa upgrade fails with trust entry already exists
Closed: fixed a year ago by cheimes. Opened a year ago by abbra.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1723473

Description of problem:

Attempting to upgrade IPA resulted in ipa not starting afterwards. When I tried
to manually start it, I saw this:

[root@rhel7-1 ~]# ipactl start
IPA version error: data needs to be upgraded (expected version '4.6.5-9.el7',
current version '4.6.5-6.el7')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Upgrade failed with This entry already exists
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade
again
Aborting ipactl

Reviewing log, I see this:

2019-06-24T14:52:51Z DEBUG Adding Kerberos principal entry for EXAMPLE$@AD.TEST
2019-06-24T14:52:51Z DEBUG Destroyed connection context.ldap2_140436545772368
2019-06-24T14:52:51Z ERROR Upgrade failed with This entry already exists
2019-06-24T14:52:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 274, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
967, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
929, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
904, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1475, in
__call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py",
line 693, in execute
    self.KRB_PRINC_CREATE_DISABLED)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py",
line 559, in set_krb_principal
    action(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1580, in
add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1038, in
error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2019-06-24T14:52:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 282, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2019-06-24T14:52:51Z DEBUG   [error] RuntimeError: This entry already exists


Version-Release number of selected component (if applicable):
ipa-server-4.6.5-9.el7.x86_64

How reproducible:
Unknown

Steps to Reproduce:
1.  Install IPA version 4.6.5-6.el7 on rhel7.7 (from beta I think?)
2.  Set up Trust with AD
3.  Upgrade

Actual results:

ipa not running and errors shown above.


Expected results:

ipa running after upgrade with no errors.

Additional info:
Will attach logs and ldapsearch

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1723473

a year ago

Metadata Update from @abbra:
- Issue assigned to abbra

a year ago

master:

  • 34bfffd adtrust upgrade: fix wrong primary principal name

ipa-4-6:

  • 910e8b1 adtrust upgrade: fix wrong primary principal name

ipa-4-7:

  • dcce0e4 adtrust upgrade: fix wrong primary principal name

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

master:

  • 7af4c7d adtrust upgrade: fix wrong primary principal name, part 2

ipa-4-6:

  • cb74ea9 adtrust upgrade: fix wrong primary principal name, part 2

ipa-4-7:

  • d6f8e06 adtrust upgrade: fix wrong primary principal name, part 2
