#9500 ipa-server-upgrade failure
Closed: fixed 5 months ago by gngui. Opened 5 months ago by gngui.

Issue

ipa-server-upgrade fails to complete. As a result the ipa service fails to start.

Steps to Reproduce

  1. sudo ipa-server-upgrade

Actual behavior

[gn@ipa ~]$ sudo ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Updating ACME configuration]
[Migrating to authselect profile]
Already migrated to authselect profile
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add root@LOCAL.MERGE.CO.KE alias to admin account]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NotFound: no such entry
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Expected behavior

Upgrade should complete without errors

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.10.2-1.fc38.x86_64
freeipa-client-4.10.2-1.fc38.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.3.7-2.fc38.x86_64
package pki-ca is not installed
krb5-server-1.21-3.fc38.x86_64
Fedora Linux 38 (Server Edition)

Additional info:

2023-12-19T06:22:57Z INFO [Create systemd-user hbac service and rule]
2023-12-19T06:22:57Z DEBUG raw: hbacsvc_add('systemd-user', description='pam_systemd and systemd user@.service', version='2.252')
2023-12-19T06:22:57Z DEBUG hbacsvc_add('systemd-user', description='pam_systemd and systemd user@.service', all=False, raw=False, version='2.252', no_members=False)
2023-12-19T06:22:57Z INFO hbac service systemd-user already exists
2023-12-19T06:22:57Z INFO [Add root@LOCAL.MERGE.CO.KE alias to admin account]
2023-12-19T06:22:57Z DEBUG raw: user_add_principal('admin', ('root@LOCAL.MERGE.CO.KE',), version='2.252')
2023-12-19T06:22:57Z DEBUG user_add_principal('admin', (ipapython.kerberos.Principal('root@LOCAL.MERGE.CO.KE'),), all=False, raw=False, version='2.252', no_members=False)
2023-12-19T06:22:57Z DEBUG raw: trust_find('', sizelimit=0, version='2.252')
2023-12-19T06:22:57Z DEBUG trust_find(None, sizelimit=0, all=False, raw=False, version='2.252', pkey_only=False)
2023-12-19T06:22:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2023-12-19T06:22:57Z DEBUG File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
server.upgrade()
File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 2066, in upgrade
upgrade_configuration()
File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 1937, in upgrade_configuration
add_admin_root_alias()
File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 1446, in add_admin_root_alias
api.Command.user_add_principal("admin", rootprinc)
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 471, in __call__
return self.__do_call(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 499, in __do_call
ret = self.run(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 816, in run
return self.execute(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/baseldap.py", line 2475, in execute
entry_attrs.dn = callback(
^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/baseuser.py", line 820, in pre_callback
ensure_krbcanonicalname_set(ldap, entry_attrs)
File "/usr/lib/python3.11/site-packages/ipalib/util.py", line 1188, in ensure_krbcanonicalname_set
old_entry = ldap.get_entry(
^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1943, in get_entry
return super(LDAPCache, self).get_entry(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1643, in get_entry
entries = self.get_entries(
^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1454, in get_entries
entries, truncated = self.find_entries(
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1528, in find_entries
with self.error_handler():
File "/usr/lib64/python3.11/contextlib.py", line 155, in __exit__
self.gen.throw(typ, value, traceback)
File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1098, in error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')

2023-12-19T06:22:57Z DEBUG The ipa-server-upgrade command failed, exception: NotFound: no such entry
2023-12-19T06:22:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NotFound: no such entry
2023-12-19T06:22:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[gn@ipa ~]$
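As an added triage helper (not part of this ticket and not FreeIPA code), the script below walks ipaupgrade.log records like the ones quoted above and reports the upgrade step, the API calls issued inside it and the exception at the first failure; the sample log is a constructed, abridged copy of the excerpt in this ticket.

```python
import re

# Constructed sample, abridged from the ipaupgrade.log excerpt quoted in this ticket.
SAMPLE_LOG = """\
2023-12-19T06:22:57Z INFO [Create systemd-user hbac service and rule]
2023-12-19T06:22:57Z DEBUG raw: hbacsvc_add('systemd-user', version='2.252')
2023-12-19T06:22:57Z INFO hbac service systemd-user already exists
2023-12-19T06:22:57Z INFO [Add root@LOCAL.MERGE.CO.KE alias to admin account]
2023-12-19T06:22:57Z DEBUG raw: user_add_principal('admin', ('root@LOCAL.MERGE.CO.KE',), version='2.252')
2023-12-19T06:22:57Z DEBUG raw: trust_find('', sizelimit=0, version='2.252')
2023-12-19T06:22:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2023-12-19T06:22:57Z DEBUG File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
2023-12-19T06:22:57Z DEBUG The ipa-server-upgrade command failed, exception: NotFound: no such entry
"""

# One log record: ISO timestamp, level, message. Traceback body lines carry no timestamp.
RECORD_RE = re.compile(r"^(?P<ts>\S+Z) (?P<level>INFO|DEBUG|ERROR|WARNING) (?P<msg>.*)$")
STEP_RE = re.compile(r"^\[(?P<step>.+)\]$")           # "[Add root@... alias to admin account]"
RAW_CALL_RE = re.compile(r"^raw: (?P<call>\w+)\(")     # "raw: user_add_principal('admin', ...)"
EXC_RE = re.compile(r"command failed, exception: (?P<exc>.+)$")

def triage_upgrade_log(text):
    """Return the step, the API calls made inside it and the exception at the first failure."""
    step, calls = None, []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # traceback continuation line, not a log record
        msg = m.group("msg")
        if s := STEP_RE.match(msg):
            step, calls = s.group("step"), []  # a new upgrade step resets the call trail
        elif c := RAW_CALL_RE.match(msg):
            calls.append(c.group("call"))
        elif e := EXC_RE.search(msg):
            return {"timestamp": m.group("ts"), "step": step,
                    "calls": calls, "exception": e.group("exc")}
    return None  # no failure record found

def likely_missing_admin_entry(result):
    """Heuristic taken from this ticket: NotFound while adding the root@REALM alias to
    admin means the admin user entry itself is absent from LDAP (see issue #9045)."""
    return (result is not None and result["step"] is not None
            and result["step"].endswith("alias to admin account")
            and result["exception"].startswith("NotFound"))
```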


Hi @gngui
Based on the logs, it looks like you don't have an admin user.
Older IPA versions didn't prevent the deletion of the admin user, and the upgrade fails if this user entry is missing (see issue #9045).
You can find recovery steps in the ticket's comments; please let us know if it fixes your issue.

The deletion of the admin user is not possible any more; it was fixed with #8878 (available in 4.9.13 and 4.11.0).

Hi @frenaud
I believe that, since my IPA service is down, any query returns ipa: ERROR: did not receive Kerberos credentials.
With this, I am unable to proceed with the admin recovery steps. Kindly assist.

Some good news.
I had previously documented our UID ranges and used those for the uidNumber and gidNumber. I removed the ipaNTSecurityIdentifier and ipaNTUserAttrs lines since I could not run the ipa trustconfig-show command. I applied the updated file on pure faith using the # ipa-ldap-updater ./80-admin-user.update command, after which I ran ipa-server-upgrade, which completed.

I'm happy to announce my IPA service is back up.

Curiously, I am still unable to run these commands, which return ipa: ERROR: did not receive Kerberos credentials:
- ipa group-add-member admins --users=admin
- ipa idrange-show xxx_id_range

Metadata Update from @gngui:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago

@gngui thanks for confirming that the steps helped.
If you still face issues, please start a thread on freeipa-users@lists.fedorahosted.org, I'm sure you will get some help there.
