ipa-server-upgrade fails to complete. As a result, the ipa service fails to start.
[gn@ipa ~]$ sudo ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Updating ACME configuration]
[Migrating to authselect profile]
Already migrated to authselect profile
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Add root@LOCAL.MERGE.CO.KE alias to admin account]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NotFound: no such entry
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Upgrade should complete without errors
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.10.2-1.fc38.x86_64
freeipa-client-4.10.2-1.fc38.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.3.7-2.fc38.x86_64
package pki-ca is not installed
krb5-server-1.21-3.fc38.x86_64
Fedora Linux 38 (Server Edition)
2023-12-19T06:22:57Z INFO [Create systemd-user hbac service and rule]
2023-12-19T06:22:57Z DEBUG raw: hbacsvc_add('systemd-user', description='pam_systemd and systemd user@.service', version='2.252')
2023-12-19T06:22:57Z DEBUG hbacsvc_add('systemd-user', description='pam_systemd and systemd user@.service', all=False, raw=False, version='2.252', no_members=False)
2023-12-19T06:22:57Z INFO hbac service systemd-user already exists
2023-12-19T06:22:57Z INFO [Add root@LOCAL.MERGE.CO.KE alias to admin account]
2023-12-19T06:22:57Z DEBUG raw: user_add_principal('admin', ('root@LOCAL.MERGE.CO.KE',), version='2.252')
2023-12-19T06:22:57Z DEBUG user_add_principal('admin', (ipapython.kerberos.Principal('root@LOCAL.MERGE.CO.KE'),), all=False, raw=False, version='2.252', no_members=False)
2023-12-19T06:22:57Z DEBUG raw: trust_find('', sizelimit=0, version='2.252')
2023-12-19T06:22:57Z DEBUG trust_find(None, sizelimit=0, all=False, raw=False, version='2.252', pkey_only=False)
2023-12-19T06:22:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2023-12-19T06:22:57Z DEBUG   File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 2066, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 1937, in upgrade_configuration
    add_admin_root_alias()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 1446, in add_admin_root_alias
    api.Command.user_add_principal("admin", rootprinc)
  File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 816, in run
    return self.execute(*args, **options)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/plugins/baseldap.py", line 2475, in execute
    entry_attrs.dn = callback(
                     ^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/plugins/baseuser.py", line 820, in pre_callback
    ensure_krbcanonicalname_set(ldap, entry_attrs)
  File "/usr/lib/python3.11/site-packages/ipalib/util.py", line 1188, in ensure_krbcanonicalname_set
    old_entry = ldap.get_entry(
                ^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1943, in get_entry
    return super(LDAPCache, self).get_entry(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1643, in get_entry
    entries = self.get_entries(
              ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1454, in get_entries
    entries, truncated = self.find_entries(
                         ^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1528, in find_entries
    with self.error_handler():
  File "/usr/lib64/python3.11/contextlib.py", line 155, in __exit__
    self.gen.throw(typ, value, traceback)
  File "/usr/lib/python3.11/site-packages/ipapython/ipaldap.py", line 1098, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')
2023-12-19T06:22:57Z DEBUG The ipa-server-upgrade command failed, exception: NotFound: no such entry
2023-12-19T06:22:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NotFound: no such entry
2023-12-19T06:22:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[gn@ipa ~]$
Hi @gngui, based on the logs, it looks like you don't have any admin user. Older IPA versions didn't prevent the deletion of the admin user, and the upgrade fails if this user entry is missing (see issue #9045). You can find recovery steps in the ticket's comment; please let us know if it fixes your issue.
The deletion of the admin user is not possible any more; it was fixed with #8878 (available in 4.9.13 and 4.11.0).
Hi @frenaud I believe that since my IPA service is down any query returns ipa: ERROR: did not receive Kerberos credentials. With this I am unable to proceed with the admin recovery steps. Kindly assist.
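The upgrade step that failed here ("Add root@REALM alias to admin account") looks up the admin user entry in the directory, and the ipa CLI is unusable while the KDC is down. The check below is an added example, not part of this ticket or of FreeIPA itself: it queries 389-ds directly with a simple bind as Directory Manager, which needs no Kerberos ticket, and reports whether uid=admin exists before an upgrade is attempted. The realm is supplied by the caller; the DN layout (uid=admin,cn=users,cn=accounts,&lt;suffix&gt;) follows FreeIPA's standard tree, and the example assumes a simple bind over loopback is accepted by the local directory server and that ldapsearch (openldap-clients) is installed. The realm LOCAL.MERGE.CO.KE from the log is used only as sample input.

```shell
#!/bin/sh
# Added example (not from the ticket or FreeIPA): pre-upgrade check that the
# admin user entry exists in 389-ds, done over LDAP with Directory Manager
# credentials so it works while Kerberos is unavailable.
# Assumptions: standard FreeIPA DN layout; ldapsearch installed; a local
# simple bind is permitted.

# Convert a Kerberos realm (LOCAL.MERGE.CO.KE) to the LDAP suffix FreeIPA
# derives from it (dc=local,dc=merge,dc=co,dc=ke).
realm_to_suffix() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\./,dc=/g; s/^/dc=/'
}

# DN of the admin user in FreeIPA's directory tree.
admin_dn() {
    printf 'uid=admin,cn=users,cn=accounts,%s' "$(realm_to_suffix "$1")"
}

# $1 = LDIF text, $2 = DN. Returns 0 if an entry with that DN is in the LDIF.
# Kept separate from the network call so it can be exercised offline.
ldif_has_dn() {
    printf '%s\n' "$1" | grep -qi "^dn: $2\$"
}

# Constructed sample of what ldapsearch returns when the entry exists.
sample_ldif_present() {
    printf 'dn: uid=admin,cn=users,cn=accounts,dc=local,dc=merge,dc=co,dc=ke\n'
    printf 'uid: admin\n'
    printf 'krbCanonicalName: admin@LOCAL.MERGE.CO.KE\n'
}

# Constructed sample for the failing case: ldapsearch prints no LDIF at all
# (it exits with noSuchObject), which is exactly what the upgrade hit.
sample_ldif_missing() {
    printf ''
}

# Live check. Prompts for the Directory Manager password (-W).
# Returns 0 when the admin entry is present, 1 when it is missing.
check_admin_entry() {
    realm="$1"
    dn="$(admin_dn "$realm")"
    # -x simple bind, -LLL plain LDIF, -s base: fetch only this one DN.
    out="$(ldapsearch -LLL -x -H ldap://localhost -D 'cn=Directory Manager' -W \
               -b "$dn" -s base '(objectClass=*)' dn 2>/dev/null)" || true
    if ldif_has_dn "$out" "$dn"; then
        echo "admin entry present: $dn"
        return 0
    fi
    echo "admin entry MISSING: $dn" >&2
    echo "ipa-server-upgrade's 'Add root@$realm alias to admin account' step will fail with NotFound" >&2
    return 1
}

# Usage: sh check-admin.sh LOCAL.MERGE.CO.KE
if [ "$#" -ge 1 ]; then
    check_admin_entry "$1"
fi
```

Run it on the IPA server as root before ipa-server-upgrade; a non-zero exit means the admin entry has to be restored first, which is the situation the maintainers point to in this thread.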
Some good news. I had previously documented our UID ranges and used those for the uidNumber and gidNumber. I removed the ipaNTSecurityIdentifier and ipaNTUserAttrs lines since I could not run the ipa trustconfig-show command. I applied the updated file on pure faith using the # ipa-ldap-updater ./80-admin-user.update command, after which I ran ipa-server-upgrade, which completed.
I'm happy to announce my IPA service is back up.
Curiously, I am still unable to run these commands, which return ipa: ERROR: did not receive Kerberos credentials:
- ipa group-add-member admins --users=admin
- ipa idrange-show xxx_id_range
Metadata Update from @gngui:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
@gngui, thanks for confirming that the steps helped. If you still face issues, please start a thread on freeipa-users@lists.fedorahosted.org; I'm sure you will get some help there.