Bug 1266667

Summary: ipa-replica-install command failed, exception: NotFound: ACI with name "Enable Anonymous access" not found
Product: [Fedora] Fedora
Reporter: s.zemlyanoy
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: abokovoy, ipa-maint, jhrozek, mkosek, pviktori, pvoborni, rcritten, ssorce
Hardware: x86_64   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2015-10-22 08:02:21 UTC
Type: Bug

Description s.zemlyanoy 2015-09-26 10:02:33 UTC
Description of problem:
Installation of the replica fails with the message:
INFO The ipa-replica-install command failed, exception: NotFound: ACI with name "Enable Anonymous access" not found

Replication seems to work between nodes, but the replica is definitely not in a sane state. Also, I cannot authenticate on the new replica via ssh.

Version-Release number of selected component (if applicable):
Replica:
Name        : ipa-server
Arch        : x86_64
Version     : 3.0.0
Release     : 47.el6.centos

Master:
Name        : ipa-server
Arch        : x86_64
Version     : 3.0.0
Release     : 42.el6.centos

How reproducible:
Prepare and install a replica. Actually, the replica server was accidentally removed in AWS, so we recreated a new one with the same name.

Actual results:
Replica is partially installed

Expected results:
Successful setup of replica 

Additional info:

Log trace

2015-09-26T08:34:04Z INFO POST_UPDATE
2015-09-26T08:34:04Z DEBUG Created connection context.ldap2
2015-09-26T08:34:04Z DEBUG flushing ldap://ldap2-ec2-prod.improve:389 from SchemaCache
2015-09-26T08:34:04Z DEBUG retrieving schema for SchemaCache url=ldap://ldap2-ec2-prod.improve:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4bb8248>
2015-09-26T08:34:04Z DEBUG raw: update_anonymous_aci
2015-09-26T08:34:04Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IMPROVE.socket from SchemaCache
2015-09-26T08:34:04Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IMPROVE.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x249a200>
2015-09-26T08:34:05Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 510, in main
    ds.apply_updates()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 476, in apply_updates
    ld.update(files, ordered=True)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/ldapupdate.py", line 959, in update
    updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/plugins/updateclient.py", line 126, in update
    (restart, apply_now, res) = self.run(update.name, **kw)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/plugins/updateclient.py", line 146, in run
    return self.Updater[method](**kw) #pylint: disable=E1101

  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1421, in __call__
    return self.execute(**options)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_anonymous_aci.py", line 45, in execute
    rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)

  File "/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py", line 391, in _find_aci_by_name
    raise errors.NotFound(reason=_('ACI with name "%s" not found') % aciname)

2015-09-26T08:34:05Z INFO The ipa-replica-install command failed, exception: NotFound: ACI with name "Enable Anonymous access" not found

Comment 1 Petr Vobornik 2015-10-22 08:02:21 UTC
Sorry for not taking care of this BZ for so long. 

Is it possible that you removed the ACI "Enable Anonymous access" prior to replica installation? Installation fails because it doesn't exist.

The ACI needs to be returned back, or a workaround is to remove the file /usr/lib/python2.6/site-packages/ipaserver/install/plugins/update_anonymous_aci.py on a replica prior to running ipa-replica-install.

The IPA versions enclosed match RHEL 6.6 and RHEL 6.7. This ACI was removed in later releases of IPA.

Fedora no longer contains IPA 3.x.x, therefore setting as won't fix.
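
A pre-flight check for the condition Comment 1 describes, as an added example that is not part of this bug report or of FreeIPA's code: it scans an LDIF export for an aci value whose acl name is "Enable Anonymous access", handling folded lines and base64-encoded values. The sample LDIF, the dc=example,dc=com suffix and the function names are constructed for illustration, and the exact-match comparison is an assumption; the page does not say which entry holds the ACI, so export the entry you expect to carry it.

```python
import base64
import re

ACI_NAME = "Enable Anonymous access"  # name taken from the error message above

def unfold_ldif(text):
    """Yield (attr, value) pairs, joining folded lines and decoding base64."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]        # LDIF continuation: drop one space
        elif line:
            logical.append(line)
    for line in logical:
        if line.startswith("#"):
            continue                       # LDIF comment
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        yield attr.strip().lower(), value.strip()

def aci_names(ldif_text):
    """Return the acl name of every aci value found in the LDIF text."""
    names = []
    for attr, value in unfold_ldif(ldif_text):
        if attr == "aci":
            m = re.search(r'\bacl\s+"([^"]*)"', value)
            if m:
                names.append(m.group(1))
    return names

def has_anonymous_aci(ldif_text):
    """True if the ACI the installer looks up is present (exact match assumed)."""
    return ACI_NAME in aci_names(ldif_text)

# Constructed samples: one folded aci line, one base64-encoded aci value.
SAMPLE_OK = (
    'dn: dc=example,dc=com\n'
    'aci: (targetattr != "userPassword")(version 3.0; acl "Enable Anonymous\n'
    '  access"; allow (read, search, compare) userdn = "ldap:///anyone";)\n'
)
SAMPLE_MISSING = "dn: dc=example,dc=com\naci:: " + base64.b64encode(
    b'(targetattr = "*")(version 3.0; acl "Admin can manage any entry"; '
    b'allow (all) groupdn = "ldap:///cn=admins,dc=example,dc=com";)'
).decode() + "\n"

if __name__ == "__main__":
    print("present:", has_anonymous_aci(SAMPLE_OK))
    print("present:", has_anonymous_aci(SAMPLE_MISSING))
```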