Bug 1447284

Summary: Upgrade from ipa-4.1 fails when enabling KDC proxy
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Krizek <tkrizek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Nikhil Dehadrai <ndehadra>
Severity: high Docs Contact:
Priority: high    
Version: 7.4CC: ipa-qe, ksiddiqu, mbabinsk, mbasti, ndehadra, nsoman, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: Regression, TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-12.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:50:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Krizek 2017-05-02 10:07:59 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6920

During an upgrade from IPA 4.1, when upgrade script attempts to enable KDC proxy by creating an LDAP entry in `cn=KDC,cn=vm,cn=master,cn=ipa,cn=etc,dc=example,dc=com` it fails, because the parent entry does not exist.

This is a regression was introduced by b1a1e104391c84cb9af7b0a7c8748c8652442ddb

/var/log/ipaupgrade.log

```
2017-05-02T07:11:19Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1869, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1658, in upgrade_configuration
    http.enable_kdcproxy()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 437, in enable_kdcproxy
    'KDC', self.fqdn, [u'kdcProxyEnabled'], self.suffix)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 214, in set_service_entry_config
    api.Backend.ldap2.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1504, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 966, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')
```
Comment 3 Martin Bašti 2017-05-05 16:56:44 UTC 
master:
https://pagure.io/freeipa/c/999706fcdfa7fd4206a2399aa578fb00753d9978
https://pagure.io/freeipa/c/4b8ab77dd4800bd9c6b822502462ee649c88c663
https://pagure.io/freeipa/c/ebefb281775d5bd5f32459ac597af78781d7dbf5

Not moving to POST, waiting for 4.5 patches
Comment 4 Martin Babinsky 2017-05-09 08:34:17 UTC 
ipa-4-5:

* cdefa3030fba0f9a79f65f91aec84a44795c17f5 python2-ipalib: add missing python dependency
* 1662b0ef2fff6ee002afd99f86b9075a603b6027 installer service: fix typo in service entry
* d10d5066aa60288703f2cf4b1a8dd7ed0aab8842 upgrade: add missing suffix to http instance

Moving to POST.
Comment 6 Nikhil Dehadrai 2017-05-17 15:10:32 UTC 
IPA-server-version: ipa-server-4.5.0-12.el7.x86_64

Tested the bug for IPA upgrade from Rhel 7.1.z to Rhel 7.4 ( ipa 4.5.0.12) and it failed as per the observations listed in BZ#1451804
Comment 7 Nikhil Dehadrai 2017-05-22 10:30:47 UTC 
IPA server version: ipa-server-4.5.0-13.el7.x86_64

Tested the bug with following observations:

1) Verified that upgrade of IPA server to latest version is successful.
2) No errors/ failures are observed during upgrade process.
3) All the basic commands work successfully after upgrade.
4) Verified the same for other upgrade paths:
  - RHEL 7.1.z > Rhel 7.4
  - RHEL 7.2.z > Rhel 7.4
  - RHEL 7.3 > Rhel 7.4
  - RHEL 7.3.z > Rhel 7.4
5) For log through UI after upgrade we are unable to login for which a separate bug is logged BZ#1451733

Thus on the basis of above observations, marking status of bug to "VERIFIED"
Comment 9 errata-xmlrpc 2017-08-01 09:50:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304