Bug 1551677

Summary: FreeIPA server deployment fails with "This entry already exists" error
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 28
CC: abokovoy, cheimes, frenaud, fzatlouk, ipa-maint, jcholast, jhrozek, pvoborni, rcritten, robatino, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: AcceptedBlocker
Fixed In Version: freeipa-4.6.90.pre1-1.fc28
Last Closed: 2018-03-18 00:48:13 UTC
Type: Bug
Bug Blocks: 1469204    
Attachments:
Complete /var/log archive (will also attach specific log files)
ipaserver-install.log
/var/log/messages

Description Adam Williamson 2018-03-05 17:02:06 UTC
In current Fedora Rawhide (and, I expect, F28, as soon as we have a compose with bind-dyndb-ldap-11.1-10.fc28 in it), FreeIPA server deployment fails with an error from ipapython/ipaldap.py :

"This entry already exists"

I'm not sure yet what 'entry' it means or why it already exists, but this looks like a clear Beta blocker, per Basic criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried", as domain controller is one of the release-blocking roles.

Will attach all logs soon.

Comment 1 Adam Williamson 2018-03-05 17:14:53 UTC
Created attachment 1404408
Complete /var/log archive (will also attach specific log files)

Comment 2 Adam Williamson 2018-03-05 17:15:27 UTC
Created attachment 1404409
ipaserver-install.log

Comment 3 Adam Williamson 2018-03-05 17:15:49 UTC
Created attachment 1404410
/var/log/messages

Comment 4 František Zatloukal 2018-03-05 17:42:51 UTC
Discussed at blocker bug meeting [1]:
    
AcceptedBlocker (Beta) - clear violation of "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" for the domain controller role

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-03-05/

Comment 5 fbarreto 2018-03-07 15:26:03 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7434

Comment 6 Florence Blanc-Renaud 2018-03-07 15:57:08 UTC
An upstream ticket already exists for this issue:
https://pagure.io/freeipa/issue/7393

And the ticket has been fixed in ipa-4-6 and master branches

Fixed upstream:
master
https://pagure.io/freeipa/c/939db89cacdd9450400093be33af891d17545c10
ipa-4-6
https://pagure.io/freeipa/c/1f942efab7ca47382209cb6b83d82051d73220bf

Comment 7 Adam Williamson 2018-03-13 00:41:28 UTC
So, Beta go/no-go is in 10 days (2018-03-22) and we still do not have a working FreeIPA.

Could we please get an update of the overall plan to get a working FreeIPA into F28, preferably with specific dates of when stuff is going to show up? Thanks.

As a reminder, *any* package which is necessary to make FreeIPA in F28 work needs to be part of an update that is marked as fixing this bug, https://bugzilla.redhat.com/show_bug.cgi?id=1496562 , https://bugzilla.redhat.com/show_bug.cgi?id=1552318 , or another appropriate blocker/FE bug.

Thanks!

Comment 8 Rob Crittenden 2018-03-13 03:12:40 UTC
I have a candidate build that I've tested with updated dogtag, tomcat and tomcatjss bits (and perhaps a few other things). To date I've only tested new installs and it seems to function as expected. Endi from the dogtag team has confirmed that the build is installable.

I will coordinate the release with the dogtag team.

Comment 9 Rob Crittenden 2018-03-14 22:04:46 UTC
The duplicate error is fixed in:

master: 
    939db89 Update existing 389-DS cn=RSA,cn=encryption config

ipa-4-6: 
    1f942ef Update existing 389-DS cn=RSA,cn=encryption config

Comment 10 Fedora Update System 2018-03-16 21:08:35 UTC
freeipa-4.6.90.pre1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9

Comment 11 Fedora Update System 2018-03-17 19:29:23 UTC
dogtag-pki-10.6.0-0.2.fc28, dogtag-pki-theme-10.6.0-0.2.fc28, freeipa-4.6.90.pre1-1.fc28, pki-console-10.6.0-0.2.fc28, pki-core-10.6.0-0.2.fc28, tomcat-8.5.29-1.fc28, tomcatjss-7.3.0-0.2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9

Comment 12 Fedora Update System 2018-03-18 00:48:13 UTC
dogtag-pki-10.6.0-0.2.fc28, dogtag-pki-theme-10.6.0-0.2.fc28, freeipa-4.6.90.pre1-1.fc28, pki-console-10.6.0-0.2.fc28, pki-core-10.6.0-0.2.fc28, tomcat-8.5.29-1.fc28, tomcatjss-7.3.0-0.2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.