Bug 1600074
Summary: ipa-server-upgrade displays 'DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or haven't been updated'

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.6 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Keywords | Regression |
| Target Milestone | rc |
| Fixed In Version | ipa-4.6.4-6.el7 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2018-10-30 10:58:44 UTC |
| Reporter | Sudhir Menon <sumenon> |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | ipa-qe <ipa-qe> |
| CC | frenaud, ndehadra, nsoman, pasik, pvoborni, rcritten, tdudlak, tscherf |
Description
Sudhir Menon
2018-07-11 11:24:41 UTC
Created attachment 1458081: ipa upgrade log
Bug analysis
------------
Valid bug: yes
Regression: yes
Regression introduction: 4.6.4
Affected versions: RHEL 7.6+, FreeIPA 4.6.4+
Use cases (reproduction steps):
* Fresh installation
Cause: LDIF file pointer needs to be reset to the 0 when re-reading
Consequence: bogus warning message about schema compat
Workaround: None
Fix complexity: trivial

Upstream ticket:
https://pagure.io/freeipa/issue/7644

Fixed upstream master:
https://pagure.io/freeipa/c/6fa1e6f18ef1798fa8cd5030807c81699fdfbdc6
https://pagure.io/freeipa/c/89799a14ce674f73bdfb8310256e7c8c67866a34

Fixed upstream ipa-4-6:
https://pagure.io/freeipa/c/6df65a13fec9e1c2e4a95011b2e117d3d452a513
https://pagure.io/freeipa/c/46feb670bdc02f968b7dacd8b639c52a6f34623b

Fixed upstream ipa-4-7:
https://pagure.io/freeipa/c/6daf4dad5149290dc9253803deb22b78a62fad67
https://pagure.io/freeipa/c/421e61cf1b8e21ca58e6f96857436412638f8287

ipa-server-version: ipa-server-4.6.4-6.el7.x86_64

Verified the bug on the basis of following observations:

1. Verified that the error message discussed in the description is no more observed, when ipa-server installed with RHEL 7.6 and then run with command 'ipa-server-upgrade'.

[root@vm-idm-038 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Add missing CA DNS records]
Updating DNS system records
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
[Masking named]
[Fix bind-dyndb-ldap IPA working directory]
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@vm-idm-038 ~]# echo $?
0
[root@vm-idm-038 ~]# tail -1 /var/log/ipaupgrade.log
2018-08-17T19:42:36Z INFO The ipa-server-upgrade command was successful
[root@vm-idm-038 ~]#

2. Verified the same steps as in step1, against Replica with similar observation.

[root@vm-idm-019 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Add missing CA DNS records]
Updating DNS system records
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
[Masking named]
[Fix bind-dyndb-ldap IPA working directory]
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@vm-idm-019 ~]#

3. Verified that when IPA server is upgraded and then command 'ipa-server-upgrade' is run, no issues are observed and the command is run successfully. (In my case RHEL 75z > RHEL 7.6)

4. Verified that after the command 'ipa-server-upgrade' is run, the 'ipactl restart', 'kinit' commands are successful

5. Verified that server UI login is successful after the command 'ipa-server-upgrade' is run on the IPA server.

Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187
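
The cause named in the bug analysis above (an LDIF file pointer not reset to 0 before re-reading) can be reproduced in isolation. This is an added Python example, not FreeIPA's code: `read_dns`, `missing_dns` and the sample LDIF are constructed for illustration, and only plain `dn:` lines are handled.

```python
import io

# Constructed sample LDIF (not taken from the attached upgrade log).
SAMPLE_LDIF = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginEnabled: off

dn: cn=config
nsslapd-global-backend-lock: on
"""


def read_dns(fp):
    """Return the DNs of all entries readable from fp's current position."""
    return [line[3:].strip() for line in fp if line.lower().startswith("dn:")]


def missing_dns(fp, expected, rewind):
    """Second pass over a file object that an earlier pass already consumed.

    rewind=False models the regression: the pointer is still at end-of-file,
    no entries are seen, and every expected DN is reported as missing.
    rewind=True models the fix: seek back to offset 0 before re-reading.
    """
    if rewind:
        fp.seek(0)
    seen = {dn.lower() for dn in read_dns(fp)}
    return [dn for dn in expected if dn.lower() not in seen]


def demo():
    expected = ["cn=Schema Compatibility,cn=plugins,cn=config"]
    fp = io.StringIO(SAMPLE_LDIF)
    first = read_dns(fp)  # first pass leaves the pointer at end-of-file
    buggy = missing_dns(fp, expected, rewind=False)
    fixed = missing_dns(fp, expected, rewind=True)
    return first, buggy, fixed


if __name__ == "__main__":
    first, buggy, fixed = demo()
    for dn in buggy:
        # Same wording as the bogus warning quoted in the bug summary.
        print("DN: %s does not exists or haven't been updated" % dn)
    print("missing after seek(0):", fixed)
```

The entry is present in the file in both passes; only the read position differs, which is why the warning was bogus and the upgrade itself still succeeded.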