Bug 1708873

Summary: Unable to upgrade ipa data: IPA version error: data needs to be upgraded (expected version '4.7.90.pre1-3.fc30', current version '4.7.2-8.fc30')
Product: Red Hat Enterprise Linux 7
Reporter: Alexander Bokovoy <abokovoy>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Docs Contact:
Priority: unspecified
Version: 7.0
CC: abokovoy, chris, contribs, extras-qa, fcami, frenaud, ipa-maint, jcholast, jhrozek, ndehadra, pvoborni, rcritten, ssorce, tscherf, twoerner
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: ipa-4.6.5-8.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1708808
Environment:
Last Closed: 2019-08-06 13:09:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1708808, 1708874
Bug Blocks:

Description Alexander Bokovoy 2019-05-11 09:11:01 UTC
This bug also affects RHEL IdM in RHEL 7.7 as it has the very same feature.

+++ This bug was initially created as a clone of Bug #1708808 +++

Description of problem:
After dnf upgrade of freeipa server to 4.7.90.pre1-3, I'm unable to restart freeipa using ipactl due to data upgrade failing.

Version-Release number of selected component (if applicable):
freeipa-common-4.7.90.pre1-3

How reproducible:
Every time the freeipa server is started after the rpm upgrade.

Steps to Reproduce:
1. Upgrade freeipa from 4.7.2-8-fc30 to 4.7.90.pre1-3.fc30.
2. Restart freeipa server using ipactl.
 or
2. Attempt manual data migration using ipa-server-upgrade.

Actual results:
Data migration fails with "RuntimeError: no matching entry found"
Reviewed attached ipa-server-upgrade -v log.

Expected results:
Data migration process would successfully execute, data would be migrated and freeipa server suite would start.

Additional info:

--- Additional comment from Rob Crittenden on 2019-05-11 03:52:23 EEST ---

Code came from 18cb30d4638c0fecf5f02735f2b4794be5d97b67

This should let you get past the error (untested):

diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins
/adtrust.py
index 6b4e2ca..3415f08 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -609,11 +609,14 @@ class update_tdo_to_new_layout(Updater):
 
         trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
 
-        trusts = ldap.get_entries(
-            base_dn=trusts_dn,
-            scope=ldap.SCOPE_ONELEVEL,
-            filter=self.trust_filter,
-            attrs_list=self.trust_attrs)
+        try:
+            trusts = ldap.get_entries(
+                base_dn=trusts_dn,
+                scope=ldap.SCOPE_ONELEVEL,
+                filter=self.trust_filter,
+                attrs_list=self.trust_attrs)
+        except errors.EmptyResult:
+            trusts = []
 
         # For every trust, retrieve its principals and convert
         for t_entry in trusts:
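Review bot: the `except errors.EmptyResult:` branch is the right scope for this failure (a server configured for trusts with no trust entries under `trusts_dn` is a legitimate state, and `for t_entry in trusts:` then simply does nothing), but the hunk does not show whether `errors` is already imported in adtrust.py; confirm the module imports ipalib's `errors` before merging, otherwise the empty-trust case would fail with a NameError instead. Consider also logging a debug message in the except branch so the ipa-server-upgrade log records why the conversion step was skipped rather than silently continuing.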


Or you can skip the upgrade check with: ipactl --skip-version-check start

--- Additional comment from Chris Roadfeldt on 2019-05-11 04:27:10 EEST ---

Appreciate the patch, I don't have time to duplicate the environment tonight to test this before running it on the "prod" instance. Won't have time until next week. If no one else has tested before I am able to, will do so. Otherwise, will wait for patched release version. For now, I've downgraded back to 4.7.2-8-fc30 and have everything back up and running.

--- Additional comment from Alexander Bokovoy on 2019-05-11 11:48:54 EEST ---

Rob,

I think your proposal is correct. It covers the case where FreeIPA is configured to serve trusts but there are no established trusts to AD. I'll add this patch to the Fedora release.

Comment 2 Alexander Bokovoy 2019-05-11 09:12:24 UTC
Upstream pull request: https://github.com/freeipa/freeipa/pull/3130

Comment 7 Nikhil Dehadrai 2019-05-16 10:37:20 UTC
IPA version: ipa-server-4.6.5-8.el7.x86_64

Tested the bug on the basis of following observations:

Scenario-1
----------------
1. Set up IPA-server at an older version (in my case it's RHEL 76z)
2. Install the ipa-server-trust-ad package on it. (yum -y update ipa-server-trust-ad)
3. Run the command 'ipa-adtrust-install'
4. Configure the RHEL 77 repo on this server.
5. Run 'yum -y update' to upgrade IPA-server
6. Now run 'ipa-server-upgrade'; the command runs successfully.

[root@auto-hv-01-guest10 ~]# rpm -q ipa-server
ipa-server-4.6.4-10.el7_6.3.x86_64
[root@auto-hv-01-guest10 ~]# yum -y install ipa-server-trust-ad ......
[root@auto-hv-01-guest10 ~]# ipa-adtrust-install   ......
[root@auto-hv-01-guest10 ~]# tail -1 /var/log/ipaupgrade.log 
2019-05-16T09:14:25Z INFO The ipa-server-upgrade command was successful
[root@auto-hv-01-guest10 ~]# rpm -q ipa-server
ipa-server-4.6.5-8.el7.x86_64
[root@auto-hv-01-guest10 ~]# ipa-server-upgrade 
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful


Scenario-2
----------------
1. Set up IPA-server (in my case RHEL 77)
2. Install the ipa-server-trust-ad package on it. (yum -y update ipa-server-trust-ad)
3. Run the command 'ipa-adtrust-install'
4. Now run 'ipa-server-upgrade'; the command runs successfully.

[root@hp-xw4600-01 ~]# rpm -q ipa-server
ipa-server-4.6.5-8.el7.x86_64
[root@hp-xw4600-01 ~]# yum -y install ipa-server-trust-ad  ....
[root@hp-xw4600-01 ~]# ipa-server-upgrade 
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
Publish directory already set to new location
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Add missing CA DNS records]
Updating DNS system records
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
[Masking named]
[Fix bind-dyndb-ldap IPA working directory]
[Adding server_id to named.conf]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
[Create systemd-user hbac service and rule]
hbac service systemd-user already exists
[Setup PKINIT]
[Enable certauth]
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@hp-xw4600-01 ~]# 

Thus, based on the observations above and the confirmation in Comment#6, marking the status of the bug as 'VERIFIED'.

Comment 9 errata-xmlrpc 2019-08-06 13:09:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241