Bug 1773550

Summary: IPA upgrade fails for latest ipa package when adtrust is installed
Product: Red Hat Enterprise Linux 7 Reporter: Thomas Woerner <twoerner>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: high Docs Contact:
Priority: high    
Version: 7.8CC: abokovoy, ipa-qe, ksiddiqu, lmiksik, ndehadra, pasik, rcritten, toneata, tscherf
Target Milestone: rcKeywords: Regression, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.6-10.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1757064 Environment:
Last Closed: 2020-03-31 19:56:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1757064    
Bug Blocks: 1773516    

Comment 4 Florence Blanc-Renaud 2019-11-21 09:50:38 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/ba466a802129cbe61964653fdfddacd5d43f6771

ipa-4-8:
https://pagure.io/freeipa/c/18540386230e295087296e58761ced2b781ae4e3

ipa-4-7:
https://pagure.io/freeipa/c/2f8f257d9a9c076bf1a2d28aee06fbac0532aa72

ipa-4-6:
https://pagure.io/freeipa/c/fa23f5a13a326b4cedf6705be7d14da8bc813763
Comment 7 Nikhil Dehadrai 2019-12-10 10:57:00 UTC 
ipa-server version: ipa-server-4.6.6-11.el7.x86_64


Verified the bug on the basis of following observations:
1) Setup IPA server at RHEL77z with trust installed.

2019-12-09T08:28:41+0000 [ci-vm-10-0-154-174.h] :: [ 03:28:41 ] :: [  BEGIN   ] :: Running ' /usr/sbin/ipa-server-install --setup-dns --forwarder=10.11.5.19 --reverse-zone=154.0.10.in-addr.arpa. --allow-zone-overlap --hostname=ci-vm-10-0-154-174.upgrade.test -r UPGRADE.TEST -n upgrade.test -p Secret123 -a Secret123 --ip-address=10.0.154.174 --allow-zone-overlap -U'


2019-12-09T08:33:54+0000 [ci-vm-10-0-154-174.h] :: [ 03:33:53 ] :: [   PASS   ] :: Command ' /usr/sbin/ipa-server-install --setup-dns --forwarder=10.11.5.19 --reverse-zone=154.0.10.in-addr.arpa. --allow-zone-overlap --hostname=ci-vm-10-0-154-174.upgrade.test -r UPGRADE.TEST -n upgrade.test -p Secret123 -a Secret123 --ip-address=10.0.154.174 --allow-zone-overlap -U' (Expected 0, got 0)


2019-12-09T10:00:28+0000 [ci-vm-10-0-154-192.h] :: [ 05:00:27 ] :: [  BEGIN   ] :: Running 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd'
2019-12-09T10:00:28+0000 [ci-vm-10-0-154-192.h] ipa-server-4.6.5-11.el7_7.3.x86_64
2019-12-09T10:00:28+0000 [ci-vm-10-0-154-192.h] 389-ds-base-1.3.9.1-12.el7_7.x86_64
2019-12-09T10:00:28+0000 [ci-vm-10-0-154-192.h] bind-9.11.4-9.P2.el7.x86_64
2019-12-09T10:00:28+0000 [ci-vm-10-0-154-192.h] bind-dyndb-ldap-11.1-6.el7.x86_64
2019-12-09T10:00:28+0000 [ci-vm-10-0-154-192.h] pki-ca-10.5.16-5.el7_7.noarch
2019-12-09T10:00:28+0000 [ci-vm-10-0-154-192.h] sssd-1.16.4-21.el7_7.1.x86_64
2019-12-09T10:00:28+0000 [ci-vm-10-0-154-192.h] :: [ 05:00:27 ] :: [   PASS   ] :: Command 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd' (Expected 0, got 0)

2019-12-09T08:54:12+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:12 ] :: [  BEGIN   ] :: Running 'echo Secret123 | ipa trust-add ipaad2k16cin.test --admin Administrator                 --range-type=ipa-ad-trust --password --two-way=True'
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] ----------------------------------------------------------
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] Added Active Directory trust for realm "ipaad2k16cin.test"
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] ----------------------------------------------------------
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h]   Realm name: ipaad2k16cin.test
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h]   Domain NetBIOS name: IPAAD2K16CIN
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h]   Domain Security Identifier: S-1-5-21-2842256260-195550463-1751006347
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h]   Trust direction: Two-way trust
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h]   Trust type: Active Directory domain
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h]   Trust status: Established and verified
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:14 ] :: [   PASS   ] :: Command 'echo Secret123 | ipa trust-add ipaad2k16cin.test --admin Administrator                 --range-type=ipa-ad-trust --password --two-way=True' (Expected 0, got 0)
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:14 ] :: [  BEGIN   ] :: Running 'systemctl stop sssd'
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:14 ] :: [   PASS   ] :: Command 'systemctl stop sssd' (Expected 0, got 0)
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:14 ] :: [  BEGIN   ] :: Running 'rm -frv /var/lib/sss/{db,mc}/*'
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] removed ?/var/lib/sss/db/cache_upgrade.test.ldb?
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] removed ?/var/lib/sss/db/ccache_UPGRADE.TEST?
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] removed ?/var/lib/sss/db/config.ldb?
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] removed ?/var/lib/sss/db/sssd.ldb?
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] removed ?/var/lib/sss/db/timestamps_upgrade.test.ldb?
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] removed ?/var/lib/sss/mc/group?
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] removed ?/var/lib/sss/mc/initgroups?
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] removed ?/var/lib/sss/mc/passwd?
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:14 ] :: [   PASS   ] :: Command 'rm -frv /var/lib/sss/{db,mc}/*' (Expected 0, got 0)
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:14 ] :: [  BEGIN   ] :: Running 'systemctl start sssd'
2019-12-09T08:54:14+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:14 ] :: [   PASS   ] :: Command 'systemctl start sssd' (Expected 0, got 0)
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:14 ] :: [  BEGIN   ] :: Running 'ipa trust-find ipaad2k16cin.test'
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h] ---------------
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h] 1 trust matched
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h] ---------------
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h]   Realm name: ipaad2k16cin.test
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h]   Domain NetBIOS name: IPAAD2K16CIN
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h]   Domain Security Identifier: S-1-5-21-2842256260-195550463-1751006347
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h]   Trust type: Active Directory domain
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h]   UPN suffixes: testupnsuffix.test, testupnsuffix, tomupn14.in, upn2016.in
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h] ----------------------------
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h] Number of entries returned 1
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h] ----------------------------
2019-12-09T08:54:15+0000 [ci-vm-10-0-154-174.h] :: [ 03:54:15 ] :: [   PASS   ] :: Command 'ipa trust-find ipaad2k16cin.test' (Expected 0, got 0)
2019-12-09T09:00:15+0000 [ci-vm-10-0-154-174.h] :: [ 04:00:15 ] :: [  BEGIN   ] :: Running 'id administrator'
2019-12-09T09:00:16+0000 [ci-vm-10-0-154-174.h] uid=879000500(administrator) gid=879000500(administrator) groups=879000500(administrator),879000518(schema admins),879000519(enterprise admins),879000512(domain admins),879000513(domain users),879000520(group policy creator owners)
2019-12-09T09:00:16+0000 [ci-vm-10-0-154-174.h] :: [ 04:00:16 ] :: [   PASS   ] :: Command 'id administrator' (Expected 0, got 0)


2) Upgrade the Ipa server to RHEL 78

2019-12-09T09:19:35+0000 [ci-vm-10-0-154-174.h] :: [ 04:19:35 ] :: [  BEGIN   ] :: Initiating upgrade Process :: actually running 'yum -y update'
.
.
.
2019-12-09T10:10:21+0000 [ci-vm-10-0-154-192.h] :: [ 05:10:21 ] :: [   PASS   ] :: Initiating upgrade Process (Expected 0, got 0)
2019-12-09T10:10:21+0000 [ci-vm-10-0-154-192.h] :: [ 05:10:21 ] :: [  BEGIN   ] :: Running 'tail -1 /var/log/ipaupgrade.log | grep 'The ipa-server-upgrade command was successful''
2019-12-09T10:10:21+0000 [ci-vm-10-0-154-192.h] 2019-12-09T10:07:43Z INFO The ipa-server-upgrade command was successful
2019-12-09T10:10:21+0000 [ci-vm-10-0-154-192.h] :: [ 05:10:21 ] :: [   PASS   ] :: Command 'tail -1 /var/log/ipaupgrade.log | grep 'The ipa-server-upgrade command was successful'' (Expected 0, got 0)

2019-12-09T10:13:19+0000 [ci-vm-10-0-154-192.h] :: [ 05:13:19 ] :: [  BEGIN   ] :: Running 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd'
2019-12-09T10:13:19+0000 [ci-vm-10-0-154-192.h] ipa-server-4.6.6-11.el7.x86_64
2019-12-09T10:13:19+0000 [ci-vm-10-0-154-192.h] 389-ds-base-1.3.10.1-4.el7.x86_64
2019-12-09T10:13:19+0000 [ci-vm-10-0-154-192.h] bind-9.11.4-15.P2.el7.x86_64
2019-12-09T10:13:19+0000 [ci-vm-10-0-154-192.h] bind-dyndb-ldap-11.1-7.el7.x86_64
2019-12-09T10:13:19+0000 [ci-vm-10-0-154-192.h] pki-ca-10.5.17-6.el7.noarch
2019-12-09T10:13:19+0000 [ci-vm-10-0-154-192.h] sssd-1.16.4-35.el7.x86_64
2019-12-09T10:13:19+0000 [ci-vm-10-0-154-192.h] :: [ 05:13:19 ] :: [   PASS   ] :: Command 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd' (Expected 0, got 0)

3) Validate trust after upgrade using id command
2019-12-09T09:40:53+0000 [ci-vm-10-0-154-174.h] :: [ 04:40:53 ] :: [  BEGIN   ] :: Running 'id administrator'
2019-12-09T09:40:53+0000 [ci-vm-10-0-154-174.h] uid=879000500(administrator) gid=879000500(administrator) groups=879000500(administrator),879000518(schema admins),879000519(enterprise admins),879000512(domain admins),879000513(domain users),879000520(group policy creator owners)
2019-12-09T09:40:53+0000 [ci-vm-10-0-154-174.h] :: [ 04:40:53 ] :: [   PASS   ] :: Command 'id administrator' (Expected 0, got 0)


Thus on the basis of above observations marking the status of bug to "VERIFIED"
Comment 9 errata-xmlrpc 2020-03-31 19:56:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083