Bug 2149956

Summary: ipa-server-install displays 'Add failure Server is unwilling to perform'
Product: Red Hat Enterprise Linux 8
Reporter: Sudhir Menon <sumenon>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: unspecified
Priority: high
Version: 8.8
CC: bsmejkal, gkimetto, idm-ds-dev-bugs, mreynolds
Target Milestone: rc
Keywords: TestCaseProvided, Triaged
Target Release: 8.8
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Last Closed: 2023-05-16 08:33:01 UTC
Type: Bug
Deadline: 2023-01-30

Description Sudhir Menon 2022-12-01 12:49:16 UTC
Description of problem: ipa-server-install displays 'Add failure Server is unwilling to perform'

Version-Release number of selected component (if applicable):
ipa-server-4.9.10-8.module+el8.8.0+17351+9a3fb056.x86_64
389-ds-base-1.4.3.32-1.module+el8.8.0+17275+1a8f9618.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server and check the message displayed on the console.

Actual results:
1. ipa-server-install console message
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
Add failure Server is unwilling to perform:  <-----
Could not get dnaHostname entries in 60 seconds

2. We are seeing a new message, in a step that is creating the following 2 tasks:

dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
objectClass: top
objectClass: extensibleObject
cn: IPA PBAC memberOf $TIME
basedn: cn=privileges,cn=pbac,$SUFFIX
filter: (objectclass=*)
ttl: 10

dn: cn=Update Role memberOf $TIME, cn=memberof task, cn=tasks, cn=config
objectClass: top
objectClass: extensibleObject
cn: Update Role memberOf $TIME
basedn: cn=roles,cn=accounts,$SUFFIX
filter: (objectclass=*)
ttl: 10

The first task is successfully created, but the 2nd ADD fails with Unwilling to perform:
[01/Dec/2022:02:47:57.262481121 -0500] conn=3 op=532 ADD dn="cn=Update PBAC memberOf 138891736,cn=memberof task,cn=tasks,cn=config"
[01/Dec/2022:02:47:57.270550278 -0500] conn=3 op=532 RESULT err=0 tag=105 nentries=0 wtime=0.000150057 optime=0.008081610 etime=0.008225051
...
[01/Dec/2022:02:47:57.274201980 -0500] conn=3 op=534 ADD dn="cn=Update Role memberOf 138891736,cn=memberof task,cn=tasks,cn=config"
[01/Dec/2022:02:47:57.280780873 -0500] conn=3 op=534 RESULT err=53 tag=105 nentries=0 wtime=0.000177071 optime=0.006586838 etime=0.006757306

And the error log shows:
[01/Dec/2022:02:47:57.271250651 -0500] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task starts (filter: "(objectclass=*)") ...
[01/Dec/2022:02:47:57.276000958 -0500] - ERR - memberof-plugin - memberof_task_add - there is already a fixup task running
[01/Dec/2022:02:47:57.335782499 -0500] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task finished (processed 33 entries in 0 seconds)

Expected results:
Fix the issue

Additional info:
https://github.com/389ds/389-ds-base/issues/5413#issuecomment-1333458982
Logging the bug for tracking.
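
One way to find this condition in a 389-ds access log, as an added example that is not part of the report or of the 389-ds project: it pairs each ADD under cn=memberof task,cn=tasks,cn=config with its RESULT line and returns the ones rejected with err=53. The function and constant names are hypothetical; the sample input is the access-log excerpt quoted in the description.

```python
import re

# The access-log lines quoted in the report above, embedded so this runs offline.
SAMPLE_ACCESS_LOG = """\
[01/Dec/2022:02:47:57.262481121 -0500] conn=3 op=532 ADD dn="cn=Update PBAC memberOf 138891736,cn=memberof task,cn=tasks,cn=config"
[01/Dec/2022:02:47:57.270550278 -0500] conn=3 op=532 RESULT err=0 tag=105 nentries=0 wtime=0.000150057 optime=0.008081610 etime=0.008225051
...
[01/Dec/2022:02:47:57.274201980 -0500] conn=3 op=534 ADD dn="cn=Update Role memberOf 138891736,cn=memberof task,cn=tasks,cn=config"
[01/Dec/2022:02:47:57.280780873 -0500] conn=3 op=534 RESULT err=53 tag=105 nentries=0 wtime=0.000177071 optime=0.006586838 etime=0.006757306
"""

ADD_RE = re.compile(r'conn=(\d+) op=(\d+) ADD dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
TASK_CONTAINER = "cn=memberof task,cn=tasks,cn=config"
UNWILLING_TO_PERFORM = 53  # LDAP result code logged as err=53


def rejected_memberof_tasks(lines):
    """Return [(conn, op, dn)] for memberOf fixup task ADDs answered with err=53."""
    pending = {}   # (conn, op) -> DN of a task ADD still waiting for its RESULT
    rejected = []
    for line in lines:
        add = ADD_RE.search(line)
        if add:
            conn, op, dn = add.groups()
            # Drop optional spaces after commas so both DN spellings compare equal.
            normalized = re.sub(r"\s*,\s*", ",", dn).lower()
            if normalized.endswith(TASK_CONTAINER):
                pending[(conn, op)] = dn
            continue
        result = RESULT_RE.search(line)
        if result:
            conn, op, err = result.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None and int(err) == UNWILLING_TO_PERFORM:
                rejected.append((int(conn), int(op), dn))
    return rejected


if __name__ == "__main__":
    for conn, op, dn in rejected_memberof_tasks(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"conn={conn} op={op} rejected with err=53: {dn}")
```

A hit here lines up with the "there is already a fixup task running" entry from memberof_task_add in the error log at the same timestamp.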

Comment 1 mreynolds 2022-12-13 16:44:16 UTC
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5413

Comment 8 bsmejkal 2023-01-26 13:27:49 UTC
As per comment #c7 marking as VERIFIED.

Comment 10 errata-xmlrpc 2023-05-16 08:33:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2811