Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1186396

Summary: ipa-restore crashes if replica is unreachable
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: drieden, ksiddiqu, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.1.0-17.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:19:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Kosek 2015-01-27 15:37:24 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4857

Transcript:
{{{
# ipa-restore --data --online /var/lib/ipa/backup/ipa-data-2015-01-19-23-02-40 --debug
Directory Manager (existing master) password: 

ipa.ipaserver.install.ipa_restore.Restore: DEBUG: Logging to /var/log/iparestore.log
ipa.ipaserver.install.ipa_restore.Restore: DEBUG: ipa-restore was invoked with arguments ['/var/lib/ipa/backup/ipa-data-2015-01-19-23-02-40'] and options: {'log_file': None, 'data_only': True, 'verbose': True, 'gpg_keyring': None, 'quiet': False, 'instance': None, 'no_logs': False, 'online': True, 'password': None, 'unattended': False, 'backend': None}
ipa.ipaserver.install.ipa_restore.Restore: DEBUG: IPA version 4.1.2.201501140350GIT6950e7b-0.fc21
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otpconfig.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='klist' '-V'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.12.2

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
ipa.ipaserver.install.ipa_restore.Restore: INFO: Preparing restore from /var/lib/ipa/backup/ipa-data-2015-01-19-23-02-40 on ipa.mkosek-f21.test
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa.ipaserver.install.ipa_restore.Restore: INFO: Performing DATA restore from DATA backup
ipa.ipaplatform.base.tasks: DEBUG: group dirsrv exists
ipa.ipaplatform.base.tasks: DEBUG: user dirsrv exists
ipa: DEBUG: Starting external process
ipa: DEBUG: args='tar' '--xattrs' '--selinux' '-xzf' '/var/lib/ipa/backup/ipa-data-2015-01-19-23-02-40/ipa-data.tar' '.'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
Restoring data will overwrite existing live data. Continue to restore? [no]: y
ipa.ipaserver.install.ipa_restore.Restore: INFO: Each master will individually need to be re-initialized or
ipa.ipaserver.install.ipa_restore.Restore: INFO: re-created from this one. The replication agreements on
ipa.ipaserver.install.ipa_restore.Restore: INFO: masters running IPA 3.1 or earlier will need to be manually
ipa.ipaserver.install.ipa_restore.Restore: INFO: re-enabled. See the man page for details.
ipa.ipaserver.install.ipa_restore.Restore: INFO: Disabling all replication.
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-MKOSEK-F21-TEST.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-MKOSEK-F21-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0ba5a04098>
ipa: DEBUG: wait_for_open_ports: vm-089.idm.lab.bos.redhat.com [636] timeout 10
ipa.ipaserver.install.ipa_restore.Restore: CRITICAL: Unable to disable agreement on vm-089.idm.lab.bos.redhat.com: 
ipa.ipaserver.install.ipa_restore.Restore: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 349, in run
    self.disable_agreements()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py", line 464, in disable_agreements
    services = repl.conn.get_entries(master_dn,

ipa.ipaserver.install.ipa_restore.Restore: DEBUG: The ipa-restore command failed, exception: UnboundLocalError: local variable 'repl' referenced before assignment
ipa.ipaserver.install.ipa_restore.Restore: ERROR: local variable 'repl' referenced before assignment
}}}
Comment 2 Martin Kosek 2015-01-27 15:44:55 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/deb70d5b13ce0e7ec77debb4aa17d75df4c1dedd
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/74853b66f092a057c22ee811e945f631e6d65059
Comment 4 Kaleem 2015-01-28 15:41:04 UTC 
Verified.

IPA Version:
============
[root@master ~]# rpm -q ipa-server
ipa-server-4.1.0-17.el7.x86_64
[root@master ~]# 

"Unable to disable agreement on dhcp207-58.testrelm.test: " is shown now if Replica not reachable to during ipa-restore.


[root@master ~]# ipa user-del testuser1
------------------------
Deleted user "testuser1"
------------------------
[root@master ~]# ipa-restore --data --online -p xxxxxxxx /var/lib/ipa/backup/ipa-data-2015-01-28-23-39-11
Preparing restore from /var/lib/ipa/backup/ipa-data-2015-01-28-23-39-11 on master.testrelm.test
Performing DATA restore from DATA backup
Restoring data will overwrite existing live data. Continue to restore? [no]: yes
Each master will individually need to be re-initialized or
re-created from this one. The replication agreements on
masters running IPA 3.1 or earlier will need to be manually
re-enabled. See the man page for details.
Disabling all replication.
Unable to disable agreement on dhcp207-58.testrelm.test: 
Starting Directory Server
Restoring from userRoot in TESTRELM-TEST
Waiting for LDIF to finish
Restoring from ipaca in TESTRELM-TEST
Waiting for LDIF to finish
The ipa-restore command was successful
[root@master ~]# ipa user-find
---------------
3 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1983000000
  GID: 1983000000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: testuser1
  First name: testuser1
  Last name: testuser1
  Home directory: /home/testuser1
  Login shell: /bin/sh
  Email address: testuser1
  UID: 1983000001
  GID: 1983000001
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: testuser2
  First name: testuser2
  Last name: testuser2
  Home directory: /home/testuser2
  Login shell: /bin/sh
  Email address: testuser2
  UID: 1983100500
  GID: 1983100500
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 3
----------------------------
[root@master ~]#
Comment 6 errata-xmlrpc 2015-03-05 10:19:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html