Bug 1242884 - Upgrade to 4.2.0 fails when enabling kdc proxy
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-07-14 10:41 UTC by Jan Cholasta
Modified: 2015-11-19 12:04 UTC (History)

Fixed In Version: ipa-4.2.0-2.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 12:04:15 UTC



Links
System: Red Hat Product Errata
ID: RHBA-2015:2362
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2015-11-19 10:40:46 UTC

Description Jan Cholasta 2015-07-14 10:41:12 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5113

When upgrading to 4.2.0 with ipa-server-upgrade, things go wrong because the KDC proxy upgrade script doesn't expect that dirsrv will be down:

{{{
2015-07-10T09:56:36Z DEBUG   [7/8]: stopping directory server
2015-07-10T09:56:38Z DEBUG   [8/8]: restoring configuration
2015-07-10T09:56:38Z INFO [Verifying that root certificate is published]
2015-07-10T09:56:38Z INFO [Migrate CRL publish directory]
2015-07-10T09:56:38Z INFO [Verifying that KDC configuration is using ipa-kdb backend]
2015-07-10T09:56:38Z INFO [Enabling KDC Proxy]
2015-07-10T09:56:48Z DEBUG Could not connect to the Directory Server on XXXXX: [Errno 111] Connection refused
2015-07-10T09:56:48Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2015-07-10T09:56:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1577, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1406, in upgrade_configuration
    http.ldap_connect()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 147, in ldap_connect
    conn.do_bind(self.dm_password, autobind=self.autobind)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1631, in do_bind
    self.do_external_bind(pw_name, timeout=timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1621, in do_external_bind
    self.__bind_with_wait(self.external_bind, timeout, user_name)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1610, in __bind_with_wait
    self.__wait_for_connection(timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1593, in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
    raise e

2015-07-10T09:56:48Z DEBUG The ipa-server-upgrade command failed, exception: error: [Errno 111] Connection refused
2015-07-10T09:56:48Z ERROR [Errno 111] Connection refused
2015-07-10T09:57:57Z DEBUG Logging to /var/log/ipaupgrade.log
}}}

Comment 1 Jan Cholasta 2015-07-14 10:41:47 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c701ab612de831f72f21e0f3bfd105fbc515cd4d

Comment 2 Jan Cholasta 2015-07-14 10:43:41 UTC
Fixed upstream
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/d98aa76b26daf461f19d733fedc4bd9a8c36f05f

Comment 6 Scott Poore 2015-10-05 21:52:52 UTC
Verified.

Version ::

ipa-server-4.2.0-12.el7.x86_64

Results ::

[root@rhel7-5 yum.repos.d]# yum update -y
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel-7.2-server                                                                 | 4.1 kB  00:00:00     
rhel-7.2-server-optional                                                        | 3.8 kB  00:00:00     
(1/4): rhel-7.2-server-optional/group_gz                                        | 6.1 kB  00:00:00     
(2/4): rhel-7.2-server/group_gz                                                 | 135 kB  00:00:00     
(3/4): rhel-7.2-server-optional/primary_db                                      | 1.7 MB  00:00:01     
(4/4): rhel-7.2-server/primary_db                                               | 3.6 MB  00:00:01     
Resolving Dependencies
--> Running transaction check
...
  Cleanup    : libgcc-4.8.3-9.el7.x86_64                                                       659/659 
2619 blocks
rhel-7.2-server/productid                                                       | 1.6 kB  00:00:00     
  Verifying  : libXext-1.3.3-3.el7.x86_64                                                        1/659 
...
Complete!

[root@rhel7-5 yum.repos.d]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful


...from /var/log/ipaupgrade.log...

2015-10-05T21:17:17Z INFO [Enabling KDC Proxy]
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/bin/systemctl' 'start' 'dirsrv'
2015-10-05T21:17:17Z DEBUG Process finished, return code=0
2015-10-05T21:17:17Z DEBUG stdout=
2015-10-05T21:17:17Z DEBUG stderr=
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv'
2015-10-05T21:17:17Z DEBUG Process finished, return code=0
2015-10-05T21:17:17Z DEBUG stdout=active

2015-10-05T21:17:17Z DEBUG stderr=
2015-10-05T21:17:17Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2015-10-05T21:17:17Z DEBUG Adding group kdcproxy
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/usr/sbin/groupadd' '-r' 'kdcproxy'
2015-10-05T21:17:17Z DEBUG Process finished, return code=0
2015-10-05T21:17:17Z DEBUG stdout=
2015-10-05T21:17:17Z DEBUG stderr=
2015-10-05T21:17:17Z DEBUG Done adding group
2015-10-05T21:17:17Z DEBUG Adding user kdcproxy
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/usr/sbin/useradd' '-g' 'kdcproxy' '-d' '/var/lib/kdcproxy' '-s' '/sbin/nologin' '-r' 'kdcproxy' '-c' 'IPA KDC Proxy User' '-m'
2015-10-05T21:17:17Z DEBUG Process finished, return code=0
2015-10-05T21:17:17Z DEBUG stdout=
2015-10-05T21:17:17Z DEBUG stderr=
2015-10-05T21:17:17Z DEBUG Done adding user
2015-10-05T21:17:17Z DEBUG Backing up system configuration file '/etc/ipa/kdcproxy/ipa-kdc-proxy.conf'
2015-10-05T21:17:17Z DEBUG   -> Not backing up - '/etc/ipa/kdcproxy/ipa-kdc-proxy.conf' doesn't exist
2015-10-05T21:17:17Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
2015-10-05T21:17:17Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6427488>
2015-10-05T21:17:17Z DEBUG service KDCPROXY enabled
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/bin/systemctl' 'stop' 'httpd.service'
2015-10-05T21:17:19Z DEBUG Process finished, return code=0
2015-10-05T21:17:19Z DEBUG stdout=
2015-10-05T21:17:19Z DEBUG stderr=
2015-10-05T21:17:19Z INFO [Updating mod_nss protocol versions]

[root@rhel7-5 yum.repos.d]# ipa-server-upgrade 
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not installed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 3]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Ensuring CA is using LDAPProfileSubsystem]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@rhel7-5 yum.repos.d]#
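
Added example, not part of the bug report or of FreeIPA's code: a small triage helper that reads an ipaupgrade.log and reports which upgrade step hit a refused Directory Server connection and whether dirsrv had last been stopped or started at that point. The `triage` function and the matched strings are assumptions based only on the log wording quoted on this page; the sample inputs are excerpts of those two logs.

```python
import re

# Timestamp, level, message; traceback continuation lines do not match.
LINE = re.compile(r"^(\S+Z) (DEBUG|INFO|ERROR)\s+(.*)$")
# INFO step banner such as "[Enabling KDC Proxy]".
STEP = re.compile(r"^\[(.+)\]$")


def triage(log_text):
    """Return [(step, dirsrv_state)] for every failed Directory Server connect."""
    step, dirsrv, findings = None, "unknown", []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        level, msg = m.group(2), m.group(3).strip()
        banner = STEP.match(msg) if level == "INFO" else None
        if banner:
            step = banner.group(1)
        elif "stopping directory server" in msg:
            dirsrv = "stopped"
        elif "starting directory server" in msg or (
            msg.startswith("args=") and "'start' 'dirsrv'" in msg
        ):
            dirsrv = "started"
        elif "Could not connect to the Directory Server" in msg:
            findings.append((step, dirsrv))
    return findings


# Lines excerpted from the failing log in the description.
FAILED = """\
2015-07-10T09:56:36Z DEBUG   [7/8]: stopping directory server
2015-07-10T09:56:38Z DEBUG   [8/8]: restoring configuration
2015-07-10T09:56:38Z INFO [Verifying that KDC configuration is using ipa-kdb backend]
2015-07-10T09:56:38Z INFO [Enabling KDC Proxy]
2015-07-10T09:56:48Z DEBUG Could not connect to the Directory Server on XXXXX: [Errno 111] Connection refused
2015-07-10T09:56:48Z ERROR [Errno 111] Connection refused
"""
# Lines excerpted from the verification log in comment 6.
FIXED = """\
2015-10-05T21:17:17Z INFO [Enabling KDC Proxy]
2015-10-05T21:17:17Z DEBUG args='/bin/systemctl' 'start' 'dirsrv'
2015-10-05T21:17:17Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2015-10-05T21:17:17Z DEBUG service KDCPROXY enabled
"""

if __name__ == "__main__":
    print(triage(FAILED))
    print(triage(FIXED))
```

A finding whose state is "stopped" matches the failure in this bug; a finding with state "started" or "unknown" points to a different cause.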

Comment 7 errata-xmlrpc 2015-11-19 12:04:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

