Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1242884

Summary: Upgrade to 4.2.0 fails when enabling kdc proxy
Product: Red Hat Enterprise Linux 7 Reporter: Jan Cholasta <jcholast>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: ksiddiqu, rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-2.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:04:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Cholasta 2015-07-14 10:41:12 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5113

When upgrading to 4.2.0 with ipa-server-upgrade, things go wrong because kdc proxy upgrade script doesn't expect dirsrv will be down:

{{{
2015-07-10T09:56:36Z DEBUG   [7/8]: stopping directory server
2015-07-10T09:56:38Z DEBUG   [8/8]: restoring configuration
2015-07-10T09:56:38Z INFO [Verifying that root certificate is published]
2015-07-10T09:56:38Z INFO [Migrate CRL publish directory]
2015-07-10T09:56:38Z INFO [Verifying that KDC configuration is using ipa-kdb backend]
2015-07-10T09:56:38Z INFO [Enabling KDC Proxy]
2015-07-10T09:56:48Z DEBUG Could not connect to the Directory Server on XXXXX: [Errno 111] Connection refused
2015-07-10T09:56:48Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2015-07-10T09:56:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1577, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1406, in upgrade_configuration
    http.ldap_connect()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 147, in ldap_connect
    conn.do_bind(self.dm_password, autobind=self.autobind)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1631, in do_bind
    self.do_external_bind(pw_name, timeout=timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1621, in do_external_bind
    self.__bind_with_wait(self.external_bind, timeout, user_name)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1610, in __bind_with_wait
    self.__wait_for_connection(timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1593, in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1200, in wait_for_open_socket
    raise e

2015-07-10T09:56:48Z DEBUG The ipa-server-upgrade command failed, exception: error: [Errno 111] Connection refused
2015-07-10T09:56:48Z ERROR [Errno 111] Connection refused
2015-07-10T09:57:57Z DEBUG Logging to /var/log/ipaupgrade.log
}}}
Comment 1 Jan Cholasta 2015-07-14 10:41:47 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c701ab612de831f72f21e0f3bfd105fbc515cd4d
Comment 2 Jan Cholasta 2015-07-14 10:43:41 UTC 
Fixed upstream
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/d98aa76b26daf461f19d733fedc4bd9a8c36f05f
Comment 6 Scott Poore 2015-10-05 21:52:52 UTC 
Verified.

Version ::

ipa-server-4.2.0-12.el7.x86_64

Results ::

[root@rhel7-5 yum.repos.d]# yum update -y
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel-7.2-server                                                                 | 4.1 kB  00:00:00     
rhel-7.2-server-optional                                                        | 3.8 kB  00:00:00     
(1/4): rhel-7.2-server-optional/group_gz                                        | 6.1 kB  00:00:00     
(2/4): rhel-7.2-server/group_gz                                                 | 135 kB  00:00:00     
(3/4): rhel-7.2-server-optional/primary_db                                      | 1.7 MB  00:00:01     
(4/4): rhel-7.2-server/primary_db                                               | 3.6 MB  00:00:01     
Resolving Dependencies
--> Running transaction check
...
  Cleanup    : libgcc-4.8.3-9.el7.x86_64                                                       659/659 
2619 blocks
rhel-7.2-server/productid                                                       | 1.6 kB  00:00:00     
  Verifying  : libXext-1.3.3-3.el7.x86_64                                                        1/659 
...
Complete!

[root@rhel7-5 yum.repos.d]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful


...from /var/log/ipaupgrade.log...

2015-10-05T21:17:17Z INFO [Enabling KDC Proxy]
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/bin/systemctl' 'start' 'dirsrv'
2015-10-05T21:17:17Z DEBUG Process finished, return code=0
2015-10-05T21:17:17Z DEBUG stdout=
2015-10-05T21:17:17Z DEBUG stderr=
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv'
2015-10-05T21:17:17Z DEBUG Process finished, return code=0
2015-10-05T21:17:17Z DEBUG stdout=active

2015-10-05T21:17:17Z DEBUG stderr=
2015-10-05T21:17:17Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2015-10-05T21:17:17Z DEBUG Adding group kdcproxy
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/usr/sbin/groupadd' '-r' 'kdcproxy'
2015-10-05T21:17:17Z DEBUG Process finished, return code=0
2015-10-05T21:17:17Z DEBUG stdout=
2015-10-05T21:17:17Z DEBUG stderr=
2015-10-05T21:17:17Z DEBUG Done adding group
2015-10-05T21:17:17Z DEBUG Adding user kdcproxy
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/usr/sbin/useradd' '-g' 'kdcproxy' '-d' '/var/lib/kdcproxy' '-s' '/sbin/nologin' '-r' 'kdcproxy' '-c' 'IPA KDC Proxy User' '-m'
2015-10-05T21:17:17Z DEBUG Process finished, return code=0
2015-10-05T21:17:17Z DEBUG stdout=
2015-10-05T21:17:17Z DEBUG stderr=
2015-10-05T21:17:17Z DEBUG Done adding user
2015-10-05T21:17:17Z DEBUG Backing up system configuration file '/etc/ipa/kdcproxy/ipa-kdc-proxy.conf'
2015-10-05T21:17:17Z DEBUG   -> Not backing up - '/etc/ipa/kdcproxy/ipa-kdc-proxy.conf' doesn't exist
2015-10-05T21:17:17Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
2015-10-05T21:17:17Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x6427488>
2015-10-05T21:17:17Z DEBUG service KDCPROXY enabled
2015-10-05T21:17:17Z DEBUG Starting external process
2015-10-05T21:17:17Z DEBUG args='/bin/systemctl' 'stop' 'httpd.service'
2015-10-05T21:17:19Z DEBUG Process finished, return code=0
2015-10-05T21:17:19Z DEBUG stdout=
2015-10-05T21:17:19Z DEBUG stderr=
2015-10-05T21:17:19Z INFO [Updating mod_nss protocol versions]

[root@rhel7-5 yum.repos.d]# ipa-server-upgrade 
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not installed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 3]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Ensuring CA is using LDAPProfileSubsystem]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@rhel7-5 yum.repos.d]#
Comment 7 errata-xmlrpc 2015-11-19 12:04:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html