Bug 1354493 - Replica install fails with old IPA master
Summary: Replica install fails with old IPA master
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Duplicates: 1358886
Depends On:
Reported: 2016-07-11 12:29 UTC by Kaleem
Modified: 2016-11-04 05:57 UTC

Fixed In Version: ipa-4.4.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:57:23 UTC
Target Upstream Version:

Attachments
installation console output (8.21 KB, text/plain)
2016-07-25 10:20 UTC, Kaleem

System: Red Hat Product Errata
ID: RHBA-2016:2404
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2016-11-03 13:56:18 UTC

Description Kaleem 2016-07-11 12:29:05 UTC
Description of problem:

This is seen when a 7.3 replica is created from a 6.8-based IPA master.

Version-Release number of selected component (if applicable):
[root@dhcp207-81 ~]# rpm -q ipa-server 389-ds-base
[root@dhcp207-81 ~]# 

How reproducible:

Steps to Reproduce:
1. Install a 6.8 IPA master
2. Copy copy-to-ca-schema.py and run it on the 6.8 IPA master
3. Create the replica gpg file for the 7.3 replica on the 6.8 IPA master and copy it to the 7.3 replica
4. Run ipa-replica-install on the 7.3 replica with the gpg file

Actual results:
ipa-replica-install fails with the following error

  [31/42]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpN0Qcv9 -H ldapi://%2fvar%2frun%2fslapd-TESTRELM-TEST.socket -x -D cn=Directory Manager -y /tmp/tmplp4arL' returned non-zero exit status 1
  [32/42]: importing CA certificates from LDAP
  [error] DatabaseError: Operations error: 
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Operations error: 
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Expected results:
ipa-replica-install should be successful

Additional Info:
(1) Please find the attached replica-install log file.

Comment 1 Kaleem 2016-07-11 12:31:58 UTC
Not able to attach log file at the moment.

Comment 4 Noriko Hosoi 2016-07-11 16:21:11 UTC
Hello, Kaleem,

Could you take a look at this bug?  Could it be the same problem?


Comment 5 Noriko Hosoi 2016-07-12 16:20:39 UTC
(In reply to Kaleem)
> Keywords: TestBlocker

Did you have a chance to try the latest 389-ds-base-

Comment 6 Kaleem 2016-07-12 17:20:17 UTC
With the new ds build I am able to proceed further, but the install still fails with the following error message

ipa.ipapython.install.cli.install_tool(Replica): ERROR    container entry (cn=servers,cn=dns) not found

snip from console output...

Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: updating configuration in dse.ldif
  [4/42]: restarting directory server
  [5/42]: adding default schema
  [6/42]: enabling memberof plugin
  [7/42]: enabling winsync plugin
  [8/42]: configuring replication version plugin
  [9/42]: enabling IPA enrollment plugin
  [10/42]: enabling ldapi
  [11/42]: configuring uniqueness plugin
  [12/42]: configuring uuid plugin
  [13/42]: configuring modrdn plugin
  [14/42]: configuring DNS plugin
  [15/42]: enabling entryUSN plugin
  [16/42]: configuring lockout plugin
  [17/42]: configuring topology plugin
  [18/42]: creating indices
  [19/42]: enabling referential integrity plugin
  [20/42]: configuring ssl for ds instance
  [21/42]: configuring certmap.conf
  [22/42]: configure autobind for root
  [23/42]: configure new location for managed entries
  [24/42]: configure dirsrv ccache
  [25/42]: enabling SASL mapping fallback
  [26/42]: restarting directory server
  [27/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [28/42]: adding sasl mappings to the directory
  [29/42]: updating schema
  [30/42]: setting Auto Member configuration
  [31/42]: enabling S4U2Proxy delegation
  [32/42]: importing CA certificates from LDAP
  [33/42]: initializing group membership
  [34/42]: adding master entry
  [35/42]: initializing domain level
  [36/42]: configuring Posix uid/gid generation
  [37/42]: adding replication acis
  [38/42]: enabling compatibility plugin
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [11/27]: fixing RA database permissions
  [12/27]: setting up signing cert profile
  [13/27]: setting audit signing renewal to 2 years
  [14/27]: importing RA certificate from PKCS #12 file
  [15/27]: authorizing RA to modify profiles
  [16/27]: authorizing RA to manage lightweight CAs
  [17/27]: Ensure lightweight CAs container exists
  [18/27]: configure certmonger for renewals
  [19/27]: configure certificate renewals
  [20/27]: configure Server-Cert certificate renewal
  [21/27]: Configure HTTP to proxy connections
  [22/27]: restarting certificate server
  [23/27]: migrating certificate profiles to LDAP
  [24/27]: importing IPA certificate profiles
  [25/27]: adding default CA ACL
  [26/27]: adding 'ipa' CA entry
  [27/27]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Restarting the directory and certificate servers
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/7]: configuring KDC
  [2/7]: creating a keytab for the directory
  [3/7]: creating a keytab for the machine
  [4/7]: adding the password extension to the directory
  [5/7]: enable GSSAPI for replication
  [6/7]: starting the KDC
  [7/7]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/20]: setting mod_nss port to 443
  [2/20]: setting mod_nss cipher suite
  [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/20]: setting mod_nss password file
  [5/20]: enabling mod_nss renegotiate
  [6/20]: adding URL rewriting rules
  [7/20]: configuring httpd
  [8/20]: configure certmonger for renewals
  [9/20]: setting up httpd keytab
  [10/20]: setting up ssl
  [11/20]: importing CA certificates from LDAP
  [12/20]: publish CA cert
  [13/20]: clean up any existing httpd ccache
  [14/20]: configuring SELinux for httpd
  [15/20]: create KDC proxy user
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: restarting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [error] NotFound: container entry (cn=servers,cn=dns) not found
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    container entry (cn=servers,cn=dns) not found
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
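
A way to triage console output like the two runs quoted above, as an added example that is not part of the original report or of the IPA code base: it reports the phase and step where the installer aborted, plus any CRITICAL lines logged before it, since in the first run the failed replica-s4u2proxy.ldif load at step 31 precedes the fatal error at step 32. The function name `triage` and both sample strings are assumptions constructed for illustration.

```python
import re

PHASE = re.compile(r"^(?:Configuring|Upgrading) (.+?)(?:\. Estimated time:.*|:)?$")
STEP = re.compile(r"^\s*\[(\d+)/(\d+)\]: (.+?)\s*$")
FATAL = re.compile(r"^\s*\[error\] (\w+): (.*?)\s*$")
CRITICAL = re.compile(r"^\S+\s*: CRITICAL (.*)$")

def triage(console_text):
    """Locate the fatal [error] line and any CRITICAL lines logged before it."""
    phase = step = fatal = None
    earlier = []
    for line in console_text.splitlines():
        if m := PHASE.match(line):
            phase, step = m.group(1), None
        elif m := STEP.match(line):
            step = (int(m.group(1)), int(m.group(2)), m.group(3))
        elif m := CRITICAL.match(line):
            earlier.append({"phase": phase, "step": step, "message": m.group(1)})
        elif m := FATAL.match(line):
            fatal = {"phase": phase, "step": step,
                     "kind": m.group(1), "message": m.group(2)}
            break  # the installer stops here; later lines are cleanup hints
    return {"fatal": fatal, "earlier": earlier}

# Constructed samples: shortened excerpts in the shape of the two console
# outputs quoted in this report (the ldapmodify command line is abbreviated).
FIRST_FAILURE = """\
Configuring directory server (dirsrv). Estimated time: 1 minute
  [30/42]: setting Auto Member configuration
  [31/42]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '...' returned non-zero exit status 1
  [32/42]: importing CA certificates from LDAP
  [error] DatabaseError: Operations error:
Your system may be partly configured.
"""
SECOND_FAILURE = """\
Configuring DNS (named)
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [error] NotFound: container entry (cn=servers,cn=dns) not found
Your system may be partly configured.
"""

if __name__ == "__main__":
    for name, text in (("first", FIRST_FAILURE), ("second", SECOND_FAILURE)):
        print(name, triage(text))
```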

Comment 7 Petr Vobornik 2016-07-13 16:23:36 UTC
Comment 6 is most likely an IPA error, moving to IPA.

Comment 8 Petr Vobornik 2016-07-13 16:28:12 UTC
Upstream ticket:

Comment 9 Petr Vobornik 2016-07-15 12:14:44 UTC
Fixed upstream

Comment 11 Petr Vobornik 2016-07-22 16:45:11 UTC
*** Bug 1358886 has been marked as a duplicate of this bug. ***

Comment 12 Kaleem 2016-07-25 10:17:56 UTC

[root@dhcp207-47 ~]# rpm -q ipa-server
[root@dhcp207-47 ~]#

Please find the attached console output.

Comment 13 Kaleem 2016-07-25 10:20:19 UTC
Created attachment 1183677
installation console output

Comment 15 errata-xmlrpc 2016-11-04 05:57:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

