Cloned from upstream: https://pagure.io/freeipa/issue/6792
When upgrading from FreeIPA 4.4.3 to FreeIPA 4.5.0, the RPM upgrade fails with the following message:
Cleanup : freeipa-client-common-4.4.3-2.fc25.noarch 34/39
Cleanup : freeipa-common-4.4.3-2.fc25.noarch 35/39
Cleanup : bind-pkcs11-libs-32:9.10.4-4.P6.fc25.x86_64 36/39
Cleanup : bind-libs-lite-32:9.10.4-4.P6.fc25.x86_64 37/39
Cleanup : bind-libs-32:9.10.4-4.P6.fc25.x86_64 38/39
Cleanup : bind-license-32:9.10.4-4.P6.fc25.noarch 39/39
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Failed to configure anonymous PKINIT
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
When inspecting `/var/log/ipaupgrade.log` we can see that the PKINIT keypair is issued but the anonymous principal is not created by upgrader code:
2017-03-21T15:51:07Z DEBUG stderr=
2017-03-21T15:51:07Z DEBUG Starting external process
2017-03-21T15:51:07Z DEBUG args=/usr/bin/kinit -n -c /tmp/krbccMLh35h/ccache
2017-03-21T15:51:07Z DEBUG Process finished, return code=1
2017-03-21T15:51:07Z DEBUG stdout=
2017-03-21T15:51:07Z DEBUG stderr=kinit: Client 'WELLKNOWN/ANONYMOUS@IPA.TEST' not found in Kerberos database while getting initial credentials
2017-03-21T15:51:07Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-21T15:51:07Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
2017-03-21T15:51:07Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: Failed to configure anonymous PKINIT
2017-03-21T15:51:07Z ERROR Failed to configure anonymous PKINIT
This causes the password auth to IPA server (via JSON-RPC API or WebUI) to fail after upgrade and thus breaks the core functionality.
Steps to reproduce:
1.) Install FreeIPA 4.4.3 or older
2.) Upgrade to FreeIPA 4.5.0
Upgrade fails and WebUI logins on updated master do not work
Upgrade finishes without errors and WebUI works.
c2d95d3962d525017732618e66b39b099235d43e Upgrade: configure PKINIT after adding anonymous principal
1fc48cd0af3b19272fcfe25235e55eae249bb6c9 Remove unused variable from failed anonymous PKINIT handling
17aa51ef0291b9c6174509f52913076ae599357f Split out anonymous PKINIT test to a separate method
5c22f905d48d3d8dd50e394290e1feb8f6dedcaa Ensure KDC is propery configured after upgrade
b9002bf6273151cb480dfba7ffa7480d037984ee Upgrade: configure PKINIT after adding anonymous principal
4b2b1d33157963a8b3d8229d1edd573dcbb93fb5 Remove unused variable from failed anonymous PKINIT handling
c1393029b6a853cc2cb874f4f93706368627d7c4 Split out anonymous PKINIT test to a separate method
89fc0a126be67755d4a687b427a6c67b3cbc4337 Ensure KDC is propery configured after upgrade
Hmmm, it looks like you have an old version of python-cryptography installed, can you please check that you have at least python-cryptography > 1.4? there were some incompatible API changes that can break older versions.
Great, after succesful upgrade check that `kinit -n` gets you a valid TGT and if yes, you can mark the BZ as verified. The issue with broken python2-cryptography is unrelated to this BZ and you may file a separate bug for it.
IPA server version: ipa-server-4.5.0-13.el7.x86_64
Python2-cryptography version: python2-cryptography-1.7.2-1.el7.x86_64
Tested the bug with following observations:
1) Verified that upgrade of IPA server to latest version is successful.
2) No errors/ failures are observed during upgrade process.
3) The said "PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE) Failed to configure PKINIT" message is not observed during upgrade process on using latest version of 'python2-cryptography' package during upgrade.
4) All the basic commands work successfully after upgrade.
5) Verified the same for other upgrade paths:
- RHEL 7.1.z > Rhel 7.4
- RHEL 7.2.z > Rhel 7.4
- RHEL 7.3 > Rhel 7.4
- RHEL 7.3.z > Rhel 7.4
6) For log through UI after upgrade we are unable to login for which a separate bug is logged BZ#1451733
Thus on the basis of above observations, marking status of bug to "VERIFIED"
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.