RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1447284 - Upgrade from ipa-4.1 fails when enabling KDC proxy
Summary: Upgrade from ipa-4.1 fails when enabling KDC proxy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Nikhil Dehadrai
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-02 10:07 UTC by Tomas Krizek
Modified: 2017-08-01 09:50 UTC (History)
9 users (show)

Fixed In Version: ipa-4.5.0-12.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Tomas Krizek 2017-05-02 10:07:59 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6920

During an upgrade from IPA 4.1, when upgrade script attempts to enable KDC proxy by creating an LDAP entry in `cn=KDC,cn=vm,cn=master,cn=ipa,cn=etc,dc=example,dc=com` it fails, because the parent entry does not exist.

This is a regression was introduced by b1a1e104391c84cb9af7b0a7c8748c8652442ddb

/var/log/ipaupgrade.log

```
2017-05-02T07:11:19Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1869, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1658, in upgrade_configuration
    http.enable_kdcproxy()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 437, in enable_kdcproxy
    'KDC', self.fqdn, [u'kdcProxyEnabled'], self.suffix)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 214, in set_service_entry_config
    api.Backend.ldap2.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1504, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 966, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')
```
Comment 3 Martin Bašti 2017-05-05 16:56:44 UTC 
master:
https://pagure.io/freeipa/c/999706fcdfa7fd4206a2399aa578fb00753d9978
https://pagure.io/freeipa/c/4b8ab77dd4800bd9c6b822502462ee649c88c663
https://pagure.io/freeipa/c/ebefb281775d5bd5f32459ac597af78781d7dbf5

Not moving to POST, waiting for 4.5 patches
Comment 4 Martin Babinsky 2017-05-09 08:34:17 UTC 
ipa-4-5:

* cdefa3030fba0f9a79f65f91aec84a44795c17f5 python2-ipalib: add missing python dependency
* 1662b0ef2fff6ee002afd99f86b9075a603b6027 installer service: fix typo in service entry
* d10d5066aa60288703f2cf4b1a8dd7ed0aab8842 upgrade: add missing suffix to http instance

Moving to POST.
Comment 6 Nikhil Dehadrai 2017-05-17 15:10:32 UTC 
IPA-server-version: ipa-server-4.5.0-12.el7.x86_64

Tested the bug for IPA upgrade from Rhel 7.1.z to Rhel 7.4 ( ipa 4.5.0.12) and it failed as per the observations listed in BZ#1451804
Comment 7 Nikhil Dehadrai 2017-05-22 10:30:47 UTC 
IPA server version: ipa-server-4.5.0-13.el7.x86_64

Tested the bug with following observations:

1) Verified that upgrade of IPA server to latest version is successful.
2) No errors/ failures are observed during upgrade process.
3) All the basic commands work successfully after upgrade.
4) Verified the same for other upgrade paths:
  - RHEL 7.1.z > Rhel 7.4
  - RHEL 7.2.z > Rhel 7.4
  - RHEL 7.3 > Rhel 7.4
  - RHEL 7.3.z > Rhel 7.4
5) For log through UI after upgrade we are unable to login for which a separate bug is logged BZ#1451733

Thus on the basis of above observations, marking status of bug to "VERIFIED"
Comment 9 errata-xmlrpc 2017-08-01 09:50:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.