Bug 1447284 - Upgrade from ipa-4.1 fails when enabling KDC proxy
Summary: Upgrade from ipa-4.1 fails when enabling KDC proxy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Nikhil Dehadrai
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-02 10:07 UTC by Tomas Krizek
Modified: 2017-08-01 09:50 UTC (History)
9 users (show)

Fixed In Version: ipa-4.5.0-12.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:50:15 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Tomas Krizek 2017-05-02 10:07:59 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/6920

During an upgrade from IPA 4.1, when upgrade script attempts to enable KDC proxy by creating an LDAP entry in `cn=KDC,cn=vm,cn=master,cn=ipa,cn=etc,dc=example,dc=com` it fails, because the parent entry does not exist.

This is a regression was introduced by b1a1e104391c84cb9af7b0a7c8748c8652442ddb

/var/log/ipaupgrade.log

```
2017-05-02T07:11:19Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1869, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1658, in upgrade_configuration
    http.enable_kdcproxy()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 437, in enable_kdcproxy
    'KDC', self.fqdn, [u'kdcProxyEnabled'], self.suffix)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 214, in set_service_entry_config
    api.Backend.ldap2.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1504, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 966, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')
```

Comment 4 Martin Babinsky 2017-05-09 08:34:17 UTC
ipa-4-5:

* cdefa3030fba0f9a79f65f91aec84a44795c17f5 python2-ipalib: add missing python dependency
* 1662b0ef2fff6ee002afd99f86b9075a603b6027 installer service: fix typo in service entry
* d10d5066aa60288703f2cf4b1a8dd7ed0aab8842 upgrade: add missing suffix to http instance

Moving to POST.

Comment 6 Nikhil Dehadrai 2017-05-17 15:10:32 UTC
IPA-server-version: ipa-server-4.5.0-12.el7.x86_64

Tested the bug for IPA upgrade from Rhel 7.1.z to Rhel 7.4 ( ipa 4.5.0.12) and it failed as per the observations listed in BZ#1451804

Comment 7 Nikhil Dehadrai 2017-05-22 10:30:47 UTC
IPA server version: ipa-server-4.5.0-13.el7.x86_64

Tested the bug with following observations:

1) Verified that upgrade of IPA server to latest version is successful.
2) No errors/ failures are observed during upgrade process.
3) All the basic commands work successfully after upgrade.
4) Verified the same for other upgrade paths:
  - RHEL 7.1.z > Rhel 7.4
  - RHEL 7.2.z > Rhel 7.4
  - RHEL 7.3 > Rhel 7.4
  - RHEL 7.3.z > Rhel 7.4
5) For log through UI after upgrade we are unable to login for which a separate bug is logged BZ#1451733

Thus on the basis of above observations, marking status of bug to "VERIFIED"

Comment 9 errata-xmlrpc 2017-08-01 09:50:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.