Hide Forgot
Description of problem: We have seen cases where ipa-replica-install is failing with this error: """ [31/40]: enabling S4U2Proxy delegation ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmpVKeXNx -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket -Y EXTERNAL' returned non-zero exit status 20 [error] CalledProcessError: Command '/usr/bin/ldapmodify -v -f /tmp/tmpVKeXNx -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket -Y EXTERNAL' returned non-zero exit status 20 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. """ The error occurs in __setup_s4u2proxy() when replica-s4u2proxy.ldif is applied. In the DS log we can see that one of the two entries already exists which then results in a failure: [19/Sep/2017:08:24:09.269050086 -0400] conn=11 fd=68 slot=68 connection from local to /var/run/slapd-EXAMPLE-COM.socket [19/Sep/2017:08:24:09.269396910 -0400] conn=11 AUTOBIND dn="cn=Directory Manager" [19/Sep/2017:08:24:09.269402696 -0400] conn=11 op=0 BIND dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL [19/Sep/2017:08:24:09.269427850 -0400] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=Directory Manager" [19/Sep/2017:08:24:09.269593705 -0400] conn=11 op=1 MOD dn="cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com" [19/Sep/2017:08:24:09.270433469 -0400] conn=11 op=1 RESULT err=20 tag=103 nentries=0 etime=0 csn=39e7b123001d00fd0000 [19/Sep/2017:08:24:09.281553093 -0400] conn=11 op=2 UNBIND The DS installer should not apply the ldif in case those entries are already stored in the LDAP tree. Version-Release number of selected component (if applicable): ipa-server-4.5.0-21.el7_4.1.2.x86_64 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Upstream ticket: https://pagure.io/freeipa/issue/7174
Fixed upstream master: https://pagure.io/freeipa/c/23a0453c4d33271376b2156f2e2b484e8b9708c9
Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/b3dfc13f36de365b78bfbf6ac0fda2549d134739 ipa-4-5: https://pagure.io/freeipa/c/55b7f588d0eced7e4b7840d808138eb798347d77
verified. version: ipa-server-4.5.4-4.el7.x86_64 Steps: 1. Added the entry for replica in directory server on master. [root@master ~]# cat a.ldif dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=testrelm,dc=test changetype: modify add: memberPrincipal memberPrincipal: HTTP/replica.testrelm.test@TESTRELM.TEST dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=testrelm,dc=test changetype: modify add: memberPrincipal memberPrincipal: ldap/replica.testrelm.test@TESTRELM.TEST [root@master ~]# ldapmodify -h master.testrelm.test -p 389 -D "cn=directory manager" -w Secret123 -f a.ldif modifying entry "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=testrelm,dc=test" modifying entry "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=testrelm,dc=test" [root@master ~]# 2. Install replica Expected result: replica should install Actual result: Replica installed successfully.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918