Description of problem:
Upgrading to F28 with freeipa-server-4.6.90.pre1-6.1.fc28.x86_64 has broken my FreeIPA installation, which was done without DNS, no NTP and using an external CA.

Version-Release number of selected component (if applicable):
freeipa-server-4.6.90.pre1-6.1.fc28.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Upgrade to F28.
2. Reboot.

Actual results:
Hosed FreeIPA server. krb5kdc refuses to start. From /var/log/ipaupgrade.log:

2018-05-01T21:58:55Z INFO DNS is not configured
2018-05-01T21:58:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-05-01T21:58:55Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2018-05-01T21:58:55Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1985, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1814, in upgrade_configuration
    named_add_crypto_policy(),
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 916, in named_add_crypto_policy
    if bindinstance.named_conf_include_exists(policy_file):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 220, in named_conf_include_exists
    with open(paths.NAMED_CONF, 'r') as f:
2018-05-01T21:58:55Z DEBUG The ipa-server-upgrade command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/etc/named.conf'
2018-05-01T21:58:55Z ERROR [Errno 2] No such file or directory: '/etc/named.conf'
2018-05-01T21:58:55Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Expected results:
FreeIPA not broken.
OK, found the bug. Look in /usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py at the named_add_crypto_policy() function. All its neighbour functions use bindinstance.named_conf_exists() and bind.is_configured() to first check bind is configured. I modified named_add_crypto_policy() to read:

    def named_add_crypto_policy():
        """Add crypto policy include
        """
        if not bindinstance.named_conf_exists() or not bind.is_configured():
            # DNS service may not be configured
            logger.info('DNS is not configured')
            return False
        # (... rest of the function as before ...)

and the upgrade worked. FreeIPA now working as before.
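An added illustration, not FreeIPA code and not written by any commenter on this report: a small regression harness that runs an upgrade step in a scratch root with and without named.conf, so a step that assumes DNS is installed shows up before it can abort a real upgrade. All function names, the scratch-root layout and the include line are hypothetical stand-ins for the code paths named in the traceback.

```python
import os
import tempfile

# Constructed sample include line (assumption; the real policy path is not in the report).
POLICY_INCLUDE = 'include "/sample/crypto-policy/bind.config";'

def named_conf_exists(root):
    """Stand-in for the 'is DNS configured' check used by the neighbouring steps."""
    return os.path.isfile(os.path.join(root, "etc", "named.conf"))

def include_exists(root):
    """Mirrors the failing frame: opens named.conf unconditionally."""
    with open(os.path.join(root, "etc", "named.conf")) as f:
        return any(line.strip() == POLICY_INCLUDE for line in f)

def add_policy_unguarded(root):
    """Pre-fix shape: assumes named.conf is present."""
    if include_exists(root):
        return False
    with open(os.path.join(root, "etc", "named.conf"), "a") as f:
        f.write(POLICY_INCLUDE + "\n")
    return True

def add_policy_guarded(root):
    """Shape of the workaround: skip the step when DNS is not configured."""
    if not named_conf_exists(root):
        return False
    return add_policy_unguarded(root)

def run_steps(steps, with_dns):
    """Run each step in its own scratch root; map step name to result or exception name."""
    outcome = {}
    for step in steps:
        with tempfile.TemporaryDirectory() as root:
            os.makedirs(os.path.join(root, "etc"))
            if with_dns:
                with open(os.path.join(root, "etc", "named.conf"), "w") as f:
                    f.write("options { };\n")
            try:
                outcome[step.__name__] = step(root)
            except OSError as exc:
                outcome[step.__name__] = type(exc).__name__
    return outcome

if __name__ == "__main__":
    steps = [add_policy_unguarded, add_policy_guarded]
    print("no DNS:  ", run_steps(steps, with_dns=False))
    print("with DNS:", run_steps(steps, with_dns=True))
```

Running every step against the DNS-less root is the case that matters here: any entry that comes back as an exception name instead of a boolean is a step that would stop the whole upgrade on a server installed without DNS.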
Yes, this is fixed upstream with https://pagure.io/freeipa/issue/4853. We are planning to do another upstream freeipa release once blocker bugs in NSS and Dogtag are fixed. Meanwhile, I'll add the patch from https://pagure.io/freeipa/issue/4853 to the F28 build, as I need to bump the slapi-nis dependency anyway.
slapi-nis-0.56.2-6.fc28 freeipa-4.6.90.pre1-7.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a22497315b
freeipa-4.6.90.pre1-7.fc28, slapi-nis-0.56.2-6.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a22497315b
freeipa-4.6.90.pre1-7.fc28, slapi-nis-0.56.2-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.