Created attachment 1566849
ipa-server-upgrade -v log

Description of problem:
After dnf upgrade of freeipa server to 4.7.90.pre1-3, I'm unable to restart freeipa using ipactl due to data upgrade failing.

Version-Release number of selected component (if applicable):
freeipa-common-4.7.90.pre1-3

How reproducible:
Every time freeipa server is attempted to be started after rpm upgrade.

Steps to Reproduce:
1. Upgrade freeipa from 4.7.2-8-fc30 to 4.7.90.pre1-3.fc30.
2. Restart freeipa server using ipactl.
or
2. Attempt manual data migration using ipa-server-upgrade.

Actual results:
Data migration fails with "RuntimeError: no matching entry found"
Reviewed attached ipa-server-upgrade -v log.

Expected results:
Data migration process would successfully execute, data would be migrated and freeipa server suite would start.

Additional info:
Code came from 18cb30d4638c0fecf5f02735f2b4794be5d97b67 This should let you get past the error (untested): diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins /adtrust.py index 6b4e2ca..3415f08 100644 --- a/ipaserver/install/plugins/adtrust.py +++ b/ipaserver/install/plugins/adtrust.py @@ -609,11 +609,14 @@ class update_tdo_to_new_layout(Updater): trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn - trusts = ldap.get_entries( - base_dn=trusts_dn, - scope=ldap.SCOPE_ONELEVEL, - filter=self.trust_filter, - attrs_list=self.trust_attrs) + try: + trusts = ldap.get_entries( + base_dn=trusts_dn, + scope=ldap.SCOPE_ONELEVEL, + filter=self.trust_filter, + attrs_list=self.trust_attrs) + except errors.EmptyResult: + trusts = [] # For every trust, retrieve its principals and convert for t_entry in trusts: Or you can skip the upgrade check with: ipactl --skip-version-check start
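Review bot: in the added `except errors.EmptyResult:` branch of update_tdo_to_new_layout, the empty result is swallowed silently, and the handler depends on `errors` already being in scope in ipaserver/install/plugins/adtrust.py, which this hunk does not show. Confirm the import exists (otherwise the no-trusts path fails with a NameError instead of the original error), and consider logging a debug message before `trusts = []` so the upgrade log records that no trust entries were found under trusts_dn and the conversion loop was skipped. Keeping the try limited to the get_entries call, as done here, is right, since other LDAP errors still propagate.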
Appreciate the patch, I don't have time to duplicate the environment tonight to test this before running it on the "prod" instance. Won't have time until next week. If no one else has tested before I am able to, will do so. Otherwise, will wait for patched release version. For now, I've downgraded back to 4.7.2-8-fc30 and have everything back up and running.
Rob, I think your proposal is correct. It covers a case when FreeIPA is configured to serve trust but there are no established trusts to AD. I'll add this patch to Fedora release.
freeipa-4.7.90.pre1-4.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70a413c82d
Installed pre1-4, made it past the ad-trust issue, encountered an unexpected error. Will open a new bugzilla ticket for that.
Fixed upstream master: https://pagure.io/freeipa/c/98b4c710d90f289322ebda457fdb84c2dd34aace
freeipa-4.7.90.pre1-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70a413c82d
Fixed upstream ipa-4-7: https://pagure.io/freeipa/c/81756c78b7760003d12d7c5e252446972f101258
Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/aa8b1b963d697b40178e2c762fbefb9762e84e14
freeipa-4.7.90.pre1-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.