Bug 1723473 - ipa upgrade fails with trust entry already exists
Summary: ipa upgrade fails with trust entry already exists
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-06-24 15:09 UTC by Scott Poore
Modified: 2020-04-23 09:25 UTC

Fixed In Version: ipa-4.6.5-11.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:09:47 UTC
Target Upstream Version:


Attachments
ipa-ldap-updater output (19.02 KB, text/plain)
2019-06-24 15:28 UTC, Scott Poore
full ipaupgrade.log with multiple attempts (806.42 KB, application/gzip)
2019-06-24 15:29 UTC, Scott Poore
dirsrv logs (131.10 KB, application/gzip)
2019-06-24 15:34 UTC, Scott Poore


Links
Red Hat Product Errata RHBA-2019:2241 (last updated 2019-08-06 13:09:54 UTC)

Description Scott Poore 2019-06-24 15:09:44 UTC
Description of problem:

Attempting to upgrade IPA resulted in ipa not being started afterwards.  When I tried to manually start it, I see this:

[root@rhel7-1 ~]# ipactl start
IPA version error: data needs to be upgraded (expected version '4.6.5-9.el7', current version '4.6.5-6.el7')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Upgrade failed with This entry already exists
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Aborting ipactl

Reviewing the log, I see this:

2019-06-24T14:52:51Z DEBUG Adding Kerberos principal entry for EXAMPLE$@AD.TEST
2019-06-24T14:52:51Z DEBUG Destroyed connection context.ldap2_140436545772368
2019-06-24T14:52:51Z ERROR Upgrade failed with This entry already exists
2019-06-24T14:52:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 274, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 967, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 929, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 904, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1475, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py", line 693, in execute
    self.KRB_PRINC_CREATE_DISABLED)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py", line 559, in set_krb_principal
    action(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1580, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1038, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2019-06-24T14:52:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 282, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2019-06-24T14:52:51Z DEBUG   [error] RuntimeError: This entry already exists


Version-Release number of selected component (if applicable):
ipa-server-4.6.5-9.el7.x86_64

How reproducible:
Unknown

Steps to Reproduce:
1.  Install IPA version 4.6.5-6.el7 on rhel7.7 (from beta I think?)
2.  Setup Trust with AD
3.  Upgrade

Actual results:

ipa not running and errors shown above.


Expected results:

ipa running after upgrade with no errors.

Additional info:
Will attach logs and ldapsearch

Comment 2 Scott Poore 2019-06-24 15:28:19 UTC
Created attachment 1584066 [details]
ipa-ldap-updater output

[root@rhel7-1 ~]# ipa-ldap-updater ./90-upgrade-trust.update --log-file=/var/log/ipa-trust-update.log
Unexpected error - see /var/log/ipaupgrade.log for details:
DuplicateEntry: This entry already exists
The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information

Comment 3 Scott Poore 2019-06-24 15:29:24 UTC
Created attachment 1584067 [details]
full ipaupgrade.log with multiple attempts

Comment 4 Scott Poore 2019-06-24 15:32:56 UTC
[root@rhel7-1 ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w Secret123 -b cn=trusts,dc=example,dc=com
dn: cn=trusts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: trusts

dn: cn=ad,cn=trusts,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: cn
cn: ad

dn: cn=ad.test,cn=ad,cn=trusts,dc=example,dc=com
objectClass: ipaNTTrustedDomain
objectClass: ipaIDobject
objectClass: posixAccount
objectClass: top
objectClass: ipantuserattrs
gidNumber: 17400001
homeDirectory: /dev/null
ipaNTFlatName: AD
uid: AD$
ipaNTTrustPartner: ad.test
ipaNTTrustedDomainSID: S-1-5-21-2178499580-3696211733-3412024300
ipaNTTrustType: 2
ipaNTTrustDirection: 1
ipaNTTrustPosixOffset: 0
ipaNTSupportedEncryptionTypes: 28
ipaNTSIDBlacklistIncoming: S-1-0
ipaNTSIDBlacklistIncoming: S-1-1
ipaNTSIDBlacklistIncoming: S-1-2
ipaNTSIDBlacklistIncoming: S-1-3
ipaNTSIDBlacklistIncoming: S-1-5-1
ipaNTSIDBlacklistIncoming: S-1-5-2
ipaNTSIDBlacklistIncoming: S-1-5-3
ipaNTSIDBlacklistIncoming: S-1-5-4
ipaNTSIDBlacklistIncoming: S-1-5-5
ipaNTSIDBlacklistIncoming: S-1-5-6
ipaNTSIDBlacklistIncoming: S-1-5-7
ipaNTSIDBlacklistIncoming: S-1-5-8
ipaNTSIDBlacklistIncoming: S-1-5-9
ipaNTSIDBlacklistIncoming: S-1-5-10
ipaNTSIDBlacklistIncoming: S-1-5-11
ipaNTSIDBlacklistIncoming: S-1-5-12
ipaNTSIDBlacklistIncoming: S-1-5-13
ipaNTSIDBlacklistIncoming: S-1-5-14
ipaNTSIDBlacklistIncoming: S-1-5-15
ipaNTSIDBlacklistIncoming: S-1-5-16
ipaNTSIDBlacklistIncoming: S-1-5-17
ipaNTSIDBlacklistIncoming: S-1-5-18
ipaNTSIDBlacklistIncoming: S-1-5-19
ipaNTSIDBlacklistIncoming: S-1-5-20
ipaNTSIDBlacklistOutgoing: S-1-0
ipaNTSIDBlacklistOutgoing: S-1-1
ipaNTSIDBlacklistOutgoing: S-1-2
ipaNTSIDBlacklistOutgoing: S-1-3
ipaNTSIDBlacklistOutgoing: S-1-5-1
ipaNTSIDBlacklistOutgoing: S-1-5-2
ipaNTSIDBlacklistOutgoing: S-1-5-3
ipaNTSIDBlacklistOutgoing: S-1-5-4
ipaNTSIDBlacklistOutgoing: S-1-5-5
ipaNTSIDBlacklistOutgoing: S-1-5-6
ipaNTSIDBlacklistOutgoing: S-1-5-7
ipaNTSIDBlacklistOutgoing: S-1-5-8
ipaNTSIDBlacklistOutgoing: S-1-5-9
ipaNTSIDBlacklistOutgoing: S-1-5-10
ipaNTSIDBlacklistOutgoing: S-1-5-11
ipaNTSIDBlacklistOutgoing: S-1-5-12
ipaNTSIDBlacklistOutgoing: S-1-5-13
ipaNTSIDBlacklistOutgoing: S-1-5-14
ipaNTSIDBlacklistOutgoing: S-1-5-15
ipaNTSIDBlacklistOutgoing: S-1-5-16
ipaNTSIDBlacklistOutgoing: S-1-5-17
ipaNTSIDBlacklistOutgoing: S-1-5-18
ipaNTSIDBlacklistOutgoing: S-1-5-19
ipaNTSIDBlacklistOutgoing: S-1-5-20
cn: ad.test
uidNumber: 17400003
ipaNTSecurityIdentifier: S-1-5-21-3056789376-227772379-1370156814-1003
ipaNTTrustAttributes: 8

dn: krbPrincipalName=krbtgt/EXAMPLE.COM@AD.TEST,cn=ad.test,cn=ad,cn=trusts,dc=
 example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: top
krbCanonicalName: krbtgt/EXAMPLE.COM@AD.TEST
krbPrincipalName: krbtgt/EXAMPLE.COM@AD.TEST
krbLastPwdChange: 20190513224714Z
krbExtraData:: AALy89lca3JidGd0L0VYQU1QTEUuQ09NQEFELlRFU1QA

dn: krbPrincipalName=krbtgt/EXAMPLE@AD.TEST,cn=ad.test,cn=ad,cn=trusts,dc=exam
 ple,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: ipaAllowedOperations
objectClass: top
krbCanonicalName: krbtgt/EXAMPLE@AD.TEST
krbPrincipalName: krbtgt/EXAMPLE@AD.TEST
krbPrincipalName: EXAMPLE$@AD.TEST
krbTicketFlags: 64
ipaAllowedToPerform;read_keys: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=exam
 ple,dc=com
ipaAllowedToPerform;read_keys: cn=trust admins,cn=groups,cn=accounts,dc=exampl
 e,dc=com
krbLastPwdChange: 20190513224714Z
krbExtraData:: AALy89lca3JidGd0L0VYQU1QTEVAQUQuVEVTVAA=
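
The ldapsearch output above shows the principal the upgrade log says it was adding, EXAMPLE$@AD.TEST, already present as an alias krbPrincipalName on the krbtgt/EXAMPLE@AD.TEST entry. The following added example (not FreeIPA's code, and not the upstream fix) parses those two krbtgt entries and contrasts a blind add with a search-before-add step; parse_ldif, find_principal, ensure_principal and the dict-backed directory are constructed for illustration.

```python
# Added example, not FreeIPA code: a dict stands in for the 389-ds directory.
# LDIF below is a trimmed copy of the two krbtgt entries in comment 4 (keys dropped).
LDIF = """\
dn: krbPrincipalName=krbtgt/EXAMPLE.COM@AD.TEST,cn=ad.test,cn=ad,cn=trusts,dc=
 example,dc=com
krbPrincipalName: krbtgt/EXAMPLE.COM@AD.TEST

dn: krbPrincipalName=krbtgt/EXAMPLE@AD.TEST,cn=ad.test,cn=ad,cn=trusts,dc=exam
 ple,dc=com
krbCanonicalName: krbtgt/EXAMPLE@AD.TEST
krbPrincipalName: krbtgt/EXAMPLE@AD.TEST
krbPrincipalName: EXAMPLE$@AD.TEST
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}, unfolding ' '-continued lines first."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded value (why the DNs above wrap)
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:
        if not line:                       # blank line terminates an entry
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    return entries


def find_principal(entries, principal):
    """DN of the entry already carrying `principal` as canonical name or alias."""
    for dn, attrs in entries.items():
        if principal in attrs.get("krbPrincipalName", []):
            return dn


def ensure_principal(entries, principal, dn):
    """Re-runnable add: a blind add_s() of an existing entry is the DuplicateEntry above."""
    existing = find_principal(entries, principal)
    if existing is not None:
        return "exists", existing
    entries[dn] = {"dn": [dn], "krbPrincipalName": [principal]}
    return "added", dn
```

Run against the real directory, the same search-first check would also surface a principal that exists only as an alias of a differently named entry, which is exactly the case a DN-based existence check misses.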

Comment 5 Scott Poore 2019-06-24 15:34:33 UTC
Created attachment 1584068 [details]
dirsrv logs

Comment 8 Alexander Bokovoy 2019-06-25 09:06:58 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7992

Comment 9 Alexander Bokovoy 2019-06-25 13:04:22 UTC
Upstream pull request: https://github.com/freeipa/freeipa/pull/3312

Comment 18 Nikhil Dehadrai 2019-06-27 07:45:14 UTC
IPA: ipa-server-4.6.5-10.el7.x86_64

Tested the bug with the following observations:

1. Upgrade from RHEL77Beta to RHEL77RC with Trust setup is successful.
2. Upgrade from RHEL76z to RHEL77RC with Trust setup FAILS.


Thus changing status to "ASSIGNED"

Comment 22 Alexander Bokovoy 2019-06-27 13:45:59 UTC
Second part of the fix: https://github.com/freeipa/freeipa/pull/3326
Second part is already tested and ACKed by Flo.

Comment 26 Nikhil Dehadrai 2019-06-29 05:05:33 UTC
ipa-4.6.5-11.el7

Tested the bug with the following observations:

1. RHEL76z > RHEL77RC :: When IPA-server setup with TRUST is upgraded from RHEL 76z > RHEL 77 RC, the upgrade is successful
2. RHEL76z > RHEL77RC :: When IPA-server setup without TRUST is upgraded from RHEL 76z > RHEL 77 RC, the upgrade is successful
3. RHEL77Beta > RHEL77RC ::  When IPA-server setup with TRUST is upgraded from RHEL 77Beta > RHEL 77 RC, the upgrade is successful
4. RHEL77Beta > RHEL77RC ::  When IPA-server setup without TRUST is upgraded from RHEL 77Beta > RHEL 77 RC, the upgrade is successful

Thus, on the basis of the above observations, marking the status of the bug as 'VERIFIED'.

Comment 29 errata-xmlrpc 2019-08-06 13:09:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

