Bug 1723473
| Field | Value |
|---|---|
| Summary | ipa upgrade fails with trust entry already exists |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.7 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Scott Poore <spoore> |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | ipa-qe <ipa-qe> |
| CC | abokovoy, abroy, cheimes, frenaud, lmiksik, ndehadra, pvoborni, rcritten, tscherf |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.6.5-11.el7 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2019-08-06 13:09:47 UTC |
| Type | Bug |
Created attachment 1584066 [details]
ipa-ldap-updater output
```
[root@rhel7-1 ~]# ipa-ldap-updater ./90-upgrade-trust.update --log-file=/var/log/ipa-trust-update.log
Unexpected error - see /var/log/ipaupgrade.log for details:
DuplicateEntry: This entry already exists
The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information
```
Created attachment 1584067 [details]
full ipaupgrade.log with multiple attempts
```
[root@rhel7-1 ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w Secret123 -b cn=trusts,dc=example,dc=com
dn: cn=trusts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: trusts

dn: cn=ad,cn=trusts,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: cn
cn: ad

dn: cn=ad.test,cn=ad,cn=trusts,dc=example,dc=com
objectClass: ipaNTTrustedDomain
objectClass: ipaIDobject
objectClass: posixAccount
objectClass: top
objectClass: ipantuserattrs
gidNumber: 17400001
homeDirectory: /dev/null
ipaNTFlatName: AD
uid: AD$
ipaNTTrustPartner: ad.test
ipaNTTrustedDomainSID: S-1-5-21-2178499580-3696211733-3412024300
ipaNTTrustType: 2
ipaNTTrustDirection: 1
ipaNTTrustPosixOffset: 0
ipaNTSupportedEncryptionTypes: 28
ipaNTTrustAuthOutgoing:: [base64 value removed]
ipaNTTrustAuthIncoming:: [base64 value removed]
ipaNTSIDBlacklistIncoming: S-1-0
ipaNTSIDBlacklistIncoming: S-1-1
ipaNTSIDBlacklistIncoming: S-1-2
ipaNTSIDBlacklistIncoming: S-1-3
ipaNTSIDBlacklistIncoming: S-1-5-1
ipaNTSIDBlacklistIncoming: S-1-5-2
ipaNTSIDBlacklistIncoming: S-1-5-3
ipaNTSIDBlacklistIncoming: S-1-5-4
ipaNTSIDBlacklistIncoming: S-1-5-5
ipaNTSIDBlacklistIncoming: S-1-5-6
ipaNTSIDBlacklistIncoming: S-1-5-7
ipaNTSIDBlacklistIncoming: S-1-5-8
ipaNTSIDBlacklistIncoming: S-1-5-9
ipaNTSIDBlacklistIncoming: S-1-5-10
ipaNTSIDBlacklistIncoming: S-1-5-11
ipaNTSIDBlacklistIncoming: S-1-5-12
ipaNTSIDBlacklistIncoming: S-1-5-13
ipaNTSIDBlacklistIncoming: S-1-5-14
ipaNTSIDBlacklistIncoming: S-1-5-15
ipaNTSIDBlacklistIncoming: S-1-5-16
ipaNTSIDBlacklistIncoming: S-1-5-17
ipaNTSIDBlacklistIncoming: S-1-5-18
ipaNTSIDBlacklistIncoming: S-1-5-19
ipaNTSIDBlacklistIncoming: S-1-5-20
ipaNTSIDBlacklistOutgoing: S-1-0
ipaNTSIDBlacklistOutgoing: S-1-1
ipaNTSIDBlacklistOutgoing: S-1-2
ipaNTSIDBlacklistOutgoing: S-1-3
ipaNTSIDBlacklistOutgoing: S-1-5-1
ipaNTSIDBlacklistOutgoing: S-1-5-2
ipaNTSIDBlacklistOutgoing: S-1-5-3
ipaNTSIDBlacklistOutgoing: S-1-5-4
ipaNTSIDBlacklistOutgoing: S-1-5-5
ipaNTSIDBlacklistOutgoing: S-1-5-6
ipaNTSIDBlacklistOutgoing: S-1-5-7
ipaNTSIDBlacklistOutgoing: S-1-5-8
ipaNTSIDBlacklistOutgoing: S-1-5-9
ipaNTSIDBlacklistOutgoing: S-1-5-10
ipaNTSIDBlacklistOutgoing: S-1-5-11
ipaNTSIDBlacklistOutgoing: S-1-5-12
ipaNTSIDBlacklistOutgoing: S-1-5-13
ipaNTSIDBlacklistOutgoing: S-1-5-14
ipaNTSIDBlacklistOutgoing: S-1-5-15
ipaNTSIDBlacklistOutgoing: S-1-5-16
ipaNTSIDBlacklistOutgoing: S-1-5-17
ipaNTSIDBlacklistOutgoing: S-1-5-18
ipaNTSIDBlacklistOutgoing: S-1-5-19
ipaNTSIDBlacklistOutgoing: S-1-5-20
cn: ad.test
uidNumber: 17400003
ipaNTSecurityIdentifier: S-1-5-21-3056789376-227772379-1370156814-1003
ipaNTTrustAttributes: 8

dn: krbPrincipalName=krbtgt/EXAMPLE.COM,cn=ad.test,cn=ad,cn=trusts,dc=
 example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: top
krbCanonicalName: krbtgt/EXAMPLE.COM
krbPrincipalName: krbtgt/EXAMPLE.COM
krbPrincipalKey:: [base64 value removed]
krbLastPwdChange: 20190513224714Z
krbExtraData:: AALy89lca3JidGd0L0VYQU1QTEUuQ09NQEFELlRFU1QA

dn: krbPrincipalName=krbtgt/EXAMPLE,cn=ad.test,cn=ad,cn=trusts,dc=exam
 ple,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: ipaAllowedOperations
objectClass: top
krbCanonicalName: krbtgt/EXAMPLE
krbPrincipalName: krbtgt/EXAMPLE
krbPrincipalName: EXAMPLE$@AD.TEST
krbTicketFlags: 64
ipaAllowedToPerform;read_keys: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=exam
 ple,dc=com
ipaAllowedToPerform;read_keys: cn=trust admins,cn=groups,cn=accounts,dc=exampl
 e,dc=com
krbPrincipalKey:: [base64 value removed]
krbLastPwdChange: 20190513224714Z
krbExtraData:: AALy89lca3JidGd0L0VYQU1QTEVAQUQuVEVTVAA=
```

Created attachment 1584068 [details]
dirsrv logs
Upstream ticket:
https://pagure.io/freeipa/issue/7992

Upstream pull request:
https://github.com/freeipa/freeipa/pull/3312

IPA: ipa-server-4.6.5-10.el7.x86_64

Tested the bug with the following observations:

1. Upgrade from RHEL77Beta to RHEL77RC with Trust setup is successful.
2. Upgrade from RHEL76z to RHEL77RC with Trust setup FAILS.

Thus changing status to "ASSIGNED"

Second part of the fix:
https://github.com/freeipa/freeipa/pull/3326

Second part is already tested and ACKed by Flo.

Fixed upstream

master:
https://pagure.io/freeipa/c/7af4c7d4720227b5bff037a128061bf616e27096

ipa-4-6:
https://pagure.io/freeipa/c/cb74ea9c2164d23cede0961d62b2f0bf37e6e055

ipa-4-7:
https://pagure.io/freeipa/c/d6f8e0677db3fe70d74d98c4960ed1726e51b797

ipa-4.6.5-11.el7

Tested the bug with the following observations:

1. RHEL76z > RHEL77RC :: When IPA-server setup with TRUST is upgraded from RHEL 76z > RHEL 77 RC, the upgrade is successful
2. RHEL76z > RHEL77RC :: When IPA-server setup without TRUST is upgraded from RHEL 76z > RHEL 77 RC, the upgrade is successful
3. RHEL77Beta > RHEL77RC :: When IPA-server setup with TRUST is upgraded from RHEL 77Beta > RHEL 77 RC, the upgrade is successful
4. RHEL77Beta > RHEL77RC :: When IPA-server setup without TRUST is upgraded from RHEL 77Beta > RHEL 77 RC, the upgrade is successful

Thus on the basis of the above observations, marking the status of the bug as 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:2241
Description of problem:

Attempting to upgrade IPA resulted in ipa not started afterwards. When I tried to manually start it, I see this:

```
[root@rhel7-1 ~]# ipactl start
IPA version error: data needs to be upgraded (expected version '4.6.5-9.el7', current version '4.6.5-6.el7')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Upgrade failed with This entry already exists
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Aborting ipactl
```

Reviewing log, I see this:

```
2019-06-24T14:52:51Z DEBUG Adding Kerberos principal entry for EXAMPLE$@AD.TEST
2019-06-24T14:52:51Z DEBUG Destroyed connection context.ldap2_140436545772368
2019-06-24T14:52:51Z ERROR Upgrade failed with This entry already exists
2019-06-24T14:52:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 274, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 967, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 929, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 904, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1475, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py", line 693, in execute
    self.KRB_PRINC_CREATE_DISABLED)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py", line 559, in set_krb_principal
    action(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1580, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1038, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2019-06-24T14:52:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 282, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2019-06-24T14:52:51Z DEBUG [error] RuntimeError: This entry already exists
```

Version-Release number of selected component (if applicable):
ipa-server-4.6.5-9.el7.x86_64

How reproducible:
Unknown

Steps to Reproduce:
1. Install IPA version 4.6.5-6.el7 on rhel7.7 (from beta I think?)
2. Setup Trust with AD
3. Upgrade

Actual results:
ipa not running and errors shown above.

Expected results:
ipa running after upgrade with no errors.

Additional info:
Will attach logs and ldapsearch
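
A triage aid for the failure reported here, as an added example (not FreeIPA code and not part of the original report): it takes the principal from the last "Adding Kerberos principal entry" line before the upgrade error and lists the entries in an LDIF dump of cn=trusts that already carry that name. The sample log and LDIF are constructed from the shapes shown in this report, and matching on krbPrincipalName/krbCanonicalName is an assumption about where to look, not the upgrade plugin's own logic.

```python
import re

# Constructed sample, shaped like the ipaupgrade.log excerpt in this report.
SAMPLE_LOG = """\
2019-06-24T14:52:51Z DEBUG Adding Kerberos principal entry for EXAMPLE$@AD.TEST
2019-06-24T14:52:51Z DEBUG Destroyed connection context.ldap2_140436545772368
2019-06-24T14:52:51Z ERROR Upgrade failed with This entry already exists
"""

# Constructed sample: trimmed, folded LDIF shaped like the ldapsearch output.
SAMPLE_LDIF = """\
dn: cn=ad.test,cn=ad,cn=trusts,dc=example,dc=com
objectClass: ipaNTTrustedDomain
uid: AD$

dn: krbPrincipalName=krbtgt/EXAMPLE,cn=ad.test,cn=ad,cn=trusts,dc=exam
 ple,dc=com
krbPrincipalName: krbtgt/EXAMPLE
krbPrincipalName: EXAMPLE$@AD.TEST
"""

ADDING = re.compile(r"Adding Kerberos principal entry for (\S+)")
FAILED = re.compile(r"ERROR Upgrade failed with (.+)")

def failing_principal(log_text):
    """Return (principal, error) for the last principal add logged before the failure."""
    last = None
    for line in log_text.splitlines():
        if (m := ADDING.search(line)):
            last = m.group(1)
        elif (m := FAILED.search(line)):
            return last, m.group(1).strip()
    return None, None

def parse_ldif(ldif_text):
    """Yield (dn, [(attr, value), ...]) per entry, joining folded lines first."""
    unfolded = ldif_text.replace("\n ", "")  # LDIF continuation: newline + one space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        pairs = [l.partition(":") for l in block.splitlines()]
        attrs = [(n.lower(), v.strip()) for n, sep, v in pairs
                 if sep and not v.startswith(":")]  # skip base64 (::) values
        dn = next((v for n, v in attrs if n == "dn"), None)
        if dn:
            yield dn, attrs

def entries_holding(principal, ldif_text):
    """DNs whose krbPrincipalName or krbCanonicalName already equals the principal."""
    names = ("krbprincipalname", "krbcanonicalname")
    return [dn for dn, attrs in parse_ldif(ldif_text)
            if any(n in names and v == principal for n, v in attrs)]
```

Feed `failing_principal` the real /var/log/ipaupgrade.log text and `entries_holding` the saved ldapsearch output; a non-empty result names the existing entries to inspect before re-running ipa-server-upgrade.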