Bug 1723473 - ipa upgrade fails with trust entry already exists
Summary: ipa upgrade fails with trust entry already exists
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
Reported: 2019-06-24 15:09 UTC by Scott Poore
Modified: 2020-04-23 09:25 UTC (History)

Fixed In Version: ipa-4.6.5-11.el7
Last Closed: 2019-08-06 13:09:47 UTC

Attachments:
- ipa-ldap-updater output (19.02 KB, text/plain), 2019-06-24 15:28 UTC, Scott Poore
- full ipaupgrade.log with multiple attempts (806.42 KB, application/gzip), 2019-06-24 15:29 UTC, Scott Poore
- dirsrv logs (131.10 KB, application/gzip), 2019-06-24 15:34 UTC, Scott Poore


Links:
- Red Hat Product Errata RHBA-2019:2241 (last updated 2019-08-06 13:09:54 UTC)

Description Scott Poore 2019-06-24 15:09:44 UTC
Description of problem:

Attempting to upgrade IPA resulted in ipa not started afterwards.  When I tried to manually start it, I see this:

[root@rhel7-1 ~]# ipactl start
IPA version error: data needs to be upgraded (expected version '4.6.5-9.el7', current version '4.6.5-6.el7')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Upgrade failed with This entry already exists
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Aborting ipactl

Reviewing log, I see this:

2019-06-24T14:52:51Z DEBUG Adding Kerberos principal entry for EXAMPLE$@AD.TEST
2019-06-24T14:52:51Z DEBUG Destroyed connection context.ldap2_140436545772368
2019-06-24T14:52:51Z ERROR Upgrade failed with This entry already exists
2019-06-24T14:52:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 274, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 967, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 929, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 904, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1475, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py", line 693, in execute
    self.KRB_PRINC_CREATE_DISABLED)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/adtrust.py", line 559, in set_krb_principal
    action(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1580, in add_entry
    self.conn.add_s(str(entry.dn), list(attrs.items()))
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1038, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2019-06-24T14:52:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 282, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2019-06-24T14:52:51Z DEBUG   [error] RuntimeError: This entry already exists


Version-Release number of selected component (if applicable):
ipa-server-4.6.5-9.el7.x86_64

How reproducible:
Unknown

Steps to Reproduce:
1.  Install IPA version 4.6.5-6.el7 on rhel7.7 (from beta I think?)
2.  Setup Trust with AD
3.  Upgrade

Actual results:

ipa not running and errors shown above.


Expected results:

ipa running after upgrade with no errors.

Additional info:
Will attach logs and ldapsearch

Comment 2 Scott Poore 2019-06-24 15:28:19 UTC
Created attachment 1584066 [details]
ipa-ldap-updater output

[root@rhel7-1 ~]# ipa-ldap-updater ./90-upgrade-trust.update --log-file=/var/log/ipa-trust-update.log
Unexpected error - see /var/log/ipaupgrade.log for details:
DuplicateEntry: This entry already exists
The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information

Comment 3 Scott Poore 2019-06-24 15:29:24 UTC
Created attachment 1584067 [details]
full ipaupgrade.log with multiple attempts

Comment 4 Scott Poore 2019-06-24 15:32:56 UTC
[root@rhel7-1 ~]# ldapsearch -xLLL -D 'cn=Directory Manager' -w Secret123 -b cn=trusts,dc=example,dc=com
dn: cn=trusts,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: trusts

dn: cn=ad,cn=trusts,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: cn
cn: ad

dn: cn=ad.test,cn=ad,cn=trusts,dc=example,dc=com
objectClass: ipaNTTrustedDomain
objectClass: ipaIDobject
objectClass: posixAccount
objectClass: top
objectClass: ipantuserattrs
gidNumber: 17400001
homeDirectory: /dev/null
ipaNTFlatName: AD
uid: AD$
ipaNTTrustPartner: ad.test
ipaNTTrustedDomainSID: S-1-5-21-2178499580-3696211733-3412024300
ipaNTTrustType: 2
ipaNTTrustDirection: 1
ipaNTTrustPosixOffset: 0
ipaNTSupportedEncryptionTypes: 28
ipaNTSIDBlacklistIncoming: S-1-0
ipaNTSIDBlacklistIncoming: S-1-1
ipaNTSIDBlacklistIncoming: S-1-2
ipaNTSIDBlacklistIncoming: S-1-3
ipaNTSIDBlacklistIncoming: S-1-5-1
ipaNTSIDBlacklistIncoming: S-1-5-2
ipaNTSIDBlacklistIncoming: S-1-5-3
ipaNTSIDBlacklistIncoming: S-1-5-4
ipaNTSIDBlacklistIncoming: S-1-5-5
ipaNTSIDBlacklistIncoming: S-1-5-6
ipaNTSIDBlacklistIncoming: S-1-5-7
ipaNTSIDBlacklistIncoming: S-1-5-8
ipaNTSIDBlacklistIncoming: S-1-5-9
ipaNTSIDBlacklistIncoming: S-1-5-10
ipaNTSIDBlacklistIncoming: S-1-5-11
ipaNTSIDBlacklistIncoming: S-1-5-12
ipaNTSIDBlacklistIncoming: S-1-5-13
ipaNTSIDBlacklistIncoming: S-1-5-14
ipaNTSIDBlacklistIncoming: S-1-5-15
ipaNTSIDBlacklistIncoming: S-1-5-16
ipaNTSIDBlacklistIncoming: S-1-5-17
ipaNTSIDBlacklistIncoming: S-1-5-18
ipaNTSIDBlacklistIncoming: S-1-5-19
ipaNTSIDBlacklistIncoming: S-1-5-20
ipaNTSIDBlacklistOutgoing: S-1-0
ipaNTSIDBlacklistOutgoing: S-1-1
ipaNTSIDBlacklistOutgoing: S-1-2
ipaNTSIDBlacklistOutgoing: S-1-3
ipaNTSIDBlacklistOutgoing: S-1-5-1
ipaNTSIDBlacklistOutgoing: S-1-5-2
ipaNTSIDBlacklistOutgoing: S-1-5-3
ipaNTSIDBlacklistOutgoing: S-1-5-4
ipaNTSIDBlacklistOutgoing: S-1-5-5
ipaNTSIDBlacklistOutgoing: S-1-5-6
ipaNTSIDBlacklistOutgoing: S-1-5-7
ipaNTSIDBlacklistOutgoing: S-1-5-8
ipaNTSIDBlacklistOutgoing: S-1-5-9
ipaNTSIDBlacklistOutgoing: S-1-5-10
ipaNTSIDBlacklistOutgoing: S-1-5-11
ipaNTSIDBlacklistOutgoing: S-1-5-12
ipaNTSIDBlacklistOutgoing: S-1-5-13
ipaNTSIDBlacklistOutgoing: S-1-5-14
ipaNTSIDBlacklistOutgoing: S-1-5-15
ipaNTSIDBlacklistOutgoing: S-1-5-16
ipaNTSIDBlacklistOutgoing: S-1-5-17
ipaNTSIDBlacklistOutgoing: S-1-5-18
ipaNTSIDBlacklistOutgoing: S-1-5-19
ipaNTSIDBlacklistOutgoing: S-1-5-20
cn: ad.test
uidNumber: 17400003
ipaNTSecurityIdentifier: S-1-5-21-3056789376-227772379-1370156814-1003
ipaNTTrustAttributes: 8

dn: krbPrincipalName=krbtgt/EXAMPLE.COM,cn=ad.test,cn=ad,cn=trusts,dc=
 example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: top
krbCanonicalName: krbtgt/EXAMPLE.COM
krbPrincipalName: krbtgt/EXAMPLE.COM
krbLastPwdChange: 20190513224714Z
krbExtraData:: AALy89lca3JidGd0L0VYQU1QTEUuQ09NQEFELlRFU1QA

dn: krbPrincipalName=krbtgt/EXAMPLE,cn=ad.test,cn=ad,cn=trusts,dc=exam
 ple,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: ipaAllowedOperations
objectClass: top
krbCanonicalName: krbtgt/EXAMPLE
krbPrincipalName: krbtgt/EXAMPLE
krbPrincipalName: EXAMPLE$@AD.TEST
krbTicketFlags: 64
ipaAllowedToPerform;read_keys: cn=adtrust agents,cn=sysaccounts,cn=etc,dc=exam
 ple,dc=com
ipaAllowedToPerform;read_keys: cn=trust admins,cn=groups,cn=accounts,dc=exampl
 e,dc=com
krbLastPwdChange: 20190513224714Z
krbExtraData:: AALy89lca3JidGd0L0VYQU1QTEVAQUQuVEVTVAA=
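
The upgrade log in the description fails while "Adding Kerberos principal entry for EXAMPLE$@AD.TEST", and the ldapsearch output in Comment 4 lists that name as a krbPrincipalName value on an existing entry. The following is an added example, not part of the bug report or of FreeIPA's code: it unfolds ldapsearch LDIF output and reports which entries already carry a given principal name. The function names and the trimmed sample input are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the ldapsearch output in Comment 4
# (key material left out), keeping the folded "dn:" continuation lines.
SAMPLE_LDIF = """\
dn: cn=ad.test,cn=ad,cn=trusts,dc=example,dc=com
objectClass: ipaNTTrustedDomain
uid: AD$

dn: krbPrincipalName=krbtgt/EXAMPLE.COM,cn=ad.test,cn=ad,cn=trusts,dc=
 example,dc=com
objectClass: krbPrincipal
krbPrincipalName: krbtgt/EXAMPLE.COM

dn: krbPrincipalName=krbtgt/EXAMPLE,cn=ad.test,cn=ad,cn=trusts,dc=exam
 ple,dc=com
objectClass: krbPrincipal
krbPrincipalName: krbtgt/EXAMPLE
krbPrincipalName: EXAMPLE$@AD.TEST
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attr -> [values]."""
    # LDIF folds long lines: a newline followed by one space continues the line.
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or value.startswith(":"):
                continue  # skip malformed lines and base64 ("::") values
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def find_principal_holders(entries, principal):
    """DNs of entries that already list `principal` as a krbPrincipalName."""
    return [e["dn"][0] for e in entries
            if principal in e.get("krbprincipalname", [])]


if __name__ == "__main__":
    for dn in find_principal_holders(parse_ldif(SAMPLE_LDIF), "EXAMPLE$@AD.TEST"):
        print("principal already present on:", dn)
```
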

Comment 5 Scott Poore 2019-06-24 15:34:33 UTC
Created attachment 1584068 [details]
dirsrv logs

Comment 8 Alexander Bokovoy 2019-06-25 09:06:58 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7992

Comment 9 Alexander Bokovoy 2019-06-25 13:04:22 UTC
Upstream pull request: https://github.com/freeipa/freeipa/pull/3312

Comment 18 Nikhil Dehadrai 2019-06-27 07:45:14 UTC
IPA: ipa-server-4.6.5-10.el7.x86_64

Tested the bug with following observations:

1. Upgrade from RHEL77Beta to RHEL77RC with Trust setup is successful.
2. Upgrade from RHEL76z to RHEL77RC with Trust setup FAILS.


Thus changing status to "ASSIGNED"

Comment 22 Alexander Bokovoy 2019-06-27 13:45:59 UTC
Second part of the fix: https://github.com/freeipa/freeipa/pull/3326
Second part is already tested and ACKed by Flo.

Comment 26 Nikhil Dehadrai 2019-06-29 05:05:33 UTC
ipa-4.6.5-11.el7

Tested the bug with following observations:

1. RHEL76z > RHEL77RC :: When IPA-server setup with TRUST is upgraded from RHEL 76z > RHEL 77 RC, the upgrade is successful
2. RHEL76z > RHEL77RC :: When IPA-server setup without TRUST is upgraded from RHEL 76z > RHEL 77 RC, the upgrade is successful
3. RHEL77Beta > RHEL77RC ::  When IPA-server setup with TRUST is upgraded from RHEL 77Beta > RHEL 77 RC, the upgrade is successful
4. RHEL77Beta > RHEL77RC ::  When IPA-server setup without TRUST is upgraded from RHEL 77Beta > RHEL 77 RC, the upgrade is successful

Thus on the basis of above observations, marking the status of bug to 'VERIFIED'.

Comment 29 errata-xmlrpc 2019-08-06 13:09:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

