Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2216549

Summary: Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin
Product: Red Hat Enterprise Linux 9 Reporter: Florence Blanc-Renaud <frenaud>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: anuja <amore>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.2CC: amore, gkaihoro, rcritten, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.10.2-2.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2216551 (view as bug list) Environment:
Last Closed: 2023-11-07 08:34:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2216551    

Description Florence Blanc-Renaud 2023-06-21 18:54:47 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/9385

### Issue
ipactl start fails on a replica server

#### Steps to Reproduce
ipactl start

#### Actual behavior
Upgrade fails and rolls back.

#### Expected behavior
ipa starts

#### Version/Release/Distribution
The package freeipa-server is not installed
The package freeipa-client is not installed
ipa-server-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64                                                                                         
ipa-client-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64                                                                                         
389-ds-base-1.4.3.30-6.module+el8.7.0+20830+6d1ef8be.x86_64                                                                                          
The package pki-ca is not installed
krb5-server-1.18.2-22.0.1.el8_7.x86_64  

#### Additional info:
```
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b', current version '4.9.10-6.0.1.module+el8.7.0+20837+581a7c1e')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [6/9]: updating schema
  [7/9]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct mod
ifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direc
t modifications allowed.
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct mod
ifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direc
t modifications allowed.
  [8/9]: stopping directory server
  [9/9]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'caECServerCertWithSCT'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
```

#### Workaround:
Commenting out the update in `/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py` line 52.
Comment 3 Florence Blanc-Renaud 2023-06-21 18:59:55 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/143c3eb1612f9bb7f015dcf2dcb496e8ef324a38
https://pagure.io/freeipa/c/ac78a84fbe90f361a4a58fb2748d539647ffea52
Comment 4 Florence Blanc-Renaud 2023-06-21 19:00:55 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/9385
Comment 5 Florence Blanc-Renaud 2023-06-21 19:05:29 UTC 
Upstream test added in ipatests/test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements
Comment 7 Florence Blanc-Renaud 2023-06-22 15:50:30 UTC 
Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/ad77c4c6512f82019d1970d910647761b60aaedb
https://pagure.io/freeipa/c/3b58487c7b2f8ac133e37e8f90f85ff2fb05bf34

Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/d29b47512a39ada02fb371521994576cd9815a6c
https://pagure.io/freeipa/c/93d97b59600c15e5028ee39b0e98450544165158
Comment 8 anuja 2023-07-05 07:30:31 UTC 
Verified Tested using test-compose:
ipa-server-4.10.2-2.el9.x86_64

test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_replica PASSED [ 16%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_master PASSED [ 33%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_manage PASSED [ 50%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_ipa_custodia_check PASSED [ 66%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements PASSED [ 83%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_removal PASSED [100%]

=============================== warnings summary ===============================
    cls = pytest.mark.source_order(cls)
=================== 6 passed, 1 warning in 996.62s (0:16:36) ===================
Comment 11 anuja 2023-07-12 12:44:51 UTC 
Verified using nightly build:
ipa-4.10.2-2.el9

============================= test session starts ==============================
platform linux -- Python 3.9.17, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.17', 'Platform': 'Linux-5.14.0-333.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 6 items

test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_replica PASSED [ 16%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_master PASSED [ 33%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_manage PASSED [ 50%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_ipa_custodia_check PASSED [ 66%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements PASSED [ 83%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_removal PASSED [100%]

=================== 6 passed, 1 warning in 999.74s (0:16:39) ===================
Comment 14 errata-xmlrpc 2023-11-07 08:34:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6477