Bug 2235569 - ipa-server-upgrade command failed, exception: NotFound: no such entry
Summary: ipa-server-upgrade command failed, exception: NotFound: no such entry
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: ipa
Version: 9.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-29 06:02 UTC by Richard
Modified: 2023-08-29 07:02 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-29 06:18:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-10320 0 None None None 2023-08-29 06:05:08 UTC
Red Hat Issue Tracker RHELPLAN-166738 0 None None None 2023-08-29 06:05:16 UTC

Description Richard 2023-08-29 06:02:17 UTC
Description of problem:
ipa service now fails to start after update
ipa-server-upgrade fails


Version-Release number of selected component (if applicable):
all idm packages appear to be at:  11.3.0-1.el9

How reproducible:


Steps to Reproduce:
1.  dnf update   (show ipa server update failed)
2.  ipa-server-upgrade   (manually still fails)
3.

Actual results:
Very sadly whole IPA system is down....

Expected results:


Additional info:

2023-08-29T05:46:51Z DEBUG response body (decoded): b'{"isHostAuthority":true,"id":"72814b22-01d5-49b5-820c-a6d1dc9eb93b","issuerDN":"CN=Certificate Authority,O=IDM.ELECTROMAG.COM.AU","serial":1,"dn":"CN=Certificate Authority,O=IDM.<DOMAIN>","enabled":true,"description":"Host authority","ready":true}'
2023-08-29T05:46:51Z DEBUG request GET https://server1.idm.<DOMAIN>:8443/ca/rest/account/logout
2023-08-29T05:46:51Z DEBUG request body ''
2023-08-29T05:46:51Z DEBUG response status 204
2023-08-29T05:46:51Z DEBUG response headers Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=BBD55B31946CF4FA02C7D6F18DDA9B9A; Path=/ca; Secure; HttpOnly
Content-Type: application/json
Date: Tue, 29 Aug 2023 05:46:50 GMT


2023-08-29T05:46:51Z DEBUG response body (decoded): b''
2023-08-29T05:46:51Z DEBUG ACME service is already deployed
2023-08-29T05:46:51Z INFO [Updating ACME configuration]
2023-08-29T05:46:51Z DEBUG add_entry_to_group: dn=uid=ipara,ou=People,o=ipaca group_dn=cn=Security Domain Administrators,ou=groups,o=ipaca member_attr=uniqueMember
2023-08-29T05:46:51Z INFO [Migrating to authselect profile]
2023-08-29T05:46:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-08-29T05:46:51Z INFO Already migrated to authselect profile
2023-08-29T05:46:51Z INFO [Create systemd-user hbac service and rule]
2023-08-29T05:46:51Z DEBUG raw: hbacsvc_add('systemd-user', description='pam_systemd and systemd user@.service', version='2.251')
2023-08-29T05:46:51Z DEBUG hbacsvc_add('systemd-user', description='pam_systemd and systemd user@.service', all=False, raw=False, version='2.251', no_members=False)
2023-08-29T05:46:51Z INFO hbac service systemd-user already exists
2023-08-29T05:46:51Z INFO [Add root@IDM.<DOMAIN> alias to admin account]
2023-08-29T05:46:51Z DEBUG raw: user_add_principal('admin', ('root@IDM.<DOMAIN>',), version='2.251')
2023-08-29T05:46:51Z DEBUG user_add_principal('admin', (ipapython.kerberos.Principal('root@IDM.<DOMAIN>'),), all=False, raw=False, version='2.251', no_members=False)
2023-08-29T05:46:51Z DEBUG raw: trust_find('', sizelimit=0, version='2.251')
2023-08-29T05:46:51Z DEBUG trust_find(None, sizelimit=0, all=False, raw=False, version='2.251', pkey_only=False)
2023-08-29T05:46:51Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2023-08-29T05:46:51Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 2066, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1937, in upgrade_configuration
    add_admin_root_alias()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1446, in add_admin_root_alias
    api.Command.user_add_principal("admin", rootprinc)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 816, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseldap.py", line 2475, in execute
    entry_attrs.dn = callback(
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/baseuser.py", line 820, in pre_callback
    ensure_krbcanonicalname_set(ldap, entry_attrs)
  File "/usr/lib/python3.9/site-packages/ipalib/util.py", line 1187, in ensure_krbcanonicalname_set
    old_entry = ldap.get_entry(
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1942, in get_entry
    return super(LDAPCache, self).get_entry(
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1642, in get_entry
    entries = self.get_entries(
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1453, in get_entries
    entries, truncated = self.find_entries(
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1594, in find_entries
    break
  File "/usr/lib64/python3.9/contextlib.py", line 137, in __exit__
    self.gen.throw(typ, value, traceback)
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1097, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')

2023-08-29T05:46:51Z DEBUG The ipa-server-upgrade command failed, exception: NotFound: no such entry
2023-08-29T05:46:51Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NotFound: no such entry
2023-08-29T05:46:51Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Comment 1 Alexander Bokovoy 2023-08-29 06:18:51 UTC
According to the log above, the 'admin' user does not exist. This is an unsupported configuration.

Please see the warning at the end of '3.1. User life cycle' here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/managing-user-accounts-using-the-idm-web-ui_managing-users-groups-hosts
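
The diagnosis in Comment 1 can be read off the log: the last INFO step is the admin alias step, the innermost upgrade.py frame is add_admin_root_alias, and the exception is NotFound. The following is an added example, not part of the original bug report or of FreeIPA's code, that automates this triage; the log text is a constructed, abridged sample with a placeholder realm, and `triage` and `missing_admin` are hypothetical names.

```python
import re

# Constructed sample: abridged lines in the format of /var/log/ipaupgrade.log
# (placeholder realm IDM.EXAMPLE.TEST).
SAMPLE_LOG = """\
2023-08-29T05:46:51Z INFO [Create systemd-user hbac service and rule]
2023-08-29T05:46:51Z INFO hbac service systemd-user already exists
2023-08-29T05:46:51Z INFO [Add root@IDM.EXAMPLE.TEST alias to admin account]
2023-08-29T05:46:51Z DEBUG raw: user_add_principal('admin', ('root@IDM.EXAMPLE.TEST',), version='2.251')
2023-08-29T05:46:51Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2023-08-29T05:46:51Z DEBUG   File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1937, in upgrade_configuration
    add_admin_root_alias()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1446, in add_admin_root_alias
    api.Command.user_add_principal("admin", rootprinc)
  File "/usr/lib/python3.9/site-packages/ipapython/ipaldap.py", line 1097, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')

2023-08-29T05:46:51Z DEBUG The ipa-server-upgrade command failed, exception: NotFound: no such entry
"""

# "[...]" INFO lines mark the start of an upgrade step.
STEP = re.compile(r"^\S+Z INFO \[(.+)\]\s*$")
# Traceback frames that live in the upgrade module itself.
FRAME = re.compile(r'File "[^"]*/ipaserver/install/server/upgrade\.py", line \d+, in (\w+)')
# Final summary line written when the command aborts.
FAILED = re.compile(r"command failed, exception: (\w+): (.*)$")


def triage(log_text):
    """Return step, innermost upgrade.py function and exception of the last failure."""
    step = func = result = None
    for line in log_text.splitlines():
        if m := STEP.match(line):
            step, func = m.group(1), None  # new step: forget frames from earlier steps
        elif m := FRAME.search(line):
            func = m.group(1)              # later frames are deeper in the call stack
        elif m := FAILED.search(line):
            result = {"step": step, "function": func,
                      "exception": m.group(1), "reason": m.group(2)}
    return result


def missing_admin(finding):
    """True when the failure matches the missing 'admin' entry signature from this bug."""
    return (bool(finding) and finding["function"] == "add_admin_root_alias"
            and finding["exception"] == "NotFound")
```

On a real server, pass the contents of /var/log/ipaupgrade.log to `triage`; a run that did not fail returns `None`.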

Comment 2 Richard 2023-08-29 07:02:40 UTC
Hmm, must have missed that one.
Anyway, for those that do hit this snag:
See Bug 1898459 for a solution, with the additional notes here.

Note: because ipa was completely down due to the failed upgrade, the first step to recover the UID/GID won't work.
However, it'll most likely be the beginning of the UID block assigned to your average user, so just do an 'ls -aln /home',
e.g. a user in there was 725800003 for my setup, so admin was 725800000.

After the ldap command is completed, continue the manual ipa-server-upgrade.
Once that completes you should hopefully be OK to start the IPA server again.

