[Freeipa-users] Issue upgrading freeipa to ipa-server-4.4.0-14.el7.centos.4.x86_64

Petr Vobornik pvoborni at redhat.com
Tue Mar 14 15:25:13 UTC 2017


On 03/08/2017 06:06 PM, freeipa at netnerdz.se wrote:
> Hi all!
>
> I'm trying to upgrade my ipa-server to the version in subject and
> hitting some bug that seems similar to
> https://bugzilla.redhat.com/show_bug.cgi?id=1404910

It is unlikely that it is this bug because the version of IPA with it 
was never released. But the error indeed looks similar.

>
> The yum upgrade process took a bit longer than expected so i ctrl+c

This is never a good idea.


> it
> and executed the command ipa-server-upgrade
>
> The error message from ipa-server-upgrade is:
> 8<---
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> OSError: [Errno 2] No such file or directory:
> '/etc/pki/pki-tomcat/dogtag.keytab'
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
> [root at o-ipa01-r ~]#
> 8<---
>
>
> The lines that indicate an error in the /var/log/ipaupgrade.log file is:
> 8<---
> 2017-03-07T23:05:38Z DEBUG stdout=Authenticating as principal
> root/admin at NETNERDZ.SE with password.
>
> 2017-03-07T23:05:38Z DEBUG stderr=WARNING: no policy specified for
> dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE; defaulting to no policy
> add_principal: Principal or policy already exists while creating
> "dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE".
>
> 2017-03-07T23:05:38Z INFO Retrieving keytab
> 2017-03-07T23:05:38Z DEBUG Starting external process
> 2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k
> /etc/pki/pki-tomcat/dogtag.keytab
> dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE -x
> ipa-setup-override-restrictions
> 2017-03-07T23:05:48Z DEBUG Process finished, return code=0
> 2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal
> root/admin at NETNERDZ.SE with password.
>
> 2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while
> changing dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE's key
>
> 2017-03-07T23:05:48Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2017-03-07T23:05:48Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
>     server.upgrade()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1863, in upgrade
>     upgrade_configuration()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1796, in upgrade_configuration
>     ca.setup_lightweight_ca_key_retrieval()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1400, in setup_lightweight_ca_key_retrieval
>     self.__setup_lightweight_ca_key_retrieval_kerberos()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1431, in __setup_lightweight_ca_key_retrieval_kerberos
>     os.chmod(keytab, 0o600)
>
> 2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed,
> exception: OSError: [Errno 2] No such file or directory:
> '/etc/pki/pki-tomcat/dogtag.keytab'
> 2017-03-07T23:05:48Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> OSError: [Errno 2] No such file or directory:
> '/etc/pki/pki-tomcat/dogtag.keytab'
> 2017-03-07T23:05:48Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
> 8<---
>
>
> Here's the output from the ipa-server-upgrade command:
> [root at o-ipa01-r ~]# ipa-server-upgrade
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [5/8]: updating schema
>
>   [6/8]: upgrading server
>   [7/8]: stopping directory server
>   [8/8]: restoring configuration
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> /etc/dirsrv/slapd-NETNERDZ-SE/certmap.conf is now managed by IPA. It
> will be overwritten. A backup of the original will be made.
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts with
> automatic empty zones]
> Changes to named.conf have been made, restart named
> [Upgrading CA schema]
> CA schema update complete (no changes)
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> OSError: [Errno 2] No such file or directory:
> '/etc/pki/pki-tomcat/dogtag.keytab'
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
> [root at o-ipa01-r ~]#
>
> Everything seems to be working as normal, but this error message worries
> me a bit since this is my only ipa server (setting up a secondary master
> have been on my todo list).
> Can you help me troubleshoot this?
> Or should I just setup a replica and propagate it to primary node for
> all clients and then reinstall the one that have problem?

Might be worth checking the associated password policies. What is the password 
policy associated with the dogtag service 
(krbprincipalname=dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE,cn=services,cn=accounts,$SUFFIX) 
and how does it look (attribute krbPwdPolicyReference)? Does it point to 
"cn=Default Kerberos Service Password Policy,cn=services,cn=accounts,$SUFFIX", 
e.g. as defined (line 45) in:
   https://pagure.io/freeipa/c/6f1d927467e7907fd1991f88388d96c67c9bff61

Does this policy exist?

Also look in /var/log/krb5kdc.log for any interesting messages.
>
> Thank you in advance!
> //Robert
>


-- 
Petr Vobornik
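As an added example (not from the thread or from the FreeIPA project), a small Python triage script that applies the check in the reply offline: it pulls the principal whose key change failed out of ipaupgrade.log lines and reads that service entry's krbPwdPolicyReference from LDIF in the shape ldapsearch returns it. The base DN, the LDIF and the log lines are constructed assumptions, with "@" written out where the archive shows "at".

```python
# Added triage helper, not from the thread: pair the kadmin.local failure recorded in
# /var/log/ipaupgrade.log with the krbPwdPolicyReference check suggested in the reply.
import re
SUFFIX = "dc=netnerdz,dc=se"  # assumption: base DN of the NETNERDZ.SE realm
DEFAULT_SERVICE_POLICY = (
    "cn=Default Kerberos Service Password Policy,cn=services,cn=accounts," + SUFFIX)
# Constructed sample shaped like ldapsearch LDIF output; the policy entry is deliberately absent.
SAMPLE_LDIF = """\
dn: krbprincipalname=dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE,cn=services,cn=accounts,dc=netnerdz,dc=se
krbprincipalname: dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE
krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=services,cn=accou
 nts,dc=netnerdz,dc=se
"""
# Constructed log lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while changing dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE's key
2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed, exception: OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr_lower: [values]}}; joins RFC 2849 folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous attribute line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None  # blank line separates entries
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def diagnose(log_text, ldif_text):
    """Which principal's key change failed, where its policy reference points, and whether that policy exists."""
    m = re.search(r"Server error while changing (\S+)'s key", log_text)
    principal = m.group(1) if m else None
    entries = parse_ldif(ldif_text)
    svc = next((a for a in entries.values() if principal in a.get("krbprincipalname", [])), {})
    ref = svc.get("krbpwdpolicyreference", [None])[0]
    return {"failed_principal": principal, "policy_ref": ref,
            "is_default_service_policy": bool(ref) and ref.lower() == DEFAULT_SERVICE_POLICY.lower(),
            "policy_entry_present": bool(ref) and any(dn.lower() == ref.lower() for dn in entries)}
```

On a real server the LDIF would come from an ldapsearch of the service entry and of the referenced policy DN; a policy_ref that is set but has no matching entry is exactly the "does this policy exist?" case the reply asks about.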