[Freeipa-users] Issue upgrading freeipa to ipa-server-4.4.0-14.el7.centos.4.x86_64

Robert Söderlund freeipa at netnerdz.se
Tue Mar 14 15:41:53 UTC 2017


Hi!
I was a bit eager to fix this so I installed a new ipa-server, executed 
ipa migrate-ds and configured the replication afterwards.
Sorry not to be able to troubleshoot this further.

//Robban

On 2017-03-14 16:25, Petr Vobornik wrote:
> On 03/08/2017 06:06 PM, freeipa at netnerdz.se wrote:
>> Hi all!
>> 
>> I'm trying to upgrade my ipa-server to the version in subject and
>> hitting some bug that seems similar to
>> https://bugzilla.redhat.com/show_bug.cgi?id=1404910
> 
> It is unlikely that it is this bug because the version of IPA with it
> was never released. But the error indeed looks similar.
> 
>> 
>> The yum upgrade process took a bit longer than expected so I ctrl+c
> 
> This is never a good idea.
> 
> 
>> it
>> and executed the command ipa-server-upgrade
>> 
>> The error message from ipa-server-upgrade is:
>> 8<---
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> OSError: [Errno 2] No such file or directory:
>> '/etc/pki/pki-tomcat/dogtag.keytab'
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>> [root@o-ipa01-r ~]#
>> 8<---
>> 
>> 
>> The lines that indicate an error in the /var/log/ipaupgrade.log file are:
>> 8<---
>> 2017-03-07T23:05:38Z DEBUG stdout=Authenticating as principal
>> root/admin@NETNERDZ.SE with password.
>> 
>> 2017-03-07T23:05:38Z DEBUG stderr=WARNING: no policy specified for
>> dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE; defaulting to no policy
>> add_principal: Principal or policy already exists while creating
>> "dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE".
>> 
>> 2017-03-07T23:05:38Z INFO Retrieving keytab
>> 2017-03-07T23:05:38Z DEBUG Starting external process
>> 2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k /etc/pki/pki-tomcat/dogtag.keytab dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE -x ipa-setup-override-restrictions
>> 2017-03-07T23:05:48Z DEBUG Process finished, return code=0
>> 2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal
>> root/admin@NETNERDZ.SE with password.
>> 
>> 2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while
>> changing dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE's key
>> 
>> 2017-03-07T23:05:48Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2017-03-07T23:05:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>>     server.upgrade()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
>>     upgrade_configuration()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1796, in upgrade_configuration
>>     ca.setup_lightweight_ca_key_retrieval()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1400, in setup_lightweight_ca_key_retrieval
>>     self.__setup_lightweight_ca_key_retrieval_kerberos()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1431, in __setup_lightweight_ca_key_retrieval_kerberos
>>     os.chmod(keytab, 0o600)
>> 
>> 2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed,
>> exception: OSError: [Errno 2] No such file or directory:
>> '/etc/pki/pki-tomcat/dogtag.keytab'
>> 2017-03-07T23:05:48Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> OSError: [Errno 2] No such file or directory:
>> '/etc/pki/pki-tomcat/dogtag.keytab'
>> 2017-03-07T23:05:48Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>> 8<---
>> 
>> 
>> Here's the output from the ipa-server-upgrade command:
>> [root@o-ipa01-r ~]# ipa-server-upgrade
>> Upgrading IPA:
>>   [1/8]: saving configuration
>>   [2/8]: disabling listeners
>>   [3/8]: enabling DS global lock
>>   [4/8]: starting directory server
>>   [5/8]: updating schema
>> 
>>   [6/8]: upgrading server
>>   [7/8]: stopping directory server
>>   [8/8]: restoring configuration
>> Done.
>> Update complete
>> Upgrading IPA services
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> /etc/dirsrv/slapd-NETNERDZ-SE/certmap.conf is now managed by IPA. It
>> will be overwritten. A backup of the original will be made.
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Enable sidgen and extdom plugins by default]
>> [Updating HTTPD service IPA configuration]
>> [Updating mod_nss protocol versions]
>> Protocol versions already updated
>> [Updating mod_nss cipher suite]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Exporting KRA agent PEM file]
>> KRA is not enabled
>> [Removing self-signed CA]
>> [Removing Dogtag 9 CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> [Ensuring minimal number of connections]
>> [Enabling serial autoincrement in DNS]
>> [Updating GSSAPI configuration in DNS]
>> [Updating pid-file configuration in DNS]
>> [Checking global forwarding policy in named.conf to avoid conflicts with
>> automatic empty zones]
>> Changes to named.conf have been made, restart named
>> [Upgrading CA schema]
>> CA schema update complete (no changes)
>> [Verifying that CA audit signing cert has 2 year validity]
>> [Update certmonger certificate renewal configuration to version 5]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> [Authorizing RA Agent to modify profiles]
>> [Authorizing RA Agent to manage lightweight CAs]
>> [Ensuring Lightweight CAs container exists in Dogtag database]
>> [Adding default OCSP URI configuration]
>> [Ensuring CA is using LDAPProfileSubsystem]
>> [Migrating certificate profiles to LDAP]
>> [Ensuring presence of included profiles]
>> [Add default CA ACL]
>> Default CA ACL already added
>> [Set up lightweight CA key retrieval]
>> Creating principal
>> Retrieving keytab
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> OSError: [Errno 2] No such file or directory:
>> '/etc/pki/pki-tomcat/dogtag.keytab'
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>> [root@o-ipa01-r ~]#
>> 
>> Everything seems to be working as normal, but this error message worries
>> me a bit since this is my only ipa server (setting up a secondary master
>> has been on my todo list).
>> Can you help me troubleshoot this?
>> Or should I just set up a replica and propagate it to primary node for
>> all clients and then reinstall the one that has the problem?
> 
> Might be worth checking the associated pw policies. What is the password
> policy associated with the dogtag service
> (krbprincipalname=dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE,cn=services,cn=accounts,$SUFFIX)
> and how does it look (attribute krbPwdPolicyReference)? Does it point
> to "cn=Default Kerberos Service Password
> Policy,cn=services,cn=accounts,$SUFFIX", e.g. as defined in (line
> 45)?:
>   https://pagure.io/freeipa/c/6f1d927467e7907fd1991f88388d96c67c9bff61
> 
> Does this policy exist?
> 
> Also look in /var/log/krb5kdc.log for any interesting messages
>> 
>> Thank you in advance!
>> //Robert
>> 
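As an added example, not code from the thread or from FreeIPA itself: a small Python triage over an ipaupgrade.log excerpt like the one quoted above. It pairs each external process the upgrader ran with its exit status and stderr, flags steps that returned 0 while kadmin.local still reported a failure on stderr (here the ktadd step, which is why the upgrader went on to chmod a keytab that was never written), and pulls the missing path out of the final OSError. The log text is constructed from the lines quoted in the thread with the mailing-list "at" mangling undone; the addprinc args line and the one-record-per-line layout are assumptions.

```python
"""Triage an ipaupgrade.log excerpt: pair each external process the upgrader
ran with its exit status and stderr, flag failures that a zero exit status
masked, and extract the path from the final OSError."""
import re

TS = r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ"
ARGS_RE = re.compile(rf"^{TS} DEBUG args=(?P<args>.*)$")
RC_RE = re.compile(rf"^{TS} DEBUG Process finished, return code=(?P<rc>-?\d+)$")
STREAM_RE = re.compile(rf"^{TS} DEBUG (?P<stream>stdout|stderr)=(?P<text>.*)$")
TIMESTAMPED_RE = re.compile(rf"^{TS} ")
OSERROR_RE = re.compile(r"OSError: \[Errno 2\] No such file or directory: '(?P<path>[^']+)'")

# Markers kadmin.local prints on stderr while still exiting 0 (lower-cased).
FAILURE_MARKERS = ("server error", "failed")

# Constructed from the lines quoted in the thread; the addprinc args line is
# an assumption (the thread only shows that step's stdout/stderr).
SAMPLE_LOG = """\
2017-03-07T23:05:38Z INFO Creating principal
2017-03-07T23:05:38Z DEBUG Starting external process
2017-03-07T23:05:38Z DEBUG args=kadmin.local -q addprinc -randkey dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE -x ipa-setup-override-restrictions
2017-03-07T23:05:38Z DEBUG Process finished, return code=0
2017-03-07T23:05:38Z DEBUG stdout=Authenticating as principal root/admin@NETNERDZ.SE with password.

2017-03-07T23:05:38Z DEBUG stderr=WARNING: no policy specified for dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE; defaulting to no policy
add_principal: Principal or policy already exists while creating "dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE".

2017-03-07T23:05:38Z INFO Retrieving keytab
2017-03-07T23:05:38Z DEBUG Starting external process
2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k /etc/pki/pki-tomcat/dogtag.keytab dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE -x ipa-setup-override-restrictions
2017-03-07T23:05:48Z DEBUG Process finished, return code=0
2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal root/admin@NETNERDZ.SE with password.

2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while changing dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE's key

2017-03-07T23:05:48Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-07T23:05:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1431, in __setup_lightweight_ca_key_retrieval_kerberos
    os.chmod(keytab, 0o600)

2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed, exception: OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
"""


def parse_external_steps(log_text):
    """One {'args', 'rc', 'stdout', 'stderr'} dict per 'args=' record.
    stdout/stderr are logged raw and may span lines: a line without a
    timestamp continues the stream opened by the previous record."""
    steps, current, stream = [], None, None
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            current = {"args": m.group("args"), "rc": None, "stdout": "", "stderr": ""}
            steps.append(current)
            stream = None
            continue
        if current is None:
            continue
        m = RC_RE.match(line)
        if m:
            current["rc"] = int(m.group("rc"))
            stream = None
            continue
        m = STREAM_RE.match(line)
        if m:
            stream = m.group("stream")
            current[stream] = m.group("text")
            continue
        if TIMESTAMPED_RE.match(line):
            stream = None  # any other record ends the open stream
            continue
        if stream:
            current[stream] += "\n" + line
    return steps


def find_masked_failures(log_text):
    """Steps whose process exited 0 but whose stderr carries a failure marker."""
    return [s for s in parse_external_steps(log_text)
            if s["rc"] == 0 and any(mk in s["stderr"].lower() for mk in FAILURE_MARKERS)]


def missing_path_from_traceback(log_text):
    """Path named by the 'No such file or directory' OSError, if any."""
    m = OSERROR_RE.search(log_text)
    return m.group("path") if m else None


if __name__ == "__main__":
    for step in find_masked_failures(SAMPLE_LOG):
        print("exit 0 but stderr reports failure:", step["args"])
        print("  stderr:", step["stderr"].strip())
    print("file the upgrader expected to exist:", missing_path_from_traceback(SAMPLE_LOG))
```

Run against the real /var/log/ipaupgrade.log, the same two functions tell you whether the keytab step is the only one that failed quietly, and which file to look for before rerunning ipa-server-upgrade.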

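To act on the password-policy check suggested in the reply above, an added example (not FreeIPA code and not from the thread) that reads ldapsearch output saved as LDIF and verifies that the dogtag service entry's krbPwdPolicyReference points at a policy entry that actually exists. The suffix dc=netnerdz,dc=se, the ldapi socket name and the objectClass filter in the comments are assumptions derived from the realm and the slapd-NETNERDZ-SE instance named in the thread; the LDIF is constructed, not captured.

```python
"""Check that a service principal's krbPwdPolicyReference resolves to an
existing policy entry, from ldapsearch output saved as LDIF.

Assumed commands to produce the two inputs on the IPA master (run as root;
socket name and suffix are assumptions based on the thread's realm):

  ldapsearch -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-NETNERDZ-SE.socket \\
    -b 'cn=services,cn=accounts,dc=netnerdz,dc=se' \\
    '(krbprincipalname=dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE)' \\
    krbprincipalname krbPwdPolicyReference > service.ldif

  ldapsearch -LLL -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-NETNERDZ-SE.socket \\
    -b 'cn=services,cn=accounts,dc=netnerdz,dc=se' \\
    '(objectClass=krbPwdPolicy)' dn > policies.ldif
"""
import base64

# Constructed sample output, with the DN folded the way ldapsearch wraps it.
SERVICE_LDIF = """\
# constructed example, not real ldapsearch output
dn: krbprincipalname=dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE,cn=services,
 cn=accounts,dc=netnerdz,dc=se
krbprincipalname: dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE
krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=services,
 cn=accounts,dc=netnerdz,dc=se
"""

POLICY_LDIF = """\
dn: cn=Default Kerberos Service Password Policy,cn=services,cn=accounts,dc=netnerdz,dc=se
objectClass: krbPwdPolicy
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lower: [values]}).
    Handles folded lines (leading space), 'attr:: base64' values, comments,
    and the 'search:/result:' trailer ldapsearch prints without -LLL."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # sentinel blank line flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, {})
        elif current is not None:  # attributes before any dn (e.g. 'version: 1') are ignored
            current[1].setdefault(name, []).append(value)
    return entries


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison form for simple DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_policy_reference(service_ldif, policy_ldif, principal):
    """Return (reference_dn, policy_exists) for the entry whose
    krbprincipalname matches `principal`. reference_dn is None when the entry
    or the krbPwdPolicyReference attribute is missing."""
    ref = None
    for _dn, attrs in parse_ldif(service_ldif):
        if principal.lower() in [v.lower() for v in attrs.get("krbprincipalname", [])]:
            ref = attrs.get("krbpwdpolicyreference", [None])[0]
            break
    if ref is None:
        return None, False
    known = {normalize_dn(dn) for dn, _ in parse_ldif(policy_ldif)}
    return ref, normalize_dn(ref) in known


if __name__ == "__main__":
    principal = "dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE"
    ref, ok = check_policy_reference(SERVICE_LDIF, POLICY_LDIF, principal)
    print("krbPwdPolicyReference:", ref)
    print("referenced policy exists:", ok)
```

A dangling reference (the attribute points at a DN that the second search does not return) is the case worth ruling out before looking further at the KDC: the KDC would then be applying a policy it cannot load when kadmin changes the principal's key.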