[Freeipa-users] upgrade ipa-server fails changing dogtag key

Andrew E. Bruno aebruno2 at buffalo.edu
Mon Mar 20 13:52:43 UTC 2017


When yum updating our ipa-server running CentOS 7.3.1611 from
ipa-server-4.4.0-14.el7.centos.1.1.x86_64 to
ipa-server-4.4.0-14.el7.centos.6.x86_64 we got this error:


IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Inspecting /var/log/ipaupgrade.log shows this error:


2017-03-20T12:58:41Z DEBUG Process finished, return code=0
2017-03-20T12:58:41Z DEBUG stdout=Authenticating as principal root/admin at REALM with password.

2017-03-20T12:58:41Z DEBUG stderr=kadmin.local: Server error while changing dogtag/host at REAM's key

2017-03-20T12:58:41Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-20T12:58:41Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1796, in upgrade_configuration
    ca.setup_lightweight_ca_key_retrieval()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1400, in setup_lightweight_ca_key_retrieval
    self.__setup_lightweight_ca_key_retrieval_kerberos()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1431, in __setup_lightweight_ca_key_retrieval_kerberos
    os.chmod(keytab, 0o600)

2017-03-20T12:58:41Z DEBUG The ipa-server-upgrade command failed, exception: OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'


The ipa services came back up (kinit is working and can login to the console).
This seems related to [1,2]. Checked to ensure that dogtag service points to
the default service password policy per [1]:

$ ipa service-show --all dogtag/host

  krbpwdpolicyreference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=REALM

However, when listing all the pwpolicies, this doesn't seem to exist anywhere? We
only have a single global pwpolicy:

$ ipa pwpolicy-find
  Group: global_policy
----------------------------
Number of entries returned 1
----------------------------

Could this be related to the error? Any pointers on how to troubleshoot?

Thanks in advance.

--Andrew


[1] https://www.redhat.com/archives/freeipa-users/2017-March/msg00178.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1404910
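The traceback above reaches os.chmod() although kadmin.local had already printed "Server error" (with exit status 0) and never wrote the keytab. Below is what a guarded version of that step looks like; it is an added illustration, not FreeIPA's cainstance.py code. The `-q "ktadd -k ..."` form is standard kadmin.local usage; the function names, the constructed stderr line and the EXAMPLE.TEST realm are assumptions of this example.

```python
import os
import subprocess
import tempfile

# Constructed sample of the stderr line seen in the post's ipaupgrade.log
# (realm replaced with a placeholder); kadmin.local still exited 0.
SAMPLE_STDERR = "kadmin.local: Server error while changing dogtag/host@EXAMPLE.TEST's key\n"


class KeytabSetupError(Exception):
    """Raised when the ktadd step did not leave a usable keytab behind."""


def check_kadmin_result(returncode, stderr, keytab):
    """Validate a kadmin.local ktadd run before touching the keytab.

    All three conditions are treated as hard failures so the caller never
    reaches os.chmod() on a path that ktadd did not create.
    """
    if returncode != 0:
        raise KeytabSetupError("kadmin.local exited %d: %s" % (returncode, stderr.strip()))
    kdc_errors = [ln for ln in stderr.splitlines() if "error" in ln.lower()]
    if kdc_errors:  # exit status 0 is not enough; the KDC may still have refused
        raise KeytabSetupError("kadmin.local reported: " + "; ".join(kdc_errors))
    if not os.path.isfile(keytab):
        raise KeytabSetupError("ktadd did not create %s" % keytab)
    os.chmod(keytab, 0o600)  # only now is it safe to tighten permissions
    return True


def run_ktadd(principal, keytab, kadmin="kadmin.local"):
    """Hypothetical helper running the real ktadd (needs a KDC; not exercised here)."""
    proc = subprocess.run([kadmin, "-q", "ktadd -k %s %s" % (keytab, principal)],
                          capture_output=True, text=True)
    return check_kadmin_result(proc.returncode, proc.stderr, keytab)


def demo():
    """Exercise the check with constructed inputs; returns which cases were caught."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        kt = os.path.join(d, "dogtag.keytab")
        open(kt, "w").close()  # pretend ktadd wrote the keytab
        results["ok_case"] = check_kadmin_result(0, "", kt)
        try:
            check_kadmin_result(0, SAMPLE_STDERR, kt)
            results["kdc_error_detected"] = False
        except KeytabSetupError:
            results["kdc_error_detected"] = True
        try:
            check_kadmin_result(0, "", os.path.join(d, "missing.keytab"))
            results["missing_keytab_detected"] = False
        except KeytabSetupError:
            results["missing_keytab_detected"] = True
    return results
```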