[Freeipa-users] upgrade ipa-server fails changing dogtag key
Andrew E. Bruno
aebruno2 at buffalo.edu
Mon Mar 20 13:52:43 UTC 2017
When yum updating our ipa-server running CentOS 7.3.1611 from
ipa-server-4.4.0-14.el7.centos.1.1.x86_64 to
ipa-server-4.4.0-14.el7.centos.6.x86_64 we got this error:
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Inspecting /var/log/ipaupgrade.log shows this error:
2017-03-20T12:58:41Z DEBUG Process finished, return code=0
2017-03-20T12:58:41Z DEBUG stdout=Authenticating as principal root/admin at REALM with password.
2017-03-20T12:58:41Z DEBUG stderr=kadmin.local: Server error while changing dogtag/host at REAM's key
2017-03-20T12:58:41Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-20T12:58:41Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1796, in upgrade_configuration
    ca.setup_lightweight_ca_key_retrieval()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1400, in setup_lightweight_ca_key_retrieval
    self.__setup_lightweight_ca_key_retrieval_kerberos()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1431, in __setup_lightweight_ca_key_retrieval_kerberos
    os.chmod(keytab, 0o600)
2017-03-20T12:58:41Z DEBUG The ipa-server-upgrade command failed, exception: OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
The ipa services came back up (kinit is working and we can log in to the console).
This seems related to [1,2]. Checked to ensure that the dogtag service points to
the default service password policy per [1]:
$ ipa service-show --all dogtag/host
krbpwdpolicyreference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=REALM
However, when listing all the pwpolicies, this doesn't seem to exist anywhere? We
only have a single global pwpolicy:
$ ipa pwpolicy-find
Group: global_policy
----------------------------
Number of entries returned 1
----------------------------
Could this be related to the error? Any pointers on how to troubleshoot?
Thanks in advance.
--Andrew
[1] https://www.redhat.com/archives/freeipa-users/2017-March/msg00178.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1404910
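As an added example (not FreeIPA's code and not part of the thread), a small Python check that recognises the log signature quoted above and performs the existence test the upgrade step skipped before calling os.chmod; the keytab path and principal are taken from the traceback, and the sample log lines are a constructed copy of the ones quoted in the post.

```python
"""Diagnose the 'dogtag.keytab missing after upgrade' failure described above.

Added example, not FreeIPA code. Two checks:
  1. scan_upgrade_log(): spot the signature from /var/log/ipaupgrade.log, i.e.
     kadmin.local exiting 0 while its stderr reports a key-change error,
     followed by the OSError on the keytab that was never written.
  2. secure_keytab(): the check the upgrade step should have made before
     os.chmod(): the keytab must exist and be non-empty.
"""
import os
import re
import tempfile

KEYTAB = "/etc/pki/pki-tomcat/dogtag.keytab"   # path from the traceback

# Constructed sample: an abridged copy of the log lines quoted in the post.
SAMPLE_LOG = """\
2017-03-20T12:58:41Z DEBUG Process finished, return code=0
2017-03-20T12:58:41Z DEBUG stdout=Authenticating as principal root/admin at REALM with password.
2017-03-20T12:58:41Z DEBUG stderr=kadmin.local: Server error while changing dogtag/host at REAM's key
2017-03-20T12:58:41Z DEBUG The ipa-server-upgrade command failed, exception: OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
"""


def scan_upgrade_log(text):
    """Return findings; 'kadmin_silent_failure' is the key symptom (rc 0 but error on stderr)."""
    rc_zero = re.search(r"Process finished, return code=0", text) is not None
    kadmin_err = re.search(r"stderr=kadmin\.local: Server error while changing (\S+).*key", text)
    missing = re.search(r"OSError: \[Errno 2\].*'([^']+)'", text)
    return {
        "principal": kadmin_err.group(1) if kadmin_err else None,
        "missing_keytab": missing.group(1) if missing else None,
        "kadmin_silent_failure": rc_zero and kadmin_err is not None,
    }


def secure_keytab(path):
    """Tighten the keytab mode only after confirming it exists; report instead of raising a bare OSError."""
    if not os.path.isfile(path):
        return (False, "keytab %s was not created; inspect the kadmin.local stderr" % path)
    if os.path.getsize(path) == 0:
        return (False, "keytab %s is empty" % path)
    os.chmod(path, 0o600)
    return (True, "keytab %s present, mode 0600" % path)


def demo_success_path():
    """Show the success path on a throwaway file carrying a keytab v2 header (constructed)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\x05\x02")
    try:
        return secure_keytab(f.name)
    finally:
        os.unlink(f.name)
```

Run scan_upgrade_log over the real ipaupgrade.log to confirm the symptom, then secure_keytab(KEYTAB) once kadmin.local has actually produced the file.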