<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Here is an example:</p>
<p>kinit admin<br>
</p>
<p>ldapsearch -Y GSSAPI -b
'cn=certprofiles,cn=ca,dc=&lt;your&gt;,dc=&lt;suffix&gt;' -s base
aci<br>
<br>
</p>
<br>
<div class="moz-cite-prefix">On 11.10.2016 17:48, John Popowitch
wrote:<br>
</div>
<blockquote
cite="mid:8A55E6003C19B34498C07A259B643BA901085956@mbx032-e1-va-6.exch032.serverpod.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks, Martin.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">But I'm afraid
you've gone beyond my level of LDAP knowledge.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">How would I
check for that ACI?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-John<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">
Martin Basti [<a class="moz-txt-link-freetext" href="mailto:mbasti@redhat.com">mailto:mbasti@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, October 11, 2016 10:38 AM<br>
<b>To:</b> John Popowitch; <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] FreeIPA v4.2 stopped
working, wants me to run ipa-server-upgrade, but has
errors<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal">On 11.10.2016 17:21, John Popowitch
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">I agree that
is weird.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Several of
the other managed permissions are updated successfully and
they are very similar.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Yes, I can
try to remove the permission manually.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Is there any
risk in corrupting or breaking the system?<br>
This is, I believe, one of three IPA servers in a
multi-master replication.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">And we run
our production website (basically our company) off of
these servers.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Assuming it's
safe enough to do, could I delete that permission via the
UI or does it need to be directly via LDAP?</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'"><br>
The upgrade will re-create the permission.<br>
<br>
You have to do it directly using LDAP as Directory Manager.<br>
<br>
Also please check in: cn=certprofiles,cn=ca,$SUFFIX<br>
<br>
if you have this ACI there<br>
<br>
aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)<br>
<br>
This may also cause an issue, so if removing the permission
itself did not help (or the permission does not exist) you may
need to remove this ACI.<br>
<br>
Martin<br>
<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">
Martin Basti [<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com">mailto:mbasti@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, October 11, 2016 9:47 AM<br>
<b>To:</b> John Popowitch; <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] FreeIPA v4.2 stopped
working, wants me to run ipa-server-upgrade, but has
errors</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p>That's weird because the code is checking if a permission
exists before it tries to add a new one<o:p></o:p></p>
<p>Can you try to remove '<span style="color:#1F497D">System:
Modify Certificate Profile' manually from LDAP and re-run
ipa-server-upgrade?</span><o:p></o:p></p>
<p> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 11.10.2016 15:53, John Popowitch
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Updating managed permission: System: Modify
Certificate Profile</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Destroyed connection context.ldap2_82077392</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
ERROR Upgrade failed with This entry already exists</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Traceback (most recent call last):</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 306, in __upgrade</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
self.modified = (ld.update(self.files) or self.modified)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 905, in update</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
self._run_updates(all_updates)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 877, in _run_updates</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
self._run_update_plugin(update['plugin'])</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 852, in _run_update_plugin</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
restart_ds, updates = self.api.Updater[plugin_name]()</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py",
line 1400, in __call__</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> return
self.execute(**options)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py",
line 433, in execute</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
anonymous_read_aci)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py",
line 529, in update_permission</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
ldap.add_entry(entry)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
line 1428, in add_entry</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
self.conn.add_s(str(entry.dn), attrs.items())</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib64/python2.7/contextlib.py", line 35, in __exit__</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
self.gen.throw(type, value, traceback)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
line 938, in error_handler</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> raise
errors.DuplicateEntry()</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">DuplicateEntry:
This entry already exists</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Traceback (most recent call last):</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
run_step(full_msg, method)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> method()</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 314, in __upgrade</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> raise
RuntimeError(e)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">RuntimeError:
This entry already exists</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG [error] RuntimeError: This entry already exists</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG [cleanup]: stopping directory server</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Starting external process</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG args='/bin/systemctl' 'stop' 'dirsrv@AWS-CAPPEX-COM.service'</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Process finished, return code=0</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG stdout=</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG stderr=</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG duration: 1 seconds</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG [cleanup]: restoring configuration</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG duration: 0 seconds</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade
manually.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 171, in execute</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">
return_value = self.run()</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 50, in run</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> raise
admintool.ScriptError(str(e))</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG The ipa-server-upgrade command failed, exception:
ScriptError: ('IPA upgrade failed.', 1)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
ERROR ('IPA upgrade failed.', 1)</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">
Martin Basti [<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com">mailto:mbasti@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, October 11, 2016 1:53 AM<br>
<b>To:</b> John Popowitch; <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] FreeIPA v4.2
stopped working, wants me to run ipa-server-upgrade,
but has errors</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal">On 10.10.2016 23:30, John Popowitch
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello FreeIPA community.<o:p></o:p></p>
<p class="MsoNormal">I've inherited a group of three FreeIPA
v4.2 servers on CentOS 7.2.<o:p></o:p></p>
<p class="MsoNormal">I had to reboot one of the servers and
now IPA won't run saying, "Upgrade required: please run
ipa-server-upgrade command."<o:p></o:p></p>
<p class="MsoNormal">But when I run ipa-server-upgrade I get
an error:<o:p></o:p></p>
<p class="MsoNormal">ipa: ERROR: Upgrade failed with This
entry already exists<o:p></o:p></p>
<p class="MsoNormal">When I run it in debug mode the last
action before the error is:<o:p></o:p></p>
<p class="MsoNormal">ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions:
DEBUG: Updating managed permission: System: Modify
Certificate Profile<o:p></o:p></p>
<p class="MsoNormal">It appears that several of the other
managed permissions are processed successfully.<o:p></o:p></p>
<p class="MsoNormal">When I look in the UI on one of the
other servers it appears that this permission exists under
IPA Server -> Role Based Access Control ->
Permissions.<o:p></o:p></p>
<p class="MsoNormal">I'm not familiar with FreeIPA so any
help would be greatly appreciated.<o:p></o:p></p>
<p class="MsoNormal">Thanks in advance.<o:p></o:p></p>
<p class="MsoNormal">-John<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman','serif'"><br>
Hello,<br>
<br>
can you post the related part of ipaupgrade.log here?<br>
<br>
Martin</span><o:p></o:p></p>
</blockquote>
</div>
</blockquote>
<br>
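<p>Added example, not part of the original thread: ldapsearch folds long LDIF values by default, so the name of an ACI on cn=certprofiles,cn=ca,$SUFFIX can be split across lines and a plain grep misses it. The script below unfolds the output and checks the container's aci values for a named managed permission; the function names and the dc=example,dc=test suffix are assumptions, and the sample LDIF is constructed.</p>

```sh
#!/bin/sh
# Added example (not from the thread): find a managed-permission ACI in
# ldapsearch output even when LDIF folding splits its name across lines.

# Constructed sample of what the thread's ldapsearch prints; the suffix
# dc=example,dc=test is a placeholder.
sample_ldif() {
cat <<'EOF'
dn: cn=certprofiles,cn=ca,dc=example,dc=test
aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfil
 ter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Mod
 ify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify C
 ertificate Profile,cn=permissions,cn=pbac,dc=example,dc=test";)
aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permissi
 on:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=S
 ystem: Delete Certificate Profile,cn=permissions,cn=pbac,dc=example,dc=test";)
EOF
}

# Join LDIF continuation lines: a line starting with one space continues
# the previous line, and that space is dropped.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# Print the acl name of every aci value in the LDIF read from stdin.
aci_names() {
    unfold_ldif | sed -n 's/^aci: .*(version 3\.0; *acl "\([^"]*\)".*/\1/p'
}

# Exit 0 if an ACI named "permission:$1" is present in the LDIF on stdin.
has_permission_aci() {
    aci_names | grep -Fxq "permission:$1"
}

if sample_ldif | has_permission_aci "System: Modify Certificate Profile"; then
    echo "ACI present on the container"
else
    echo "ACI not found"
fi
```

<p>On a live server, pipe the output of the ldapsearch command from the reply above into has_permission_aci in place of sample_ldif.</p>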
</body>
</html>