On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users
wrote:
> Giovanni Bechis via FreeIPA-users wrote:
> >
> > Hi,
> > running latest FreeIPA upgrade I encountered an error and the freeipa
> > upgrade failed.
> >
> > The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain
> > section but it fails even if /etc/sssd.conf
> > has those options set.
> > Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my sssd.conf
> > file is the following:
> >
> > -------------------------------------------------------------------------------------------------------------------------
> > [sssd]
> > domains = domain.tld
> > config_file_version = 2
> > services = nss, ifp, pam, ssh
> >
> > [domain/domain.tld]
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > ldap_uri = ldaps://srv.domain.tld
> > ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=tld
> > ldap_group_search_base = cn=groups,cn=compat,dc=domain,dc=tld
> > ldap_default_bind_dn = uid=ldapdn,cn=users,cn=compat,dc=domain,dc=tld
> > ldap_default_authtok = XXX
> > ldap_id_use_start_tls = True
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
> > ldap_tls_reqcert = allow
> > ldap_user_ssh_public_key = ipaSshPubKey
> > cache_credentials = True
> > enumerate = True
> >
> > [ifp]
> > allowed_uids = ipaapi, root
> > -------------------------------------------------------------------------------------------------------------------------
> >
> > I am using FreeIPA only as an ldap web gui, all my services are using ldaps
> > protocol.
> > By commenting the relevant lines in
> > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py"
> > the upgrade proceeds and all works fine.
> >
> > Is there any way to prevent the upgrade script from crashing every time?
>
> We need more specific information on what you mean by crash. Seeing the
> upgrade log would help.
>
Sorry, I forgot that part.
Even if I add ipa_server and ipa_server_mode to sssd.conf the error doesn't
change.
Commenting the following lines in upgrade.py is a workaround that makes ipa
start and all services work:

    domain.set_option('ipa_server_mode', 'True')
    domain.set_option('ipa_server', api.env.host)

2021-05-04T07:46:41Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-05-04T07:46:41Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2177, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2066, in upgrade_configuration
    sssd_update()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1433, in sssd_update
    domain.set_option('ipa_server_mode', 'True')
  File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line 1204, in set_option
    (self.name, option))

2021-05-04T07:46:41Z DEBUG The ipa-server-upgrade command failed, exception: NoOptionError: Section [domain.tld] has no option [ipa_server_mode]
2021-05-04T07:46:41Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NoOptionError: Section [domain.tld] has no option [ipa_server_mode]

Thanks
Giovanni
