On 5/4/21 7:44 PM, Rob Crittenden via FreeIPA-users wrote:
> Giovanni Bechis wrote:
>> On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users
>> wrote:
>>> Giovanni Bechis via FreeIPA-users wrote:
>>>>
>>>> Hi,
>>>> running latest FreeIPA upgrade I encountered an error and the freeipa
>>>> upgrade failed.
>>>>
>>>> The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain
>>>> section but it fails even if /etc/sssd.conf
>>>> has those options set.
>>>> Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my sssd.conf
>>>> file is the following:
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------
>>>> [sssd]
>>>> domains = domain.tld
>>>> config_file_version = 2
>>>> services = nss, ifp, pam, ssh
>>>>
>>>> [domain/domain.tld]
>>>> id_provider = ldap
>>>> auth_provider = ldap
>>>> chpass_provider = ldap
>>>> ldap_uri = ldaps://srv.domain.tld
>>>> ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=tld
>>>> ldap_group_search_base = cn=groups,cn=compat,dc=domain,dc=tld
>>>> ldap_default_bind_dn = uid=ldapdn,cn=users,cn=compat,dc=domain,dc=tld
>>>> ldap_default_authtok = XXX
>>>> ldap_id_use_start_tls = True
>>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>>> ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
>>>> ldap_tls_reqcert = allow
>>>> ldap_user_ssh_public_key = ipaSshPubKey
>>>> cache_credentials = True
>>>> enumerate = True
>>>>
>>>> [ifp]
>>>> allowed_uids = ipaapi, root
>>>> -------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> I am using FreeIPA only as an ldap web gui, all my services are using
>>>> ldaps protocol.
>>>> By commenting the relevant lines in
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py"
>>>> the upgrade proceeds and all works fine.
>>>>
>>>> Is there any way to prevent the upgrade script from crashing every time ?
>>>
>>> We need more specific information on what you mean by crash. Seeing the
>>> upgrade log would help.
>>>
>> Sorry, I forgot that part.
>> even if I add ipa_server and ipa_server_mode to sssd.conf the error doesn't
>> change.
>> Commenting the following lines in upgrade.py is a workaround that makes ipa
>> start and all services work:
>> domain.set_option('ipa_server_mode', 'True')
>> domain.set_option('ipa_server', api.env.host)
>>
>>
>> 2021-05-04T07:46:41Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2021-05-04T07:46:41Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
>> execute
>> return_value = self.run()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 54, in run
>> server.upgrade()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line
>> 2177, in upgrade
>> upgrade_configuration()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line
>> 2066, in upgrade_configuration
>> sssd_update()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line
>> 1433, in sssd_update
>> domain.set_option('ipa_server_mode', 'True')
>> File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line 1204,
>> in set_option
>> (self.name, option))
>>
>> 2021-05-04T07:46:41Z DEBUG The ipa-server-upgrade command failed, exception:
>> NoOptionError: Section [domain.tld] has no option [ipa_server_mode]
>> 2021-05-04T07:46:41Z ERROR Unexpected error - see /var/log/ipaupgrade.log
>> for details:
>> NoOptionError: Section [domain.tld] has no option [ipa_server_mode]
>
> It's failing because your id_provider is not ipa.
>
thanks,
after setting id_provider=ipa it fails in a different way:

2021-05-05T07:24:14Z DEBUG stderr=
2021-05-05T07:24:14Z INFO [Verifying that CA proxy configuration is correct]
2021-05-05T07:24:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-05-05T07:24:14Z DEBUG Proxy configuration up-to-date
2021-05-05T07:24:14Z DEBUG Starting external process
2021-05-05T07:24:14Z DEBUG args=pki-server subsystem-show kra
2021-05-05T07:24:14Z DEBUG Process finished, return code=1
2021-05-05T07:24:14Z DEBUG stdout=ERROR: No kra subsystem in instance pki-tomcat.
2021-05-05T07:24:14Z DEBUG stderr=
2021-05-05T07:24:14Z DEBUG Starting pki-tomcatd@pki-tomcat.
2021-05-05T07:24:14Z DEBUG Starting external process
2021-05-05T07:24:14Z DEBUG args=/bin/systemctl start [email protected]
2021-05-05T07:24:15Z DEBUG Process finished, return code=1
2021-05-05T07:24:15Z DEBUG stdout=
2021-05-05T07:24:15Z DEBUG stderr=Job for [email protected] canceled.
2021-05-05T07:24:15Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-05-05T07:24:15Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2177, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1883, in upgrade_configuration
    logger.info('ephemeralRequest is already enabled')
  File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
    self.gen.next()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1239, in stopped_service
    service_obj.start(instance_name)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 190, in start
    instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 304, in start
    skip_output=not capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
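Added example, not part of the original thread and not FreeIPA code: a preflight check to run against sssd.conf before ipa-server-upgrade, reporting the condition named in the reply above (an enabled domain whose id_provider is not ipa). As an addition beyond the thread's error, it also reports ldap_tls_reqcert values under which sssd continues with an invalid server certificate. The function name, the sample text and the choice to check every enabled domain are assumptions made for this example.

```python
import configparser

# Constructed sample: a trimmed copy of the sssd.conf posted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = domain.tld
config_file_version = 2
services = nss, ifp, pam, ssh

[domain/domain.tld]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://srv.domain.tld
ldap_tls_reqcert = allow
"""

# sssd-ldap values under which a bad server certificate does not end the session.
WEAK_REQCERT = {"never", "allow"}


def preflight(conf_text):
    """Return (domain, finding) tuples for every domain enabled in [sssd]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    findings = []
    for name in filter(None, enabled):
        section = "domain/" + name
        if not cp.has_section(section):
            findings.append((name, "enabled in [sssd] but has no [%s] section" % section))
            continue
        # The upgrade sets ipa_server_mode, which the thread shows failing
        # when the domain's id_provider is ldap instead of ipa.
        provider = cp.get(section, "id_provider", fallback="(unset)").strip()
        if provider.lower() != "ipa":
            findings.append((name, "id_provider is %s, not ipa" % provider))
        reqcert = cp.get(section, "ldap_tls_reqcert", fallback="").strip().lower()
        if reqcert in WEAK_REQCERT:
            findings.append((name, "ldap_tls_reqcert=%s accepts an invalid server certificate" % reqcert))
    return findings


if __name__ == "__main__":
    for domain, finding in preflight(SAMPLE_SSSD_CONF):
        print("%s: %s" % (domain, finding))
```

An empty result means no enabled domain triggered either check; it says nothing about the later pki-tomcatd start failure shown in the second log.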
