On 5/5/21 4:38 PM, Rob Crittenden wrote:
> Giovanni Bechis via FreeIPA-users wrote:
>> On 5/4/21 7:44 PM, Rob Crittenden via FreeIPA-users wrote:
>>> Giovanni Bechis wrote:
>>>> On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users wrote:
>>>>> Giovanni Bechis via FreeIPA-users wrote:
>>>>>>
>>>>>> Hi,
>>>>>> Running the latest FreeIPA upgrade, I encountered an error and the FreeIPA 
>>>>>> upgrade failed.
>>>>>>
>>>>>> The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain 
>>>>>> section but it fails even if /etc/sssd.conf
>>>>>> has those options set.
>>>>>> Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my sssd.conf 
>>>>>> file is the following:
>>>>>>
>>>>>> -------------------------------------------------------------------------------------------------------------------------
>>>>>> [sssd]
>>>>>> domains = domain.tld
>>>>>> config_file_version = 2
>>>>>> services = nss, ifp, pam, ssh
>>>>>>
>>>>>> [domain/domain.tld]
>>>>>> id_provider = ldap
>>>>>> auth_provider = ldap
>>>>>> chpass_provider = ldap
>>>>>> ldap_uri = ldaps://srv.domain.tld
>>>>>> ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=tld
>>>>>> ldap_group_search_base = cn=groups,cn=compat,dc=domain,dc=tld
>>>>>> ldap_default_bind_dn = uid=ldapdn,cn=users,cn=compat,dc=domain,dc=tld
>>>>>> ldap_default_authtok = XXX
>>>>>> ldap_id_use_start_tls = True
>>>>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>>>>> ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
>>>>>> ldap_tls_reqcert = allow
>>>>>> ldap_user_ssh_public_key = ipaSshPubKey
>>>>>> cache_credentials = True
>>>>>> enumerate = True
>>>>>>
>>>>>> [ifp]
>>>>>> allowed_uids = ipaapi, root
>>>>>> -------------------------------------------------------------------------------------------------------------------------
>>>>>>
>>>>>> I am using FreeIPA only as an ldap web gui, all my services are using 
>>>>>> ldaps protocol.
>>>>>> By commenting the relevant lines in 
>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py"
>>>>>> the upgrade proceeds and all works fine.
>>>>>>
>>>>>> Is there any way to prevent the upgrade script from crashing every time?
>>>>>
>>>>> We need more specific information on what you mean by crash. Seeing the
>>>>> upgrade log would help.
>>>>>
>>>> Sorry, I forgot that part.
>>>> Even if I add ipa_server and ipa_server_mode to sssd.conf, the error 
>>>> doesn't change.
>>>> Commenting the following lines in upgrade.py is a workaround that makes 
>>>> ipa start and all services work:
>>>> domain.set_option('ipa_server_mode', 'True')
>>>> domain.set_option('ipa_server', api.env.host)
>>>>
>>>>
>>>> 2021-05-04T07:46:41Z ERROR IPA server upgrade failed: Inspect 
>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>> 2021-05-04T07:46:41Z DEBUG   File 
>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in 
>>>> execute
>>>>     return_value = self.run()
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>>>>  line 54, in run
>>>>     server.upgrade()
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
>>>> line 2177, in upgrade
>>>>     upgrade_configuration()
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
>>>> line 2066, in upgrade_configuration
>>>>     sssd_update()
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
>>>> line 1433, in sssd_update
>>>>     domain.set_option('ipa_server_mode', 'True')
>>>>   File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line 
>>>> 1204, in set_option
>>>>     (self.name, option))
>>>>
>>>> 2021-05-04T07:46:41Z DEBUG The ipa-server-upgrade command failed, 
>>>> exception: NoOptionError: Section [domain.tld] has no option 
>>>> [ipa_server_mode]
>>>> 2021-05-04T07:46:41Z ERROR Unexpected error - see /var/log/ipaupgrade.log 
>>>> for details:
>>>> NoOptionError: Section [domain.tld] has no option [ipa_server_mode]
>>>
>>> It's failing because your id_provider is not ipa.
>>>
>> thanks,
>> after setting id_provider=ipa it fails in a different way:
>>
>> 2021-05-05T07:24:14Z DEBUG stderr=
>> 2021-05-05T07:24:14Z INFO [Verifying that CA proxy configuration is correct]
>> 2021-05-05T07:24:14Z DEBUG Loading StateFile from 
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2021-05-05T07:24:14Z DEBUG Proxy configuration up-to-date
>> 2021-05-05T07:24:14Z DEBUG Starting external process
>> 2021-05-05T07:24:14Z DEBUG args=pki-server subsystem-show kra
>> 2021-05-05T07:24:14Z DEBUG Process finished, return code=1
>> 2021-05-05T07:24:14Z DEBUG stdout=ERROR: No kra subsystem in instance 
>> pki-tomcat.
>>
>> 2021-05-05T07:24:14Z DEBUG stderr=
>> 2021-05-05T07:24:14Z DEBUG Starting pki-tomcatd@pki-tomcat.
>> 2021-05-05T07:24:14Z DEBUG Starting external process
>> 2021-05-05T07:24:14Z DEBUG args=/bin/systemctl start 
>> pki-tomcatd@pki-tomcat.service
>> 2021-05-05T07:24:15Z DEBUG Process finished, return code=1
>> 2021-05-05T07:24:15Z DEBUG stdout=
>> 2021-05-05T07:24:15Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service 
>> canceled.
>>
>> 2021-05-05T07:24:15Z ERROR IPA server upgrade failed: Inspect 
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2021-05-05T07:24:15Z DEBUG   File 
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in 
>> execute
>>     return_value = self.run()
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
>> line 54, in run
>>     server.upgrade()
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 
>> 2177, in upgrade
>>     upgrade_configuration()
>>   File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 
>> 1883, in upgrade_configuration
>>     logger.info('ephemeralRequest is already enabled')
>>   File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
>>     self.gen.next()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
>> line 1239, in stopped_service
>>     service_obj.start(instance_name)
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", 
>> line 190, in start
>>     instance_name, capture_output=capture_output, wait=wait)
>>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
>> 304, in start
>>     skip_output=not capture_output)
>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in 
>> run
>>     raise CalledProcessError(p.returncode, arg_string, str(output))
> 
> This is unrelated. You'll need to check the system journal/logs and the
> CA logs to determine why it failed to start.
> 
Disabling the IPv6 link-local address "fixed" the issue.
Thanks
 Giovanni
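
An added example, not part of the thread or of FreeIPA's code: a pre-upgrade check for the condition Rob identifies above, reading sssd.conf with Python's standard configparser and reporting each enabled domain whose id_provider is not ipa. The sample configuration is constructed from the one quoted in the thread; the function name preflight and the rule it applies (taken from Rob's reply) are assumptions of this example.

```python
import configparser

# Constructed sample, trimmed from the sssd.conf quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = domain.tld
config_file_version = 2
services = nss, ifp, pam, ssh

[domain/domain.tld]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://srv.domain.tld

[ifp]
allowed_uids = ipaapi, root
"""

# Options the traceback and the workaround show sssd_update() setting.
UPGRADE_OPTIONS = ("ipa_server_mode", "ipa_server")


def preflight(conf_text):
    """Return {domain: (id_provider, ok)} for each domain enabled in [sssd].

    ok is False when id_provider is not 'ipa' (assumption: this is the
    condition named in the thread as the cause of the NoOptionError).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    listed = cp.get("sssd", "domains", fallback="")
    report = {}
    for name in (d.strip() for d in listed.split(",") if d.strip()):
        section = "domain/" + name
        if not cp.has_section(section):
            report[name] = (None, False)  # listed but not defined
            continue
        provider = cp.get(section, "id_provider", fallback="").strip().lower()
        report[name] = (provider or None, provider == "ipa")
    return report


if __name__ == "__main__":
    for name, (provider, ok) in preflight(SAMPLE_SSSD_CONF).items():
        note = "ok" if ok else "upgrade would fail setting " + ", ".join(UPGRADE_OPTIONS)
        print("%s: id_provider=%s -> %s" % (name, provider, note))
```
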

