On 11.10.2016 17:21, John Popowitch wrote:

I agree that is weird.

Several of the other managed permissions are updated successfully and they are very similar.

Yes, I can try to remove the permission manually.

Is there any risk in corrupting or breaking the system?
This is, I believe, one of three IPA servers in a multi-master replication.

And we run our production website (basically our company) off of these servers.

Assuming it's safe enough to do, could I delete that permission via the UI or does it need to be directly via LDAP?


Upgrade will re-create permission.

You have to do it directly using LDAP as Directory Manager.

Also please check in: cn=certprofiles,cn=ca,$SUFFIX

if you have this ACI there

aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=dom-058-017,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)

This may also cause an issue, so if removing the permission itself did not help (or the permission does not exist) you may need to remove this ACI.

Martin
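As an added example (not code from this thread or from FreeIPA itself), the check Martin describes can be done offline against an LDIF export taken as Directory Manager, so the live directory is only modified once the stale permission entry and the ACI referencing it are confirmed; the suffix and the sample entries below are constructed placeholders, not the reporter's data.

```python
PERMISSION = "System: Modify Certificate Profile"
SUFFIX = "dc=example,dc=test"  # constructed placeholder, not the reporter's suffix
# Constructed sample export: the permission entry plus the ACI under cn=certprofiles,
# with the long ACI folded across lines the way ldapsearch prints it.
SAMPLE_LDIF = f"""\
dn: cn={PERMISSION},cn=permissions,cn=pbac,{SUFFIX}
objectClass: ipapermission
cn: {PERMISSION}

dn: cn=certprofiles,cn=ca,{SUFFIX}
objectClass: nsContainer
aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfil
 ter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:{PERMISSION}
 ";allow (write) groupdn = "ldap:///cn={PERMISSION},cn=permissions,cn=pbac,{SUFFIX}";)
"""

def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attr: [values]}}, joining folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" "):
            lines[-1] += raw[1:]  # a leading space continues the previous value
        else:
            lines.append(raw)
    entries, attrs, dn = {}, {}, None
    for line in lines + [""]:  # the trailing "" flushes the last entry
        attr, _, value = line.partition(": ")
        if not line:
            if dn:
                entries[dn] = attrs
            attrs, dn = {}, None
        elif attr.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(attr.lower(), []).append(value)
    return entries

def find_stale_objects(entries, suffix=SUFFIX, name=PERMISSION):
    """Return (permission dn or None, [(holder dn, aci value), ...]) for the named permission."""
    perm_dn = f"cn={name},cn=permissions,cn=pbac,{suffix}"
    found = next((dn for dn in entries if dn.lower() == perm_dn.lower()), None)
    acis = [(dn, aci) for dn, attrs in entries.items()
            for aci in attrs.get("aci", []) if f'acl "permission:{name}"' in aci]
    return found, acis

def removal_ldif(perm_dn, acis):
    """ldapmodify input (applied as Directory Manager) deleting the entry and each ACI value."""
    ops = [f"dn: {perm_dn}\nchangetype: delete\n"] if perm_dn else []
    ops += [f"dn: {h}\nchangetype: modify\ndelete: aci\naci: {a}\n-\n" for h, a in acis]
    return "\n".join(ops)
```

Feed `parse_ldif` the output of an `ldapsearch -LLL` run as Directory Manager over the real suffix; the generated LDIF is the input for `ldapmodify`, and the upgrade then re-creates the permission as Martin notes.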

*From:*Martin Basti [mailto:mba...@redhat.com]
*Sent:* Tuesday, October 11, 2016 9:47 AM
*To:* John Popowitch; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

That's weird because the code is checking if a permission exists before it tries to add a new one

Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade?

On 11.10.2016 15:53, John Popowitch wrote:

    2016-10-10T19:51:38Z DEBUG Updating managed permission: System:
    Modify Certificate Profile

    2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392

    2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already
    exists

    2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):

      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
    line 306, in __upgrade

    self.modified = (ld.update(self.files) or self.modified)

      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
    line 905, in update

    self._run_updates(all_updates)

      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
    line 877, in _run_updates

    self._run_update_plugin(update['plugin'])

      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
    line 852, in _run_update_plugin

    restart_ds, updates = self.api.Updater[plugin_name]()

      File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
    1400, in __call__

        return self.execute(**options)

      File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py",
    line 433, in execute

    anonymous_read_aci)

      File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py",
    line 529, in update_permission

    ldap.add_entry(entry)

      File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
    line 1428, in add_entry

    self.conn.add_s(str(entry.dn), attrs.items())

      File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__

    self.gen.throw(type, value, traceback)

      File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
    line 938, in error_handler

        raise errors.DuplicateEntry()

    DuplicateEntry: This entry already exists

    2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):

      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 418, in start_creation

    run_step(full_msg, method)

      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
    line 408, in run_step

        method()

     File
    "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
    line 314, in __upgrade

        raise RuntimeError(e)

    RuntimeError: This entry already exists

    2016-10-10T19:51:38Z DEBUG   [error] RuntimeError: This entry
    already exists

    2016-10-10T19:51:38Z DEBUG   [cleanup]: stopping directory server

    2016-10-10T19:51:38Z DEBUG Starting external process

    2016-10-10T19:51:38Z DEBUG args='/bin/systemctl' 'stop'
    'dirsrv@AWS-CAPPEX-COM.service'

    2016-10-10T19:51:40Z DEBUG Process finished, return code=0

    2016-10-10T19:51:40Z DEBUG stdout=

    2016-10-10T19:51:40Z DEBUG stderr=

    2016-10-10T19:51:40Z DEBUG   duration: 1 seconds

    2016-10-10T19:51:40Z DEBUG   [cleanup]: restoring configuration

    2016-10-10T19:51:40Z DEBUG Loading StateFile from
    '/var/lib/ipa/sysrestore/sysrestore.state'

    2016-10-10T19:51:40Z DEBUG Loading StateFile from
    '/var/lib/ipa/sysrestore/sysrestore.state'

    2016-10-10T19:51:40Z DEBUG Saving StateFile to
    '/var/lib/ipa/sysrestore/sysrestore.state'

    2016-10-10T19:51:40Z DEBUG Loading StateFile from
    '/var/lib/ipa/sysrestore/sysrestore.state'

    2016-10-10T19:51:40Z DEBUG Loading StateFile from
    '/var/lib/ipa/sysrestore/sysrestore.state'

    2016-10-10T19:51:40Z DEBUG Saving StateFile to
    '/var/lib/ipa/sysrestore/sysrestore.state'

    2016-10-10T19:51:40Z DEBUG Loading StateFile from
    '/var/lib/ipa/sysrestore/sysrestore.state'

    2016-10-10T19:51:40Z DEBUG   duration: 0 seconds

    2016-10-10T19:51:40Z ERROR IPA server upgrade failed: Inspect
    /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.

    2016-10-10T19:51:40Z DEBUG   File
    "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
    171, in execute

    return_value = self.run()

      File
    "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
    line 50, in run

        raise admintool.ScriptError(str(e))

    2016-10-10T19:51:40Z DEBUG The ipa-server-upgrade command failed,
    exception: ScriptError: ('IPA upgrade failed.', 1)

    2016-10-10T19:51:40Z ERROR ('IPA upgrade failed.', 1)

    *From:*Martin Basti [mailto:mba...@redhat.com]
    *Sent:* Tuesday, October 11, 2016 1:53 AM
    *To:* John Popowitch; freeipa-users@redhat.com
    *Subject:* Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants
    me to run ipa-server-upgrade, but has errors

    On 10.10.2016 23:30, John Popowitch wrote:

        Hello FreeIPA community.

        I've inherited a group of three FreeIPA v4.2 servers on CentOS
        7.2.

        I had to reboot one of the servers and now IPA won't run
        saying, "Upgrade required: please run ipa-server-upgrade command."

        But when I run ipa-server-upgrade I get an error:

        ipa: ERROR: Upgrade failed with This entry already exists

        When I run it in debug mode the last action before the error is:

        ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions:
        DEBUG: Updating managed permission: System: Modify Certificate
        Profile

        It appears that several of the other managed permissions are
        processed successfully.

        When I look in the UI on one of the other servers it appears
        that this permission exists under IPA Server -> Role Based
        Access Control -> Permissions.

        I'm not familiar with FreeIPA so any help would be greatly
        appreciated.

        Thanks in advance.

        -John


    Hello,

    can you post the related part of ipaupgrade.log here?

    Martin


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project