On 03/08/2017 06:06 PM, free...@netnerdz.se wrote:
Hi all!

I'm trying to upgrade my ipa-server to the version in subject and
hitting some bug that seems similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1404910

It is unlikely that it is this bug because the version of IPA with it was never released. But the error indeed looks similar.


The yum upgrade process took a bit longer than expected so I ctrl+c'd it
and executed the command ipa-server-upgrade

This is never a good idea.

The error message from ipa-server-upgrade is:
8<---
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
[root@o-ipa01-r ~]#
8<---


The lines that indicate an error in the /var/log/ipaupgrade.log file are:
8<---
2017-03-07T23:05:38Z DEBUG stdout=Authenticating as principal
root/ad...@netnerdz.se with password.

2017-03-07T23:05:38Z DEBUG stderr=WARNING: no policy specified for
dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.se; defaulting to no policy
add_principal: Principal or policy already exists while creating
"dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.se".

2017-03-07T23:05:38Z INFO Retrieving keytab
2017-03-07T23:05:38Z DEBUG Starting external process
2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k
/etc/pki/pki-tomcat/dogtag.keytab
dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.se -x
ipa-setup-override-restrictions
2017-03-07T23:05:48Z DEBUG Process finished, return code=0
2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal
root/ad...@netnerdz.se with password.

2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while
changing dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.se's key

2017-03-07T23:05:48Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-07T23:05:48Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
    return_value = self.run()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
    server.upgrade()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1863, in upgrade
    upgrade_configuration()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1796, in upgrade_configuration
    ca.setup_lightweight_ca_key_retrieval()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1400, in setup_lightweight_ca_key_retrieval
    self.__setup_lightweight_ca_key_retrieval_kerberos()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1431, in __setup_lightweight_ca_key_retrieval_kerberos
    os.chmod(keytab, 0o600)

2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed,
exception: OSError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/dogtag.keytab'
2017-03-07T23:05:48Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/dogtag.keytab'
2017-03-07T23:05:48Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
8<---


Here's the output from the ipa-server-upgrade command:
[root@o-ipa01-r ~]# ipa-server-upgrade
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema

  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-NETNERDZ-SE/certmap.conf is now managed by IPA. It
will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with
automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
[root@o-ipa01-r ~]#

Everything seems to be working as normal, but this error message worries
me a bit since this is my only ipa server (setting up a secondary master
has been on my todo list).
Can you help me troubleshoot this?
Or should I just set up a replica, promote it to the primary node for
all clients and then reinstall the one that has the problem?

Might be worth checking the associated pw policies. What is the password policy associated with the dogtag service (krbprincipalname=dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.secn=services,cn=accounts,$SUFFIX) and how does it look (attribute krbPwdPolicyReference)? Does it point to "cn=Default Kerberos Service Password Policy,cn=services,cn=accounts,$SUFFIX", e.g. as defined in line 45 of:
  https://pagure.io/freeipa/c/6f1d927467e7907fd1991f88388d96c67c9bff61

Does this policy exist?

Also look to /var/log/krb5kdc.log for any interesting messages

Thank you in advance!
//Robert



--
Petr Vobornik
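A scripted form of the check Petr asks for, added here as an example for this thread and not taken from the FreeIPA project or from either poster: it parses ldapsearch-style LDIF, locates the dogtag service entry under cn=services,cn=accounts,$SUFFIX, reads its krbPwdPolicyReference, confirms that the referenced policy entry really exists in the result set, and compares it with the default service policy DN named above. The embedded LDIF, the example.test suffix and principal, and the ldapsearch invocation (simple bind as Directory Manager against ldap://localhost) are assumptions; on a real server the output of that ldapsearch command replaces the sample.

```python
"""Check which Kerberos password policy a service principal references and
whether that policy entry exists. Added example for this thread; the LDIF
below is constructed, not taken from the reporter's directory."""
import base64
import shlex

SUFFIX = "dc=example,dc=test"                               # stands in for $SUFFIX
DOGTAG_PRINCIPAL = "dogtag/ipa.example.test@EXAMPLE.TEST"   # constructed principal
DEFAULT_POLICY_DN = ("cn=Default Kerberos Service Password Policy,"
                     "cn=services,cn=accounts," + SUFFIX)

# Constructed LDIF resembling 'ldapsearch -LLL' output. Long values are folded
# onto continuation lines that start with one space, as LDIF specifies.
SAMPLE_LDIF = """\
dn: krbprincipalname=dogtag/ipa.example.test@EXAMPLE.TEST,cn=services,cn=acc
 ounts,dc=example,dc=test
objectClass: krbprincipal
krbPrincipalName: dogtag/ipa.example.test@EXAMPLE.TEST
krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=service
 s,cn=accounts,dc=example,dc=test

dn: cn=Default Kerberos Service Password Policy,cn=services,cn=accounts,dc=ex
 ample,dc=test
objectClass: krbpwdpolicy
cn: Default Kerberos Service Password Policy
"""


def parse_ldif(text):
    """Return {dn: {attribute_lowercase: [values]}} from LDIF text."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded + [""]:                   # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if current is not None:
                entries[current[0]] = current[1]
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip()
        if value.startswith(":"):                  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def check_policy_reference(entries, principal, suffix, expected_policy=None):
    """Resolve the krbPwdPolicyReference of a service principal's entry.

    Returns a dict: whether the service entry was found, which policy DN it
    references, whether that policy entry is present in `entries`, and whether
    it equals `expected_policy` (None when no expectation was given)."""
    service_dn = "krbprincipalname=%s,cn=services,cn=accounts,%s" % (principal, suffix)
    by_lower_dn = {dn.lower(): attrs for dn, attrs in entries.items()}
    attrs = by_lower_dn.get(service_dn.lower())
    result = {"service_dn": service_dn, "service_found": attrs is not None,
              "policy_dn": None, "policy_found": False, "matches_expected": None}
    if attrs is None:
        return result
    refs = attrs.get("krbpwdpolicyreference", [])
    if refs:
        policy_dn = refs[0]
        result["policy_dn"] = policy_dn
        result["policy_found"] = policy_dn.lower() in by_lower_dn
        if expected_policy is not None:
            result["matches_expected"] = policy_dn.lower() == expected_policy.lower()
    return result


def ldapsearch_argv(suffix, bind_dn="cn=Directory Manager"):
    """Build the ldapsearch (OpenLDAP client) command whose LDIF output feeds
    parse_ldif(). Assumption: run on the IPA server with a simple bind as
    Directory Manager against ldap://localhost. It fetches every Kerberos
    principal and every password policy under cn=accounts so that the
    reference can be resolved from one result set."""
    return ["ldapsearch", "-LLL", "-x", "-H", "ldap://localhost", "-D", bind_dn, "-W",
            "-b", "cn=accounts," + suffix,
            "(|(objectClass=krbprincipal)(objectClass=krbpwdpolicy))",
            "krbPwdPolicyReference"]


if __name__ == "__main__":
    # Offline run against the constructed sample; on a server, replace SAMPLE_LDIF
    # with the stdout of the command printed below.
    print(" ".join(shlex.quote(a) for a in ldapsearch_argv(SUFFIX)))
    report = check_policy_reference(parse_ldif(SAMPLE_LDIF), DOGTAG_PRINCIPAL,
                                    SUFFIX, DEFAULT_POLICY_DN)
    for key, value in report.items():
        print("%-17s %s" % (key + ":", value))
```

A reference that points at a DN the search did not return shows up as policy_found False; before concluding the policy is missing, confirm the search base covered cn=services,cn=accounts,$SUFFIX, since the resolution is done purely within the fetched result set.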

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project