Giovanni Bechis via FreeIPA-users wrote: > > Hi, > running latest FreeIPA upgrade I encountered an error and the freeipa upgrade failed. > > The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain section but it fails even if /etc/sssd.conf > has those options set. > Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my sssd.conf file is the following: > > ------------------------------------------------------------------------------------------------------------------------- > [sssd] > domains = domain.tld > config_file_version = 2 > services = nss, ifp, pam, ssh > > [domain/domain.tld] > id_provider = ldap > auth_provider = ldap > chpass_provider = ldap > ldap_uri = ldaps://srv.domain.tld > ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=tld > ldap_group_search_base = cn=groups,cn=compat,dc=domain,dc=tld > ldap_default_bind_dn = uid=ldapdn,cn=users,cn=compat,dc=domain,dc=tld > ldap_default_authtok = XXX > ldap_id_use_start_tls = True > ldap_tls_cacertdir = /etc/openldap/cacerts > ldap_tls_cacert = /etc/openldap/cacerts/ca.crt > ldap_tls_reqcert = allow > ldap_user_ssh_public_key = ipaSshPubKey > cache_credentials = True > enumerate = True > > [ifp] > allowed_uids = ipaapi, root > ------------------------------------------------------------------------------------------------------------------------- > > I am using FreeIPA only as an ldap web gui, all my services are using ldaps protocol. > By commenting the relevant lines in "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py" > the upgrade proceeds and all works fine. > > Is there any way to prevent the upgrade script from crashing every time ? We need more specific information on what you mean by crash. Seeing the upgrade log would help.

Giovanni Bechis wrote: > On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users wrote: >> Giovanni Bechis via FreeIPA-users wrote: >>> >>> Hi, >>> running latest FreeIPA upgrade I encountered an error and the freeipa upgrade failed. >>> >>> The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain section but it fails even if /etc/sssd.conf >>> has those options set. >>> Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my sssd.conf file is the following: >>> >>> ------------------------------------------------------------------------------------------------------------------------- >>> [sssd] >>> domains = domain.tld >>> config_file_version = 2 >>> services = nss, ifp, pam, ssh >>> >>> [domain/domain.tld] >>> id_provider = ldap >>> auth_provider = ldap >>> chpass_provider = ldap >>> ldap_uri = ldaps://srv.domain.tld >>> ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=tld >>> ldap_group_search_base = cn=groups,cn=compat,dc=domain,dc=tld >>> ldap_default_bind_dn = uid=ldapdn,cn=users,cn=compat,dc=domain,dc=tld >>> ldap_default_authtok = XXX >>> ldap_id_use_start_tls = True >>> ldap_tls_cacertdir = /etc/openldap/cacerts >>> ldap_tls_cacert = /etc/openldap/cacerts/ca.crt >>> ldap_tls_reqcert = allow >>> ldap_user_ssh_public_key = ipaSshPubKey >>> cache_credentials = True >>> enumerate = True >>> >>> [ifp] >>> allowed_uids = ipaapi, root >>> ------------------------------------------------------------------------------------------------------------------------- >>> >>> I am using FreeIPA only as an ldap web gui, all my services are using ldaps protocol. >>> By commenting the relevant lines in "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py" >>> the upgrade proceeds and all works fine. >>> >>> Is there any way to prevent the upgrade script from crashing every time ? >> >> We need more specific information on what you mean by crash. Seeing the >> upgrade log would help. >> > Sorry, I forgot that part. > even if I add ipa_server and ipa_server_mode to sssd.conf the error doesn't change. > Commenting the following lines in upgrade.py is a workaround that makes ipa start and all services work: > domain.set_option('ipa_server_mode', 'True') > domain.set_option('ipa_server', api.env.host) > > > 2021-05-04T07:46:41Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > 2021-05-04T07:46:41Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute > return_value = self.run() > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run > server.upgrade() > File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2177, in upgrade > upgrade_configuration() > File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2066, in upgrade_configuration > sssd_update() > File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1433, in sssd_update > domain.set_option('ipa_server_mode', 'True') > File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line 1204, in set_option > (self.name, option)) > > 2021-05-04T07:46:41Z DEBUG The ipa-server-upgrade command failed, exception: NoOptionError: Section [domain.tld] has no option [ipa_server_mode] > 2021-05-04T07:46:41Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: > NoOptionError: Section [domain.tld] has no option [ipa_server_mode] It's failing because your id_provider is not ipa.

Giovanni Bechis via FreeIPA-users wrote: > On 5/4/21 7:44 PM, Rob Crittenden via FreeIPA-users wrote: >> Giovanni Bechis wrote: >>> On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users wrote: >>>> Giovanni Bechis via FreeIPA-users wrote: >>>>> >>>>> Hi, >>>>> running latest FreeIPA upgrade I encountered an error and the freeipa upgrade failed. >>>>> >>>>> The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain section but it fails even if /etc/sssd.conf >>>>> has those options set. >>>>> Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my sssd.conf file is the following: >>>>> >>>>> ------------------------------------------------------------------------------------------------------------------------- >>>>> [sssd] >>>>> domains = domain.tld >>>>> config_file_version = 2 >>>>> services = nss, ifp, pam, ssh >>>>> >>>>> [domain/domain.tld] >>>>> id_provider = ldap >>>>> auth_provider = ldap >>>>> chpass_provider = ldap >>>>> ldap_uri = ldaps://srv.domain.tld >>>>> ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=tld >>>>> ldap_group_search_base = cn=groups,cn=compat,dc=domain,dc=tld >>>>> ldap_default_bind_dn = uid=ldapdn,cn=users,cn=compat,dc=domain,dc=tld >>>>> ldap_default_authtok = XXX >>>>> ldap_id_use_start_tls = True >>>>> ldap_tls_cacertdir = /etc/openldap/cacerts >>>>> ldap_tls_cacert = /etc/openldap/cacerts/ca.crt >>>>> ldap_tls_reqcert = allow >>>>> ldap_user_ssh_public_key = ipaSshPubKey >>>>> cache_credentials = True >>>>> enumerate = True >>>>> >>>>> [ifp] >>>>> allowed_uids = ipaapi, root >>>>> ------------------------------------------------------------------------------------------------------------------------- >>>>> >>>>> I am using FreeIPA only as an ldap web gui, all my services are using ldaps protocol. >>>>> By commenting the relevant lines in "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py" >>>>> the upgrade proceeds and all works fine. >>>>> >>>>> Is there any way to prevent the upgrade script from crashing every time ? >>>> >>>> We need more specific information on what you mean by crash. Seeing the >>>> upgrade log would help. >>>> >>> Sorry, I forgot that part. >>> even if I add ipa_server and ipa_server_mode to sssd.conf the error doesn't change. >>> Commenting the following lines in upgrade.py is a workaround that makes ipa start and all services work: >>> domain.set_option('ipa_server_mode', 'True') >>> domain.set_option('ipa_server', api.env.host) >>> >>> >>> 2021-05-04T07:46:41Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >>> 2021-05-04T07:46:41Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute >>> return_value = self.run() >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run >>> server.upgrade() >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2177, in upgrade >>> upgrade_configuration() >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2066, in upgrade_configuration >>> sssd_update() >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1433, in sssd_update >>> domain.set_option('ipa_server_mode', 'True') >>> File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line 1204, in set_option >>> (self.name, option)) >>> >>> 2021-05-04T07:46:41Z DEBUG The ipa-server-upgrade command failed, exception: NoOptionError: Section [domain.tld] has no option [ipa_server_mode] >>> 2021-05-04T07:46:41Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: >>> NoOptionError: Section [domain.tld] has no option [ipa_server_mode] >> >> It's failing because your id_provider is not ipa. >> > thanks, > after setting id_provider=ipa it fails in a different way: > > 2021-05-05T07:24:14Z DEBUG stderr= > 2021-05-05T07:24:14Z INFO [Verifying that CA proxy configuration is correct] > 2021-05-05T07:24:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' > 2021-05-05T07:24:14Z DEBUG Proxy configuration up-to-date > 2021-05-05T07:24:14Z DEBUG Starting external process > 2021-05-05T07:24:14Z DEBUG args=pki-server subsystem-show kra > 2021-05-05T07:24:14Z DEBUG Process finished, return code=1 > 2021-05-05T07:24:14Z DEBUG stdout=ERROR: No kra subsystem in instance pki-tomcat. > > 2021-05-05T07:24:14Z DEBUG stderr= > 2021-05-05T07:24:14Z DEBUG Starting pki-tomcatd@pki-tomcat. > 2021-05-05T07:24:14Z DEBUG Starting external process > 2021-05-05T07:24:14Z DEBUG args=/bin/systemctl start pki-tomcatd(a)pki-tomcat.service > 2021-05-05T07:24:15Z DEBUG Process finished, return code=1 > 2021-05-05T07:24:15Z DEBUG stdout= > 2021-05-05T07:24:15Z DEBUG stderr=Job for pki-tomcatd(a)pki-tomcat.service canceled. > > 2021-05-05T07:24:15Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > 2021-05-05T07:24:15Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute > return_value = self.run() > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run > server.upgrade() > File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2177, in upgrade > upgrade_configuration() > File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1883, in upgrade_configuration > logger.info('ephemeralRequest is already enabled') > File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__ > self.gen.next() > File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1239, in stopped_service > service_obj.start(instance_name) > File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 190, in start > instance_name, capture_output=capture_output, wait=wait) > File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 304, in start > skip_output=not capture_output) > File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run > raise CalledProcessError(p.returncode, arg_string, str(output)) This is unrelated. You'll need to check the system journal/logs and the CA logs to determine why it failed to start.