On 5/4/21 7:44 PM, Rob Crittenden via FreeIPA-users wrote:
Giovanni Bechis wrote:
> On Tue, May 04, 2021 at 09:31:17AM -0400, Rob Crittenden via FreeIPA-users wrote:
>> Giovanni Bechis via FreeIPA-users wrote:
>>>
>>> Hi,
>>> running latest FreeIPA upgrade I encountered an error and the freeipa upgrade failed.
>>>
>>> The upgrade script tries to add [ipa_server_mode] to my sssd.conf domain section but it fails even if /etc/sssd.conf
>>> has those options set.
>>> Atm I am running ipa-server-4.6.8-5.el7.centos.5.x86_64 and my sssd.conf file is the following:
>>>
>>> -------------------------------------------------------------------------------------------------------------------------
>>> [sssd]
>>> domains = domain.tld
>>> config_file_version = 2
>>> services = nss, ifp, pam, ssh
>>>
>>> [domain/domain.tld]
>>> id_provider = ldap
>>> auth_provider = ldap
>>> chpass_provider = ldap
>>> ldap_uri = ldaps://srv.domain.tld
>>> ldap_user_search_base = cn=users,cn=accounts,dc=domain,dc=tld
>>> ldap_group_search_base = cn=groups,cn=compat,dc=domain,dc=tld
>>> ldap_default_bind_dn = uid=ldapdn,cn=users,cn=compat,dc=domain,dc=tld
>>> ldap_default_authtok = XXX
>>> ldap_id_use_start_tls = True
>>> ldap_tls_cacertdir = /etc/openldap/cacerts
>>> ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
>>> ldap_tls_reqcert = allow
>>> ldap_user_ssh_public_key = ipaSshPubKey
>>> cache_credentials = True
>>> enumerate = True
>>>
>>> [ifp]
>>> allowed_uids = ipaapi, root
>>> -------------------------------------------------------------------------------------------------------------------------
>>>
>>> I am using FreeIPA only as an ldap web gui, all my services are using ldaps protocol.
>>> By commenting the relevant lines in "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py"
>>> the upgrade proceeds and all works fine.
>>>
>>> Is there any way to prevent the upgrade script from crashing every time ?
>>
>> We need more specific information on what you mean by crash. Seeing the
>> upgrade log would help.
>>
> Sorry, I forgot that part.
> even if I add ipa_server and ipa_server_mode to sssd.conf the error doesn't change.
> Commenting the following lines in upgrade.py is a workaround that makes ipa start and all services work:
> domain.set_option('ipa_server_mode', 'True')
> domain.set_option('ipa_server', api.env.host)
>
>
> 2021-05-04T07:46:41Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2021-05-04T07:46:41Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2177, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2066, in upgrade_configuration
>     sssd_update()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1433, in sssd_update
>     domain.set_option('ipa_server_mode', 'True')
>   File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line 1204, in set_option
>     (self.name, option))
>
> 2021-05-04T07:46:41Z DEBUG The ipa-server-upgrade command failed, exception: NoOptionError: Section [domain.tld] has no option [ipa_server_mode]
> 2021-05-04T07:46:41Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
> NoOptionError: Section [domain.tld] has no option [ipa_server_mode]

It's failing because your id_provider is not ipa.

Thanks,
after setting id_provider=ipa it fails in a different way:

2021-05-05T07:24:14Z DEBUG stderr=
2021-05-05T07:24:14Z INFO [Verifying that CA proxy configuration is correct]
2021-05-05T07:24:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2021-05-05T07:24:14Z DEBUG Proxy configuration up-to-date
2021-05-05T07:24:14Z DEBUG Starting external process
2021-05-05T07:24:14Z DEBUG args=pki-server subsystem-show kra
2021-05-05T07:24:14Z DEBUG Process finished, return code=1
2021-05-05T07:24:14Z DEBUG stdout=ERROR: No kra subsystem in instance pki-tomcat.
2021-05-05T07:24:14Z DEBUG stderr=
2021-05-05T07:24:14Z DEBUG Starting pki-tomcatd@pki-tomcat.
2021-05-05T07:24:14Z DEBUG Starting external process
2021-05-05T07:24:14Z DEBUG args=/bin/systemctl start pki-tomcatd@pki-tomcat.service
2021-05-05T07:24:15Z DEBUG Process finished, return code=1
2021-05-05T07:24:15Z DEBUG stdout=
2021-05-05T07:24:15Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service canceled.
2021-05-05T07:24:15Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-05-05T07:24:15Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2177, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1883, in upgrade_configuration
    logger.info('ephemeralRequest is already enabled')
  File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
    self.gen.next()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 1239, in stopped_service
    service_obj.start(instance_name)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 190, in start
    instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 304, in start
    skip_output=not capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 563, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))