https://bugzilla.redhat.com/show_bug.cgi?id=803054 (Red Hat Enterprise Linux 6)
Description of problem:

IPA upgrades on RHEL6.2 from 2.1.3 to 2.2.0 seem to have an issue after upgrade.

    # yum -y update 'ipa*'
    ...
    # ipactl restart
    ...
    # ipa user-find
    ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE

I'm hoping this is straightforward and maybe even something I missed, but I also tried updating everything as well as trying this:

    # ipa-ldap-updater --ldapi /usr/share/ipa/updates/30-s4u2proxy.update
    ipa : INFO Parsing file /usr/share/ipa/updates/30-s4u2proxy.update
    ipa : INFO New entry: cn=s4u2proxy,cn=etc,dc=testrelm,dc=com
    ipa : INFO New entry: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=testrelm,dc=com
    ipa : ERROR Add failure 'NoneType' object is not callable
    ipa : INFO New entry: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=testrelm,dc=com
    ipa : ERROR Add failure 'NoneType' object is not callable
    ipa : INFO Update complete

Version-Release number of selected component (if applicable):

RHEL 6.2 pointing to RHEL 6.3 test repo and repo containing IPA 2.2.0-3 rpms.

How reproducible:

So far, always.

Steps to Reproduce:

1. <Install IPA on RHEL6.2 server>
2. kinit admin
3. <add some content (users, groups, etc)>
4. <add yum repo with RHEL 6.3 and 2.2.0-3 rpms>
5. yum -y update 'ipa*'
6. ipactl restart
7. ipa user-find

Actual results:

The command returns the following:

    ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE

Expected results:

ipa command to run and return normal output.

Additional info:

/var/log/messages entry:

    Mar 13 16:49:53 ibm-ls22-05 httpd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)

/var/log/krb5kdc.log entries:

    Mar 13 16:49:53 HOSTNAME krb5kdc[17278](info): TGS_REQ (4 etypes {18 17 16 23}) 10.34.54.41: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/hostname.testrelm.com@TESTRELM.COM for ldap/hostname.testrelm.com@TESTRELM.COM, Server error
    Mar 13 16:49:53 hostname.testrelm.com krb5kdc[17279](info): TGS_REQ (4 etypes {18 17 16 23}) 10.34.54.41: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/hostname.testrelm.com@TESTRELM.COM for ldap/hostname.testrelm.com@TESTRELM.COM, Server error
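Added example (not part of the original ticket, and not FreeIPA code): a small triage script that reads krb5kdc.log lines in the format quoted above and counts NOT_ALLOWED_TO_DELEGATE refusals per requesting service and delegation target. The sample log, its hostnames, realm and address are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the krb5kdc.log TGS_REQ format quoted in the report.
SAMPLE_LOG = """\
Mar 13 16:49:53 kdc1.example.test krb5kdc[17278](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/kdc1.example.test@EXAMPLE.TEST for ldap/kdc1.example.test@EXAMPLE.TEST, Server error
Mar 13 16:49:54 kdc1.example.test krb5kdc[17279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/kdc1.example.test@EXAMPLE.TEST for ldap/kdc1.example.test@EXAMPLE.TEST, Server error
Mar 13 16:50:01 kdc1.example.test krb5kdc[17278](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1331657401, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/kdc1.example.test@EXAMPLE.TEST
garbage line
"""

# "<requester> for <target>" follows the status and authtime; successful
# requests carry an extra "etypes {...}" field before the principals.
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): TGS_REQ \([^)]*\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): authtime \d+, (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)


def parse_tgs(line):
    """Return addr/status/client/server for a TGS_REQ line, else None."""
    m = TGS_RE.search(line)
    return m.groupdict() if m else None


def delegation_denials(log_text):
    """Count refused delegations keyed by (requesting service, target)."""
    pairs = Counter()
    for line in log_text.splitlines():
        rec = parse_tgs(line)
        if rec and rec["status"] == "NOT_ALLOWED_TO_DELEGATE":
            pairs[(rec["client"], rec["server"])] += 1
    return pairs


if __name__ == "__main__":
    for (client, server), n in delegation_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {client}  ->  {server}")
```
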
This is an SELinux policy problem related to 389-ds. During the upgrade the ldapi socket's context is being changed so 389-ds can't be restarted.
Moving to next month iteration.
BZ closed as WORKSFORME:
I am going to go ahead and close this one as WORKSFORME since I cannot reproduce the "symptom" since the following updates:
ipa-server 2.2.0-5
389-ds-base 1.2.10.2-4
selinux-policy-targetd 3.7.19-142
The selinux labelling issue is addressed in bug 799102 and my test results have been posted there.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04