#2541 ipa not starting after upgrade because of missing data
Closed: Fixed None Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=803930 (Red Hat Enterprise Linux 6)

Description of problem:

Upgrading from IPA 2.1.3 to 2.2.0 with SELinux in Permissive mode leaves IPA in
a state where it won't start.

After "yum -y upgrade 'ipa*'" I see this:

[root@spoore-dvm1 yum.repos.d]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    PKI-IPA... server already stopped                      [FAILED]
    TESTRELM-COM... server already stopped                 [FAILED]
  *** Error: 2 instance(s) unsuccessfully stopped          [FAILED]
Starting dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]
Failed to read data from Directory Service: Failed to get list of services to
probe status!
Configured hostname 'spoore-dvm1.testrelm.com' does not match any master server
in LDAP:
No master found because of error: {'matched': 'dc=testrelm,dc=com', 'desc': 'No
such object'}
Shutting down
Shutting down dirsrv:
    PKI-IPA...                                             [  OK  ]
    TESTRELM-COM...                                        [  OK  ]

I'm not sure yet if this is relevant:

[root@spoore-dvm1 log]# grep WARNING ipaupgrade.log
2012-03-16T01:49:12Z WARNING remove: '(target =
"ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,dc=testrelm,dc=com")(version
3.0;acl "permission:Register Entitlements";allow (add) groupdn =
"ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,dc=testrelm,dc=com";)'
not in aci
2012-03-16T01:49:12Z WARNING remove: '(targetattr = "usercertificate")(target =
"ldap:///ipaentitlement=*,cn=entitlements,cn=etc,dc=testrelm,dc=com")(version
3.0;acl "permission:Write Entitlements";allow (write) groupdn =
"ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,dc=testrelm,dc=com";)'
not in aci
2012-03-16T01:49:12Z WARNING remove: '(targetattr = "userpkcs12")(target =
"ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,dc=testrelm,dc=com")(version
3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read
Entitlements,cn=permissions,cn=pbac,dc=testrelm,dc=com";)' not in aci
2012-03-16T01:49:12Z WARNING remove: '60' not in nsslapd-pluginPrecedence


[root@spoore-dvm1 log]# grep ERROR ipaupgrade.log
2012-03-16T01:49:12Z ERROR Add failure 'NoneType' object is not callable




Version-Release number of selected component (if applicable):
RHEL6.2 with IPA 2.1.3 with IPA upgraded to 2.2.0-4

How reproducible:
always on my particular server at least.

Steps to Reproduce:
1. <setup ipa 2.1.3 server on RHEL6.2>
2. setenforce Permissive
3. kinit admin
4. <setup yum repo for rhel6.3 and/or that includes IPA 2.2.0-4>
5. yum -y update 'ipa*'
6. ipactl restart

Actual results:

IPA fails to start with error listed above.

Expected results:

IPA starts cleanly.

Additional info:

Errors in /var/log/dirsrv/slapd-TESTRELM-COM/errors that look like this:
[15/Mar/2012:20:49:18 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to
convert DN cn=TESTRELM.COM to RDN

Not sure if that's relevant.

This is a bug in 389-ds, need to bump n-v-r.

The IPA upgrade process was starting before 389-ds had upgraded the database which caused corruption.

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03

7 years ago
