https://bugzilla.redhat.com/show_bug.cgi?id=803930 (Red Hat Enterprise Linux 6)
Description of problem:

Upgrading from IPA 2.1.3 to 2.2.0 with selinux in Permissive mode leaves IPA in a state where it won't start.

After "yum -y upgrade 'ipa*'" I see this:

    [root@spoore-dvm1 yum.repos.d]# ipactl restart
    Restarting Directory Service
    Shutting down dirsrv:
    PKI-IPA... server already stopped [FAILED]
    TESTRELM-COM... server already stopped [FAILED]
    *** Error: 2 instance(s) unsuccessfully stopped [FAILED]
    Starting dirsrv:
    PKI-IPA... [ OK ]
    TESTRELM-COM... [ OK ]
    Failed to read data from Directory Service: Failed to get list of services to probe status!
    Configured hostname 'spoore-dvm1.testrelm.com' does not match any master server in LDAP:
    No master found because of error: {'matched': 'dc=testrelm,dc=com', 'desc': 'No such object'}
    Shutting down
    Shutting down dirsrv:
    PKI-IPA... [ OK ]
    TESTRELM-COM... [ OK ]

I'm not sure yet if this is relevant:

    [root@spoore-dvm1 log]# grep WARNING ipaupgrade.log
    2012-03-16T01:49:12Z WARNING remove: '(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,dc=testrelm,dc=com")(version 3.0;acl "permission:Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,dc=testrelm,dc=com";)' not in aci
    2012-03-16T01:49:12Z WARNING remove: '(targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,dc=testrelm,dc=com")(version 3.0;acl "permission:Write Entitlements";allow (write) groupdn = "ldap:///cn=Write Entitlements,cn=permissions,cn=pbac,dc=testrelm,dc=com";)' not in aci
    2012-03-16T01:49:12Z WARNING remove: '(targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,dc=testrelm,dc=com")(version 3.0;acl "permission:Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,dc=testrelm,dc=com";)' not in aci
    2012-03-16T01:49:12Z WARNING remove: '60' not in nsslapd-pluginPrecedence

    [root@spoore-dvm1 log]# grep ERROR ipaupgrade.log
    2012-03-16T01:49:12Z ERROR Add failure 'NoneType' object is not callable

Version-Release number of selected component (if applicable):

RHEL6.2 with IPA 2.1.3 with IPA upgraded to 2.2.0-4

How reproducible:

always on my particular server at least.

Steps to Reproduce:

1. <setup ipa 2.1.3 server on RHEL6.2>
2. setenforce Permissive
3. kinit admin
4. <setup yum repo for rhel6.3 and/or that includes IPA 2.2.0-4>
5. yum -y update 'ipa*'
6. ipactl restart

Actual results:

IPA fails to start with error listed above.

Expected results:

IPA starts cleanly.

Additional info:

Errors in /var/log/dirsrv/slapd-TESTRELM-COM/errors that look like this:

    [15/Mar/2012:20:49:18 -0500] ldif2dbm - _get_and_add_parent_rdns: Failed to convert DN cn=TESTRELM.COM to RDN

Not sure if that's relevant.
This is a bug in 389-ds, need to bump n-v-r.
The IPA upgrade process was starting before 389-ds had upgraded the database which caused corruption.
attachment freeipa-rcrit-995-dbupgrade.patch
master: 00ce15b
ipa-2-2: 92961a6
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03