When upgrading IPA from 4.2.3-2 to a git build of either ipa-4-3 or master and raising the domain level to 1, replica promotion fails during the initial replication setup with the following error:
{{{
INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metoreplica1.ipa.test,cn=replica,cn=dc\\3dipa\\2cdc\\3dtest,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
}}}
{{{/var/log/ipareplica-install.log}}} contains the following traceback:
{{{
packages/ipaserver/install/server/replicainstall.py", line 1553, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1275, in promote
    promote=True, pkcs12_info=dirsrv_pkcs12_info)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 120, in install_replica_ds
    promote=promote,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 398, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 413, in __setup_replica
    repl.setup_promote_replication(self.master_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1596, in setup_promote_replication
    ret = self.start_replication(r_conn, master=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 975, in start_replication
    conn.modify_s(dn, mod)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1647, in modify_s
    return self.conn.modify_s(dn, modlist)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 364, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
2016-01-05T13:40:09Z DEBUG The ipa-replica-install command failed, exception: INSUFFICIENT_ACCESS: {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metoreplica1.ipa.test,cn=replica,cn=dc\\3dipa\\2cdc\\3dtest,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
2016-01-05T13:40:09Z ERROR {'info': "Insufficient 'write' privilege to the 'nsds5BeginReplicaRefresh' attribute of entry 'cn=metoreplica1.ipa.test,cn=replica,cn=dc\\3dipa\\2cdc\\3dtest,cn=mapping tree,cn=config'.\n", 'desc': 'Insufficient access'}
2016-01-05T13:40:09Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
}}}
Steps to reproduce:
1.) install freeipa 4.2.3-2 master and upgrade it
2.) raise domain level to 1 in order to enable replica promotion
3.) install freeipa from current master/ipa-4-3 branch on replica
4.) run ipa-replica-install on replica
Expected outcome:
replica install finishes successfully
Actual outcome:
replica install fails on {{{[28/43]: setting up initial replication}}} step during DS configuration.
The issue is caused by an incorrect update of the replication ACIs during upgrade, introduced by commit 6ea868e. When a pre-4.3 IPA server is upgraded, the ACIs from {{{cn="$SUFFIX",cn=mapping tree,cn=config}}} and {{{cn=o\3Dipaca,cn=mapping tree,cn=config}}} are removed but never added back to the parent entry, as they are during a fresh install. Hence after the upgrade there are no ACIs that permit manipulating replication agreements during replica install.
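The ACI state described above can be verified on an upgraded master before attempting replica promotion. The following is an added example, not FreeIPA code: a small Python checker that parses the {{{aci}}} values of the entries under {{{cn=mapping tree,cn=config}}} (for instance as collected with {{{ldapsearch -b "cn=mapping tree,cn=config" aci}}}) and reports whether a write-granting replication ACI sits on the parent entry, only on the per-suffix children (the pre-4.3 layout), or nowhere (the post-upgrade state this ticket describes). The ACI strings, permission names and DNs in the sample data are constructed for illustration and are not FreeIPA's actual values; the parser handles only the ACI subset with a targetattr clause, one allow rule and one bind rule.

```python
import re
from typing import Dict, List, Optional

# Added example, not FreeIPA code: inspect the "aci" values of the entries
# under cn=mapping tree,cn=config and report where write access on
# replication-agreement attributes is granted.  On a 4.3 server the parent
# entry is expected to carry such an ACI; this ticket describes the upgraded
# state where it carries none.

MAPPING_TREE = "cn=mapping tree,cn=config"

# Handled subset of the 389-ds ACI grammar:
#   (targetattr = "a || b") ... (version 3.0; acl "name"; allow (rights) bindrule;)
_ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"?(?P<targetattr>[^")]+)"?\)'
    r'.*?\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*(?P<bindrule>[^;]*);\)',
    re.IGNORECASE | re.DOTALL,
)


def parse_aci(aci: str) -> Optional[dict]:
    """Split one ACI value into target attributes, name, rights and bind rule.
    Returns None for ACIs outside the handled subset (e.g. without targetattr)."""
    m = _ACI_RE.search(aci)
    if m is None:
        return None
    return {
        "targetattr": [a.strip().lower() for a in m.group("targetattr").split("||")],
        "name": m.group("name"),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "bindrule": m.group("bindrule").strip(),
    }


def grants_replication_write(aci: dict, attr: str = "nsds5BeginReplicaRefresh") -> bool:
    """True if the parsed ACI allows write (or all) on `attr` or on every attribute."""
    if not aci["rights"] & {"write", "all"}:
        return False
    return "*" in aci["targetattr"] or attr.lower() in aci["targetattr"]


def check_replication_acis(entries: Dict[str, List[str]]) -> dict:
    """entries maps each DN under the mapping tree to its raw aci values.

    Returns whether the parent entry grants replication write access, which
    child entries do, and any ACI values the parser did not understand."""
    report = {"parent_has_write_aci": False, "children_with_write_aci": [], "unparsed": []}
    for dn, acis in entries.items():
        granted = False
        for raw in acis:
            parsed = parse_aci(raw)
            if parsed is None:
                report["unparsed"].append((dn, raw))
            elif grants_replication_write(parsed):
                granted = True
        if dn.lower() == MAPPING_TREE:
            report["parent_has_write_aci"] = granted
        elif granted:
            report["children_with_write_aci"].append(dn)
    # On a 4.3 server (fresh or upgraded) the parent entry should carry the ACI.
    report["parent_missing_write_aci"] = not report["parent_has_write_aci"]
    return report


# Constructed sample data; permission names and DNs are illustrative only.
SUFFIX_DN = 'cn="dc=ipa,dc=test",cn=mapping tree,cn=config'
IPACA_DN = "cn=o\\3Dipaca,cn=mapping tree,cn=config"
WRITE_ACI = (
    '(targetattr = "nsds5BeginReplicaRefresh || nsds5ReplicaEnabled")'
    '(version 3.0; acl "permission:Modify Replication Agreements (sample)"; '
    'allow (write) groupdn = "ldap:///cn=Modify Replication Agreements,'
    'cn=permissions,cn=pbac,dc=ipa,dc=test";)'
)
READ_ACI = (
    '(targetattr = "*")(version 3.0; acl "permission:Read Replication Agreements (sample)"; '
    'allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,'
    'cn=permissions,cn=pbac,dc=ipa,dc=test";)'
)

# Pre-4.3 layout: write ACIs on the per-suffix children only.
PRE_43 = {MAPPING_TREE: [READ_ACI], SUFFIX_DN: [WRITE_ACI], IPACA_DN: [WRITE_ACI]}
# Fresh 4.3 install: write ACI on the parent entry.
FRESH_43 = {MAPPING_TREE: [READ_ACI, WRITE_ACI], SUFFIX_DN: [], IPACA_DN: []}
# Upgraded pre-4.3 server as described in this ticket: children stripped, parent never populated.
UPGRADED_BROKEN = {MAPPING_TREE: [READ_ACI], SUFFIX_DN: [], IPACA_DN: []}

if __name__ == "__main__":
    for label, tree in (("pre-4.3", PRE_43), ("fresh 4.3", FRESH_43), ("upgraded", UPGRADED_BROKEN)):
        r = check_replication_acis(tree)
        print(f"{label:10} parent write ACI: {r['parent_has_write_aci']}, "
              f"children with write ACI: {len(r['children_with_write_aci'])}")
```

Running the module as-is walks the three constructed layouts; only the "upgraded" one reports a parent without a write ACI while also having no child that carries one, which is the combination that produces the INSUFFICIENT_ACCESS failure on {{{nsds5BeginReplicaRefresh}}} shown in the log above.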
master:
ipa-4-3:
Metadata Update from @mbabinsk:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3.1