On Tue, 17 Oct 2017, Alexander Bokovoy via FreeIPA-users wrote:
On Tue, 17 Oct 2017, Johannes Brandstetter via FreeIPA-users wrote:
Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with an "ACIError: Insufficient access:". I find in the KDC log that it complains about "Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
You should make sure your system is fully upgraded. Not just 'yum install freeipa-server' to upgrade but all related packages too. In particular, MIT Kerberos has a database driver version that may change with a version update and we have to rebuild the FreeIPA driver against it.
Some more info:

$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

$ tail /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm XXX
krb5kdc: Database module does not match KDC version - while initializing database for realm XXX

$ sudo less /var/log/ipaupgrade.log
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG duration: 0 seconds
2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-10-16T13:04:14Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade
    data_upgrade.create_instance()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance
    runtime=90)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler
    raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access:
2017-10-16T13:04:14Z ERROR Insufficient access:
2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

$ sudo less /var/log/yum.log
Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64
Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch
Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch
Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64
Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64
Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64

According to this log, ipa-server was updated before krb5-server was updated, so if the upgrade code did run before the krb5-server upgrade, the error message and the failure can be explained by that.
I'm not sure what your actual timezone is and how these times in ipaupgrade.log and yum.log can be correlated, though.
You may want to run ipa-server-upgrade directly.
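
Added example, not part of the original thread: one way to line up the two logs quoted above. yum.log stamps carry no year or timezone while ipaupgrade.log stamps are UTC, so the year (2017) and the whole-hour UTC offsets tried here are assumptions, and the function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the yum.log and ipaupgrade.log excerpts in this thread.
YUM_LOG = """\
Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64
"""
UPGRADE_ERROR = ("2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect "
                 "/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.")

YUM_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (Updated|Installed|Erased): (\S+)$")

def parse_yum(text, year):
    """Map package name -> naive local datetime of its last yum.log entry."""
    events = {}
    for line in text.splitlines():
        m = YUM_LINE.match(line.strip())
        if not m:
            continue
        nvr = m.group(3).rsplit(".", 1)[0]   # drop the architecture suffix
        name = nvr.rsplit("-", 2)[0]         # drop version and release
        events[name] = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return events

def parse_upgrade_ts(line):
    """ipaupgrade.log stamps are UTC (trailing 'Z')."""
    stamp = line.split()[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def to_utc(local, utc_offset_hours):
    """Convert a naive local time to UTC under an assumed whole-hour offset."""
    return (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)

def offsets_where_error_precedes(pkg_local, error_utc, offsets=range(-12, 15)):
    """Assumed UTC offsets under which the error was logged before the package update."""
    return [h for h in offsets if error_utc < to_utc(pkg_local, h)]

if __name__ == "__main__":
    events = parse_yum(YUM_LOG, year=2017)   # year assumed from ipaupgrade.log
    error_utc = parse_upgrade_ts(UPGRADE_ERROR)
    for name, local in sorted(events.items(), key=lambda kv: kv[1]):
        print(local.time(), name, "(local time, zone unknown)")
    print("error precedes krb5-server update only if host offset is in",
          offsets_where_error_precedes(events["krb5-server"], error_utc))
```
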