On Fri, Jun 4, 2021 at 10:11 PM Robert Kudyba via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
After upgrading to Fedora 34 and freeipa-server-4.9.3-2.fc34.x86_64, we're seeing the below errors. I found a previous post that mentions a user had these during a migration but we finished the migration a while ago: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GGGKFTI52IONWUDQRTFZ4NBLX3AGEJQC/

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

ipa cert-find shows 10 certs and all have a status of VALID. Apache logs do not have any errors. And the ipaupgrade.log ends with INFO The ipa-server-upgrade command was successful

Jun  3 18:14:03 ourschoolipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR    syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []})
Hi,
the above error is logged when 389ds is restarted, because the daemon ipa-dnskeysyncd loses its connection. It's harmless as the daemon should restart 60s later.
 
Jun  3 18:14:06 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:06.994125936 -0400] - ERR - allow_operation - Component identity is NULL
Jun  3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.899216572 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
Jun  3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.955942900 -0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped.  To recover the encrypted contents, keep the wrapped symmetric key value.
Jun  3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.022213263 -0400] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
Jun  3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.090020323 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
Jun  3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.177952423 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jun  3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.875367301 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=sub,dc=domain,dc=ourschool,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
Jun  3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.961081967 -0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jun  3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.740194095 -0400] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun  3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.818774136 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun  3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.804889621 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun  3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.873391357 -0400] - ERR - schema-compat-plugin - Finished plugin initialization.

Jun  3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.577526585 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist
Jun  3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.599342179 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist

It is a known issue, already discussed in this mailing list: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/GZG2ECQOO2XBZ3ZBAIMQLWPAR2FFFYPA/

HTH,
flo
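
An added example, not part of the original thread and not FreeIPA or 389-ds code: a triage script based on the explanation above, which marks an ipa-dnskeysyncd "Can't contact LDAP server" error as restart-related when ns-slapd startup messages follow it within a window. The 60-second window, the choice of startup markers and the function names are assumptions; the first two sample lines are copied from the log quoted in the thread and the third is constructed.

```python
import re
from datetime import datetime, timedelta

# Syslog prefix as in the quoted log: "Jun  3 18:14:03 <host+program>[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+?)\[(\d+)\]: (.*)$")
# Assumption: these ns-slapd messages (seen in the thread) indicate a server startup.
STARTUP_MARKERS = ("after the server startup", "Finished plugin initialization")
SYNCREPL_ERR = "syncrepl_poll: LDAP error"
WINDOW = timedelta(seconds=60)  # assumption, chosen to match the 60s restart delay

def parse(line, year=2021):
    """Split one syslog line into (timestamp, tag, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(4)

def classify(lines):
    """Return [(timestamp, verdict)] for each ipa-dnskeysyncd syncrepl error."""
    events = [e for e in map(parse, lines) if e]
    startups = [ts for ts, tag, msg in events
                if "ns-slapd" in tag and any(k in msg for k in STARTUP_MARKERS)]
    out = []
    for ts, tag, msg in events:
        if "ipa-dnskeysyncd" in tag and SYNCREPL_ERR in msg:
            # Restart-related only if a directory server startup follows shortly after.
            near = any(timedelta(0) <= s - ts <= WINDOW for s in startups)
            out.append((ts, "restart-related" if near else "investigate"))
    return out

# Lines 1-2 are from the thread; line 3 is constructed (same error, no startup nearby).
SAMPLE = """
Jun  3 18:14:03 ourschoolipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR    syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []})
Jun  3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.873391357 -0400] - ERR - schema-compat-plugin - Finished plugin initialization.
Jun  3 21:40:00 ourschoolipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR    syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []})
""".strip().splitlines()

if __name__ == "__main__":
    for ts, verdict in classify(SAMPLE):
        print(ts.isoformat(), verdict)
```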