After upgrading to Fedora 34 and freeipa-server-4.9.3-2.fc34.x86_64, we're seeing the below errors. I found a previous post that mentions a user had these during a migration but we finished the migration a while ago: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
ipa cert-find shows 10 certs and all have a status of VALID. Apache logs do not have any errors. And the ipaupgrade.log ends with INFO The ipa-server-upgrade command was successful
Jun 3 18:14:03 ourschoolipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []})
Jun 3 18:14:06 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:06.994125936 -0400] - ERR - allow_operation - Component identity is NULL
Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.899216572 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.955942900 -0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.022213263 -0400] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.090020323 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.177952423 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.875367301 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=sub,dc=domain,dc=ourschool,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.961081967 -0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.740194095 -0400] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.818774136 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.804889621 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.873391357 -0400] - ERR - schema-compat-plugin - Finished plugin initialization.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.577526585 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.599342179 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist
On Fri, Jun 4, 2021 at 10:11 PM Robert Kudyba via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> After upgrading to Fedora 34 and freeipa-server-4.9.3-2.fc34.x86_64, we're seeing the below errors. I found a previous post that mentions a user had these during a migration but we finished the migration a while ago: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
>
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> ipa cert-find shows 10 certs and all have a status of VALID. Apache logs do not have any errors. And the ipaupgrade.log ends with INFO The ipa-server-upgrade command was successful
>
> Jun 3 18:14:03 ourschoolipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []})
Hi, the above error is logged when 389ds is restarted, because the daemon ipa-dnskeysyncd loses its connection. It's harmless as the daemon should restart 60s later.
> Jun 3 18:14:06 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:06.994125936 -0400] - ERR - allow_operation - Component identity is NULL
> Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.899216572 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
> Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.955942900 -0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
> Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.022213263 -0400] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
> Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.090020323 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
> Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.177952423 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.875367301 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=sub,dc=domain,dc=ourschool,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
> Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.961081967 -0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
> Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.740194095 -0400] - ERR - schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=sub,dc=domain,dc=ourschool,dc=edu
> Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.818774136 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
> Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.804889621 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
> Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.873391357 -0400] - ERR - schema-compat-plugin - Finished plugin initialization.
> Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.577526585 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist
> Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.599342179 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist
It is a known issue, already discussed in this mailing list: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
HTH, flo
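
Added example, not part of the thread or of FreeIPA: a log triage sketch that applies the point made in the reply, treating an ipa-dnskeysyncd "Can't contact LDAP server" error as expected only when ns-slapd startup messages appear close to it. The sample lines are constructed (hostname `ipa1` and the 18:40 line are made up), and the 60-second window and the "after the server startup" marker are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the journal lines in the thread; the
# hostname "ipa1" and the 18:40:00 entry are invented for illustration.
SAMPLE = """\
Jun 3 18:14:03 ipa1 ipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []})
Jun 3 18:14:10 ipa1 ns-slapd[17715]: [03/Jun/2021:18:14:10.899216572 -0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
Jun 3 18:14:11 ipa1 ns-slapd[17715]: [03/Jun/2021:18:14:11.177952423 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
Jun 3 18:40:00 ipa1 ipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []})
"""

# syslog prefix: "Mon D HH:MM:SS host program[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+([\w.-]+)\[\d+\]:\s+(.*)$")
WINDOW = timedelta(seconds=60)  # assumption: reuse the 60s figure from the reply

def parse(text, year=2021):
    """Return (timestamp, program, message) tuples; syslog lines carry no year."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def triage(text):
    """Classify the error families seen in the thread."""
    events = parse(text)
    # Evidence of a 389ds (ns-slapd) start: a plugin message naming server startup.
    startups = [ts for ts, prog, msg in events
                if prog == "ns-slapd" and "after the server startup" in msg]
    findings = []
    for ts, prog, msg in events:
        stamp = ts.strftime("%H:%M:%S")
        if prog == "ipa-dnskeysyncd" and "Can't contact LDAP server" in msg:
            near = any(abs(s - ts) <= WINDOW for s in startups)
            verdict = "expected: 389ds restart" if near else "investigate: no restart nearby"
            findings.append((stamp, "dnskeysyncd-ldap-lost", verdict))
        elif prog == "ns-slapd" and "attrcrypt_" in msg:
            findings.append((stamp, "attrcrypt", "key unwrap failure"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```
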