Bug 1026677
| Field | Value |
|---|---|
| Summary | Attempt to run ipa-client-install fails with /etc/pki/nssdb/libnssckbi.so: cannot open shared object file: No such file or directory (PR_LOAD_LIBRARY_ERROR) |
| Product | Red Hat Enterprise Linux 7 |
| Component | nss |
| Version | 7.0 |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | high |
| Reporter | Jan Pazdziora <jpazdziora> |
| Assignee | Elio Maldonado Batiz <emaldona> |
| QA Contact | David Spurek <dspurek> |
| CC | ebenes, eparis, hkario, jpazdziora, kengert, ksiddiqu, mkosek, rcritten, rrelyea, tlavigne |
| Target Milestone | beta |
| Target Release | --- |
| Keywords | Regression |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | nss-3.15.2-8.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2014-06-13 11:41:23 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Description
Jan Pazdziora
2013-11-05 08:40:25 UTC
*** Bug 1026676 has been marked as a duplicate of this bug. ***

I can confirm I reproduce this issue as well, with:

    nss-3.15.2-7.el7.x86_64
    ipa-client-3.3.3-1.el7.x86_64

However, I suspect this is a NSS regression, when I downgraded NSS to nss-3.15.1-4.el7.x86_64, client installation started working again:

    [nss-3.15.1-4.el7]# yum downgrade *
    ...
    ---> Package nss.x86_64 0:3.15.1-4.el7 will be a downgrade
    ---> Package nss.x86_64 0:3.15.2-7.el7 will be erased
    ---> Package nss-devel.x86_64 0:3.15.1-4.el7 will be a downgrade
    ---> Package nss-devel.x86_64 0:3.15.2-7.el7 will be erased
    ---> Package nss-sysinit.x86_64 0:3.15.1-4.el7 will be a downgrade
    ---> Package nss-sysinit.x86_64 0:3.15.2-7.el7 will be erased
    ---> Package nss-tools.x86_64 0:3.15.1-4.el7 will be a downgrade
    ---> Package nss-tools.x86_64 0:3.15.2-7.el7 will be erased
    ...
    Complete!

    # ipa-client-install -p admin -w Secret123
    WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled
    Use --force-ntpd option to disable it and force configuration of ntpd
    Discovery was successful!
    Hostname: vm-052.example.com
    Realm: EXAMLE.COM
    DNS Domain: example.com
    IPA Server: vm-119.example.com
    BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
    Continue to configure the system with these values? [no]: y
    Synchronizing time with KDC...
    Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
    Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=EXAMLE.COM
    Issuer: CN=Certificate Authority,O=EXAMLE.COM
    Valid From: Fri Nov 01 18:33:30 2013 UTC
    Valid Until: Tue Nov 01 18:33:30 2033 UTC
    Enrolled in IPA realm EXAMLE.COM
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm EXAMLE.COM
    Hostname (vm-052.example.com) not found in DNS
    Failed to update DNS records.
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Could not update DNS SSHFP records.
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Client configuration complete.

No NSS error this time. Moving to nss component.

It's puzzling that it attempts to access file /etc/pki/nssdb/libnssckbi.so

Bob said he can think of code potentially trying to load it, but that code shouldn't be fatal.

Martin, after you downgrade to the working package, what does ls -l /etc/pki/nssdb/libnssckbi.so say?

    # rpm -q nss
    nss-3.15.1-4.el7.x86_64
    # ls -l /etc/pki/nssdb/libnssckbi.so
    ls: cannot access /etc/pki/nssdb/libnssckbi.so: No such file or directory
    # ls -l /etc/pki/nssdb/
    total 124
    -rw-r--r--. 1 root root 65536 Nov 5 13:48 cert8.db
    -rw-r--r--. 1 root root 9216 Aug 13 07:40 cert9.db
    -rw-r--r--. 1 root root 16384 Nov 5 13:48 key3.db
    -rw-r--r--. 1 root root 11264 Aug 13 07:40 key4.db
    -rw-r--r--. 1 root root 451 Oct 11 17:59 pkcs11.txt
    -rw-r--r--. 1 root root 16384 Jan 12 2010 secmod.db

> 3. On RHEL 7 machine, point the resolv.conf to the IP address of that
> IPA server: echo nameserver 10.11.12.13 > /etc/resolv.conf
We don't have our own RHEL 7 that runs a compatible server.
The server address you have provided 10.11.12.13
doesn't seem to be reachable for me.
Can you please provide us with a real, existing server that we can debug against?

martin, do you have an ipa server up and running we can test against?

Can you confirm that the upgrade/downgrade of nss that fixed the problem was on the client or the server?

(In reply to Eric Paris from comment #11)
> Can you confirm that the upgrade/downgrade of nss that fixed the problem was
> on the client or the server?

I tested only on client, on server we will need to do a check as well. When you have a fixed nss and want to check yourselves, you should be able to verify pretty easily with:

    # yum install ipa-server
    # ipa-server-install

Created attachment 820035 [details]
ignore setpolicy result
Comment on attachment 820035 [details]
ignore setpolicy result
r+ rrelyea

(In reply to Martin Kosek from comment #5)
> I can confirm I reproduce this issue as well, with:
> nss-3.15.2-7.el7.x86_64
> ipa-client-3.3.3-1.el7.x86_64
>
> However, I suspect this is a NSS regression, when I downgraded NSS to
> nss-3.15.1-4.el7.x86_64, client installation started working again:

[...]

> No NSS error this time. Moving to nss component.

Well, either that, or ipa-client should catch up with the latest nss changes?

(In reply to Kai Engert (:kaie) from comment #9)
> > 3. On RHEL 7 machine, point the resolv.conf to the IP address of that
> > IPA server: echo nameserver 10.11.12.13 > /etc/resolv.conf
>
> We don't have our own RHEL 7 that runs a compatible server.

You don't need to have IdM on RHEL 7 -- in fact, I saw it when enrolling against IdM on RHEL 6.

> The server address you have provided 10.11.12.13
> doesn't seem to be reachable for me.

Right, that's just example. Use any IPA server.

If anyone is interested, a scratch build that incorporates Kai's patch along with Eric Paris's correction to one of my patches is available at https://brewweb.devel.redhat.com/taskinfo?taskID=6532388

(In reply to Jan Pazdziora from comment #16)
> (In reply to Martin Kosek from comment #5)
...
> > No NSS error this time. Moving to nss component.
>
> Well, either that, or ipa-client should catch up with the latest nss changes?

Catch up how? I am not against updating ipa-client to catch up on the latest and greatest NSS, I just need to have some resources what needs to be done. In this case, I think that calls to python-nss caused the traceback - should python-nss then be updated?

(In reply to Martin Kosek from comment #19)
>
> Catch up how? I am not against updating ipa-client to catch up on the latest
> and greatest NSS, I just need to have some resources what needs to be done.
> In this case, I think that calls to python-nss caused the traceback - should
> python-nss then be updated?

I don't know. ;-)

(In reply to Elio Maldonado Batiz from comment #18)
> If anyone is interested, a scratch build that incorporates Kai's patch along
> with Eric Paris's correction to one of my patches is available at
> https://brewweb.devel.redhat.com/taskinfo?taskID=6532388

I tested installation of both IPA server and IPA client and it worked fine with nss-3.15.2-7.1.el7.nossl2.1.x86_64.

I was installing a replica on RHEL-70 using a replica file created on RHEL-6.5 and faced installation failure.

    [2/34]: creating directory server instance
    ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpXDfDAI' returned non-zero exit status 1
    ipa : CRITICAL Failed to restart the directory server (). See the installation log for details.
    [3/34]: adding default schema

snippet from /var/log/message:
==============================

    Nov 6 16:59:31 dhcp207-176 ns-slapd: [06/Nov/2013:16:59:31 +051800] - SSL alert: Security Initialization: Unable to set SSL export policy (Netscape Portable Runtime error -5977 - Failure to load dynamic library.)
    Nov 6 16:59:31 dhcp207-176 ns-slapd: [06/Nov/2013:16:59:31 +051800] - ERROR: NSS Initialization Failed.
    Nov 6 16:59:31 dhcp207-176 systemd: dirsrv: main process exited, code=exited, status=1/FAILURE
    Nov 6 16:59:31 dhcp207-176 systemd: Unit dirsrv entered failed state.

Then, I updated nss bits with patches provided in comment 18 and replica installation is successful now.

filed an upstream bug

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.