Bug 1749001
| Summary: | "Failed to flush the sssd cache" error message observed during ipa upgrade process | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Nikhil Dehadrai <ndehadra> |
| Component: | shadow-utils | Assignee: | Iker Pedrosa <ipedrosa> |
| Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.1 | CC: | d.abad, dapospis, dlavu, grajaiya, ipedrosa, jhrozek, lslebodn, mzidek, pbrezina, sgadekar, tscherf |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | sync-to-jira qetodo | ||
| Fixed In Version: | shadow-utils-4.6-12.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 14:59:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Nikhil Dehadrai
2019-09-04 16:20:50 UTC
Jakub, should the sssd cache flush be completely silenced in shadow-utils? And in this concrete case the ldb messages could indicate a real problem, do you have an idea what happens here? (In reply to Tomas Mraz from comment #2) > Jakub, should the sssd cache flush be completely silenced in shadow-utils? > I believe it can be and it was probably a mistake from me since the start to not silence them. I'm fine with doing that upstream (unless someone else wants to submit the patch). > And in this concrete case the ldb messages could indicate a real problem, do > you have an idea what happens here? The most important thing is that even if sssd is not running or not responding due to a bug, libc just falls back to using nss_files. In most cases, the warnings are really just warnings, one thing I saw recently during some distribution (so, offline) upgrade was that sssd was not yet upgraded, so its database was using an older format that would have been upgraded when the sssd service starts, but packages were being installed, so sss_cache was being called from useradd and sss_cache was printing messages that said "database too old, start sssd to upgrade it". In this case, it seems like a variant of what I saw above. Some package that ships an LDB module (ldb is the cache that sssd uses) drops a module compiled against a newer version of LDB. And ldb on initialization errors if there are any modules that can't be used, so in this case the cache wouldn't have been dropped. I'm not sure if this could be solved by some magic in requires or ordering, maybe Lukas who is already in the CC list would know better. (In reply to Jakub Hrozek from comment #4) > (In reply to Tomas Mraz from comment #2) > > Jakub, should the sssd cache flush be completely silenced in shadow-utils? > > > > I believe it can be and it was probably a mistake from me since the start to > not silence them. I'm fine with doing that upstream (unless someone else > wants to submit the patch). As you were the original author it will be probably best if you submit this change upstream as well. (In reply to Jakub Hrozek from comment #4) > (In reply to Tomas Mraz from comment #2) > > Jakub, should the sssd cache flush be completely silenced in shadow-utils? > > > > I believe it can be and it was probably a mistake from me since the start to > not silence them. I'm fine with doing that upstream (unless someone else > wants to submit the patch). > I'm planning to work on this bugzilla and I wonder what do you mean by "silence them". Were you thinking about deleting the print lines or maybe filtering them? (In reply to Iker Pedrosa from comment #6) > (In reply to Jakub Hrozek from comment #4) > > (In reply to Tomas Mraz from comment #2) > > > Jakub, should the sssd cache flush be completely silenced in shadow-utils? > > > > > > > I believe it can be and it was probably a mistake from me since the start to > > not silence them. I'm fine with doing that upstream (unless someone else > > wants to submit the patch). > > > > I'm planning to work on this bugzilla and I wonder what do you mean by > "silence them". Were you thinking about deleting the print lines or maybe > filtering them? Sorry I totally forgot about this bug after I moved away from SSSD. What I had in mind was just to not print stderr originally. We also witness a case that has a slightly different log, upgrading different package: ~~~ Running scriptlet: cockpit-ws-211.3-1.el8.x86_64 221/618 ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7 ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable Could not open available domains groupadd: sss_cache exited with status 5 groupadd: Failed to flush the sssd cache. ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7 ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable Could not open available domains groupadd: sss_cache exited with status 5 groupadd: Failed to flush the sssd cache. ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7 ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable Could not open available domains useradd: sss_cache exited with status 5 useradd: Failed to flush the sssd cache. ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7 ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable Could not open available domains useradd: sss_cache exited with status 5 useradd: Failed to flush the sssd cache. Upgrading : cockpit-ws-211.3-1.el8.x86_64 221/618 Running scriptlet: cockpit-ws-211.3-1.el8.x86_64 221/618 ~~~ Hi, Similar issue for us, with flatpak: ~~~ Running scriptlet: flatpak-1.6.2-2.el8.x86_64 405/1522 ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7 ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable Could not open available domains groupadd: sss_cache exited with status 5 groupadd: Failed to flush the sssd cache. ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7 ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable Could not open available domains groupadd: sss_cache exited with status 5 groupadd: Failed to flush the sssd cache. ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7 ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable Could not open available domains useradd: sss_cache exited with status 5 useradd: Failed to flush the sssd cache. ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7 ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable Could not open available domains useradd: sss_cache exited with status 5 useradd: Failed to flush the sssd cache. ~~~ Happy to help if required! * master:
* e84df9e163e133eb11a2728024ff3e3440592cf8 - lib/sssd: redirect warning message to file
Tested with following data: shadow-utils-2:4.6-11.el8 ]# rpm -q ipa-server ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 o]# ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. Version 4.8.7 This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the NTP client (chronyd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure the KDC to enable PKINIT To accept the default shown in brackets, press the Enter key. Do you want to configure integrated DNS (BIND)? [no]: Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [ci-vm-10-0-137.ad.baseos.qe]: The host name ci-vm-10-0-137.ad.baseos.qe does not match the value ci-vm-10-0-137-187.hosted.upshift.rdu2.redhat.com obtained by reverse [.....] Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: disabling Schema Compat [6/10]: starting directory server [7/10]: upgrading server [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. [....] unable to resolve host name ci-vm-10-0-137.ad.baseos.qe. to IP address, ipa-ca DNS record will be incomplete unable to resolve host name ci-vm-10-0-137.ad.baseos.qe. to IP address, ipa-ca DNS record will be incomplete Please add records in this file to your DNS system: /tmp/ipa.system.records.e5tdck75.db ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password The ipa-server-install command was successful [root@ci-vm-10-0-137- tmp.4kk3U8rLDo]# [root@ci-vm-10-0-137- tmp.4kk3U8rLDo]# rpm -Uvh shadow-utils-4.6-12.el8.x86_64.rpm Verifying... ################################# [100%] Preparing... ################################# [100%] Updating / installing... 1:shadow-utils-2:4.6-12.el8 ################################# [ 50%] Cleaning up / removing... 2:shadow-utils-2:4.6-11.el8 ################################# [100%] [root@ci-vm-10-0-137- tmp.4kk3U8rLDo]# dnf update ipa-server Updating Subscription Management repositories. Unable to read consumer identity This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Last metadata expiration check: 0:02:51 ago on Tue 17 Nov 2020 07:16:47 AM EST. Dependencies resolved. =================================================================================================================================================================================================================== Package Architecture Version Repository Size =================================================================================================================================================================================================================== Upgrading: ipa-client x86_64 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 272 k ipa-client-common noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 178 k ipa-common noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 744 k ipa-selinux noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 171 k ipa-server x86_64 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 523 k ipa-server-common noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 604 k python3-ipaclient noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 680 k python3-ipalib noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 719 k python3-ipaserver noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream1 1.5 M Transaction Summary =================================================================================================================================================================================================================== Upgrade 9 Packages Total download size: 5.3 M Is this ok [y/N]: y Downloading Packages: (1/9): ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64.rpm 1.5 MB/s | 272 kB 00:00 (2/9): ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 1.0 MB/s | 178 kB 00:00 (3/9): ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 4.0 MB/s | 744 kB 00:00 (4/9): ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 19 MB/s | 171 kB 00:00 (5/9): ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64.rpm 38 MB/s | 523 kB 00:00 (6/9): ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 35 MB/s | 604 kB 00:00 (7/9): python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 31 MB/s | 680 kB 00:00 (8/9): python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 31 MB/s | 719 kB 00:00 (9/9): python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 64 MB/s | 1.5 MB 00:00 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 24 MB/s | 5.3 MB 00:00 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 1/1 Upgrading : ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 1/18 Running scriptlet: ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 2/18 Upgrading : ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 2/18 Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 3/18 Upgrading : ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 3/18 Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 3/18 Upgrading : ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 4/18 Upgrading : python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 5/18 Upgrading : python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 6/18 Upgrading : ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 7/18 Running scriptlet: ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 7/18 Upgrading : python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 8/18 Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 9/18 Upgrading : ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 9/18 Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 9/18 Running scriptlet: ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 10/18 Cleanup : ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 10/18 Cleanup : python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 11/18 Cleanup : ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 12/18 Cleanup : python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 13/18 Cleanup : python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 14/18 Cleanup : ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 15/18 Cleanup : ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 16/18 Cleanup : ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 17/18 Cleanup : ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 18/18 Running scriptlet: ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 18/18 Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 18/18 Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 18/18 Running scriptlet: ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 18/18 Verifying : ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 1/18 Verifying : ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 2/18 Verifying : ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 3/18 Verifying : ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 4/18 Verifying : ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 5/18 Verifying : ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 6/18 Verifying : ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 7/18 Verifying : ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 8/18 Verifying : ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 9/18 Verifying : ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 10/18 Verifying : ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 11/18 Verifying : ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 12/18 Verifying : python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 13/18 Verifying : python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 14/18 Verifying : python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 15/18 Verifying : python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 16/18 Verifying : python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 17/18 Verifying : python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 18/18 Installed products updated. Upgraded: ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch Complete! ------------------------------------ No "Failed to flush the sssd cache"message observed. marking verified. tested with following data: [root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# ipa-server-install The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. Version 4.8.7 This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the NTP client (chronyd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure the KDC to enable PKINIT To accept the default shown in brackets, press the Enter key. Do you want to configure integrated DNS (BIND)? [no]: Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form <hostname>.<domainname> Example: master.example.com. Server host name [ci-vm-10-0-139-48.hosted.upshift.rdu2.redhat.com]: [.........] Configuring Kerberos KDC (krb5kdc) [1/1]: installing X509 Certificate for PKINIT Done configuring Kerberos KDC (krb5kdc). Applying LDAP updates Upgrading IPA:. Estimated time: 1 minute 30 seconds [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: disabling Schema Compat [6/10]: starting directory server [7/10]: upgrading server [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. Restarting the KDC Configuring client side components This program will set up IPA client. Version 4.8.7 Using existing certificate '/etc/ipa/ca.crt'. Client hostname: ci-vm-10-0-139-48.hosted.upshift.rdu2.redhat.com Realm: HOSTED.UPSHIFT.RDU2.REDHAT.COM DNS Domain: hosted.upshift.rdu2.redhat.com IPA Server: ci-vm-10-0-139-48.hosted.upshift.rdu2.redhat.com BaseDN: dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com Configured sudoers in /etc/authselect/user-nsswitch.conf Configured /etc/sssd/sssd.conf Systemwide CA database updated. Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Could not update DNS SSHFP records. SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring hosted.upshift.rdu2.redhat.com as NIS domain. Client configuration complete. The ipa-client-install command was successful Please add records in this file to your DNS system: /tmp/ipa.system.records.anpumjl5.db ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos UDP Ports: * 88, 464: kerberos * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificates stored in /root/cacert.p12 These files are required to create replicas. The password for these files is the Directory Manager password The ipa-server-install command was successful [root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# rpm -q shadow-utils-4.6-12.el8.x86_64.rpm warning: shadow-utils-4.6-12.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY shadow-utils-4.6-12.el8.x86_64 [root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# rpm -q shadow-utils shadow-utils-4.6-11.el8.x86_64 [root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# rpm -Uvh shadow-utils-4.6-12.el8.x86_64.rpm warning: shadow-utils-4.6-12.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY Verifying... ################################# [100%] Preparing... ################################# [100%] Updating / installing... 1:shadow-utils-2:4.6-12.el8 ################################# [ 50%] Cleaning up / removing... 2:shadow-utils-2:4.6-11.el8 ################################# [100%] [root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# vim /etc/yum.repos.d/rhel.repo [root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# dnf update ipa-server Updating Subscription Management repositories. Unable to read consumer identity This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. rhel 24 MB/s | 2.3 MB 00:00 rhel-AppStream 46 MB/s | 6.5 MB 00:00 Last metadata expiration check: 0:00:01 ago on Thu 10 Dec 2020 07:08:38 AM EST. Dependencies resolved. =================================================================================================================================================================================================================== Package Architecture Version Repository Size =================================================================================================================================================================================================================== Upgrading: ipa-client x86_64 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 272 k ipa-client-common noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 178 k ipa-common noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 744 k ipa-selinux noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 171 k ipa-server x86_64 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 523 k ipa-server-common noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 604 k python3-ipaclient noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 680 k python3-ipalib noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 719 k python3-ipaserver noarch 4.8.7-13.module+el8.3.0+8376+0bba7131 rhel-AppStream 1.5 M Transaction Summary =================================================================================================================================================================================================================== Upgrade 9 Packages Total download size: 5.3 M Is this ok [y/N]: y Downloading Packages: (1/9): ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 4.4 MB/s | 178 kB 00:00 (2/9): ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64.rpm 5.7 MB/s | 272 kB 00:00 (3/9): ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 15 MB/s | 171 kB 00:00 (4/9): ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 12 MB/s | 744 kB 00:00 (5/9): ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64.rpm 25 MB/s | 523 kB 00:00 (6/9): ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 17 MB/s | 604 kB 00:00 (7/9): python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 20 MB/s | 680 kB 00:00 (8/9): python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 22 MB/s | 719 kB 00:00 (9/9): python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm 51 MB/s | 1.5 MB 00:00 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 44 MB/s | 5.3 MB 00:00 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 1/1 Upgrading : ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 1/18 Running scriptlet: ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 2/18 Upgrading : ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 2/18 Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 3/18 Upgrading : ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 3/18 Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 3/18 Upgrading : ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 4/18 Upgrading : python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 5/18 Upgrading : python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 6/18 Upgrading : ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 7/18 Running scriptlet: ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 7/18 Upgrading : python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 8/18 Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 9/18 Upgrading : ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 9/18 Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 9/18 Running scriptlet: ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 10/18 Cleanup : ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 10/18 Cleanup : python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 11/18 Cleanup : ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 12/18 Cleanup : python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 13/18 Cleanup : python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 14/18 Cleanup : ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 15/18 Cleanup : ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 16/18 Cleanup : ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 17/18 Cleanup : ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 18/18 Running scriptlet: ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 18/18 Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 18/18 Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 18/18 ^Z [1]+ Stopped dnf update ipa-server [root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# less /var/log/messages [root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# fg dnf update ipa-server Running scriptlet: ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 18/18 Verifying : ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 1/18 Verifying : ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 2/18 Verifying : ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 3/18 Verifying : ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 4/18 Verifying : ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 5/18 Verifying : ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 6/18 Verifying : ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 7/18 Verifying : ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 8/18 Verifying : ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 9/18 Verifying : ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64 10/18 Verifying : ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 11/18 Verifying : ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 12/18 Verifying : python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 13/18 Verifying : python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 14/18 Verifying : python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 15/18 Verifying : python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 16/18 Verifying : python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch 17/18 Verifying : python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch 18/18 Installed products updated. Upgraded: ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64 ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch Complete! No "Failed to flush the sssd cache" message observed during ipa upgrade process. Marking verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (shadow-utils bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1650 |