|Summary:||After upgrading ipa package, ipa server fails to start with dirsrv init error (/usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init)|
|Product:||Red Hat Enterprise Linux 8||Reporter:||jchurro <jose.churro>|
|Component:||389-ds-base||Assignee:||thierry bordaz <tbordaz>|
|Status:||VERIFIED ---||QA Contact:||RHDS QE <ds-qe-bugs>|
|Version:||CentOS Stream||CC:||aadhikar, abokovoy, bsmejkal, bstinson, contact, dexter, jwboyer, ldap-maint, mreynolds, progier, sgouvern, tbordaz, wdh|
|Fixed In Version:||389-ds-base-126.96.36.199-3.module+el8.7.0+15600+347cafc6||Doc Type:||If docs needed, set a value|
Description jchurro 2021-11-14 11:10:42 UTC
Description of problem:
After an upgrade of CentOS Stream 8 where 389-ds-base was also upgraded, dirsrv fails to start with the error "symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init"

Version-Release number of selected component (if applicable):
ns-slapd
389 Project
389-Directory/188.8.131.52 B2021.279.1440

389-ds-base-184.108.40.206-10.module_el8.5.0+946+51aba098.x86_64 : 389 Directory Server (base)
Repo : appstream
Matched from:
Other : *ns-slapd

How reproducible:
Server with only the software necessary to run IPA Server. Upgraded to the latest dirsrv version in Stream 8.

Additional Info:
[14/Nov/2021:10:22:51.400480566 +0000] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init
[14/Nov/2021:10:22:51.402226687 +0000] - ERR - symload_report_error - Could not load symbol "gost_yescrypt_pwd_storage_scheme_init" from "libpwdstorage-plugin" for plugin GOST_YESCRYPT
[14/Nov/2021:10:22:51.402838695 +0000] - ERR - slapd_bootstrap_config - The plugin entry [cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-INFO-XXXXXX-PT/dse.ldif was invalid. Failed to load plugin's init function.
[14/Nov/2021:10:22:51.403429402 +0000] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-INFO-XXXXXX-PT could not be read or were not found. Please refer to the error log or output for more information.
Comment 1 Alexander Bokovoy 2021-11-15 06:05:12 UTC
GOST_YESCRYPT is not supported in RHEL anymore. It looks like 389-ds lacks removal of the configuration when a plugin gets disabled. You can disable it manually with

# dsconf INFO-XXXXXX-PT plugin set GOST_YESCRYPT --enabled off
Comment 2 Arjen Heidinga 2021-11-15 12:51:40 UTC
Unfortunately, this did not work. The configuration was rolled back Sunday morning; now I tried upgrading. Prior to the update I ran the command (successful); however, after the update the issue persists. Removing the relevant section from the dse.ldif file 'solves' the issue, but it 'feels' wrong.
Comment 3 thierry bordaz 2021-11-15 14:44:49 UTC
My understanding is that early CentOS 8.5 builds (220.127.116.11-2 and 18.104.22.168-7) contained invalid GOST_YESCRYPT password storage support. This support was completely removed in 22.214.171.124-10 (https://git.centos.org/rpms/389-ds-base/c/0381070f4db756c9771576582981e332aab5d141?branch=c8s-stream-1.4) with removal of the config GOST plugin entry and the GOST init plugin callback gost_yescrypt_pwd_storage_scheme_init.

So if an instance was created with early 8.5 builds, a plugin entry (dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config) was created. Then the upgrade removed the init callback and startup fails.

A quick relief is to edit dse.ldif and remove cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config. A fix is to remove that entry during upgrade.
Comment 4 thierry bordaz 2021-11-15 15:00:32 UTC
(In reply to Arjen Heidinga from comment #2)
> Unfortunately this did not work. The configuration was rolled-back
> Sunday morning, now I tried upgrading, prior to the update I ran the command
> (successful) however after the update the issue persists. Removing the
> relevant section from the dse.ldif file 'solves' the issue, but it 'feels'
> wrong.

Indeed, even if a plugin is disabled, the server first tries to load its init function. If it fails to load it, plugin setup fails and the server cannot start.
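A pre-upgrade check for the failure described in comments 3 and 4, as an added example that is not part of the bug report or of 389-ds-base: it lists every plugin entry in dse.ldif whose init function is not exported by the library the entry points at, disabled entries included. The helper names and the sample LDIF are constructed for illustration, and attribute values are assumed to be plain text rather than base64.

```python
import subprocess

PLUGIN_DIR = "/usr/lib64/dirsrv/plugins"  # directory shown in the error log on this page

# Constructed sample shaped like a dse.ldif fragment; not copied from a real server.
SAMPLE_DSE = """\
dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginPath: libpwdstorage-plugin
nsslapd-pluginInitfunc: gost_yescrypt_pwd_storage_
 scheme_init
nsslapd-pluginEnabled: off

dn: cn=entryuuid,cn=plugins,cn=config
nsslapd-pluginPath: libentryuuid-plugin
nsslapd-pluginInitfunc: entryuuid_plugin_init
nsslapd-pluginEnabled: on
"""

def parse_ldif(text):
    """Split LDIF text into entries (dicts keyed by lower-cased attribute name)."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry.setdefault(name.lower(), value.strip())  # keep first value only
        if "dn" in entry:
            entries.append(entry)
    return entries

def exported_symbols(library):
    """Dynamic symbols defined by a plugin library, read with GNU nm."""
    path = library if library.startswith("/") else f"{PLUGIN_DIR}/{library}.so"
    out = subprocess.run(["nm", "-D", "--defined-only", path],
                         capture_output=True, text=True, check=True).stdout
    return {l.split()[-1].split("@")[0] for l in out.splitlines() if l.split()}

def unloadable_plugins(ldif_text, symbols_of=exported_symbols):
    """Return (dn, initfunc) for plugin entries whose init symbol is missing.
    nsslapd-pluginEnabled is ignored on purpose: see comment 4."""
    bad = []
    for e in parse_ldif(ldif_text):
        init, lib = e.get("nsslapd-plugininitfunc"), e.get("nsslapd-pluginpath")
        if init and lib and init not in symbols_of(lib):
            bad.append((e["dn"], init))
    return bad
```

Run against a copy of an instance's dse.ldif after the new packages are installed and before the instance is restarted, `unloadable_plugins(open(path).read())` reports the entries that would block startup on the affected builds.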
Comment 8 jchurro 2021-11-15 19:33:42 UTC
I removed the GOST_YESCRYPT plugin lines from dse.ldif and the problem was solved. IPA is back again. I think that future upgrades should remove these lines from dse.ldif file.
Comment 12 W. de Heiden 2021-11-17 16:14:32 UTC
Bug confirmed on CentOS Stream release 8.
Workaround confirmed as working also :)
Comment 15 thierry bordaz 2021-11-24 18:05:00 UTC
Fix pushed upstream => POST
Comment 16 thierry bordaz 2022-06-10 12:02:42 UTC
Fixed in 389-ds-base-126.96.36.199-3.module+el8.7.0+15600+347cafc6 => MODIFIED
Comment 22 Akshay Adhikari 2022-08-05 16:26:13 UTC
Build Tested: 389-ds-base-188.8.131.52-3.module+el8.7.0+15600+347cafc6.x86_64

# dsconf test plugin show entryuuid
dn: cn=entryuuid,cn=plugins,cn=config
cn: entryuuid
nsslapd-pluginDescription: none
nsslapd-pluginEnabled: on
nsslapd-pluginId: none
nsslapd-pluginInitfunc: entryuuid_plugin_init
nsslapd-pluginPath: libentryuuid-plugin
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginVendor: none
nsslapd-pluginVersion: none
objectClass: top
objectClass: nsSlapdPlugin

# dsctl test stop
Instance "test" has been stopped

# mv /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so.sav

# dsctl test start
Instance "test" has been started

Error logs:
[05/Aug/2022:12:17:20.026001169 -0400] - ERR - symload_report_error - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so: cannot open shared object file: No such file or directory
[05/Aug/2022:12:17:20.054125155 -0400] - ERR - symload_report_error - Could not open library "/usr/lib64/dirsrv/plugins/libentryuuid-plugin.so" for plugin entryuuid
[05/Aug/2022:12:17:20.056785832 -0400] - ERR - plugin_setup - "entryuuid" plugin in library "libentryuuid-plugin" not initialized and ignored

I can see the server is running even after restart. Marking it as VERIFIED.