Bug 2023056

Summary: After upgrading ipa package, ipa server fails to start with dirsrv init error (/usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init)
Product: Red Hat Enterprise Linux 8
Component: 389-ds-base
Version: CentOS Stream
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Target Milestone: rc
Target Release: 8.7
Reporter: jchurro <jose.churro>
Assignee: thierry bordaz <tbordaz>
QA Contact: RHDS QE <ds-qe-bugs>
CC: aadhikar, abokovoy, bsmejkal, bstinson, contact, dexter, jwboyer, ldap-maint, mreynolds, progier, sgouvern, tbordaz, wdh
Keywords: Triaged
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6
Doc Type: If docs needed, set a value
Last Closed: 2022-11-08 09:38:12 UTC
Type: Bug

Description jchurro 2021-11-14 11:10:42 UTC
Description of problem:

After upgrading CentOS Stream 8, where 389-ds-base was also upgraded, dirsrv fails to start with the error

"symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init"

Version-Release number of selected component (if applicable):

ns-slapd
389 Project
389-Directory/1.4.3.231 B2021.279.1440

389-ds-base-1.4.3.23-10.module_el8.5.0+946+51aba098.x86_64 : 389 Directory Server (base)
Repo        : appstream
Matched from:
Other       : *ns-slapd


How reproducible:

Server with only the software necessary to run IPA Server. Upgraded to the latest dirsrv version in Stream 8.

Additional Info:

[14/Nov/2021:10:22:51.400480566 +0000] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init
[14/Nov/2021:10:22:51.402226687 +0000] - ERR - symload_report_error - Could not load symbol "gost_yescrypt_pwd_storage_scheme_init" from "libpwdstorage-plugin" for plugin GOST_YESCRYPT
[14/Nov/2021:10:22:51.402838695 +0000] - ERR - slapd_bootstrap_config - The plugin entry [cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-INFO-XXXXXX-PT/dse.ldif was invalid. Failed to load plugin's init function.
[14/Nov/2021:10:22:51.403429402 +0000] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-INFO-XXXXXX-PT could not be read or were not found.  Please refer to the error log or output for more information.

Comment 1 Alexander Bokovoy 2021-11-15 06:05:12 UTC
GOST_YESCRYPT is not supported in RHEL anymore. It looks like 389-ds lacks removal of the configuration when a plugin gets disabled.

You can disable it manually with

# dsconf INFO-XXXXXX-PT plugin set GOST_YESCRYPT --enabled off

Comment 2 Arjen Heidinga 2021-11-15 12:51:40 UTC
Unfortunately this did not work. The configuration was rolled-back Sunday morning, now I tried upgrading, prior to the update I ran the command (successful) however after the update the issue persists. Removing the relevant section from the dse.ldif file 'solves' the issue, but it 'feels' wrong.

Comment 3 thierry bordaz 2021-11-15 14:44:49 UTC
My understanding is that early centos 8.5 builds (1.4.3.23-2 and 1.4.3.23-7) contained invalid GOST_YESCRYPT password storage support. This support was completely removed in 1.4.3.23-10 (https://git.centos.org/rpms/389-ds-base/c/0381070f4db756c9771576582981e332aab5d141?branch=c8s-stream-1.4) with removal of config GOST plugin entry and GOST init plugin callback gost_yescrypt_pwd_storage_scheme_init.

So if an instance was created with early 8.5 builds, a plugin entry (dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config) was created. Then the upgrade removed the init callback and startup fails.
A quick relief is to edit dse.ldif and remove cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config.

A fix is to remove that entry during upgrade.

Comment 4 thierry bordaz 2021-11-15 15:00:32 UTC
(In reply to Arjen Heidinga from comment #2)
> Unfortunately this did not work. The configuration was rolled-back
> Sunday morning, now I tried upgrading, prior to the update I ran the command
> (successful) however after the update the issue persists. Removing the
> relevant section from the dse.ldif file 'solves' the issue, but it 'feels'
> wrong.

Indeed even if a plugin is disabled, the server tries first to load its init function. If it fails to load it, plugin setup fails and server can not start.
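
The failure mode from comments 3 and 4 can be checked before an upgrade. The following is an added example, not part of the original thread and not 389-ds code: it flags plugin entries in dse.ldif text whose init function is missing from the library, whether or not the plugin is enabled, and drops them. The sample LDIF and the export list are constructed; the list is assumed to come from something like `nm -D` on the plugin library, and values are assumed to be plain (not base64).

```python
import re

# Constructed sample: one valid scheme and the stale GOST_YESCRYPT entry (DN folded).
SAMPLE = """\
dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginPath: libpwdstorage-plugin
nsslapd-pluginInitfunc: crypt_pwd_storage_scheme_init
nsslapd-pluginEnabled: on

dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugi
 ns,cn=config
nsslapd-pluginPath: libpwdstorage-plugin
nsslapd-pluginInitfunc: gost_yescrypt_pwd_storage_scheme_init
nsslapd-pluginEnabled: off
"""
# Assumed input: library name -> symbols it exports after the upgrade.
EXPORTED = {"libpwdstorage-plugin": {"crypt_pwd_storage_scheme_init"}}

def parse_ldif(text):
    """Split LDIF into entries (lists of lines), unfolding continuation lines."""
    text = re.sub(r"\n ", "", text.replace("\r\n", "\n"))
    return [b.split("\n") for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]

def attrs(entry):
    """Map lower-cased attribute name -> first value for one entry."""
    out = {}
    for line in entry:
        name, sep, value = line.partition(":")
        if sep:
            out.setdefault(name.strip().lower(), value.strip())
    return out

def stale_plugins(text, exported):
    """DNs of plugin entries whose init function the library no longer exports."""
    stale = []
    for entry in parse_ldif(text):
        a = attrs(entry)
        lib, init = a.get("nsslapd-pluginpath"), a.get("nsslapd-plugininitfunc")
        # nsslapd-pluginEnabled is ignored on purpose: init is loaded even when "off".
        if init and lib in exported and init not in exported[lib]:
            stale.append(a["dn"])
    return stale

def remove_entries(text, dns):
    """Return the LDIF text without the entries whose DN is listed in `dns`."""
    drop = {d.lower() for d in dns}
    kept = [e for e in parse_ldif(text) if attrs(e).get("dn", "").lower() not in drop]
    return "\n\n".join("\n".join(e) for e in kept) + "\n"
```

Run it against a copy of dse.ldif with the instance stopped, since the server rewrites that file while running.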

Comment 8 jchurro 2021-11-15 19:33:42 UTC
I removed the GOST_YESCRYPT plugin lines from dse.ldif and the problem was solved. IPA is back again. I think that future upgrades should remove these lines from dse.ldif file.

Comment 12 W. de Heiden 2021-11-17 16:14:32 UTC
Bug confirmed on CentOS Stream release 8
Workaround confirmed as working also :)

Comment 15 thierry bordaz 2021-11-24 18:05:00 UTC
Fix pushed upstream => POST

Comment 16 thierry bordaz 2022-06-10 12:02:42 UTC
Fixed in 389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6 => MODIFIED

Comment 22 Akshay Adhikari 2022-08-05 16:26:13 UTC
Build Tested: 389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6.x86_64

# dsconf test plugin show entryuuid
dn: cn=entryuuid,cn=plugins,cn=config
cn: entryuuid
nsslapd-pluginDescription: none
nsslapd-pluginEnabled: on
nsslapd-pluginId: none
nsslapd-pluginInitfunc: entryuuid_plugin_init
nsslapd-pluginPath: libentryuuid-plugin
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginVendor: none
nsslapd-pluginVersion: none
objectClass: top
objectClass: nsSlapdPlugin

# dsctl test stop
Instance "test" has been stopped

# mv /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so.sav
# dsctl test start
Instance "test" has been started

Error logs:
[05/Aug/2022:12:17:20.026001169 -0400] - ERR - symload_report_error - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so: cannot open shared object file: No such file or directory
[05/Aug/2022:12:17:20.054125155 -0400] - ERR - symload_report_error - Could not open library "/usr/lib64/dirsrv/plugins/libentryuuid-plugin.so" for plugin entryuuid
[05/Aug/2022:12:17:20.056785832 -0400] - ERR - plugin_setup - "entryuuid" plugin in library "libentryuuid-plugin" not initialized and ignored

I can see the server is running even after restart. Marking it as VERIFIED.

Comment 24 errata-xmlrpc 2022-11-08 09:38:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7552