RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1026677 - Attempt to run ipa-client-install fails with /etc/pki/nssdb/libnssckbi.so: cannot open shared object file: No such file or directory (PR_LOAD_LIBRARY_ERROR)
Summary: Attempt to run ipa-client-install fails with /etc/pki/nssdb/libnssckbi.so: ca...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: ---
Assignee: Elio Maldonado Batiz
QA Contact: David Spurek
URL:
Whiteboard:
: 1026676 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-05 08:40 UTC by Jan Pazdziora
Modified: 2015-03-02 05:28 UTC (History)
10 users (show)

Fixed In Version: nss-3.15.2-8.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:41:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
ignore setpolicy result (707 bytes, patch)
2013-11-05 22:01 UTC, Kai Engert (:kaie) (inactive account) 		rrelyea: review+
Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 935597 0 -- NEW Need a test to make sure NSS_SetDomesticPolicy, NSS_SetExportPolicy, NSS_SetFrancePolicy return success. 2021-02-01 17:22:38 UTC

Description Jan Pazdziora 2013-11-05 08:40:25 UTC 
Description of problem:

Attempting to run ipa-client-install on RHEL 7 (against IdM on RHEL 6).

I get

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Cannot connect to the server due to generic error: cannot connect to 'https://ipa.example.com/ipa/xml': /etc/pki/nssdb/libnssckbi.so: cannot open shared object file: No such file or directory (PR_LOAD_LIBRARY_ERROR) Failure to load dynamic library.
Installation failed. Rolling back changes.

Version-Release number of selected component (if applicable):

# rpm -q ipa-client
ipa-client-3.3.3-1.el7.x86_64

How reproducible:

Seen once, suspect deterministic.

Steps to Reproduce:
1. Have an IPA/IdM server configured with domain example.com and realm EXAMPLE.COM.
2. On RHEL 7 machine, run yum install -y ipa-client.
3. On RHEL 7 machine, point the resolv.conf to the IP address of that IPA server: echo nameserver 10.11.12.13 > /etc/resolv.conf
4. Run ipa-client-install --domain example.com

Actual results:

#  ipa-client-install --domain example.com
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: the.real.machine.company.net
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Mon Oct 14 02:14:11 2013 UTC
    Valid Until: Fri Oct 14 02:14:11 2033 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Cannot connect to the server due to generic error: cannot connect to 'https://ipa.example.com/ipa/xml': /etc/pki/nssdb/libnssckbi.so: cannot open shared object file: No such file or directory (PR_LOAD_LIBRARY_ERROR) Failure to load dynamic library.
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

Expected results:

No error, client IPA-enrolled.

Additional info:
Comment 4 Jan Pazdziora 2013-11-05 10:11:55 UTC 
*** Bug 1026676 has been marked as a duplicate of this bug. ***
Comment 5 Martin Kosek 2013-11-05 11:46:35 UTC 
I can confirm I reproduce this issue as well, with:
nss-3.15.2-7.el7.x86_64
ipa-client-3.3.3-1.el7.x86_64

However, I suspect this is a NSS regression, when I downgraded NSS to nss-3.15.1-4.el7.x86_64, client installation started working again:

[nss-3.15.1-4.el7]# yum downgrade *
...
---> Package nss.x86_64 0:3.15.1-4.el7 will be a downgrade
---> Package nss.x86_64 0:3.15.2-7.el7 will be erased
---> Package nss-devel.x86_64 0:3.15.1-4.el7 will be a downgrade
---> Package nss-devel.x86_64 0:3.15.2-7.el7 will be erased
---> Package nss-sysinit.x86_64 0:3.15.1-4.el7 will be a downgrade
---> Package nss-sysinit.x86_64 0:3.15.2-7.el7 will be erased
---> Package nss-tools.x86_64 0:3.15.1-4.el7 will be a downgrade
---> Package nss-tools.x86_64 0:3.15.2-7.el7 will be erased
...
Complete!

# ipa-client-install -p admin -w Secret123
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: vm-052.example.com
Realm: EXAMLE.COM
DNS Domain: example.com
IPA Server: vm-119.example.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMLE.COM
    Valid From:  Fri Nov 01 18:33:30 2013 UTC
    Valid Until: Tue Nov 01 18:33:30 2033 UTC

Enrolled in IPA realm EXAMLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMLE.COM
Hostname (vm-052.example.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.


No NSS error this time. Moving to nss component.
Comment 7 Kai Engert (:kaie) (inactive account) 2013-11-05 18:33:10 UTC 
It's puzzling that it attempts to access file
  /etc/pki/nssdb/libnssckbi.so

Bob said he can think of code potentially trying to load it, but that code shouldn't be fatal.

Martin, after you downgrade to the working package, what does
  ls -l /etc/pki/nssdb/libnssckbi.so
say?
Comment 8 Martin Kosek 2013-11-05 18:49:28 UTC 
# rpm -q nss
nss-3.15.1-4.el7.x86_64

# ls -l /etc/pki/nssdb/libnssckbi.so
ls: cannot access /etc/pki/nssdb/libnssckbi.so: No such file or directory

# ls -l /etc/pki/nssdb/
total 124
-rw-r--r--. 1 root root 65536 Nov  5 13:48 cert8.db
-rw-r--r--. 1 root root  9216 Aug 13 07:40 cert9.db
-rw-r--r--. 1 root root 16384 Nov  5 13:48 key3.db
-rw-r--r--. 1 root root 11264 Aug 13 07:40 key4.db
-rw-r--r--. 1 root root   451 Oct 11 17:59 pkcs11.txt
-rw-r--r--. 1 root root 16384 Jan 12  2010 secmod.db
Comment 9 Kai Engert (:kaie) (inactive account) 2013-11-05 19:08:50 UTC 
> 3. On RHEL 7 machine, point the resolv.conf to the IP address of that 
>    IPA server: echo nameserver 10.11.12.13 > /etc/resolv.conf


We don't have our own RHEL 7 that runs a compatible server.

The server address you have provided 10.11.12.13
doesn't seem to be reachable for me.

Can you please provide us with a real, existing server that we can debug against?
Comment 10 Bob Relyea 2013-11-05 19:10:25 UTC 
martin, do you have an ipa server up and running we can test against?
Comment 11 Eric Paris 2013-11-05 19:51:02 UTC 
Can you confirm that the upgrade/downgrade of nss that fixed the problem was on the client or the server?
Comment 13 Martin Kosek 2013-11-05 20:58:37 UTC 
(In reply to Eric Paris from comment #11)
> Can you confirm that the upgrade/downgrade of nss that fixed the problem was
> on the client or the server?

I tested only on client, on server we will need to do a check as well.

When you have a fixed nss and want to check yourselves, you should be able to verify pretty easily with: 

# yum install ipa-server
# ipa-server-install
Comment 14 Kai Engert (:kaie) (inactive account) 2013-11-05 22:01:14 UTC 
Created attachment 820035 [details]
ignore setpolicy result
Comment 15 Bob Relyea 2013-11-05 22:55:26 UTC 
Comment on attachment 820035 [details]
ignore setpolicy result

r+ rrelyea
Comment 16 Jan Pazdziora 2013-11-06 01:16:52 UTC 
(In reply to Martin Kosek from comment #5)
> I can confirm I reproduce this issue as well, with:
> nss-3.15.2-7.el7.x86_64
> ipa-client-3.3.3-1.el7.x86_64
> 
> However, I suspect this is a NSS regression, when I downgraded NSS to
> nss-3.15.1-4.el7.x86_64, client installation started working again:

[...]

> No NSS error this time. Moving to nss component.

Well, either that, or ipa-client should catch up with the latest nss changes?
Comment 17 Jan Pazdziora 2013-11-06 01:18:07 UTC 
(In reply to Kai Engert (:kaie) from comment #9)
> > 3. On RHEL 7 machine, point the resolv.conf to the IP address of that 
> >    IPA server: echo nameserver 10.11.12.13 > /etc/resolv.conf
> 
> We don't have our own RHEL 7 that runs a compatible server.

You don't need to have IdM on RHEL 7 -- in fact, I saw it when enrolling against IdM on RHEL 6.

> The server address you have provided 10.11.12.13
> doesn't seem to be reachable for me.

Right, that's just example. Use any IPA server.
Comment 18 Elio Maldonado Batiz 2013-11-06 02:37:00 UTC 
If anyone is interested, a scratch build that incorporates Kai's patch along with Eric Paris's correction to one of my patches is available at
https://brewweb.devel.redhat.com/taskinfo?taskID=6532388
Comment 19 Martin Kosek 2013-11-06 07:32:47 UTC 
(In reply to Jan Pazdziora from comment #16)
> (In reply to Martin Kosek from comment #5)
...
> > No NSS error this time. Moving to nss component.
> 
> Well, either that, or ipa-client should catch up with the latest nss changes?

Catch up how? I am not against updating ipa-client to catch up on the latest and greatest NSS, I just need to have some resources what needs to be done. In this case, I think that calls to python-nss caused the traceback - should python-nss then be updated?
Comment 20 Jan Pazdziora 2013-11-06 08:03:45 UTC 
(In reply to Martin Kosek from comment #19)
> 
> Catch up how? I am not against updating ipa-client to catch up on the latest
> and greatest NSS, I just need to have some resources what needs to be done.
> In this case, I think that calls to python-nss caused the traceback - should
> python-nss then be updated?

I don't know. ;-)
Comment 21 Martin Kosek 2013-11-06 08:22:39 UTC 
(In reply to Elio Maldonado Batiz from comment #18)
> If anyone is interested, a scratch build that incorporates Kai's patch along
> with Eric Paris's correction to one of my patches is available at
> https://brewweb.devel.redhat.com/taskinfo?taskID=6532388

I tested installation of both IPA server and IPA client and it worked fine with nss-3.15.2-7.1.el7.nossl2.1.x86_64.
Comment 22 Kaleem 2013-11-06 09:25:36 UTC 
I was installing a replica on RHEL-70 using a replica file created on RHEL-6.5 and faced installation failure.

  [2/34]: creating directory server instance
ipa         : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpXDfDAI' returned non-zero exit status 1
ipa         : CRITICAL Failed to restart the directory server (). See the installation log for details.
  [3/34]: adding default schema

snippet from /var/log/message:
==============================
Nov  6 16:59:31 dhcp207-176 ns-slapd: [06/Nov/2013:16:59:31 +051800] - SSL alert: Security Initialization: Unable to set SSL export policy (Netscape Portable Runtime error -5977 - Failure to load dynamic library.)
Nov  6 16:59:31 dhcp207-176 ns-slapd: [06/Nov/2013:16:59:31 +051800] - ERROR: NSS Initialization Failed.
Nov  6 16:59:31 dhcp207-176 systemd: dirsrv: main process exited, code=exited, status=1/FAILURE
Nov  6 16:59:31 dhcp207-176 systemd: Unit dirsrv entered failed state.


Then, i updated nss bits with patches provided in comment 18 and replica installation is successful now.
Comment 27 Kai Engert (:kaie) (inactive account) 2013-11-06 17:23:48 UTC 
filed an upstream bug
Comment 31 Ludek Smid 2014-06-13 11:41:23 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.