Bug 1749001 - "Failed to flush the sssd cache" error message observed during ipa upgrade process
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: shadow-utils
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Iker Pedrosa
QA Contact: shridhar
Whiteboard: sync-to-jira qetodo
Reported: 2019-09-04 16:20 UTC by Nikhil Dehadrai
Modified: 2023-12-15 16:46 UTC (History)

Fixed In Version: shadow-utils-4.6-12.el8
Last Closed: 2021-05-18 14:59:58 UTC
Type: Bug

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker   SSSD-2251       0        None      None    None     2023-12-15 16:46:53 UTC
Red Hat Product Errata  RHBA-2021:1650  0        None      None    None     2021-05-18 15:00:03 UTC

Description Nikhil Dehadrai 2019-09-04 16:20:50 UTC
Description of problem:
"Failed to flush the sssd cache" error message observed during ipa upgrade process

Version-Release number of selected component (if applicable):
ipa-server-4.8.0-10.module+el8.1.0+4098+f286395e.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA server at RHEL80 version
2. Use the latest repo for RHEL 8.1
3. Upgrade the ipa-server using 'yum -y update'

Actual results:
1. IPA upgrade is successful
# tail -1 /var/log/ipaupgrade.log 
2019-09-04T14:09:31Z INFO The ipa-server-upgrade command was successful

2. During the upgrade process, the following error message is observed at the console

  Upgrading        : postfix-2:3.3.1-9.el8.x86_64                                                              442/947 
  Running scriptlet: postfix-2:3.3.1-9.el8.x86_64                                                              442/947 
  Running scriptlet: rng-tools-6.6-3.el8.x86_64                                                                443/947 
ldb: module version mismatch in ../modules/paged_results.c : ldb_version=1.5.4 module_version=1.4.2
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/paged_results.so : Unavailable
Could not open available domains
useradd: sss_cache exited with status 5
useradd: Failed to flush the sssd cache.
ldb: module version mismatch in ../modules/paged_results.c : ldb_version=1.5.4 module_version=1.4.2
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/paged_results.so : Unavailable
Could not open available domains
useradd: sss_cache exited with status 5
useradd: Failed to flush the sssd cache.

  Upgrading        : rng-tools-6.6-3.el8.x86_64                                                                443/947 
  Running scriptlet: rng-tools-6.6-3.el8.x86_64                                                                443/947 

Expected results:
No error message should be observed

Additional info:

Comment 2 Tomas Mraz 2019-09-05 08:46:36 UTC
Jakub, should the sssd cache flush be completely silenced in shadow-utils?

And in this concrete case the ldb messages could indicate a real problem, do you have an idea what happens here?

Comment 4 Jakub Hrozek 2019-09-09 07:46:02 UTC
(In reply to Tomas Mraz from comment #2)
> Jakub, should the sssd cache flush be completely silenced in shadow-utils?
> 

I believe it can be and it was probably a mistake from me since the start to not silence them. I'm fine with doing that upstream (unless someone else wants to submit the patch).

> And in this concrete case the ldb messages could indicate a real problem, do
> you have an idea what happens here?

The most important thing is that even if sssd is not running or not responding due to a bug, libc just falls back to using nss_files. In most cases, the warnings are really just warnings. One thing I saw recently during some distribution (so, offline) upgrade was that sssd was not yet upgraded, so its database was using an older format that would have been upgraded when the sssd service starts, but packages were being installed, so sss_cache was being called from useradd and sss_cache was printing messages that said "database too old, start sssd to upgrade it".

In this case, it seems like a variant of what I saw above. Some package that ships an LDB module (ldb is the cache that sssd uses) drops a module compiled against a newer version of LDB. And ldb on initialization errors if there are any modules that can't be used, so in this case the cache wouldn't have been dropped. I'm not sure if this could be solved by some magic in requires or ordering, maybe Lukas who is already in the CC list would know better.

Comment 5 Tomas Mraz 2019-09-09 08:50:05 UTC
(In reply to Jakub Hrozek from comment #4)
> (In reply to Tomas Mraz from comment #2)
> > Jakub, should the sssd cache flush be completely silenced in shadow-utils?
> > 
> 
> I believe it can be and it was probably a mistake from me since the start to
> not silence them. I'm fine with doing that upstream (unless someone else
> wants to submit the patch).

As you were the original author it will be probably best if you submit this change upstream as well.

Comment 6 Iker Pedrosa 2020-04-22 13:28:53 UTC
(In reply to Jakub Hrozek from comment #4)
> (In reply to Tomas Mraz from comment #2)
> > Jakub, should the sssd cache flush be completely silenced in shadow-utils?
> > 
> 
> I believe it can be and it was probably a mistake from me since the start to
> not silence them. I'm fine with doing that upstream (unless someone else
> wants to submit the patch).
> 

I'm planning to work on this bugzilla and I wonder what you mean by "silence them". Were you thinking about deleting the print lines or maybe filtering them?

Comment 7 Jakub Hrozek 2020-05-07 18:17:19 UTC
(In reply to Iker Pedrosa from comment #6)
> (In reply to Jakub Hrozek from comment #4)
> > (In reply to Tomas Mraz from comment #2)
> > > Jakub, should the sssd cache flush be completely silenced in shadow-utils?
> > > 
> > 
> > I believe it can be and it was probably a mistake from me since the start to
> > not silence them. I'm fine with doing that upstream (unless someone else
> > wants to submit the patch).
> > 
> 
> I'm planning to work on this bugzilla and I wonder what do you mean by
> "silence them". Were you thinking about deleting the print lines or maybe
> filtering them?

Sorry I totally forgot about this bug after I moved away from SSSD. What I had in mind was just to not print stderr originally.

Comment 8 Ding-Yi Chen 2020-07-08 07:02:59 UTC
We also witness a case that has a slightly different log, upgrading a different package:

~~~
  Running scriptlet: cockpit-ws-211.3-1.el8.x86_64                      221/618
ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable
Could not open available domains
groupadd: sss_cache exited with status 5
groupadd: Failed to flush the sssd cache.
ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable
Could not open available domains
groupadd: sss_cache exited with status 5
groupadd: Failed to flush the sssd cache.
ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable
Could not open available domains
useradd: sss_cache exited with status 5
useradd: Failed to flush the sssd cache.
ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable
Could not open available domains
useradd: sss_cache exited with status 5
useradd: Failed to flush the sssd cache.

  Upgrading        : cockpit-ws-211.3-1.el8.x86_64                      221/618
  Running scriptlet: cockpit-ws-211.3-1.el8.x86_64                      221/618
~~~

Comment 9 d.abad 2020-07-21 07:26:23 UTC
Hi,

Similar issue for us, with flatpak:

~~~
Running scriptlet: flatpak-1.6.2-2.el8.x86_64 405/1522
ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable
Could not open available domains
groupadd: sss_cache exited with status 5
groupadd: Failed to flush the sssd cache.
ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable
Could not open available domains
groupadd: sss_cache exited with status 5
groupadd: Failed to flush the sssd cache.
ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable
Could not open available domains
useradd: sss_cache exited with status 5
useradd: Failed to flush the sssd cache.
ldb: module version mismatch in ../../modules/asq.c : ldb_version=1.5.4 module_version=2.0.7
ldb: failed to initialise module /usr/lib64/ldb/modules/ldb/asq.so : Unavailable
Could not open available domains
useradd: sss_cache exited with status 5
useradd: Failed to flush the sssd cache.
~~~

Happy to help if required!

Comment 11 Iker Pedrosa 2020-10-05 07:02:33 UTC
* master:
    * e84df9e163e133eb11a2728024ff3e3440592cf8 - lib/sssd: redirect warning message to file
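
The approach discussed in comments 7 and 11 can be sketched as follows. This is an added example, not shadow-utils code: it runs a helper with its stderr appended to a log file instead of the console, while still returning the helper's exit status so a real failure is not lost. The function names, the log path and the sample command are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from shadow-utils): run argv[0] with its stderr
 * appended to log_path. Returns the helper's exit status (0..255), 127 if
 * the helper could not be executed, 126 if stderr could not be redirected,
 * or -1 if fork/waitpid failed or the helper was killed by a signal.
 */
int run_helper_stderr_to_file(char *const argv[], const char *log_path)
{
    pid_t pid;
    int status;

    fflush(NULL);               /* do not duplicate buffered output in the child */
    pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: keep the diagnostics, but off the console. 0600 because
         * the messages may name local accounts and cache paths. */
        int fd = open(log_path, O_WRONLY | O_CREAT | O_APPEND, 0600);
        if (fd < 0)
            fd = open("/dev/null", O_WRONLY);   /* fall back to discarding */
        if (fd < 0)
            _exit(126);
        if (fd != STDERR_FILENO) {
            if (dup2(fd, STDERR_FILENO) < 0)
                _exit(126);
            close(fd);
        }
        execv(argv[0], argv);
        _exit(127);             /* exec failed */
    }

    /* Parent: the exit status is still collected, so the caller can decide
     * whether a non-zero result matters even though nothing was printed. */
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if needle occurs in the first 4095 bytes of the log,
 * 0 if it does not, -1 if the log cannot be opened. */
int log_contains(const char *log_path, const char *needle)
{
    char buf[4096];
    size_t n;
    FILE *fp = fopen(log_path, "r");

    if (fp == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

int main(void)
{
    /* Constructed stand-in for a failing cache flush: writes one of the
     * messages quoted in this bug to stderr and exits with status 5. */
    const char *log = "/tmp/sss_cache_example.log";   /* hypothetical path */
    char *argv[] = { "/bin/sh", "-c",
                     "echo 'Could not open available domains' >&2; exit 5",
                     NULL };
    int rc = run_helper_stderr_to_file(argv, log);

    printf("helper exit status: %d, message kept in log: %d\n",
           rc, log_contains(log, "Could not open available domains"));
    return 0;
}
```

Keeping the message in a file rather than dropping it preserves the evidence for cases like the ldb module version mismatch above, where the cache was in fact not flushed.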

Comment 14 shridhar 2020-11-17 13:28:40 UTC
Tested with following data:

shadow-utils-2:4.6-11.el8 

]# rpm -q ipa-server
ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64

o]# ipa-server-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.7

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: 

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ci-vm-10-0-137.ad.baseos.qe]: 

The host name ci-vm-10-0-137.ad.baseos.qe does not match the value ci-vm-10-0-137-187.hosted.upshift.rdu2.redhat.com obtained by reverse 

[.....]

Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.

[....]

unable to resolve host name ci-vm-10-0-137.ad.baseos.qe. to IP address, ipa-ca DNS record will be incomplete
unable to resolve host name ci-vm-10-0-137.ad.baseos.qe. to IP address, ipa-ca DNS record will be incomplete
Please add records in this file to your DNS system: /tmp/ipa.system.records.e5tdck75.db
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@ci-vm-10-0-137- tmp.4kk3U8rLDo]# 

[root@ci-vm-10-0-137- tmp.4kk3U8rLDo]# rpm -Uvh shadow-utils-4.6-12.el8.x86_64.rpm 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:shadow-utils-2:4.6-12.el8        ################################# [ 50%]
Cleaning up / removing...
   2:shadow-utils-2:4.6-11.el8        ################################# [100%]


[root@ci-vm-10-0-137- tmp.4kk3U8rLDo]# dnf update ipa-server
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Last metadata expiration check: 0:02:51 ago on Tue 17 Nov 2020 07:16:47 AM EST.
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                                          Architecture                          Version                                                               Repository                                      Size
===================================================================================================================================================================================================================
Upgrading:
 ipa-client                                       x86_64                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                272 k
 ipa-client-common                                noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                178 k
 ipa-common                                       noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                744 k
 ipa-selinux                                      noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                171 k
 ipa-server                                       x86_64                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                523 k
 ipa-server-common                                noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                604 k
 python3-ipaclient                                noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                680 k
 python3-ipalib                                   noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                719 k
 python3-ipaserver                                noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                 rhel-AppStream1                                1.5 M

Transaction Summary
===================================================================================================================================================================================================================
Upgrade  9 Packages

Total download size: 5.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/9): ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64.rpm                                                                                                                 1.5 MB/s | 272 kB     00:00    
(2/9): ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                          1.0 MB/s | 178 kB     00:00    
(3/9): ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                                 4.0 MB/s | 744 kB     00:00    
(4/9): ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                                 19 MB/s | 171 kB     00:00    
(5/9): ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64.rpm                                                                                                                  38 MB/s | 523 kB     00:00    
(6/9): ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                           35 MB/s | 604 kB     00:00    
(7/9): python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                           31 MB/s | 680 kB     00:00    
(8/9): python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                              31 MB/s | 719 kB     00:00    
(9/9): python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                           64 MB/s | 1.5 MB     00:00    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                               24 MB/s | 5.3 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Running scriptlet: ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                            1/1 
  Upgrading        : ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           1/18 
  Running scriptlet: ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           2/18 
  Upgrading        : ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           2/18 
  Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                 3/18 
  Upgrading        : ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                 3/18 
  Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                 3/18 
  Upgrading        : ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                  4/18 
  Upgrading        : python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                              5/18 
  Upgrading        : python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           6/18 
  Upgrading        : ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  7/18 
  Running scriptlet: ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  7/18 
  Upgrading        : python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           8/18 
  Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  9/18 
  Upgrading        : ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  9/18 
  Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  9/18 
  Running scriptlet: ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                 10/18 
  Cleanup          : ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                 10/18 
  Cleanup          : python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          11/18 
  Cleanup          : ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                 12/18 
  Cleanup          : python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          13/18 
  Cleanup          : python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                             14/18 
  Cleanup          : ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                 15/18 
  Cleanup          : ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          16/18 
  Cleanup          : ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          17/18 
  Cleanup          : ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                18/18 
  Running scriptlet: ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                18/18 
  Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                18/18 
  Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                 18/18 
  Running scriptlet: ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                18/18 
  Verifying        : ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  1/18 
  Verifying        : ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                  2/18 
  Verifying        : ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           3/18 
  Verifying        : ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                           4/18 
  Verifying        : ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                  5/18 
  Verifying        : ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                  6/18 
  Verifying        : ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                 7/18 
  Verifying        : ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                 8/18 
  Verifying        : ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  9/18 
  Verifying        : ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                 10/18 
  Verifying        : ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                          11/18 
  Verifying        : ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          12/18 
  Verifying        : python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                          13/18 
  Verifying        : python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          14/18 
  Verifying        : python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                             15/18 
  Verifying        : python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                             16/18 
  Verifying        : python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                          17/18 
  Verifying        : python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          18/18 
Installed products updated.

Upgraded:
  ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64               ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch        ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch              
  ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch              ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64               ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch       
  python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch        python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch           python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch       

Complete!

------------------------------------

No "Failed to flush the sssd cache" message observed.

marking verified.

Comment 19 shridhar 2020-12-10 12:35:04 UTC
tested with following data:

[root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# ipa-server-install 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.8.7

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: 

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ci-vm-10-0-139-48.hosted.upshift.rdu2.redhat.com]: 

[.........]

Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
Configuring client side components
This program will set up IPA client.
Version 4.8.7

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ci-vm-10-0-139-48.hosted.upshift.rdu2.redhat.com
Realm: HOSTED.UPSHIFT.RDU2.REDHAT.COM
DNS Domain: hosted.upshift.rdu2.redhat.com
IPA Server: ci-vm-10-0-139-48.hosted.upshift.rdu2.redhat.com
BaseDN: dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com

Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring hosted.upshift.rdu2.redhat.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Please add records in this file to your DNS system: /tmp/ipa.system.records.anpumjl5.db
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		UDP Ports:
		  * 88, 464: kerberos
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# rpm -q shadow-utils-4.6-12.el8.x86_64.rpm 
warning: shadow-utils-4.6-12.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
shadow-utils-4.6-12.el8.x86_64
[root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# rpm -q shadow-utils
shadow-utils-4.6-11.el8.x86_64
[root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# rpm -Uvh shadow-utils-4.6-12.el8.x86_64.rpm 
warning: shadow-utils-4.6-12.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:shadow-utils-2:4.6-12.el8        ################################# [ 50%]
Cleaning up / removing...
   2:shadow-utils-2:4.6-11.el8        ################################# [100%]
[root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# vim /etc/yum.repos.d/rhel.repo 
[root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# dnf update ipa-server
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

rhel                                                                                                                                                                                24 MB/s | 2.3 MB     00:00    
rhel-AppStream                                                                                                                                                                      46 MB/s | 6.5 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Thu 10 Dec 2020 07:08:38 AM EST.
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                                          Architecture                          Version                                                                Repository                                     Size
===================================================================================================================================================================================================================
Upgrading:
 ipa-client                                       x86_64                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                272 k
 ipa-client-common                                noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                178 k
 ipa-common                                       noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                744 k
 ipa-selinux                                      noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                171 k
 ipa-server                                       x86_64                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                523 k
 ipa-server-common                                noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                604 k
 python3-ipaclient                                noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                680 k
 python3-ipalib                                   noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                719 k
 python3-ipaserver                                noarch                                4.8.7-13.module+el8.3.0+8376+0bba7131                                  rhel-AppStream                                1.5 M

Transaction Summary
===================================================================================================================================================================================================================
Upgrade  9 Packages

Total download size: 5.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/9): ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                          4.4 MB/s | 178 kB     00:00    
(2/9): ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64.rpm                                                                                                                 5.7 MB/s | 272 kB     00:00    
(3/9): ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                                 15 MB/s | 171 kB     00:00    
(4/9): ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                                  12 MB/s | 744 kB     00:00    
(5/9): ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64.rpm                                                                                                                  25 MB/s | 523 kB     00:00    
(6/9): ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                           17 MB/s | 604 kB     00:00    
(7/9): python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                           20 MB/s | 680 kB     00:00    
(8/9): python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                              22 MB/s | 719 kB     00:00    
(9/9): python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch.rpm                                                                                                           51 MB/s | 1.5 MB     00:00    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                               44 MB/s | 5.3 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Running scriptlet: ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                            1/1 
  Upgrading        : ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           1/18 
  Running scriptlet: ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           2/18 
  Upgrading        : ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           2/18 
  Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                 3/18 
  Upgrading        : ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                 3/18 
  Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                 3/18 
  Upgrading        : ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                  4/18 
  Upgrading        : python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                              5/18 
  Upgrading        : python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           6/18 
  Upgrading        : ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  7/18 
  Running scriptlet: ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  7/18 
  Upgrading        : python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           8/18 
  Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  9/18 
  Upgrading        : ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  9/18 
  Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  9/18 
  Running scriptlet: ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                 10/18 
  Cleanup          : ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                 10/18 
  Cleanup          : python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          11/18 
  Cleanup          : ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                 12/18 
  Cleanup          : python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          13/18 
  Cleanup          : python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                             14/18 
  Cleanup          : ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                 15/18 
  Cleanup          : ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          16/18 
  Cleanup          : ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          17/18 
  Cleanup          : ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                18/18 
  Running scriptlet: ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                18/18 
  Running scriptlet: ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                18/18 
  Running scriptlet: ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                 18/18 
^Z
[1]+  Stopped                 dnf update ipa-server
[root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# less /var/log/messages 
[root@ci-vm-10-0-139-48 bz1788696-userdel-mistakes-unrelated-user-process-with-a-namespaced-one-preventing-user-removal]# fg
dnf update ipa-server
  Running scriptlet: ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                18/18 
  Verifying        : ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  1/18 
  Verifying        : ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                  2/18 
  Verifying        : ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                           3/18 
  Verifying        : ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                           4/18 
  Verifying        : ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                  5/18 
  Verifying        : ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                  6/18 
  Verifying        : ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                                 7/18 
  Verifying        : ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                                 8/18 
  Verifying        : ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64                                                                                                                                  9/18 
  Verifying        : ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64                                                                                                                                 10/18 
  Verifying        : ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                          11/18 
  Verifying        : ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          12/18 
  Verifying        : python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                          13/18 
  Verifying        : python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          14/18 
  Verifying        : python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                             15/18 
  Verifying        : python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                             16/18 
  Verifying        : python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch                                                                                                                          17/18 
  Verifying        : python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch                                                                                                                          18/18 
Installed products updated.

Upgraded:
  ipa-client-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64               ipa-client-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch        ipa-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch              
  ipa-selinux-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch              ipa-server-4.8.7-13.module+el8.3.0+8376+0bba7131.x86_64               ipa-server-common-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch       
  python3-ipaclient-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch        python3-ipalib-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch           python3-ipaserver-4.8.7-13.module+el8.3.0+8376+0bba7131.noarch       

Complete!



No "Failed to flush the sssd cache" message observed during ipa upgrade process.
Marking verified.

Comment 21 errata-xmlrpc 2021-05-18 14:59:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (shadow-utils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1650

