1973634 – IPA installation fails on s390x with 389-ds-base-1.4.3.8-4.module+el8.3.0+7193+dfd1e8ad.s390x

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1973634 - IPA installation fails on s390x with 389-ds-base-1.4.3.8-4.module+el8.3.0+7193+dfd1e8ad.s390x

Summary: IPA installation fails on s390x with 389-ds-base-1.4.3.8-4.module+el8.3.0+719...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	8.3
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	---
Assignee:	mreynolds
QA Contact:	RHDS QE
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:	1977231 1980063
TreeView+	depends on / blocked

Reported:	2021-06-18 10:48 UTC by Viktor Ashirov
Modified:	2021-11-09 22:32 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1977231 1980063 (view as bug list)
Environment:
Last Closed:	2021-11-09 18:12:23 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 4563	None	None	None	2021-08-27 15:55:29 UTC
Github	389ds 389-ds-base pull 4818	None	open	Issue 4563 - Failure on s390x: 'Fails to split RDN "o=pki-tomcat-CA"…	2021-06-29 13:14:37 UTC
Red Hat Product Errata	RHBA-2021:4203	None	None	None	2021-11-09 18:12:49 UTC

Description Viktor Ashirov 2021-06-18 10:48:01 UTC

Description of problem:
IPA installation fails on s390x starting with 389-ds-base-1.4.3.8-4.module+el8.3.0+7193+dfd1e8ad.s390x and later versions.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.8-4.module+el8.3.0+7193+dfd1e8ad.s390x

How reproducible:
always

Steps to Reproduce:
1. On s390x machine run 
ipa-server-install --domain=ipa.test --realm=IPA.TEST --ds-password=password --admin-password=password --hostname=$(hostname -f) --no-forwarders --allow-zone-overlap --setup-dns -U

Actual results:

Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: configure autobind for root
  [3/44]: stopping directory server
  [4/44]: updating configuration in dse.ldif
  [5/44]: starting directory server
  [6/44]: adding default schema
  [7/44]: enabling memberof plugin
  [8/44]: enabling winsync plugin
  [9/44]: configure password logging
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache and keytab
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
Failed to load bootstrap-template.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpfl6ylgw6', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-TEST.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
  [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpfl6ylgw6', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-TEST.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpfl6ylgw6', '-H', 'ldapi://%2Frun%2Fslapd-IPA-TEST.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-TEST.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
ipa-server-install succeeds.

Additional info:

Downgrading packages to 
389-ds-base-1.4.3.8-3.module+el8.3.0+6935+6f68b788.s390x
python3-libs-3.6.8-15.1.el8.s390x
platform-python-3.6.8-15.1.el8.s390x
allows installation to proceed.

Comment 1 Viktor Ashirov 2021-06-18 11:04:52 UTC

In the error log I see 
[18/Jun/2021:06:39:33.072172531 -0400] - ERR - entry_get_rdn_mods - Fails to split RDN "uid=admin,cn=users,cn=accounts,dc=ipa,dc=test" into components
[18/Jun/2021:06:39:33.072627657 -0400] - ERR - memberof-plugin - memberof_postop_add - Failed to add dn(cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test), error (1)

entry_get_rdn_mods comes from 
https://github.com/389ds/389-ds-base/commit/2ccd0bed4
https://bugzilla.redhat.com/show_bug.cgi?id=1647017

Comment 16 sgouvern 2021-07-22 16:44:34 UTC

With s390x + 389-ds-base-1.4.3.23-6.module+el8.5.0+11842+2f4233e8.s390x

# PYTHONPATH=src/lib389/ py.test dirsrvtests/tests/suites/replication/conflict_resolve_test.py 
=================================================== test session starts ===================================================
platform linux -- Python 3.6.8, pytest-6.2.4, py-1.10.0, pluggy-0.13.1
389-ds-base: 1.4.3.23-6.module+el8.5.0+11842+2f4233e8
nss: 3.53.1-17.el8_3
nspr: 4.25.0-2.el8_2
openldap: 2.4.46-17.el8
cyrus-sasl: 2.1.27-5.el8
FIPS: disabled
rootdir: /mnt/tests/ds/dirsrvtests, configfile: pytest.ini
collected 8 items                                                                                                         

================================================== 4 passed, 4 xfailed, 20 warnings in 236.13s (0:03:56) ===================================================

Comment 17 sgouvern 2021-07-22 17:44:56 UTC

Too, with s390x + 389-ds-base-1.4.3.23-6.module+el8.5.0+11842+2f4233e8.s390x

The ipa-server-install command that was failing now succeeds :

# ipa-server-install --domain=ipa.test --realm=IPA.TEST --ds-password=password --admin-password=password --hostname=$(hostname -f) --no-forwarders --allow-zone-overlap --setup-dns -U
...
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: tune ldbm plugin
  [3/41]: adding default schema
  [4/41]: enabling memberof plugin
  [5/41]: enabling winsync plugin
  [6/41]: configure password logging
  [7/41]: configuring replication version plugin
  [8/41]: enabling IPA enrollment plugin
  [9/41]: configuring uniqueness plugin
  [10/41]: configuring uuid plugin
  [11/41]: configuring modrdn plugin
  [12/41]: configuring DNS plugin
  [13/41]: enabling entryUSN plugin
  [14/41]: configuring lockout plugin
  [15/41]: configuring topology plugin
  [16/41]: creating indices
  [17/41]: enabling referential integrity plugin
  [18/41]: configuring certmap.conf
  [19/41]: configure new location for managed entries
  [20/41]: configure dirsrv ccache and keytab
  [21/41]: enabling SASL mapping fallback
  [22/41]: restarting directory server
  [23/41]: adding sasl mappings to the directory
  [24/41]: adding default layout
  [25/41]: adding delegation layout
  [26/41]: creating container for managed entries
  [27/41]: configuring user private groups
  [28/41]: configuring netgroups from hostgroups
  [29/41]: creating default Sudo bind user
  [30/41]: creating default Auto Member layout
  [31/41]: adding range check plugin
  [32/41]: creating default HBAC rule allow_all
  [33/41]: adding entries for topology management
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
...
The ipa-server-install command was successful


And more detailed output of dirsrvtests/tests/suites/replication/conflict_resolve_test.py :
=================================================================== test session starts ====================================================================
platform linux -- Python 3.6.8, pytest-6.2.4, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
389-ds-base: 1.4.3.23-6.module+el8.5.0+11842+2f4233e8
nss: 3.53.1-17.el8_3
nspr: 4.25.0-2.el8_2
openldap: 2.4.46-17.el8
cyrus-sasl: 2.1.27-5.el8
FIPS: disabled
rootdir: /mnt/tests/ds/dirsrvtests, configfile: pytest.ini
collected 8 items                                                                                                                                          

dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_add_modrdn PASSED                                              [ 12%]
dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_complex_add_modify_modrdn_delete PASSED                        [ 25%]
dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_memberof_groups XFAIL (Issue 49591 - work in progress)         [ 37%]
dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_managed_entries XFAIL (Issue 49591 - work in progress)         [ 50%]
dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_nested_entries_with_children XFAIL (Issue 49591 - work in ...) [ 62%]
dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_conflict_attribute_multi_valued PASSED                         [ 75%]
dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_conflict_attribute_single_valued PASSED                        [ 87%]
dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestThreeSuppliers::test_nested_entries XFAIL (Issue 49591 - work in progress)        [100%]
================================================== 4 passed, 4 xfailed, 16 warnings in 232.22s (0:03:52) ===================================================


dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_conflict_attribute_multi_valued PASSED                        
dirsrvtests/tests/suites/replication/conflict_resolve_test.py::TestTwoSuppliers::test_conflict_attribute_single_valued PASSED                       

marking as verified:tested

Comment 21 sgouvern 2021-07-23 16:30:57 UTC

As per comment 17 marking as VERIFIED

Comment 23 errata-xmlrpc 2021-11-09 18:12:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4203

Note You need to log in before you can comment on or make changes to this bug.