Bug 2023056 - After upgrading ipa package, ipa server fails to start with dirsrv init error (/usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init)
Keywords:
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: CentOS Stream
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: 8.7
Assignee: thierry bordaz
QA Contact: RHDS QE
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2021-11-14 11:10 UTC by jchurro
Modified: 2022-06-10 12:08 UTC (History)

Fixed In Version: 389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | 389ds 389-ds-base issues 5008 | 0 | None | open | If a non critical plugin can not be loaded/initialized, bootstrap should succeeds | 2021-11-17 15:52:51 UTC
Red Hat Issue Tracker | IDMDS-1797 | 0 | None | None | None | 2021-11-17 15:53:48 UTC
Red Hat Issue Tracker | IDMDS-2263 | 0 | None | None | None | 2022-05-09 06:52:47 UTC
Red Hat Issue Tracker | RHELPLAN-102678 | 0 | None | None | None | 2021-11-14 11:11:04 UTC

Description jchurro 2021-11-14 11:10:42 UTC
Description of problem:

After upgrading CentOS Stream 8, where 389-ds-base was also upgraded, dirsrv fails to start with the error

"symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init"

Version-Release number of selected component (if applicable):

ns-slapd
389 Project
389-Directory/1.4.3.231 B2021.279.1440

389-ds-base-1.4.3.23-10.module_el8.5.0+946+51aba098.x86_64 : 389 Directory Server (base)
Repo        : appstream
Matched from:
Other       : *ns-slapd


How reproducible:

Server with only the software necessary to run IPA Server. Upgraded to the latest dirsrv version in Stream 8.

Additional Info:

[14/Nov/2021:10:22:51.400480566 +0000] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init
[14/Nov/2021:10:22:51.402226687 +0000] - ERR - symload_report_error - Could not load symbol "gost_yescrypt_pwd_storage_scheme_init" from "libpwdstorage-plugin" for plugin GOST_YESCRYPT
[14/Nov/2021:10:22:51.402838695 +0000] - ERR - slapd_bootstrap_config - The plugin entry [cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-INFO-XXXXXX-PT/dse.ldif was invalid. Failed to load plugin's init function.
[14/Nov/2021:10:22:51.403429402 +0000] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-INFO-XXXXXX-PT could not be read or were not found.  Please refer to the error log or output for more information.

Comment 1 Alexander Bokovoy 2021-11-15 06:05:12 UTC
GOST_YESCRYPT is not supported in RHEL anymore. It looks like 389-ds lacks removal of the configuration when a plugin gets disabled.

You can disable it manually with

# dsconf INFO-XXXXXX-PT plugin set GOST_YESCRYPT --enabled off

Comment 2 Arjen Heidinga 2021-11-15 12:51:40 UTC
Unfortunately this did not work. The configuration was rolled back Sunday morning, now I tried upgrading, prior to the update I ran the command (successful) however after the update the issue persists. Removing the relevant section from the dse.ldif file 'solves' the issue, but it 'feels' wrong.

Comment 3 thierry bordaz 2021-11-15 14:44:49 UTC
My understanding is that early CentOS 8.5 builds (1.4.3.23-2 and 1.4.3.23-7) contained invalid GOST_YESCRYPT password storage support. This support was completely removed in 1.4.3.23-10 (https://git.centos.org/rpms/389-ds-base/c/0381070f4db756c9771576582981e332aab5d141?branch=c8s-stream-1.4) with removal of config GOST plugin entry and GOST init plugin callback gost_yescrypt_pwd_storage_scheme_init.

So if an instance was created with early 8.5 builds, a plugin entry (dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config) was created. Then the upgrade removed the init callback and startup fails.
A quick relief is to edit dse.ldif and remove cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config.

A fix is to remove that entry during upgrade.
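
The dse.ldif workaround from comment 3, as an added example that is not part of the original comments or of the 389-ds code base. It assumes the instance is stopped and that the DN is stored unencoded (not as base64 `dn::`); the sample entries and the backup suffix are constructed for illustration.

```python
import re
import shutil
import sys

GOST_DN = "cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config"

# Constructed sample: the stale entry is disabled and its dn line is folded.
SAMPLE = """dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginInitfunc: crypt_pwd_storage_scheme_init

dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,c
 n=config
nsslapd-pluginPath: libpwdstorage-plugin
nsslapd-pluginInitfunc: gost_yescrypt_pwd_storage_scheme_init
nsslapd-pluginEnabled: off

dn: cn=config
cn: config
"""

def split_entries(ldif_text):
    """Split LDIF text into entries, which are separated by blank lines."""
    return [b for b in re.split(r"\n{2,}", ldif_text.strip("\n")) if b.strip()]

def entry_dn(entry):
    """Return the entry's DN with folded lines joined, or None if absent."""
    unfolded = entry.replace("\n ", "")  # a continuation line starts with one space
    m = re.search(r"^dn:[ ]*([^:].*)$", unfolded, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None

def norm(dn):
    """Comparison form: lower-cased, no spaces around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def remove_entry(ldif_text, dn=GOST_DN):
    """Return (new_text, removed_count) with every entry named dn dropped."""
    entries = split_entries(ldif_text)
    kept = [e for e in entries if norm(entry_dn(e) or "") != norm(dn)]
    return "\n\n".join(kept) + "\n", len(entries) - len(kept)

if __name__ == "__main__":
    path = sys.argv[1]  # e.g. the instance's dse.ldif, with dirsrv stopped
    shutil.copy2(path, path + ".pre-gost-removal")  # backup before editing
    with open(path) as f:
        text, count = remove_entry(f.read())
    with open(path, "w") as f:  # rewrite in place: owner and mode are kept
        f.write(text)
    print(f"removed {count} entry(ies) named {GOST_DN}")
```

The sample entry carries `nsslapd-pluginEnabled: off` to match comment 4: disabling the plugin leaves the entry, and its init function reference, in place.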

Comment 4 thierry bordaz 2021-11-15 15:00:32 UTC
(In reply to Arjen Heidinga from comment #2)
> Unfortunately this did not work. The configuration was rolled back
> Sunday morning, now I tried upgrading, prior to the update I ran the command
> (successful) however after the update the issue persists. Removing the
> relevant section from the dse.ldif file 'solves' the issue, but it 'feels'
> wrong.

Indeed even if a plugin is disabled, the server tries first to load its init function. If it fails to load it, plugin setup fails and server can not start.

Comment 8 jchurro 2021-11-15 19:33:42 UTC
I removed the GOST_YESCRYPT plugin lines from dse.ldif and the problem was solved. IPA is back again. I think that future upgrades should remove these lines from dse.ldif file.

Comment 12 W. de Heiden 2021-11-17 16:14:32 UTC
Bug confirmed on CentOS Stream release 8
Workaround confirmed as working also :)

Comment 15 thierry bordaz 2021-11-24 18:05:00 UTC
Fix pushed upstream => POST

Comment 16 thierry bordaz 2022-06-10 12:02:42 UTC
Fixed in 389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6 => MODIFIED

