2023056 – After upgrading ipa package, ipa server fails to start with dirsrv init error (/usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init)

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2023056 - After upgrading ipa package, ipa server fails to start with dirsrv init error (/usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init)

Summary: After upgrading ipa package, ipa server fails to start with dirsrv init error...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	CentOS Stream
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	8.7
Assignee:	thierry bordaz
QA Contact:	RHDS QE
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-11-14 11:10 UTC by jchurro
Modified:	2022-11-08 10:29 UTC (History)
CC List:	13 users (show)
Fixed In Version:	389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-11-08 09:38:12 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	389ds 389-ds-base issues 5008	None	open	If a non critical plugin can not be loaded/initialized, bootstrap should succeeds	2021-11-17 15:52:51 UTC
Red Hat Issue Tracker	IDMDS-1797	None	None	None	2021-11-17 15:53:48 UTC
Red Hat Issue Tracker	IDMDS-2263	None	None	None	2022-05-09 06:52:47 UTC
Red Hat Issue Tracker	RHELPLAN-102678	None	None	None	2021-11-14 11:11:04 UTC
Red Hat Product Errata	RHBA-2022:7552	None	None	None	2022-11-08 09:38:51 UTC

Description jchurro 2021-11-14 11:10:42 UTC

Description of problem:

After making upgrade of CentOS Stream 8 where 386-ds-base was also upgraded, dirsrv fails to start with error

"symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init"

Version-Release number of selected component (if applicable):

ns-slapd
389 Project
389-Directory/1.4.3.231 B2021.279.1440

389-ds-base-1.4.3.23-10.module_el8.5.0+946+51aba098.x86_64 : 389 Directory Server (base)
Repo        : appstream
Matched from:
Other       : *ns-slapd


How reproducible:

Server with only software necessary to run IPA Server. Made upgrade to last dirsrv version in Stream 8

Additional Info:

[14/Nov/2021:10:22:51.400480566 +0000] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init
[14/Nov/2021:10:22:51.402226687 +0000] - ERR - symload_report_error - Could not load symbol "gost_yescrypt_pwd_storage_scheme_init" from "libpwdstorage-plugin" for plugin GOST_YESCRYPT
[14/Nov/2021:10:22:51.402838695 +0000] - ERR - slapd_bootstrap_config - The plugin entry [cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-INFO-XXXXXX-PT/dse.ldif was invalid. Failed to load plugin's init function.
[14/Nov/2021:10:22:51.403429402 +0000] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-INFO-XXXXXX-PT could not be read or were not found.  Please refer to the error log or output for more information.

Comment 1 Alexander Bokovoy 2021-11-15 06:05:12 UTC

GOST_YESCRYPT is not supported in RHEL anymore. It looks like 389-ds lacks removal of the configuration when a plugin gets disabled.

you can disable it manually with

# dsconf INFO-XXXXXX-PT plugin set GOST_YESCRYPT --enabled off

Comment 2 Arjen Heidinga 2021-11-15 12:51:40 UTC

Unfortunatly this did not work. The configuration was rolled-back sundaymorning, now I tried upgrading, prior to the update I ran the command (successful) however after the update the issue persists. Removing the relevant seciton from the dse.ldif file 'solves' the issue, but it 'feels' wrong.

Comment 3 thierry bordaz 2021-11-15 14:44:49 UTC

My understanding is that early centos 8.5 builds (1.4.3.23-2 and 1.4.3.23-7) contained invalid GOST_YESCRYPT password storage support. This support was completely removed in 1.4.3.23-10 (https://git.centos.org/rpms/389-ds-base/c/0381070f4db756c9771576582981e332aab5d141?branch=c8s-stream-1.4) with removal of config GOST plugin entry and GOST init plugin callback gost_yescrypt_pwd_storage_scheme_init.

So if an instance was created with early 8.5 builds, a plugin entry (dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config) was created. Then the upgrade removed the init callback and startup fails.
A quick relief is by editing dse.ldif and removing cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config.

A fix is to remove that entry during upgrade.

Comment 4 thierry bordaz 2021-11-15 15:00:32 UTC

(In reply to Arjen Heidinga from comment #2)
> Unfortunatly this did not work. The configuration was rolled-back
> sundaymorning, now I tried upgrading, prior to the update I ran the command
> (successful) however after the update the issue persists. Removing the
> relevant seciton from the dse.ldif file 'solves' the issue, but it 'feels'
> wrong.

Indeed even if a plugin is disabled, the server tries first to load its init function. If it fails to load it, plugin setup fails and server can not start.

Comment 8 jchurro 2021-11-15 19:33:42 UTC

I removed the GOST_YESCRYPT plugin lines from dse.ldif and the problem was solved. IPA is back again. I think that future upgrades should remove these lines from dse.ldif file.

Comment 12 W. de Heiden 2021-11-17 16:14:32 UTC

Bug confirmed on CentOS Stream release 8
Workaround confirmed as working also :)

Comment 15 thierry bordaz 2021-11-24 18:05:00 UTC

Fix pushed upstream => POST

Comment 16 thierry bordaz 2022-06-10 12:02:42 UTC

Fixed in 389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6 => MODIFIED

Comment 22 Akshay Adhikari 2022-08-05 16:26:13 UTC

Build Tested: 389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6.x86_64

# dsconf test plugin show entryuuid
dn: cn=entryuuid,cn=plugins,cn=config
cn: entryuuid
nsslapd-pluginDescription: none
nsslapd-pluginEnabled: on
nsslapd-pluginId: none
nsslapd-pluginInitfunc: entryuuid_plugin_init
nsslapd-pluginPath: libentryuuid-plugin
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginVendor: none
nsslapd-pluginVersion: none
objectClass: top
objectClass: nsSlapdPlugin

# dsctl test stop
Instance "test" has been stopped

# mv /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so.sav
# dsctl test start
Instance "test" has been started

Error logs:
[05/Aug/2022:12:17:20.026001169 -0400] - ERR - symload_report_error - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so: cannot open shared object file: No such file or directory
[05/Aug/2022:12:17:20.054125155 -0400] - ERR - symload_report_error - Could not open library "/usr/lib64/dirsrv/plugins/libentryuuid-plugin.so" for plugin entryuuid
[05/Aug/2022:12:17:20.056785832 -0400] - ERR - plugin_setup - "entryuuid" plugin in library "libentryuuid-plugin" not initialized and ignored

I can see the server is running even after restart, Marking it as VERIFIED.

Comment 24 errata-xmlrpc 2022-11-08 09:38:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7552

Note You need to log in before you can comment on or make changes to this bug.