Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
After upgrading ipa package, ipa server fails to start with dirsrv init error (/usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init)
Description of problem:
After making upgrade of CentOS Stream 8 where 386-ds-base was also upgraded, dirsrv fails to start with error
"symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init"
Version-Release number of selected component (if applicable):
ns-slapd
389 Project
389-Directory/1.4.3.231 B2021.279.1440
389-ds-base-1.4.3.23-10.module_el8.5.0+946+51aba098.x86_64 : 389 Directory Server (base)
Repo : appstream
Matched from:
Other : *ns-slapd
How reproducible:
Server with only software necessary to run IPA Server. Made upgrade to last dirsrv version in Stream 8
Additional Info:
[14/Nov/2021:10:22:51.400480566 +0000] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libpwdstorage-plugin.so: undefined symbol: gost_yescrypt_pwd_storage_scheme_init
[14/Nov/2021:10:22:51.402226687 +0000] - ERR - symload_report_error - Could not load symbol "gost_yescrypt_pwd_storage_scheme_init" from "libpwdstorage-plugin" for plugin GOST_YESCRYPT
[14/Nov/2021:10:22:51.402838695 +0000] - ERR - slapd_bootstrap_config - The plugin entry [cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config] in the configfile /etc/dirsrv/slapd-INFO-XXXXXX-PT/dse.ldif was invalid. Failed to load plugin's init function.
[14/Nov/2021:10:22:51.403429402 +0000] - EMERG - main - The configuration files in directory /etc/dirsrv/slapd-INFO-XXXXXX-PT could not be read or were not found. Please refer to the error log or output for more information.
Comment 1Alexander Bokovoy
2021-11-15 06:05:12 UTC
GOST_YESCRYPT is not supported in RHEL anymore. It looks like 389-ds lacks removal of the configuration when a plugin gets disabled.
you can disable it manually with
# dsconf INFO-XXXXXX-PT plugin set GOST_YESCRYPT --enabled off
Unfortunatly this did not work. The configuration was rolled-back sundaymorning, now I tried upgrading, prior to the update I ran the command (successful) however after the update the issue persists. Removing the relevant seciton from the dse.ldif file 'solves' the issue, but it 'feels' wrong.
My understanding is that early centos 8.5 builds (1.4.3.23-2 and 1.4.3.23-7) contained invalid GOST_YESCRYPT password storage support. This support was completely removed in 1.4.3.23-10 (https://git.centos.org/rpms/389-ds-base/c/0381070f4db756c9771576582981e332aab5d141?branch=c8s-stream-1.4) with removal of config GOST plugin entry and GOST init plugin callback gost_yescrypt_pwd_storage_scheme_init.
So if an instance was created with early 8.5 builds, a plugin entry (dn: cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config) was created. Then the upgrade removed the init callback and startup fails.
A quick relief is by editing dse.ldif and removing cn=GOST_YESCRYPT,cn=Password Storage Schemes,cn=plugins,cn=config.
A fix is to remove that entry during upgrade.
(In reply to Arjen Heidinga from comment #2)
> Unfortunatly this did not work. The configuration was rolled-back
> sundaymorning, now I tried upgrading, prior to the update I ran the command
> (successful) however after the update the issue persists. Removing the
> relevant seciton from the dse.ldif file 'solves' the issue, but it 'feels'
> wrong.
Indeed even if a plugin is disabled, the server tries first to load its init function. If it fails to load it, plugin setup fails and server can not start.
I removed the GOST_YESCRYPT plugin lines from dse.ldif and the problem was solved. IPA is back again. I think that future upgrades should remove these lines from dse.ldif file.
Build Tested: 389-ds-base-1.4.3.30-3.module+el8.7.0+15600+347cafc6.x86_64
# dsconf test plugin show entryuuid
dn: cn=entryuuid,cn=plugins,cn=config
cn: entryuuid
nsslapd-pluginDescription: none
nsslapd-pluginEnabled: on
nsslapd-pluginId: none
nsslapd-pluginInitfunc: entryuuid_plugin_init
nsslapd-pluginPath: libentryuuid-plugin
nsslapd-pluginType: betxnpreoperation
nsslapd-pluginVendor: none
nsslapd-pluginVersion: none
objectClass: top
objectClass: nsSlapdPlugin
# dsctl test stop
Instance "test" has been stopped
# mv /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so.sav
# dsctl test start
Instance "test" has been started
Error logs:
[05/Aug/2022:12:17:20.026001169 -0400] - ERR - symload_report_error - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/plugins/libentryuuid-plugin.so: cannot open shared object file: No such file or directory
[05/Aug/2022:12:17:20.054125155 -0400] - ERR - symload_report_error - Could not open library "/usr/lib64/dirsrv/plugins/libentryuuid-plugin.so" for plugin entryuuid
[05/Aug/2022:12:17:20.056785832 -0400] - ERR - plugin_setup - "entryuuid" plugin in library "libentryuuid-plugin" not initialized and ignored
I can see the server is running even after restart, Marking it as VERIFIED.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:7552