903758 – upgrading IPA from 2.2 to 3.0 sees certmonger errors

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 903758 - upgrading IPA from 2.2 to 3.0 sees certmonger errors

Summary: upgrading IPA from 2.2 to 3.0 sees certmonger errors

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:	902474
Blocks:	905536
TreeView+	depends on / blocked

Reported:	2013-01-24 19:13 UTC by Scott Poore
Modified:	2013-10-07 19:01 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ipa-3.0.0-24.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	902474
Environment:
Last Closed:	2013-02-21 09:32:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0528	0	normal	SHIPPED_LIVE	Low: ipa security, bug fix and enhancement update	2013-02-21 08:22:21 UTC

Internal Links: 1195849

Description Scott Poore 2013-01-24 19:13:02 UTC

+++ This bug was initially created as a clone of Bug #902474 +++

Description of problem:

When upgrading IPA from 2.2 (RHEL6.3) to 3.0 (from RHEL6.4 repos), I'm seeing certmonger errors:

  Updating   : ipa-server-3.0.0-22.el6.x86_64                                                                49/89 
certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n ocspSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n subsystemCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n Server-Cert cert-pki-ca -c dogtag-ipa-renew-agent -P XXXXXXXX' returned non-zero exit status 1
Unable to find certmonger request ID for auditSigning Cert
  Updating   : ipa-server-selinux-3.0.0-22.el6.x86_64                                                        50/89 

Before the update I pre-updated certmonger to be sure that the dogtag-ipa-renew-agent CA was there.

[root@rhel6-5 ~]# yum update certmonger
...
Updated:
  certmonger.x86_64 0:0.61-3.el6                                                                                   

Dependency Updated:
  libtalloc.x86_64 0:2.0.7-2.el6                          libtevent.x86_64 0:0.9.17-1.el6                         

Complete!

[root@rhel6-5 ~]# getcert list-cas
CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit


I also checked the state of some directories before the ipa-server update:

[root@rhel6-5 ~]# ls -ld /var/lib/pki-ca
drwxrwx---. 11 pkiuser pkiuser 4096 Jan 21 12:59 /var/lib/pki-ca

[root@rhel6-5 ~]# ls -ld /var/lib/pki-ca/alias/
drwxrwx---. 2 pkiuser pkiuser 4096 Jan 21 12:59 /var/lib/pki-ca/alias/

[root@rhel6-5 ~]# ls -ld /var/lib/pki-ca/alias
drwxrwx---. 2 pkiuser pkiuser 4096 Jan 21 12:59 /var/lib/pki-ca/alias

Yet, I see this in ipaupgrade.log:

2013-01-21T18:17:13Z DEBUG args=/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-p
ki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert
 "auditSigningCert cert-pki-ca" -P XXXXXXXX
2013-01-21T18:17:13Z DEBUG stdout=The location "/var/lib/pki-ca/alias" must be a directory.

2013-01-21T18:17:13Z DEBUG stderr=
2013-01-21T18:17:13Z ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1


Version-Release number of selected component (if applicable):
RHEL6.3 IPA 2.2 -> 3.0 upgrade:

ipa-server-3.0.0-22.el6.x86_64
certmonger-0.61-3.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1.  Install IPA on RHEL6.3 server
2.  add RHEL6.4 repos
3.  yum -y update certmonger
4.  yum -y update ipa-server
  
Actual results:

shows error above.

Expected results:

no error.

Additional info:

--- Additional comment from RHEL Product and Program Management on 2013-01-21 14:03:39 EST ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Scott Poore on 2013-01-21 15:40:01 EST ---

running additional tests working with Rob on this:

1.  pre-update certmonger, restart messagebus, restart certmonger, update ipa-server:

failed with same error.

2.  pre-update certmonger and messagebus, restart messagebus, restart certmonger, update ipa-server:

failed with same error.

--- Additional comment from Rob Crittenden on 2013-01-21 17:06:56 EST ---

I notice that downgrading to certmonger-0.56-1 and running 'getcert list-cas' still lists dogtag-ipa-renew-agent as an available CA type even though its underlying provider file is gone.

I wasn't able to make this go away via various restarts of certmonger/messagebus.

--- Additional comment from Rob Crittenden on 2013-01-21 17:33:55 EST ---

Found it in a file in /var/lib/certmonger/cas

--- Additional comment from Rob Crittenden on 2013-01-21 18:36:40 EST ---

selinux-policy-3.7.19-193.el6.noarch

Looks like SELinux exceptions:

type=AVC msg=audit(1358810171.195:87): avc:  denied  { search } for  pid=9243 comm="certmonger" name="pki-ca" dev=dm-0 ino=5659 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1358810171.195:87): avc:  denied  { getattr } for  pid=9243 comm="certmonger" path="/var/lib/pki-ca/alias" dev=dm-0 ino=5660 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1358810171.201:88): avc:  denied  { getattr } for  pid=9793 comm="certmonger" path="/var/lib/pki-ca/alias/cert8.db" dev=dm-0 ino=5977 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=file
type=AVC msg=audit(1358810171.201:89): avc:  denied  { read } for  pid=9793 comm="certmonger" name="cert8.db" dev=dm-0 ino=5977 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=file
type=AVC msg=audit(1358810171.201:89): avc:  denied  { open } for  pid=9793 comm="certmonger" name="cert8.db" dev=dm-0 ino=5977 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=file
type=AVC msg=audit(1358810171.213:90): avc:  denied  { write } for  pid=9794 comm="certmonger" name="cert8.db" dev=dm-0 ino=5977 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=file

--- Additional comment from Scott Poore on 2013-01-21 18:44:07 EST ---

And I saw similar for a beaker test job:

----
time->Sun Jan 20 11:14:57 2013

type=SYSCALL msg=audit(1358698497.969:606): arch=c000003e syscall=4 success=no exit=-13 a0=2507660 a1=7fff722d10f0 a2=7fff722d10f0 a3=3011139180 items=0 ppid=1 pid=13659 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe=2F7573722F7362696E2F636572746D6F6E676572202864656C6574656429 subj=unconfined_u:system_r:certmonger_t:s0 key=(null)

type=AVC msg=audit(1358698497.969:606): avc:  denied  { search } for  pid=13659 comm="certmonger" name="pki-ca" dev=dm-0 ino=2624285 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir

----
time->Sun Jan 20 11:14:57 2013

type=SYSCALL msg=audit(1358698497.940:605): arch=c000003e syscall=4 success=no exit=-13 a0=2507660 a1=7fff722d10f0 a2=7fff722d10f0 a3=7fff722d0e70 items=0 ppid=1 pid=13659 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe=2F7573722F7362696E2F636572746D6F6E676572202864656C6574656429 subj=unconfined_u:system_r:certmonger_t:s0 key=(null)

type=AVC msg=audit(1358698497.940:605): avc:  denied  { search } for  pid=13659 comm="certmonger" name="pki-ca" dev=dm-0 ino=2624285 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir

----
time->Sun Jan 20 11:14:57 2013

type=SYSCALL msg=audit(1358698497.995:607): arch=c000003e syscall=4 success=no exit=-13 a0=2507660 a1=7fff722d10f0 a2=7fff722d10f0 a3=3011139180 items=0 ppid=1 pid=13659 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe=2F7573722F7362696E2F636572746D6F6E676572202864656C6574656429 subj=unconfined_u:system_r:certmonger_t:s0 key=(null)

type=AVC msg=audit(1358698497.995:607): avc:  denied  { search } for  pid=13659 comm="certmonger" name="pki-ca" dev=dm-0 ino=2624285 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir

----
time->Sun Jan 20 11:14:58 2013

type=SYSCALL msg=audit(1358698498.084:608): arch=c000003e syscall=4 success=no exit=-13 a0=2509680 a1=7fff722d10f0 a2=7fff722d10f0 a3=3011139180 items=0 ppid=1 pid=13659 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe=2F7573722F7362696E2F636572746D6F6E676572202864656C6574656429 subj=unconfined_u:system_r:certmonger_t:s0 key=(null)

type=AVC msg=audit(1358698498.084:608): avc:  denied  { search } for  pid=13659 comm="certmonger" name="pki-ca" dev=dm-0 ino=2624285 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=dir

--- Additional comment from Miroslav Grepl on 2013-01-22 01:19:13 EST ---

We label it in Fedora as

# matchpathcon /var/lib/pki-ca/alias/cert8.d
/var/lib/pki-ca/alias/cert8.d	system_u:object_r:pki_tomcat_cert_t:s0

and call

optional_policy(`
    pki_rw_tomcat_cert(certmonger_t)
')

--- Additional comment from Matthew Harmsen on 2013-01-22 18:11:19 EST ---

alee checked the following into the 'IPA_v2_RHEL_6_ERRATA_BRANCH':

    * commit ca5fa67a0d0797d1f4c54bbd4d9db3661eaeb8c9
      Author: Ade Lee <alee>
      Date:   Tue Jan 22 11:15:16 2013 -0800

          Resolves #902474 - upgrading IPA from 2.2 to 3.0 sees certmonger errors

--- Additional comment from errata-xmlrpc on 2013-01-22 18:33:12 EST ---

Bug report changed to ON_QA status by Errata System.
A QE request has been submitted for advisory RHSA-2012:13959-06
http://errata.devel.redhat.com/errata/show/13959

--- Additional comment from Scott Poore on 2013-01-23 15:56:21 EST ---

hmm...I no longer see the AVCs but, do still see the error messages when I do an initial upgade.  Because of how my tests work, I install, upgrade, uninstall/downgrade, and start over to test something else.  Well, on subsequent tests, I do not see the error.

So, testing to confirm if the certmonger errors are SELinux related, I 

1. rebuilt a VM to rhel6.3
2. install 2.2 version of IPA
3. pointed to 6.4 repos
4. setenforce 0
5. semodule -DB # disable don't audit rules to pick up more
6. yum -u update ipa-server

Then I see same errors as originally posted.

Will post logs too.

--- Additional comment from Scott Poore on 2013-01-23 15:58:45 EST ---

Created attachment 686265 [details]
audit log from ipa upgade after selinux set to permissive and disabling don't audit

--- Additional comment from Scott Poore on 2013-01-23 16:00:13 EST ---

Created attachment 686267 [details]
ipa upgrade log with certmonger failures

--- Additional comment from Scott Poore on 2013-01-23 16:53:18 EST ---

Ok, from fresh install:

[root@rhel6-2 ~]# rpm -q ipa-server
ipa-server-2.2.0-16.el6.x86_64


[root@rhel6-2 ~]# ipa-getcert list-cas
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
[root@rhel6-2 ~]# getcert list-cas
CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/certmaster-submit

add repos and the update just dbus and certmonger:

[root@rhel6-2 ~]# yum -y update dbus certmonger
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity

This machine has not been registered and therefore has
no access to security and other critical updates. Please
register using subscription-manager.

Repository 'rhel63-optional' is missing name in configuration, using id
beaker-client                                                                   | 1.3 kB     00:00     
beaker-client/primary                                                           | 7.2 kB     00:00     
beaker-client                                                                                    35/35
mytestrepo1                                                                     | 3.9 kB     00:00     
mytestrepo1/primary_db                                                          | 3.1 MB     00:02     
mytestrepo2                                                                     | 3.7 kB     00:00     
mytestrepo2/primary_db                                                          | 1.3 MB     00:01     
mytestrepo3                                                                     | 1.3 kB     00:00     
mytestrepo3/primary                                                             | 3.6 kB     00:00     
mytestrepo3                                                                                        7/7
mytestrepo4                                                                     | 1.3 kB     00:00     
mytestrepo4/primary                                                             | 4.3 kB     00:00     
mytestrepo4                                                                                      13/13
mytestrepo5                                                                     | 3.9 kB     00:00     
mytestrepo5/primary_db                                                          | 3.2 MB     00:02     
rhel63-optional                                                                 | 3.8 kB     00:00     
rhel63-optional/primary_db                                                      | 1.3 MB     00:01     
rhel63z                                                                         | 2.2 kB     00:00     
rhel63z/primary_db                                                              | 4.0 MB     00:03     
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package certmonger.x86_64 0:0.56-1.el6 will be updated
---> Package certmonger.x86_64 0:0.61-3.el6 will be an update
--> Processing Dependency: libtevent.so.0(TEVENT_0.9.9)(64bit) for package: certmonger-0.61-3.el6.x86_64
--> Processing Dependency: libtalloc.so.2(TALLOC_2.0.2)(64bit) for package: certmonger-0.61-3.el6.x86_64
--> Running transaction check
---> Package libtalloc.x86_64 0:2.0.1-1.1.el6 will be updated
---> Package libtalloc.x86_64 0:2.0.7-2.el6 will be an update
---> Package libtevent.x86_64 0:0.9.8-8.el6 will be updated
---> Package libtevent.x86_64 0:0.9.17-1.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                 Arch                Version                    Repository                Size
=======================================================================================================
Updating:
 certmonger              x86_64              0.61-3.el6                 mytestrepo1              280 k
Updating for dependencies:
 libtalloc               x86_64              2.0.7-2.el6                mytestrepo1               20 k
 libtevent               x86_64              0.9.17-1.el6               mytestrepo1               24 k

Transaction Summary
=======================================================================================================
Upgrade       3 Package(s)

Total download size: 324 k
Downloading Packages:
(1/3): certmonger-0.61-3.el6.x86_64.rpm                                         | 280 kB     00:00     
(2/3): libtalloc-2.0.7-2.el6.x86_64.rpm                                         |  20 kB     00:00     
(3/3): libtevent-0.9.17-1.el6.x86_64.rpm                                        |  24 kB     00:00     
-------------------------------------------------------------------------------------------------------
Total                                                                  273 kB/s | 324 kB     00:01     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : libtalloc-2.0.7-2.el6.x86_64                                                        1/6 
  Updating   : libtevent-0.9.17-1.el6.x86_64                                                       2/6 
  Updating   : certmonger-0.61-3.el6.x86_64                                                        3/6 
  Cleanup    : certmonger-0.56-1.el6.x86_64                                                        4/6 
  Cleanup    : libtevent-0.9.8-8.el6.x86_64                                                        5/6 
  Cleanup    : libtalloc-2.0.1-1.1.el6.x86_64                                                      6/6 
mytestrepo1/productid                                                           | 1.7 kB     00:00     
mytestrepo5/productid                                                           | 1.7 kB     00:00     
Installed products updated.
  Verifying  : libtevent-0.9.17-1.el6.x86_64                                                       1/6 
  Verifying  : certmonger-0.61-3.el6.x86_64                                                        2/6 
  Verifying  : libtalloc-2.0.7-2.el6.x86_64                                                        3/6 
  Verifying  : certmonger-0.56-1.el6.x86_64                                                        4/6 
  Verifying  : libtalloc-2.0.1-1.1.el6.x86_64                                                      5/6 
  Verifying  : libtevent-0.9.8-8.el6.x86_64                                                        6/6 

Updated:
  certmonger.x86_64 0:0.61-3.el6                                                                       

Dependency Updated:
  libtalloc.x86_64 0:2.0.7-2.el6                    libtevent.x86_64 0:0.9.17-1.el6                   

Complete!
[root@rhel6-2 ~]# getcert list-cas
CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit

[root@rhel6-2 ~]# rpm -q ipa-server
ipa-server-2.2.0-16.el6.x86_64

[root@rhel6-2 ~]# service messagebus restart
Stopping system message bus:                               [  OK  ]
Starting system message bus:                               [  OK  ]

[root@rhel6-2 ~]# service certmonger restart
Stopping certmonger:                                       [  OK  ]
Starting certmonger:                                       [  OK  ]

[root@rhel6-2 ~]# ls /var/lib/certmonger/cas/
20130107174444  20130107174445  20130107174445-1

[root@rhel6-2 ~]# cat /var/lib/certmonger/cas/*
id=SelfSign
ca_is_default=0
ca_type=INTERNAL:SELF
ca_internal_serial=01
id=IPA
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/ipa-submit
id=certmaster
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/certmaster-submit

SO...at this point, getcert listcas does show dogtag-ipa-renew-agent but, there doesn't appear to be a file for it in /var/lib/certmonger/cas.

Now, to note, if I upgrade, downgrade, upgade again, that file is left behind...I'm testing what happens if it's removed before initial install and before upgade.  will post update  when done

--- Additional comment from Scott Poore on 2013-01-23 17:12:50 EST ---

ok, I uninstalled/downgraded and cleaned up /var/lib/certmonger/cas/ by deleting the 4 files that matched the CAs.  Then I did install and finally upgrade.  Now I also see the errors I was seeing on initial install only.

Will test more before upgrade to see what's there and what can be done.

--- Additional comment from Scott Poore on 2013-01-23 17:41:04 EST ---

Ok, twice in a row now when I pre-update certmonger and dbus (like in comment #13), I no longer see that error.  Testing on a freshly installed server instead of re-running from reverted virsh snapshot to see if I see the same.

--- Additional comment from Scott Poore on 2013-01-23 22:07:40 EST ---

Ok, I've run tests several different times and so far, now it does look like I no longer see those errors is if upgrade certmonger and dbus first.

Comment 1 Scott Poore 2013-01-24 19:22:28 UTC

Ok, running testing with pre-update with debugging:

yum --rpmverbosity=debug -y update certmonger

This showed certmonger's postun running service certmonger condrestart:

D:     erase: %postun(certmonger-0.56-1.el6.x86_64) scriptlet start
D:     erase: %postun(certmonger-0.56-1.el6.x86_64)	execv(/bin/sh) pid 2121
+ test 1 -gt 0
+ /sbin/service certmonger condrestart
+ exit 0

In the normal full ipa-server update, that was occuring AFTER ipa-server post ran ipa-upgradeconfig.  This caused the issue we saw with certmonger failures.  So when certmonger pre-updated, it worked.

Comment 4 Rob Crittenden 2013-01-24 21:13:21 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3378

Comment 5 Martin Kosek 2013-01-25 09:51:55 UTC

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/41d11f443bebc0a1303980363a4f751bfdbf2c12
ipa-3-1: https://fedorahosted.org/freeipa/changeset/771624bb72af1d0df8aa3cf3c5a71ae28ab590d3
ipa-3-0: https://fedorahosted.org/freeipa/changeset/2b6ea84c774f033061006f21127dda2941c7be98

Comment 8 Scott Poore 2013-01-25 15:20:49 UTC

Verified.

Version ::

ipa-server-2.2.0-16.el6.x86_64
upgrade to:
ipa-server-3.0.0-24.el6.x86_64

Manual Test Results ::

Below I do not see the certmonger errors I was seeing before.

[root@rhel6-2 yum.local.d]# rpm -q ipa-server
ipa-server-2.2.0-16.el6.x86_64

[root@rhel6-2 yum.local.d]# yum -y update ipa-server
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity

This machine has not been registered and therefore has
no access to security and other critical updates. Please
register using subscription-manager.

Repository 'rhel63-optional' is missing name in configuration, using id
beaker-client                                                                   | 1.3 kB     00:00     
beaker-client/primary                                                           | 7.2 kB     00:00     
beaker-client                                                                                    35/35
mylocal                                                                         | 2.9 kB     00:00 ... 
mylocal/primary_db                                                              |  11 kB     00:00 ... 
mytestrepo1                                                                     | 3.9 kB     00:00     
mytestrepo1/primary_db                                                          | 3.1 MB     00:02     
mytestrepo2                                                                     | 3.7 kB     00:00     
mytestrepo2/primary_db                                                          | 1.3 MB     00:01     
mytestrepo3                                                                     | 1.3 kB     00:00     
mytestrepo3/primary                                                             | 3.6 kB     00:00     
mytestrepo3                                                                                        7/7
mytestrepo4                                                                     | 1.3 kB     00:00     
mytestrepo4/primary                                                             | 4.3 kB     00:00     
mytestrepo4                                                                                      13/13
mytestrepo5                                                                     | 3.9 kB     00:00     
mytestrepo5/primary_db                                                          | 3.2 MB     00:02     
rhel63-optional                                                                 | 3.8 kB     00:00     
rhel63-optional/primary_db                                                      | 1.3 MB     00:01     
rhel63z                                                                         | 2.2 kB     00:00     
rhel63z/primary_db                                                              | 4.0 MB     00:03     
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package ipa-server.x86_64 0:2.2.0-16.el6 will be updated
--> Processing Dependency: ipa-server = 2.2.0-16.el6 for package: ipa-server-selinux-2.2.0-16.el6.x86_64
--> Processing Dependency: ipa-server = 2.2.0-16.el6 for package: ipa-server-selinux-2.2.0-16.el6.x86_64
---> Package ipa-server.x86_64 0:3.0.0-24.el6 will be an update
--> Processing Dependency: ipa-python = 3.0.0-24.el6 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: ipa-client = 3.0.0-24.el6 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: ipa-admintools = 3.0.0-24.el6 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: selinux-policy >= 3.7.19-193 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: selinux-policy >= 3.7.19-193 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: pki-silent >= 9.0.3-30 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: pki-setup >= 9.0.3-30 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: pki-ca >= 9.0.3-30 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: pki-ca >= 9.0.3-30 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: mod_nss >= 1.0.8-18 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: krb5-server >= 1.10 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: certmonger >= 0.61-3 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: 389-ds-base >= 1.2.11.14 for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libtalloc.so.2(TALLOC_2.0.2)(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libndr.so.0(NDR_0.0.1)(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libndr-nbt.so.0(NDR_NBT_0.0.1)(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libsamba-util.so.0()(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libndr.so.0()(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libndr-nbt.so.0()(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Processing Dependency: libndr-krb5pac.so.0()(64bit) for package: ipa-server-3.0.0-24.el6.x86_64
--> Running transaction check
---> Package 389-ds-base.x86_64 0:1.2.10.2-20.el6_3 will be updated
---> Package 389-ds-base.x86_64 0:1.2.11.15-10.el6 will be an update
--> Processing Dependency: 389-ds-base-libs = 1.2.11.15-10.el6 for package: 389-ds-base-1.2.11.15-10.el6.x86_64
--> Processing Dependency: perl-Socket6 for package: 389-ds-base-1.2.11.15-10.el6.x86_64
--> Processing Dependency: perl-NetAddr-IP for package: 389-ds-base-1.2.11.15-10.el6.x86_64
--> Processing Dependency: perl(NetAddr::IP::Util) for package: 389-ds-base-1.2.11.15-10.el6.x86_64
---> Package certmonger.x86_64 0:0.56-1.el6 will be updated
---> Package certmonger.x86_64 0:0.61-3.el6 will be an update
--> Processing Dependency: libtevent.so.0(TEVENT_0.9.9)(64bit) for package: certmonger-0.61-3.el6.x86_64
---> Package ipa-admintools.x86_64 0:2.2.0-16.el6 will be updated
---> Package ipa-admintools.x86_64 0:3.0.0-24.el6 will be an update
---> Package ipa-client.x86_64 0:2.2.0-16.el6 will be updated
---> Package ipa-client.x86_64 0:3.0.0-24.el6 will be an update
--> Processing Dependency: sssd >= 1.9.2-25 for package: ipa-client-3.0.0-24.el6.x86_64
--> Processing Dependency: libsss_autofs for package: ipa-client-3.0.0-24.el6.x86_64
---> Package ipa-python.x86_64 0:2.2.0-16.el6 will be updated
---> Package ipa-python.x86_64 0:3.0.0-24.el6 will be an update
---> Package ipa-server-selinux.x86_64 0:2.2.0-16.el6 will be updated
---> Package ipa-server-selinux.x86_64 0:3.0.0-24.el6 will be an update
---> Package krb5-server.x86_64 0:1.9-33.el6_3.3 will be updated
---> Package krb5-server.x86_64 0:1.10.3-10.el6 will be an update
beaker-client/filelists                                                         | 8.9 kB     00:00     
mylocal/filelists_db                                                            |  11 kB     00:00 ... 
mytestrepo1/filelists_db                                                        | 3.7 MB     00:02     
mytestrepo2/filelists_db                                                        | 2.0 MB     00:01     
mytestrepo3/filelists                                                           | 6.4 kB     00:00     
mytestrepo4/filelists                                                           |  16 kB     00:00     
mytestrepo5/filelists_db                                                        | 3.8 MB     00:06     
rhel63-optional/filelists_db                                                    | 2.0 MB     00:01     
rhel63z/filelists_db                                                            | 7.3 MB     00:04     
--> Processing Dependency: krb5-libs = 1.10.3-10.el6 for package: krb5-server-1.10.3-10.el6.x86_64
--> Processing Dependency: libverto.so.0(verto_0_MIT)(64bit) for package: krb5-server-1.10.3-10.el6.x86_64
--> Processing Dependency: libverto-k5ev.so.0(verto_k5ev_0_MIT)(64bit) for package: krb5-server-1.10.3-10.el6.x86_64
--> Processing Dependency: libkdb5.so.6(kdb5_6_MIT)(64bit) for package: krb5-server-1.10.3-10.el6.x86_64
--> Processing Dependency: libverto.so.0()(64bit) for package: krb5-server-1.10.3-10.el6.x86_64
--> Processing Dependency: libverto-k5ev.so.0()(64bit) for package: krb5-server-1.10.3-10.el6.x86_64
--> Processing Dependency: libkdb5.so.6()(64bit) for package: krb5-server-1.10.3-10.el6.x86_64
---> Package libtalloc.x86_64 0:2.0.1-1.1.el6 will be updated
---> Package libtalloc.x86_64 0:2.0.7-2.el6 will be an update
---> Package mod_nss.x86_64 0:1.0.8-15.el6 will be updated
---> Package mod_nss.x86_64 0:1.0.8-18.el6 will be an update
--> Processing Dependency: nss >= 3.14.0.0 for package: mod_nss-1.0.8-18.el6.x86_64
--> Processing Dependency: httpd >= 2.2.15-24 for package: mod_nss-1.0.8-18.el6.x86_64
--> Processing Dependency: libssl3.so(NSS_3.14)(64bit) for package: mod_nss-1.0.8-18.el6.x86_64
---> Package pki-ca.noarch 0:9.0.3-24.el6 will be updated
---> Package pki-ca.noarch 0:9.0.3-30.el6 will be an update
--> Processing Dependency: pki-selinux = 9.0.3-30.el6 for package: pki-ca-9.0.3-30.el6.noarch
--> Processing Dependency: pki-common = 9.0.3-30.el6 for package: pki-ca-9.0.3-30.el6.noarch
---> Package pki-setup.noarch 0:9.0.3-24.el6 will be updated
---> Package pki-setup.noarch 0:9.0.3-30.el6 will be an update
---> Package pki-silent.noarch 0:9.0.3-24.el6 will be updated
---> Package pki-silent.noarch 0:9.0.3-30.el6 will be an update
---> Package samba4-libs.x86_64 0:4.0.0-53.el6.rc4 will be installed
--> Processing Dependency: libtdb.so.1(TDB_1.2.2)(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
--> Processing Dependency: libtdb.so.1(TDB_1.2.1)(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
--> Processing Dependency: libpytalloc-util.so.2(PYTALLOC_UTIL_2.0.6)(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
--> Processing Dependency: libldb.so.1(LDB_1.1.1)(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
--> Processing Dependency: libldb.so.1(LDB_0.9.23)(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
--> Processing Dependency: libldb.so.1(LDB_0.9.15)(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
--> Processing Dependency: libldb.so.1(LDB_0.9.10)(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
--> Processing Dependency: libpytalloc-util.so.2()(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
--> Processing Dependency: libldb.so.1()(64bit) for package: samba4-libs-4.0.0-53.el6.rc4.x86_64
---> Package selinux-policy.noarch 0:3.7.19-155.el6_3.13 will be updated
--> Processing Dependency: selinux-policy = 3.7.19-155.el6_3.13 for package: selinux-policy-targeted-3.7.19-155.el6_3.13.noarch
--> Processing Dependency: selinux-policy = 3.7.19-155.el6_3.13 for package: selinux-policy-targeted-3.7.19-155.el6_3.13.noarch
---> Package selinux-policy.noarch 0:3.7.19-194.el6 will be an update
--> Running transaction check
---> Package 389-ds-base-libs.x86_64 0:1.2.10.2-20.el6_3 will be updated
---> Package 389-ds-base-libs.x86_64 0:1.2.11.15-10.el6 will be an update
---> Package httpd.x86_64 0:2.2.15-15.el6_2.1 will be updated
---> Package httpd.x86_64 0:2.2.15-26.el6 will be an update
--> Processing Dependency: httpd-tools = 2.2.15-26.el6 for package: httpd-2.2.15-26.el6.x86_64
---> Package krb5-libs.x86_64 0:1.9-33.el6_3.3 will be updated
--> Processing Dependency: libkdb5.so.5()(64bit) for package: krb5-workstation-1.9-33.el6_3.3.x86_64
--> Processing Dependency: libkdb5.so.5(kdb5_5_MIT)(64bit) for package: krb5-workstation-1.9-33.el6_3.3.x86_64
--> Processing Dependency: krb5-libs = 1.9-33.el6_3.3 for package: krb5-pkinit-openssl-1.9-33.el6_3.3.x86_64
--> Processing Dependency: krb5-libs = 1.9-33.el6_3.3 for package: krb5-workstation-1.9-33.el6_3.3.x86_64
---> Package krb5-libs.x86_64 0:1.10.3-10.el6 will be an update
---> Package libldb.x86_64 0:0.9.10-23.el6 will be updated
---> Package libldb.x86_64 0:1.1.13-3.el6 will be an update
---> Package libsss_autofs.x86_64 0:1.9.2-74.el6 will be installed
---> Package libtdb.x86_64 0:1.2.1-3.el6 will be updated
---> Package libtdb.x86_64 0:1.2.10-1.el6 will be an update
---> Package libtevent.x86_64 0:0.9.8-8.el6 will be updated
---> Package libtevent.x86_64 0:0.9.17-1.el6 will be an update
---> Package nss.x86_64 0:3.13.5-1.el6_3 will be updated
--> Processing Dependency: nss = 3.13.5-1.el6_3 for package: nss-sysinit-3.13.5-1.el6_3.x86_64
--> Processing Dependency: nss = 3.13.5-1.el6_3 for package: nss-tools-3.13.5-1.el6_3.x86_64
---> Package nss.x86_64 0:3.14.0.0-12.el6 will be an update
--> Processing Dependency: nss-util >= 3.14.0.0 for package: nss-3.14.0.0-12.el6.x86_64
--> Processing Dependency: nspr >= 4.9.2 for package: nss-3.14.0.0-12.el6.x86_64
--> Processing Dependency: libnssutil3.so(NSSUTIL_3.14)(64bit) for package: nss-3.14.0.0-12.el6.x86_64
---> Package perl-NetAddr-IP.x86_64 0:4.027-7.el6 will be installed
---> Package perl-Socket6.x86_64 0:0.23-3.el6 will be installed
---> Package pki-common.noarch 0:9.0.3-24.el6 will be updated
---> Package pki-common.noarch 0:9.0.3-30.el6 will be an update
--> Processing Dependency: pki-symkey = 9.0.3-30.el6 for package: pki-common-9.0.3-30.el6.noarch
--> Processing Dependency: pki-java-tools = 9.0.3-30.el6 for package: pki-common-9.0.3-30.el6.noarch
---> Package pki-selinux.noarch 0:9.0.3-24.el6 will be updated
---> Package pki-selinux.noarch 0:9.0.3-30.el6 will be an update
---> Package pytalloc.x86_64 0:2.0.7-2.el6 will be installed
---> Package selinux-policy-targeted.noarch 0:3.7.19-155.el6_3.13 will be updated
---> Package selinux-policy-targeted.noarch 0:3.7.19-194.el6 will be an update
---> Package sssd.x86_64 0:1.8.0-32.el6 will be updated
---> Package sssd.x86_64 0:1.9.2-74.el6 will be an update
--> Processing Dependency: sssd-client(x86-64) = 1.9.2-74.el6 for package: sssd-1.9.2-74.el6.x86_64
--> Processing Dependency: libsss_idmap(x86-64) = 1.9.2-74.el6 for package: sssd-1.9.2-74.el6.x86_64
--> Processing Dependency: libipa_hbac(x86-64) = 1.9.2-74.el6 for package: sssd-1.9.2-74.el6.x86_64
--> Processing Dependency: libsss_idmap.so.0()(64bit) for package: sssd-1.9.2-74.el6.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-15.el6_2.1 will be updated
---> Package httpd-tools.x86_64 0:2.2.15-26.el6 will be an update
---> Package krb5-pkinit-openssl.x86_64 0:1.9-33.el6_3.3 will be obsoleted
---> Package krb5-pkinit-openssl.x86_64 0:1.9-33.el6_3.3 will be updated
---> Package krb5-pkinit-openssl.x86_64 0:1.10.3-10.el6 will be obsoleting
---> Package krb5-workstation.x86_64 0:1.9-33.el6_3.3 will be updated
---> Package krb5-workstation.x86_64 0:1.10.3-10.el6 will be an update
---> Package libipa_hbac.x86_64 0:1.8.0-32.el6 will be updated
--> Processing Dependency: libipa_hbac = 1.8.0-32.el6 for package: libipa_hbac-python-1.8.0-32.el6.x86_64
---> Package libipa_hbac.x86_64 0:1.9.2-74.el6 will be an update
---> Package libsss_idmap.x86_64 0:1.9.2-74.el6 will be installed
---> Package nspr.x86_64 0:4.9.1-2.el6_3 will be updated
---> Package nspr.x86_64 0:4.9.2-1.el6 will be an update
---> Package nss-sysinit.x86_64 0:3.13.5-1.el6_3 will be updated
---> Package nss-sysinit.x86_64 0:3.14.0.0-12.el6 will be an update
---> Package nss-tools.x86_64 0:3.13.5-1.el6_3 will be updated
---> Package nss-tools.x86_64 0:3.14.0.0-12.el6 will be an update
---> Package nss-util.x86_64 0:3.13.5-1.el6_3 will be updated
---> Package nss-util.x86_64 0:3.14.0.0-2.el6 will be an update
---> Package pki-java-tools.noarch 0:9.0.3-24.el6 will be updated
---> Package pki-java-tools.noarch 0:9.0.3-30.el6 will be an update
--> Processing Dependency: pki-util = 9.0.3-30.el6 for package: pki-java-tools-9.0.3-30.el6.noarch
--> Processing Dependency: pki-native-tools = 9.0.3-30.el6 for package: pki-java-tools-9.0.3-30.el6.noarch
---> Package pki-symkey.x86_64 0:9.0.3-24.el6 will be updated
---> Package pki-symkey.x86_64 0:9.0.3-30.el6 will be an update
---> Package sssd-client.x86_64 0:1.8.0-32.el6 will be updated
---> Package sssd-client.x86_64 0:1.9.2-74.el6 will be an update
--> Running transaction check
---> Package libipa_hbac-python.x86_64 0:1.8.0-32.el6 will be updated
---> Package libipa_hbac-python.x86_64 0:1.9.2-74.el6 will be an update
---> Package pki-native-tools.x86_64 0:9.0.3-24.el6 will be updated
---> Package pki-native-tools.x86_64 0:9.0.3-30.el6 will be an update
---> Package pki-util.noarch 0:9.0.3-24.el6 will be updated
---> Package pki-util.noarch 0:9.0.3-30.el6 will be an update
--> Processing Conflict: ipa-server-3.0.0-24.el6.x86_64 conflicts bind-dyndb-ldap < 2.3-2
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package bind-dyndb-ldap.x86_64 0:1.1.0-0.9.b1.el6_3.1 will be updated
---> Package bind-dyndb-ldap.x86_64 0:2.3-2.el6 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                          Arch            Version                   Repository            Size
=======================================================================================================
Installing:
 krb5-pkinit-openssl              x86_64          1.10.3-10.el6             mytestrepo1          117 k
     replacing  krb5-pkinit-openssl.x86_64 1.9-33.el6_3.3
Updating:
 bind-dyndb-ldap                  x86_64          2.3-2.el6                 mytestrepo1           68 k
 ipa-server                       x86_64          3.0.0-24.el6              mylocal              1.1 M
Installing for dependencies:
 libsss_autofs                    x86_64          1.9.2-74.el6              mytestrepo1           81 k
 libsss_idmap                     x86_64          1.9.2-74.el6              mytestrepo1           80 k
 perl-NetAddr-IP                  x86_64          4.027-7.el6               mytestrepo1           96 k
 perl-Socket6                     x86_64          0.23-3.el6                mytestrepo1           23 k
 pytalloc                         x86_64          2.0.7-2.el6               mytestrepo1          9.5 k
 samba4-libs                      x86_64          4.0.0-53.el6.rc4          mytestrepo1          4.0 M
Updating for dependencies:
 389-ds-base                      x86_64          1.2.11.15-10.el6          mytestrepo1          1.5 M
 389-ds-base-libs                 x86_64          1.2.11.15-10.el6          mytestrepo1          390 k
 certmonger                       x86_64          0.61-3.el6                mytestrepo1          280 k
 httpd                            x86_64          2.2.15-26.el6             mytestrepo1          821 k
 httpd-tools                      x86_64          2.2.15-26.el6             mytestrepo1           72 k
 ipa-admintools                   x86_64          3.0.0-24.el6              mylocal               61 k
 ipa-client                       x86_64          3.0.0-24.el6              mylocal              137 k
 ipa-python                       x86_64          3.0.0-24.el6              mylocal              918 k
 ipa-server-selinux               x86_64          3.0.0-24.el6              mylocal               60 k
 krb5-libs                        x86_64          1.10.3-10.el6             mytestrepo1          760 k
 krb5-server                      x86_64          1.10.3-10.el6             mytestrepo1          2.0 M
 krb5-workstation                 x86_64          1.10.3-10.el6             mytestrepo1          804 k
 libipa_hbac                      x86_64          1.9.2-74.el6              mytestrepo1           78 k
 libipa_hbac-python               x86_64          1.9.2-74.el6              mytestrepo1           72 k
 libldb                           x86_64          1.1.13-3.el6              mytestrepo1          111 k
 libtalloc                        x86_64          2.0.7-2.el6               mytestrepo1           20 k
 libtdb                           x86_64          1.2.10-1.el6              mytestrepo1           33 k
 libtevent                        x86_64          0.9.17-1.el6              mytestrepo1           24 k
 mod_nss                          x86_64          1.0.8-18.el6              mytestrepo1           86 k
 nspr                             x86_64          4.9.2-1.el6               mytestrepo1          111 k
 nss                              x86_64          3.14.0.0-12.el6           mytestrepo1          770 k
 nss-sysinit                      x86_64          3.14.0.0-12.el6           mytestrepo1           34 k
 nss-tools                        x86_64          3.14.0.0-12.el6           mytestrepo1          735 k
 nss-util                         x86_64          3.14.0.0-2.el6            mytestrepo1           62 k
 pki-ca                           noarch          9.0.3-30.el6              mytestrepo4          204 k
 pki-common                       noarch          9.0.3-30.el6              mytestrepo4          2.3 M
 pki-java-tools                   noarch          9.0.3-30.el6              mytestrepo4          123 k
 pki-native-tools                 x86_64          9.0.3-30.el6              mytestrepo4          121 k
 pki-selinux                      noarch          9.0.3-30.el6              mytestrepo4           61 k
 pki-setup                        noarch          9.0.3-30.el6              mytestrepo4           80 k
 pki-silent                       noarch          9.0.3-30.el6              mytestrepo4          265 k
 pki-symkey                       x86_64          9.0.3-30.el6              mytestrepo4           55 k
 pki-util                         noarch          9.0.3-30.el6              mytestrepo4          492 k
 selinux-policy                   noarch          3.7.19-194.el6            mytestrepo1          1.7 M
 selinux-policy-targeted          noarch          3.7.19-194.el6            mytestrepo1          2.8 M
 sssd                             x86_64          1.9.2-74.el6              mytestrepo1          3.6 M
 sssd-client                      x86_64          1.9.2-74.el6              mytestrepo1          117 k

Transaction Summary
=======================================================================================================
Install       7 Package(s)
Upgrade      39 Package(s)

Total download size: 27 M
Downloading Packages:
(1/46): 389-ds-base-1.2.11.15-10.el6.x86_64.rpm                                 | 1.5 MB     00:01     
(2/46): 389-ds-base-libs-1.2.11.15-10.el6.x86_64.rpm                            | 390 kB     00:00     
(3/46): bind-dyndb-ldap-2.3-2.el6.x86_64.rpm                                    |  68 kB     00:00     
(4/46): certmonger-0.61-3.el6.x86_64.rpm                                        | 280 kB     00:00     
(5/46): httpd-2.2.15-26.el6.x86_64.rpm                                          | 821 kB     00:00     
(6/46): httpd-tools-2.2.15-26.el6.x86_64.rpm                                    |  72 kB     00:00     
(12/46): krb5-libs-1.10.3-10.el6.x86_64.rpm                                     | 760 kB     00:00     
(13/46): krb5-pkinit-openssl-1.10.3-10.el6.x86_64.rpm                           | 117 kB     00:00     
(14/46): krb5-server-1.10.3-10.el6.x86_64.rpm                                   | 2.0 MB     00:01     
(15/46): krb5-workstation-1.10.3-10.el6.x86_64.rpm                              | 804 kB     00:00     
(16/46): libipa_hbac-1.9.2-74.el6.x86_64.rpm                                    |  78 kB     00:00     
(17/46): libipa_hbac-python-1.9.2-74.el6.x86_64.rpm                             |  72 kB     00:00     
(18/46): libldb-1.1.13-3.el6.x86_64.rpm                                         | 111 kB     00:00     
(19/46): libsss_autofs-1.9.2-74.el6.x86_64.rpm                                  |  81 kB     00:00     
(20/46): libsss_idmap-1.9.2-74.el6.x86_64.rpm                                   |  80 kB     00:00     
(21/46): libtalloc-2.0.7-2.el6.x86_64.rpm                                       |  20 kB     00:00     
(22/46): libtdb-1.2.10-1.el6.x86_64.rpm                                         |  33 kB     00:00     
(23/46): libtevent-0.9.17-1.el6.x86_64.rpm                                      |  24 kB     00:00     
(24/46): mod_nss-1.0.8-18.el6.x86_64.rpm                                        |  86 kB     00:00     
(25/46): nspr-4.9.2-1.el6.x86_64.rpm                                            | 111 kB     00:00     
(26/46): nss-3.14.0.0-12.el6.x86_64.rpm                                         | 770 kB     00:00     
(27/46): nss-sysinit-3.14.0.0-12.el6.x86_64.rpm                                 |  34 kB     00:00     
(28/46): nss-tools-3.14.0.0-12.el6.x86_64.rpm                                   | 735 kB     00:00     
(29/46): nss-util-3.14.0.0-2.el6.x86_64.rpm                                     |  62 kB     00:00     
(30/46): perl-NetAddr-IP-4.027-7.el6.x86_64.rpm                                 |  96 kB     00:00     
(31/46): perl-Socket6-0.23-3.el6.x86_64.rpm                                     |  23 kB     00:00     
(32/46): pki-ca-9.0.3-30.el6.noarch.rpm                                         | 204 kB     00:02     
(33/46): pki-common-9.0.3-30.el6.noarch.rpm                                     | 2.3 MB     00:04     
(34/46): pki-java-tools-9.0.3-30.el6.noarch.rpm                                 | 123 kB     00:01     
(35/46): pki-native-tools-9.0.3-30.el6.x86_64.rpm                               | 121 kB     00:01     
(36/46): pki-selinux-9.0.3-30.el6.noarch.rpm                                    |  61 kB     00:00     
(37/46): pki-setup-9.0.3-30.el6.noarch.rpm                                      |  80 kB     00:01     
(38/46): pki-silent-9.0.3-30.el6.noarch.rpm                                     | 265 kB     00:02     
(39/46): pki-symkey-9.0.3-30.el6.x86_64.rpm                                     |  55 kB     00:04     
(40/46): pki-util-9.0.3-30.el6.noarch.rpm                                       | 492 kB     00:04     
(41/46): pytalloc-2.0.7-2.el6.x86_64.rpm                                        | 9.5 kB     00:00     
(42/46): samba4-libs-4.0.0-53.el6.rc4.x86_64.rpm                                | 4.0 MB     00:05     
(43/46): selinux-policy-3.7.19-194.el6.noarch.rpm                               | 1.7 MB     00:01     
(44/46): selinux-policy-targeted-3.7.19-194.el6.noarch.rpm                      | 2.8 MB     00:01     
(45/46): sssd-1.9.2-74.el6.x86_64.rpm                                           | 3.6 MB     00:02     
(46/46): sssd-client-1.9.2-74.el6.x86_64.rpm                                    | 117 kB     00:00     
-------------------------------------------------------------------------------------------------------
Total                                                                  456 kB/s |  27 MB     01:01     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : krb5-libs-1.10.3-10.el6.x86_64                                                     1/86 
  Updating   : nspr-4.9.2-1.el6.x86_64                                                            2/86 
  Updating   : nss-util-3.14.0.0-2.el6.x86_64                                                     3/86 
  Updating   : nss-sysinit-3.14.0.0-12.el6.x86_64                                                 4/86 
  Updating   : nss-3.14.0.0-12.el6.x86_64                                                         5/86 
  Updating   : libtalloc-2.0.7-2.el6.x86_64                                                       6/86 
  Updating   : libtevent-0.9.17-1.el6.x86_64                                                      7/86 
  Updating   : nss-tools-3.14.0.0-12.el6.x86_64                                                   8/86 
  Updating   : libtdb-1.2.10-1.el6.x86_64                                                         9/86 
  Updating   : libldb-1.1.13-3.el6.x86_64                                                        10/86 
  Updating   : certmonger-0.61-3.el6.x86_64                                                      11/86 
  Updating   : libipa_hbac-1.9.2-74.el6.x86_64                                                   12/86 
  Updating   : pki-setup-9.0.3-30.el6.noarch                                                     13/86 
  Updating   : selinux-policy-3.7.19-194.el6.noarch                                              14/86 
  Updating   : selinux-policy-targeted-3.7.19-194.el6.noarch                                     15/86 
  Updating   : pki-selinux-9.0.3-30.el6.noarch                                                   16/86 
  Updating   : libipa_hbac-python-1.9.2-74.el6.x86_64                                            17/86 
  Updating   : ipa-python-3.0.0-24.el6.x86_64                                                    18/86 
  Updating   : pki-native-tools-9.0.3-30.el6.x86_64                                              19/86 
  Installing : pytalloc-2.0.7-2.el6.x86_64                                                       20/86 
  Installing : samba4-libs-4.0.0-53.el6.rc4.x86_64                                               21/86 
  Updating   : 389-ds-base-libs-1.2.11.15-10.el6.x86_64                                          22/86 
  Updating   : pki-symkey-9.0.3-30.el6.x86_64                                                    23/86 
  Updating   : sssd-client-1.9.2-74.el6.x86_64                                                   24/86 
  Updating   : krb5-workstation-1.10.3-10.el6.x86_64                                             25/86 
  Updating   : krb5-server-1.10.3-10.el6.x86_64                                                  26/86 
  Updating   : httpd-tools-2.2.15-26.el6.x86_64                                                  27/86 
  Updating   : httpd-2.2.15-26.el6.x86_64                                                        28/86 
  Updating   : mod_nss-1.0.8-18.el6.x86_64                                                       29/86 
warning: /etc/httpd/conf.d/nss.conf created as /etc/httpd/conf.d/nss.conf.rpmnew
  Installing : libsss_autofs-1.9.2-74.el6.x86_64                                                 30/86 
  Installing : perl-NetAddr-IP-4.027-7.el6.x86_64                                                31/86 
  Installing : libsss_idmap-1.9.2-74.el6.x86_64                                                  32/86 
  Updating   : sssd-1.9.2-74.el6.x86_64                                                          33/86 
  Updating   : ipa-client-3.0.0-24.el6.x86_64                                                    34/86 
  Updating   : ipa-admintools-3.0.0-24.el6.x86_64                                                35/86 
  Updating   : pki-util-9.0.3-30.el6.noarch                                                      36/86 
  Updating   : pki-java-tools-9.0.3-30.el6.noarch                                                37/86 
  Updating   : pki-common-9.0.3-30.el6.noarch                                                    38/86 
  Updating   : pki-ca-9.0.3-30.el6.noarch                                                        39/86 
  Updating   : pki-silent-9.0.3-30.el6.noarch                                                    40/86 
  Installing : perl-Socket6-0.23-3.el6.x86_64                                                    41/86 
  Updating   : 389-ds-base-1.2.11.15-10.el6.x86_64                                               42/86 
  Updating   : ipa-server-3.0.0-24.el6.x86_64                                                    43/86 
  Updating   : ipa-server-selinux-3.0.0-24.el6.x86_64                                            44/86 
  Updating   : bind-dyndb-ldap-2.3-2.el6.x86_64                                                  45/86 
  Installing : krb5-pkinit-openssl-1.10.3-10.el6.x86_64                                          46/86 
  Cleanup    : ipa-server-selinux-2.2.0-16.el6.x86_64                                            47/86 
  Cleanup    : ipa-server-2.2.0-16.el6.x86_64                                                    48/86 
  Cleanup    : ipa-admintools-2.2.0-16.el6.x86_64                                                49/86 
  Cleanup    : pki-ca-9.0.3-24.el6.noarch                                                        50/86 
  Cleanup    : pki-selinux-9.0.3-24.el6.noarch                                                   51/86 
  Cleanup    : selinux-policy-targeted-3.7.19-155.el6_3.13.noarch                                52/86 
  Cleanup    : pki-silent-9.0.3-24.el6.noarch                                                    53/86 
  Cleanup    : 389-ds-base-1.2.10.2-20.el6_3.x86_64                                              54/86 
  Cleanup    : mod_nss-1.0.8-15.el6.x86_64                                                       55/86 
  Cleanup    : ipa-client-2.2.0-16.el6.x86_64                                                    56/86 
  Cleanup    : pki-common-9.0.3-24.el6.noarch                                                    57/86 
  Cleanup    : sssd-1.8.0-32.el6.x86_64                                                          58/86 
  Cleanup    : certmonger-0.56-1.el6.x86_64                                                      59/86 
  Cleanup    : pki-symkey-9.0.3-24.el6.x86_64                                                    60/86 
  Cleanup    : 389-ds-base-libs-1.2.10.2-20.el6_3.x86_64                                         61/86 
  Cleanup    : pki-java-tools-9.0.3-24.el6.noarch                                                62/86 
  Cleanup    : pki-native-tools-9.0.3-24.el6.x86_64                                              63/86 
  Cleanup    : nss-tools-3.13.5-1.el6_3.x86_64                                                   64/86 
  Cleanup    : nss-sysinit-3.13.5-1.el6_3.x86_64                                                 65/86 
  Cleanup    : nss-3.13.5-1.el6_3.x86_64                                                         66/86 
  Cleanup    : libldb-0.9.10-23.el6.x86_64                                                       67/86 
  Cleanup    : libtevent-0.9.8-8.el6.x86_64                                                      68/86 
  Cleanup    : nss-util-3.13.5-1.el6_3.x86_64                                                    69/86 
  Cleanup    : ipa-python-2.2.0-16.el6.x86_64                                                    70/86 
  Cleanup    : libipa_hbac-python-1.8.0-32.el6.x86_64                                            71/86 
  Cleanup    : krb5-workstation-1.9-33.el6_3.3.x86_64                                            72/86 
  Cleanup    : httpd-2.2.15-15.el6_2.1.x86_64                                                    73/86 
  Cleanup    : krb5-pkinit-openssl-1.9-33.el6_3.3.x86_64                                         74/86 
  Cleanup    : krb5-server-1.9-33.el6_3.3.x86_64                                                 75/86 
  Cleanup    : pki-util-9.0.3-24.el6.noarch                                                      76/86 
  Cleanup    : pki-setup-9.0.3-24.el6.noarch                                                     77/86 
  Cleanup    : selinux-policy-3.7.19-155.el6_3.13.noarch                                         78/86 
  Cleanup    : krb5-libs-1.9-33.el6_3.3.x86_64                                                   79/86 
  Cleanup    : httpd-tools-2.2.15-15.el6_2.1.x86_64                                              80/86 
  Cleanup    : libipa_hbac-1.8.0-32.el6.x86_64                                                   81/86 
  Cleanup    : nspr-4.9.1-2.el6_3.x86_64                                                         82/86 
  Cleanup    : libtalloc-2.0.1-1.1.el6.x86_64                                                    83/86 
  Cleanup    : libtdb-1.2.1-3.el6.x86_64                                                         84/86 
  Cleanup    : sssd-client-1.8.0-32.el6.x86_64                                                   85/86 
  Cleanup    : bind-dyndb-ldap-1.1.0-0.9.b1.el6_3.1.x86_64                                       86/86 
Installed products updated.
  Verifying  : pki-common-9.0.3-30.el6.noarch                                                     1/86 
  Verifying  : libipa_hbac-python-1.9.2-74.el6.x86_64                                             2/86 
  Verifying  : ipa-server-3.0.0-24.el6.x86_64                                                     3/86 
  Verifying  : nss-3.14.0.0-12.el6.x86_64                                                         4/86 
  Verifying  : ipa-server-selinux-3.0.0-24.el6.x86_64                                             5/86 
  Verifying  : 389-ds-base-libs-1.2.11.15-10.el6.x86_64                                           6/86 
  Verifying  : perl-Socket6-0.23-3.el6.x86_64                                                     7/86 
  Verifying  : pki-java-tools-9.0.3-30.el6.noarch                                                 8/86 
  Verifying  : ipa-admintools-3.0.0-24.el6.x86_64                                                 9/86 
  Verifying  : pytalloc-2.0.7-2.el6.x86_64                                                       10/86 
  Verifying  : nss-tools-3.14.0.0-12.el6.x86_64                                                  11/86 
  Verifying  : pki-util-9.0.3-30.el6.noarch                                                      12/86 
  Verifying  : selinux-policy-3.7.19-194.el6.noarch                                              13/86 
  Verifying  : sssd-client-1.9.2-74.el6.x86_64                                                   14/86 
  Verifying  : ipa-client-3.0.0-24.el6.x86_64                                                    15/86 
  Verifying  : nss-sysinit-3.14.0.0-12.el6.x86_64                                                16/86 
  Verifying  : ipa-python-3.0.0-24.el6.x86_64                                                    17/86 
  Verifying  : bind-dyndb-ldap-2.3-2.el6.x86_64                                                  18/86 
  Verifying  : nss-util-3.14.0.0-2.el6.x86_64                                                    19/86 
  Verifying  : pki-setup-9.0.3-30.el6.noarch                                                     20/86 
  Verifying  : httpd-2.2.15-26.el6.x86_64                                                        21/86 
  Verifying  : krb5-workstation-1.10.3-10.el6.x86_64                                             22/86 
  Verifying  : libipa_hbac-1.9.2-74.el6.x86_64                                                   23/86 
  Verifying  : 389-ds-base-1.2.11.15-10.el6.x86_64                                               24/86 
  Verifying  : pki-symkey-9.0.3-30.el6.x86_64                                                    25/86 
  Verifying  : libtalloc-2.0.7-2.el6.x86_64                                                      26/86 
  Verifying  : libldb-1.1.13-3.el6.x86_64                                                        27/86 
  Verifying  : libtevent-0.9.17-1.el6.x86_64                                                     28/86 
  Verifying  : krb5-server-1.10.3-10.el6.x86_64                                                  29/86 
  Verifying  : libsss_idmap-1.9.2-74.el6.x86_64                                                  30/86 
  Verifying  : selinux-policy-targeted-3.7.19-194.el6.noarch                                     31/86 
  Verifying  : libtdb-1.2.10-1.el6.x86_64                                                        32/86 
  Verifying  : perl-NetAddr-IP-4.027-7.el6.x86_64                                                33/86 
  Verifying  : mod_nss-1.0.8-18.el6.x86_64                                                       34/86 
  Verifying  : libsss_autofs-1.9.2-74.el6.x86_64                                                 35/86 
  Verifying  : certmonger-0.61-3.el6.x86_64                                                      36/86 
  Verifying  : krb5-pkinit-openssl-1.10.3-10.el6.x86_64                                          37/86 
  Verifying  : pki-ca-9.0.3-30.el6.noarch                                                        38/86 
  Verifying  : pki-silent-9.0.3-30.el6.noarch                                                    39/86 
  Verifying  : krb5-libs-1.10.3-10.el6.x86_64                                                    40/86 
  Verifying  : httpd-tools-2.2.15-26.el6.x86_64                                                  41/86 
  Verifying  : nspr-4.9.2-1.el6.x86_64                                                           42/86 
  Verifying  : pki-selinux-9.0.3-30.el6.noarch                                                   43/86 
  Verifying  : samba4-libs-4.0.0-53.el6.rc4.x86_64                                               44/86 
  Verifying  : sssd-1.9.2-74.el6.x86_64                                                          45/86 
  Verifying  : pki-native-tools-9.0.3-30.el6.x86_64                                              46/86 
  Verifying  : selinux-policy-targeted-3.7.19-155.el6_3.13.noarch                                47/86 
  Verifying  : libipa_hbac-python-1.8.0-32.el6.x86_64                                            48/86 
  Verifying  : ipa-python-2.2.0-16.el6.x86_64                                                    49/86 
  Verifying  : ipa-client-2.2.0-16.el6.x86_64                                                    50/86 
  Verifying  : pki-native-tools-9.0.3-24.el6.x86_64                                              51/86 
  Verifying  : pki-common-9.0.3-24.el6.noarch                                                    52/86 
  Verifying  : bind-dyndb-ldap-1.1.0-0.9.b1.el6_3.1.x86_64                                       53/86 
  Verifying  : httpd-tools-2.2.15-15.el6_2.1.x86_64                                              54/86 
  Verifying  : certmonger-0.56-1.el6.x86_64                                                      55/86 
  Verifying  : ipa-server-selinux-2.2.0-16.el6.x86_64                                            56/86 
  Verifying  : mod_nss-1.0.8-15.el6.x86_64                                                       57/86 
  Verifying  : pki-selinux-9.0.3-24.el6.noarch                                                   58/86 
  Verifying  : nss-tools-3.13.5-1.el6_3.x86_64                                                   59/86 
  Verifying  : pki-symkey-9.0.3-24.el6.x86_64                                                    60/86 
  Verifying  : nspr-4.9.1-2.el6_3.x86_64                                                         61/86 
  Verifying  : pki-silent-9.0.3-24.el6.noarch                                                    62/86 
  Verifying  : httpd-2.2.15-15.el6_2.1.x86_64                                                    63/86 
  Verifying  : nss-util-3.13.5-1.el6_3.x86_64                                                    64/86 
  Verifying  : libldb-0.9.10-23.el6.x86_64                                                       65/86 
  Verifying  : 389-ds-base-1.2.10.2-20.el6_3.x86_64                                              66/86 
  Verifying  : pki-java-tools-9.0.3-24.el6.noarch                                                67/86 
  Verifying  : ipa-server-2.2.0-16.el6.x86_64                                                    68/86 
  Verifying  : libtevent-0.9.8-8.el6.x86_64                                                      69/86 
  Verifying  : pki-ca-9.0.3-24.el6.noarch                                                        70/86 
  Verifying  : libtalloc-2.0.1-1.1.el6.x86_64                                                    71/86 
  Verifying  : pki-util-9.0.3-24.el6.noarch                                                      72/86 
  Verifying  : sssd-client-1.8.0-32.el6.x86_64                                                   73/86 
  Verifying  : krb5-workstation-1.9-33.el6_3.3.x86_64                                            74/86 
  Verifying  : libipa_hbac-1.8.0-32.el6.x86_64                                                   75/86 
  Verifying  : krb5-pkinit-openssl-1.9-33.el6_3.3.x86_64                                         76/86 
  Verifying  : krb5-pkinit-openssl-1.9-33.el6_3.3.x86_64                                         77/86 
  Verifying  : ipa-admintools-2.2.0-16.el6.x86_64                                                78/86 
  Verifying  : libtdb-1.2.1-3.el6.x86_64                                                         79/86 
  Verifying  : selinux-policy-3.7.19-155.el6_3.13.noarch                                         80/86 
  Verifying  : 389-ds-base-libs-1.2.10.2-20.el6_3.x86_64                                         81/86 
  Verifying  : pki-setup-9.0.3-24.el6.noarch                                                     82/86 
  Verifying  : nss-3.13.5-1.el6_3.x86_64                                                         83/86 
  Verifying  : krb5-server-1.9-33.el6_3.3.x86_64                                                 84/86 
  Verifying  : krb5-libs-1.9-33.el6_3.3.x86_64                                                   85/86 
  Verifying  : nss-sysinit-3.13.5-1.el6_3.x86_64                                                 86/86 
  Verifying  : sssd-1.8.0-32.el6.x86_64                                                          87/86 

Installed:
  krb5-pkinit-openssl.x86_64 0:1.10.3-10.el6                                                           

Dependency Installed:
  libsss_autofs.x86_64 0:1.9.2-74.el6               libsss_idmap.x86_64 0:1.9.2-74.el6                
  perl-NetAddr-IP.x86_64 0:4.027-7.el6              perl-Socket6.x86_64 0:0.23-3.el6                  
  pytalloc.x86_64 0:2.0.7-2.el6                     samba4-libs.x86_64 0:4.0.0-53.el6.rc4             

Updated:
  bind-dyndb-ldap.x86_64 0:2.3-2.el6                  ipa-server.x86_64 0:3.0.0-24.el6                 

Dependency Updated:
  389-ds-base.x86_64 0:1.2.11.15-10.el6                389-ds-base-libs.x86_64 0:1.2.11.15-10.el6     
  certmonger.x86_64 0:0.61-3.el6                       httpd.x86_64 0:2.2.15-26.el6                   
  httpd-tools.x86_64 0:2.2.15-26.el6                   ipa-admintools.x86_64 0:3.0.0-24.el6           
  ipa-client.x86_64 0:3.0.0-24.el6                     ipa-python.x86_64 0:3.0.0-24.el6               
  ipa-server-selinux.x86_64 0:3.0.0-24.el6             krb5-libs.x86_64 0:1.10.3-10.el6               
  krb5-server.x86_64 0:1.10.3-10.el6                   krb5-workstation.x86_64 0:1.10.3-10.el6        
  libipa_hbac.x86_64 0:1.9.2-74.el6                    libipa_hbac-python.x86_64 0:1.9.2-74.el6       
  libldb.x86_64 0:1.1.13-3.el6                         libtalloc.x86_64 0:2.0.7-2.el6                 
  libtdb.x86_64 0:1.2.10-1.el6                         libtevent.x86_64 0:0.9.17-1.el6                
  mod_nss.x86_64 0:1.0.8-18.el6                        nspr.x86_64 0:4.9.2-1.el6                      
  nss.x86_64 0:3.14.0.0-12.el6                         nss-sysinit.x86_64 0:3.14.0.0-12.el6           
  nss-tools.x86_64 0:3.14.0.0-12.el6                   nss-util.x86_64 0:3.14.0.0-2.el6               
  pki-ca.noarch 0:9.0.3-30.el6                         pki-common.noarch 0:9.0.3-30.el6               
  pki-java-tools.noarch 0:9.0.3-30.el6                 pki-native-tools.x86_64 0:9.0.3-30.el6         
  pki-selinux.noarch 0:9.0.3-30.el6                    pki-setup.noarch 0:9.0.3-30.el6                
  pki-silent.noarch 0:9.0.3-30.el6                     pki-symkey.x86_64 0:9.0.3-30.el6               
  pki-util.noarch 0:9.0.3-30.el6                       selinux-policy.noarch 0:3.7.19-194.el6         
  selinux-policy-targeted.noarch 0:3.7.19-194.el6      sssd.x86_64 0:1.9.2-74.el6                     
  sssd-client.x86_64 0:1.9.2-74.el6                   

Replaced:
  krb5-pkinit-openssl.x86_64 0:1.9-33.el6_3.3                                                          

Complete!
[root@rhel6-2 yum.local.d]# 

[root@rhel6-2 yum.local.d]# ausearch -m avc
<no matches>

Automated Test Results (manually run) ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: upgrade_bz_903758: upgrading IPA from 2.2 to 3.0 sees certmonger errors
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [09:19:18] ::  Machine in recipe is MASTER
:: [   PASS   ] :: File '/var/log/ipaupgrade.log' should not contain 'ERROR certmonger failed to start tracking certificate:.*dogtag-ipa-renew-agent'
:: [   PASS   ] :: BZ 903758 not found

Comment 12 errata-xmlrpc 2013-02-21 09:32:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

Note You need to log in before you can comment on or make changes to this bug.