After having seen a lot of SERVFAIL for named-pkcs11 resolutions (resulting in a very slow name resolution) I chose to restart all services to start debugging from a clean state. Well, careful what you wish for. Dirsrv no longer starts, and the errors I see begin with:

INFO - bdb_start - Resizing db cache size: 161433681 -> 161433517
ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
ERR - memberof-plugin - memberof_config - Error 53: The ipaOwner configuration attribute must be set to an attribute defined to use either the Distinguished Name or Name and Optional UID syntax. (illegal value: memberOfGroupAttr)
ERR - memberof-plugin - memberof_postop_start - Configuration failed (Server is unwilling to perform)
ERR - plugin_dependency_startall - Failed to start betxnpostoperation plugin MemberOf Plugin
ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!

======

The last update was to enable DNSSEC on the server. That seems to have worked fine, ods has been creating/updating keys as expected.

I then see a lot of WARN about key DNs missing:

WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=domain,dc=tld

So reading/consistency of the opened files is definitely not working. This is followed by:

ERR - NSACLPlugin - __aclp__init_targetattr - targetattr "ipapwddictcheck" does not exist in schema. Please add attributeTypes "ipapwddictcheck" to schema if necessary.

I feel like the best way forward is to grab a copy of a replica and start from there. Before I do that, I would love to understand what may be missing, because if it cannot "decrypt" the LDAP, I'm not sure what a new copy requiring the same encryption would do?

This is the version running:

Name    : ipa-server
Version : 4.9.13
Release : 18.module+el8.10.0+23403+cc1f9b40

// Peter
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
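The startup log above mixes one root cause (the attribute-encryption symmetric key can no longer be unwrapped, which the message itself attributes to the wrapping certificate having been renewed after the key was wrapped) with several consequences (plugin config rejected, plugins not started, schema lookups failing). The following triage script is an added example and is not part of the original post or of FreeIPA/389-ds; it parses lines in the format the dirsrv errors log uses (`[timestamp] - LEVEL - component - message`), counts severities, and groups the error lines into findings ordered so that the attribute-encryption failure is dealt with first. The sample log is constructed from the messages quoted in the post with invented timestamps; the grouping rules are heuristics derived from those messages only.

```python
"""Triage a 389-ds / FreeIPA dirsrv errors log for a server that will not start.

Added example (not from the original post). Lines are expected in the
dirsrv errors-log shape: "[dd/Mon/yyyy:HH:MM:SS.ns +zone] - LEVEL - component - message".
"""
import re
from collections import Counter

# One errors-log line. The component is matched lazily so that a message that
# itself contains " - " (e.g. "memberof-plugin - memberof_config - Error 53: ...")
# splits after the first component only.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<component>.+?) - (?P<msg>.+)$"
)

# Constructed sample: the messages quoted in the post, with made-up timestamps.
SAMPLE_LOG = """\
[15/Mar/2024:08:12:01.000000000 +0100] - INFO - bdb_start - Resizing db cache size: 161433681 -> 161433517
[15/Mar/2024:08:12:01.000000000 +0100] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
[15/Mar/2024:08:12:01.000000000 +0100] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
[15/Mar/2024:08:12:01.000000000 +0100] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[15/Mar/2024:08:12:01.000000000 +0100] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[15/Mar/2024:08:12:02.000000000 +0100] - ERR - memberof-plugin - memberof_config - Error 53: The ipaOwner configuration attribute must be set to an attribute defined to use either the Distinguished Name or Name and Optional UID syntax. (illegal value: memberOfGroupAttr)
[15/Mar/2024:08:12:02.000000000 +0100] - ERR - plugin_dependency_startall - Failed to start betxnpostoperation plugin MemberOf Plugin
[15/Mar/2024:08:12:02.000000000 +0100] - ERR - NSACLPlugin - __aclp__init_targetattr - targetattr "ipapwddictcheck" does not exist in schema. Please add attributeTypes "ipapwddictcheck" to schema if necessary.
"""

# (priority, predicate over a parsed record, finding title). Lower priority
# number = resolve first. The first matching rule wins for a given line.
SIGNATURES = [
    (1, lambda r: r["component"].startswith("attrcrypt"),
     "attribute encryption: symmetric key cannot be unwrapped with the server "
     "private key (log says the certificate may have been renewed after the key "
     "was wrapped); preserve the wrapped key value before changing anything"),
    (2, lambda r: "does not exist in schema" in r["msg"],
     "schema: an attribute referenced by an ACL/config is not in the loaded schema"),
    (2, lambda r: "Error 53" in r["msg"] or "unwilling to perform" in r["msg"].lower(),
     "plugin configuration rejected by the server"),
    (3, lambda r: r["msg"].startswith("Failed to start"),
     "plugin failed to start (usually a consequence of an earlier error)"),
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every recognisable line of an errors log into a list of records."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def triage(text):
    """Summarise severities and group error lines into prioritised findings.

    Returns {"levels": {level: count}, "findings": [(title, {"priority", "lines"}), ...]}
    with findings sorted by priority (ties keep first-seen order).
    """
    records = parse_log(text)
    levels = Counter(r["level"] for r in records)
    findings = {}
    for r in records:
        if r["level"] not in ("ERR", "CRIT", "EMERG"):
            continue
        for prio, matches, title in SIGNATURES:
            if matches(r):
                entry = findings.setdefault(title, {"priority": prio, "lines": []})
                entry["lines"].append(f'{r["component"]} - {r["msg"]}')
                break
    ordered = sorted(findings.items(), key=lambda kv: kv[1]["priority"])
    return {"levels": dict(levels), "findings": ordered}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("severities:", report["levels"])
    for title, info in report["findings"]:
        print(f"\n[priority {info['priority']}] {title}")
        for line in info["lines"]:
            print("   ", line)
```

Run it against the real file with `triage(open("/var/log/dirsrv/slapd-INSTANCE/errors").read())` (path per instance name). The point of ordering is that the schema and memberof errors are evaluated after the backend fails to initialise its ciphers, so fixing them first would not bring the instance up; and the log's own advice to keep the wrapped symmetric key value matters because, in 389-ds's attribute-encryption layout, that value lives in the instance's `dse.ldif` under the backend's `cn=encrypted attribute keys` subtree, and overwriting it makes the already-encrypted attribute data unrecoverable.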
