Hi,
On Fri, Nov 28, 2025 at 4:52 AM Peter Larsen via FreeIPA-users <[email protected]> wrote:

> After having seen a lot of SERVFAIL for named-pkcs11 resolutions
> (resulting in a very slow name resolution) I chose to restart all services
> to start debugging from a clean state.
> Well, careful what you wish for. Dirsrv no longer starts, and the errors I
> see begin with:
>
> INFO - bdb_start - Resizing db cache size: 161433681 -> 161433517
> ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
> ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
> ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
> ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
> ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
> ERR - memberof-plugin - memberof_config - Error 53: The ipaOwner configuration attribute must be set to an attribute defined to use either the Distinguished Name or Name and Optional UID syntax. (illegal value: memberOfGroupAttr)
> ERR - memberof-plugin - memberof_postop_start - Configuration failed (Server is unwilling to perform)
> ERR - plugin_dependency_startall - Failed to start betxnpostoperation plugin MemberOf Plugin
> ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
> ======
>
> The last update was to enable dnssec on the server. That seems to have
> worked fine, ods have been creating/updating keys as expected.
>
> I then see a lot of WARN about key dn's missing:
> WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=domain,dc=tld
>
> So reading/consistency of the opened files is definitely not working.
>
> This is followed by
>
> ERR - NSACLPlugin - __aclp__init_targetattr - targetattr "ipapwddictcheck" does not exist in schema. Please add attributeTypes "ipapwddictcheck" to schema if necessary.
>

This attribute type was added with this commit:
https://github.com/freeipa/freeipa/commit/892fea881a6ceef80affd6d6a3fb9b5afafa969b#diff-f5a44cd4a6c130ee38678799b39cfe47d236d42dd40b68ed7cec5db61d9802df
on the master branch and also on ipa-4-12. If you need this attribute it's probably because you added a more recent replica to the topology and replication started updating the schema. You can try to manually edit /etc/dirsrv/slapd-IPA-TEST/schema/60basev2.ldif in order to add the attribute definition, and restart the server. Please make sure to make a copy first.

flo

> I feel like the best way forward is to grab a copy of a replica and start
> from there. Before I do that, I would love to understand what may be
> missing, because if it cannot "decrypt" the ldap, I'm not sure what a new
> copy requiring the same encryption would do?
>
> This is the version running.
>
> Name : ipa-server
> Version : 4.9.13
> Release : 18.module+el8.10.0+23403+cc1f9b40
>
> // Peter
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
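The manual fix flo describes (back up 60basev2.ldif, add the missing attributeTypes definition, restart) is easy to get subtly wrong by hand: the value has to stay inside the single cn=schema entry, LDIF folds long values over continuation lines, and the file keeps dirsrv's ownership. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes a healthy replica's 60basev2.ldif has already been copied to the broken server so the definition can be taken from there rather than typed in; the instance name IPA-TEST is taken from the path in flo's reply; the attributeTypes definition in the sample data is constructed with a made-up OID and is not the real ipaPwdDictCheck definition, which must come from the replica or the linked commit.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): copy a missing
# attributeTypes definition from a replica's schema file into the local one.
set -eu

# Print the full attributeTypes value named NAME from an LDIF schema FILE.
# LDIF folds long values: a line starting with one space continues the
# previous line, so unfold first, then select the matching definition.
extract_attr_def() {
    file=$1; name=$2
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$file" | grep -i "^attributeTypes:.*NAME[^)]*'$name'" | head -n 1
}

# Succeed if FILE already defines attribute NAME.
has_attr_def() {
    [ -n "$(extract_attr_def "$1" "$2")" ]
}

# Append NAME's definition from SRC to DST unless DST already has it.
# DST is backed up first; dirsrv must be stopped while DST is edited.
ensure_attr_def() {
    src=$1; dst=$2; name=$3
    if has_attr_def "$dst" "$name"; then
        echo "$name already defined in $dst"
        return 0
    fi
    def=$(extract_attr_def "$src" "$name")
    if [ -z "$def" ]; then
        echo "$name not found in $src" >&2
        return 1
    fi
    cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    # Drop trailing blank lines: a blank line ends the cn=schema entry and
    # would leave the appended value outside it.
    awk '{ lines[NR] = $0 }
         END { n = NR
               while (n > 0 && lines[n] ~ /^[ \t]*$/) n--
               for (i = 1; i <= n; i++) print lines[i] }' "$dst" > "$tmp"
    printf '%s\n' "$def" >> "$tmp"
    cat "$tmp" > "$dst"   # overwrite in place so dirsrv keeps ownership/mode
    rm -f "$tmp"
    echo "appended $name to $dst"
}

# Usage on the broken server (paths and instance name are assumptions):
#   ensure_attr_def /root/replica-copy/60basev2.ldif \
#       /etc/dirsrv/slapd-IPA-TEST/schema/60basev2.ldif ipaPwdDictCheck
#   ipactl start
# Then confirm the running server knows the attribute:
#   ldapsearch -x -LLL -o ldif-wrap=no -H ldap://localhost \
#       -b cn=schema -s base attributeTypes | grep -i ipapwddictcheck
```

This only addresses the "targetattr "ipapwddictcheck" does not exist in schema" error; the attrcrypt_unwrap_key failures earlier in the same log are a separate problem (the log itself points at a renewed certificate) and will not be fixed by a schema edit.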
