On Няд, 05 кас 2025, Brian J. Murrell via FreeIPA-users wrote:

On Sun, 2025-10-05 at 13:39 +0300, Alexander Bokovoy via FreeIPA-users wrote:

...

Please read the release notes for 4.12.5 release: https://www.freeipa.org/release-notes/4-12-5.html

Specifically, Red Hat's knowledge base articles mentioned there.

Pity that those are locked behind a Red Hat account login.

Red Hat developer account gives you the same rights for these articles and it is free to register on developer.redhat.com.

This topic (SIDs for users are required) was discussed on this very mailing list for good part of the past five years.

Your deployment has at least one user with a POSIX UID outside of the IPA ID ranges with associated SID namespace:

Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.530693672 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.754504866 -0400] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 533]: Cannot convert Posix ID [10] into an unused SID. Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.806069857 -0400] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.889609452 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

Lack of a SID associated with a user account means we cannot create a PAC entry for this user when issuing a Kerberos ticket. The reason why we enforce PAC presence is because PAC structure contains a critical information about the user and its group membership. It also contains several additional checksums that allow to detect manipulation of the Kerberos ticket itself by an attacker.

The problem we have to deal with is a combination of cryptographic issues and identity confusion across different environments. Originally Kerberos tickets only contained an information about the Kerberos principal itself, without its tie to underlying operating environment. Over years, it became clear that some parts of the Kerberos tickets can be attacked through middle-man manipulations. Those attacks were not possible to protect against by a traditional approach because signatures used to validate the ticket content did not include those modified bits.

Luckily, Microsoft introduced so-called PAC (privilege access certificate) authorisation data structure about 25 years ago that is extensible and has own signatures to validate that its content is not tampered with.

PAC itself was for very long time tied to the Microsoft's way of storing AD identity details in the ticket and thus there are expectations that a particular part of the PAC structure is also present in the ticket. This is the part that contains SIDs.

Some of these issues were present for long time and occasionally surface as CVEs, most known ones are CVE-2020-17049 and CVE-2022-37967 for Active Directory's implementation of Kerberos protocol. Later, one of signatures in PAC was also attacked due to pre-imaging problem with MD4 cipher key.

PAC container is now used to store at least two additional signature fields to detect tampering of the parts of the Kerberos ticket outside of the PAC. It also contains additional fields that allow to communicate more information about the requester: with their help, KDC can record who and how requested the original ticket, preventing critical modifications after the ticket was issued. Additionally, session keys are not not allowed to use older ciphers, like RC4-HMAC.

In RHEL 8 version of FreeIPA we did not have MIT Kerberos KDC infrastructure that would have allowed us to add some of those signatures. We had to be creative and at FOSDEM 2024 IAM devroom Julien Rische, our Kerberos maintainer, explained how this was solved: https://archive.fosdem.org/2024/schedule/event/fosdem-2024-2681-fixing-a-ker...

The second part of the problem is identity confusion. When you don't have PAC, it is impossible to clarify who was the user that the client requested the ticket for and who it was issued to, due to the nature of Kerberos protocol operations. With PAC and additional structures inside it, we can cross check the information and apply certain logic that would prevent these issues. This is why we now enforce use of PAC in the default installation (came to RHEL 8 as part of RHEL 8.4+), even if you are not using trust to Active Directory.

The issue we recently closed done with FreeIPA 4.12.5 release and which fix was backported down to RHEL 7 and RHEL 8 is in the same topic. When a malicious client intentionally asks for a Kerberos ticket without PAC, MIT Kerberos KDC will happily issue such ticket, for compatibility and interoperability reasons. These were set before the additional checksums were added to PAC structure, so they predate CVE-2020-17049 and CVE-2022-37967 attacks. Additionally, we found a bug in 389-ds directory server's implementation of the uniqueness enforcement plugin that allowed certain manipulations of the database entries for existing enrolled clients that, in turn, allowed to exploit the 'ticket without PAC' feature.

Since PAC is now mandatory, you have to have SIDs associated with user accounts.

Fortunately I have an account. Pity for those that do not and are getting hit by this update by Red Hat within a minor version even.

In any any case, the solution suggested there doesn't work (here):

# kinit admin Password for admin@EXAMPLE.COM: [root@server ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_HLUjJfd Default principal: admin@EXAMPLE.COM

Valid starting Expires Service principal 2025-10-05 22:29:31 2025-10-06 21:54:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM # ipa config-mod --enable-sid --add-sids ipa: ERROR: Failed to call DBus # klist Ticket cache: KEYRING:persistent:0:krb_ccache_HLUjJfd Default principal: admin@EXAMPLE.COM

Valid starting Expires Service principal 2025-10-05 22:30:34 2025-10-06 21:54:00 HTTP/server.example.com@EXAMPLE.COM 2025-10-05 22:29:31 2025-10-06 21:54:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM [root@server ~]# ipa config-mod --enable-sid --add-sids ipa: ERROR: Failed to call DBus

Here is the journal (with as much noise as I could find removed) during the above:

Oct 05 22:12:17 server.example.com saslauthd[2092507]: pam_unix(imap:auth): check pass; user unknown Oct 05 22:12:17 server.example.com saslauthd[2092507]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Oct 05 22:12:19 server.example.com saslauthd[2092507]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure Oct 05 22:12:19 server.example.com saslauthd[2092507]: : auth failure: [user=no-reply] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error] Oct 05 22:12:23 server.example.com saslauthd[2092505]: pam_unix(imap:auth): check pass; user unknown Oct 05 22:12:23 server.example.com saslauthd[2092505]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Oct 05 22:12:25 server.example.com saslauthd[2092505]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure Oct 05 22:12:25 server.example.com saslauthd[2092505]: : auth failure: [user=no-reply] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error] Oct 05 22:12:28 server.example.com saslauthd[2092507]: pam_unix(imap:auth): check pass; user unknown Oct 05 22:12:28 server.example.com saslauthd[2092507]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Oct 05 22:12:31 server.example.com saslauthd[2092507]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure Oct 05 22:12:31 server.example.com saslauthd[2092507]: : auth failure: [user=no-reply] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error] Oct 05 22:12:42 server.example.com saslauthd[2092508]: pam_unix(imap:auth): check pass; user unknown Oct 05 22:12:42 server.example.com saslauthd[2092508]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Oct 05 22:12:44 server.example.com saslauthd[2092508]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure Oct 05 22:12:44 server.example.com saslauthd[2092508]: : auth failure: [user=no-reply] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error] Oct 05 22:18:13 server.example.com saslauthd[2092508]: pam_unix(imap:auth): check pass; user unknown Oct 05 22:18:13 server.example.com saslauthd[2092508]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Oct 05 22:18:15 server.example.com saslauthd[2092508]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure Oct 05 22:18:15 server.example.com saslauthd[2092508]: : auth failure: [user=no-reply] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error] Oct 05 22:18:19 server.example.com saslauthd[2092506]: pam_unix(imap:auth): check pass; user unknown Oct 05 22:18:19 server.example.com saslauthd[2092506]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Oct 05 22:18:21 server.example.com saslauthd[2092506]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure Oct 05 22:18:21 server.example.com saslauthd[2092506]: : auth failure: [user=no-reply] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error] Oct 05 22:18:24 server.example.com saslauthd[2092505]: pam_unix(imap:auth): check pass; user unknown Oct 05 22:18:24 server.example.com saslauthd[2092505]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Oct 05 22:18:26 server.example.com saslauthd[2092505]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure Oct 05 22:18:26 server.example.com saslauthd[2092505]: : auth failure: [user=no-reply] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error] Oct 05 22:18:37 server.example.com saslauthd[2092507]: pam_unix(imap:auth): check pass; user unknown Oct 05 22:18:37 server.example.com saslauthd[2092507]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Oct 05 22:18:39 server.example.com saslauthd[2092507]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure Oct 05 22:18:39 server.example.com saslauthd[2092507]: : auth failure: [user=no-reply] [service=imap] [realm=example.com] [mech=pam] [reason=PAM auth error] Oct 05 22:30:45 server.example.com ns-slapd[3419543]: [05/Oct/2025:22:30:45.025916230 -0400] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 48 max work q size 34 max work q stack size 34 Oct 05 22:30:45 server.example.com ns-slapd[3419543]: [05/Oct/2025:22:30:45.269528591 -0400] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins Oct 05 22:30:46 server.example.com ns-slapd[3419543]: [05/Oct/2025:22:30:46.267107945 -0400] - INFO - bdb_pre_close - Waiting for 5 database threads to stop Oct 05 22:30:46 server.example.com dbus-daemon[1811]: [system] Activating via systemd: service name='org.fedoraproject.Setroubleshootd' unit='setroubleshootd.service' requested by ':1.72' (uid=0 pid=1365 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") Oct 05 22:30:48 server.example.com ns-slapd[3419543]: [05/Oct/2025:22:30:48.017486340 -0400] - INFO - bdb_pre_close - All database threads now stopped Oct 05 22:30:51 server.example.com dbus-daemon[1811]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Oct 05 22:30:53 server.example.com ipa-dnskeysyncd[3420151]: ipa-dnskeysyncd: ERROR syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []}) Oct 05 22:30:54 server.example.com ns-slapd[3419543]: [05/Oct/2025:22:30:54.681272510 -0400] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed Oct 05 22:30:54 server.example.com ns-slapd[3419543]: [05/Oct/2025:22:30:54.802175804 -0400] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 34 work q stack objects - freed 50 op stack objects Oct 05 22:30:54 server.example.com ns-slapd[3419543]: [05/Oct/2025:22:30:54.879484858 -0400] - INFO - main - slapd stopped. Oct 05 22:30:55 server.example.com setroubleshoot[3726695]: AnalyzeThread.run(): Cancel pending alarm Oct 05 22:30:55 server.example.com systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Oct 05 22:30:55 server.example.com systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Oct 05 22:30:59 server.example.com dbus-daemon[1811]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.168011' (uid=985 pid=3726695 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0") (using servicehelper) Oct 05 22:30:59 server.example.com dbus-daemon[1811]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged' Oct 05 22:31:00 server.example.com systemd[1]: dirsrv@EXAMPLE-COM.service: Succeeded. Oct 05 22:31:02 server.example.com setroubleshoot[3726695]: SELinux is preventing systemctl from getattr access on the filesystem /. For complete SELinux messages run: sealert -l 9e381eda-edb0-43f1-8254-cc8cef70df65 Oct 05 22:31:02 server.example.com setroubleshoot[3726695]: SELinux is preventing systemctl from getattr access on the filesystem /.

                                                           *****  Plugin catchall (100. confidence) suggests   **************************

                                                           If you believe that systemctl should be allowed getattr access on the  filesystem by default.
                                                           Then you should report this as a bug.
                                                           You can generate a local policy module to allow this access.
                                                           Do
                                                           allow this access for now by executing:
                                                           # ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
                                                           # semodule -X 300 -i my-systemctl.pp

Oct 05 22:31:02 server.example.com setroubleshoot[3726695]: AnalyzeThread.run(): Set alarm timeout to 10 Oct 05 22:31:03 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:03.485579559 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE.COM IPA CA Oct 05 22:31:03 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:03.767367886 -0400] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. Oct 05 22:31:03 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:03.923513233 -0400] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.219338498 -0400] - INFO - Security Initialization - SSL info: Enabling default cipher set. Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.266979003 -0400] - INFO - Security Initialization - SSL info: Configured NSS Ciphers Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.317087928 -0400] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.367098089 -0400] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.417336317 -0400] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.489263251 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.534559041 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.626477672 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.714513700 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.810223851 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.860334673 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.939440620 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:31:04 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:04.985597169 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.080981709 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.197083659 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.246234040 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.304818861 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.389397483 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.463257597 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.538601244 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.597262719 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.647350713 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.722610923 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.773061307 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.847829995 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.890024772 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:31:05 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:05.973418139 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:31:06 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:06.084319498 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:31:06 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:06.142531622 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:31:06 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:06.192631943 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Oct 05 22:31:06 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:06.281591368 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3 Oct 05 22:31:06 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:06.369860392 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3 Oct 05 22:31:06 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:06.411855976 -0400] - INFO - main - 389-Directory/1.4.3.39 B2025.254.1138 starting up Oct 05 22:31:06 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:06.453288999 -0400] - INFO - main - Setting the maximum file descriptor limit to: 262144 Oct 05 22:31:07 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:07.466269174 -0400] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds Oct 05 22:31:07 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:07.578815222 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:31:07 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:07.627261591 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:31:07 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:07.719564798 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:31:07 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:07.785053566 -0400] - NOTICE - ldbm_back_start - found 16023608k physical memory Oct 05 22:31:07 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:07.877663240 -0400] - NOTICE - ldbm_back_start - found 11418308k available Oct 05 22:31:07 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:07.981564039 -0400] - NOTICE - ldbm_back_start - cache autosizing: db cache: 1001475k Oct 05 22:31:08 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:08.122650906 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 917504k Oct 05 22:31:08 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:08.202400578 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k Oct 05 22:31:08 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:08.269619054 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 917504k Oct 05 22:31:08 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:08.357949849 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k Oct 05 22:31:08 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:08.408210274 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 917504k Oct 05 22:31:08 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:08.458334827 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k Oct 05 22:31:08 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:08.508401340 -0400] - NOTICE - ldbm_back_start - total cache size: 4246736384 B; Oct 05 22:31:08 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:08.868423128 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.009983446 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.093187169 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.143407246 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.210145475 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.260904819 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.360976616 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.402217056 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.469168577 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.560905092 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.602649483 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.644305590 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.686078695 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.753064450 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.794966914 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.853203426 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:09 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:09.895737068 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:31:10 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:10.206799297 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist Oct 05 22:31:10 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:10.245917130 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist Oct 05 22:31:10 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:10.450842708 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Oct 05 22:31:10 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:10.491697592 -0400] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off' Oct 05 22:31:10 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:10.553122897 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition. Oct 05 22:31:10 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:10.899301485 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server.example.com@EXAMPLE.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.042433464 -0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.080079163 -0400] - INFO - validate_num_config_reservedescriptors - reserve descriptors changed from 64 to 231 Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.121821955 -0400] - INFO - connection_table_new - conntablesize:64000 Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.189210866 -0400] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.230274405 -0400] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.271968257 -0400] - INFO - slapd_daemon - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests Oct 05 22:31:11 server.example.com ldapmodify[3726777]: DIGEST-MD5 common mech free Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.530693672 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.754504866 -0400] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 533]: Cannot convert Posix ID [10] into an unused SID. Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.806069857 -0400] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. Oct 05 22:31:11 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:11.889609452 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. Oct 05 22:31:13 server.example.com systemd[1]: setroubleshootd.service: Succeeded. Oct 05 22:31:16 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:16.145360656 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com Oct 05 22:31:16 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:31:16.199480265 -0400] - ERR - schema-compat-plugin - Finished plugin initialization. Oct 05 22:31:55 server.example.com systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Oct 05 22:31:55 server.example.com systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 1. Oct 05 22:31:56 server.example.com ipa-dnskeysyncd[3726839]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Oct 05 22:31:58 server.example.com ipa-dnskeysyncd[3726839]: ipa-dnskeysyncd: INFO LDAP bind... Oct 05 22:31:58 server.example.com ipa-dnskeysyncd[3726839]: ipa-dnskeysyncd: INFO Commencing sync process Oct 05 22:31:58 server.example.com ipa-dnskeysyncd[3726839]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Oct 05 22:32:02 server.example.com platform-python[3726845]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO Oct 05 22:32:02 server.example.com platform-python[3726845]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL Oct 05 22:32:02 server.example.com platform-python[3726845]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false Oct 05 22:32:02 server.example.com dbus-daemon[1811]: [system] Activating via systemd: service name='org.fedoraproject.Setroubleshootd' unit='setroubleshootd.service' requested by ':1.72' (uid=0 pid=1365 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") Oct 05 22:32:02 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:32:02.844710214 -0400] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 2 max work q size 2 max work q stack size 2 Oct 05 22:32:02 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:32:02.970635926 -0400] - INFO - slapd_daemon - slapd shutting down - waiting for 1 thread to terminate Oct 05 22:32:03 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:32:03.083631335 -0400] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins Oct 05 22:32:03 server.example.com dbus-daemon[1811]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Oct 05 22:32:04 server.example.com setroubleshoot[3726887]: AnalyzeThread.run(): Cancel pending alarm Oct 05 22:32:05 server.example.com dbus-daemon[1811]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.168026' (uid=985 pid=3726887 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0") (using servicehelper) Oct 05 22:32:05 server.example.com dbus-daemon[1811]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged' Oct 05 22:32:06 server.example.com setroubleshoot[3726887]: SELinux is preventing systemctl from getattr access on the filesystem /. For complete SELinux messages run: sealert -l 9e381eda-edb0-43f1-8254-cc8cef70df65 Oct 05 22:32:06 server.example.com setroubleshoot[3726887]: SELinux is preventing systemctl from getattr access on the filesystem /.

                                                           *****  Plugin catchall (100. confidence) suggests   **************************

                                                           If you believe that systemctl should be allowed getattr access on the  filesystem by default.
                                                           Then you should report this as a bug.
                                                           You can generate a local policy module to allow this access.
                                                           Do
                                                           allow this access for now by executing:
                                                           # ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
                                                           # semodule -X 300 -i my-systemctl.pp

Oct 05 22:32:06 server.example.com setroubleshoot[3726887]: AnalyzeThread.run(): Set alarm timeout to 10 Oct 05 22:32:13 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:32:13.440343371 -0400] - INFO - bdb_pre_close - Waiting for 5 database threads to stop Oct 05 22:32:14 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:32:14.181117121 -0400] - INFO - bdb_pre_close - All database threads now stopped Oct 05 22:32:14 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:32:14.355126744 -0400] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed Oct 05 22:32:14 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:32:14.404560032 -0400] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 4 op stack objects Oct 05 22:32:14 server.example.com ns-slapd[3726738]: [05/Oct/2025:22:32:14.454015755 -0400] - INFO - main - slapd stopped. Oct 05 22:32:14 server.example.com platform-python[3726839]: detected unhandled Python exception in '/usr/libexec/ipa/ipa-dnskeysyncd' Oct 05 22:32:16 server.example.com systemd[1]: dirsrv@EXAMPLE-COM.service: Succeeded. Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: Traceback (most recent call last): Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 130, in <module> Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: File "/usr/lib64/python3.6/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: self.syncrepl_refreshdone() Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: self.hsm_replica_sync() Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: File "/usr/lib/python3.6/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: p.returncode, arg_string, output_log, error_log Oct 05 22:32:16 server.example.com ipa-dnskeysyncd[3726839]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: "ipa-dnskeysync-replica: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details\nipa-dnskeysync-replica: ERROR LDAP server is down: cannot connect to 'ldapi://%2Frun%2Fslapd-EXAMPLE-COM.socket': Connection reset by peer\n") Oct 05 22:32:16 server.example.com systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Oct 05 22:32:16 server.example.com systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Oct 05 22:32:16 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:16.695927840 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE.COM IPA CA Oct 05 22:32:16 server.example.com systemd[1]: setroubleshootd.service: Succeeded. Oct 05 22:32:17 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:17.092452511 -0400] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. Oct 05 22:32:17 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:17.279604704 -0400] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert Oct 05 22:32:17 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:17.945423352 -0400] - INFO - Security Initialization - SSL info: Enabling default cipher set. Oct 05 22:32:18 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:18.153089500 -0400] - INFO - Security Initialization - SSL info: Configured NSS Ciphers Oct 05 22:32:18 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:18.336100046 -0400] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled Oct 05 22:32:18 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:18.498114331 -0400] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:32:18 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:18.615208755 -0400] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled Oct 05 22:32:18 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:18.790719632 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:32:18 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:18.857871078 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.000003307 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:32:19 server.example.com sssd_be[3404906]: Backend is offline Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.225362290 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.368506556 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.502023339 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.602144319 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.668927559 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.794031134 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.885921091 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:32:19 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:19.994398896 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.102883433 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.219679636 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.336688942 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.469996623 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.545441124 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.637203324 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.745908617 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.871177487 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Oct 05 22:32:20 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:20.979627188 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.179804810 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.288725770 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.347141232 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.413964961 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.489063658 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.589753403 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3 Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.656310791 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3 Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.781628467 -0400] - INFO - main - 389-Directory/1.4.3.39 B2025.254.1138 starting up Oct 05 22:32:21 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:21.915024006 -0400] - INFO - main - Setting the maximum file descriptor limit to: 262144 Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.010983738 -0400] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.086207009 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.188750776 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.287901380 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.371228487 -0400] - NOTICE - ldbm_back_start - found 16023608k physical memory Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.450597048 -0400] - NOTICE - ldbm_back_start - found 11550492k available Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.535109088 -0400] - NOTICE - ldbm_back_start - cache autosizing: db cache: 1001475k Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.627077079 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 917504k Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.727566082 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.819562974 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 917504k Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.886774125 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k Oct 05 22:32:23 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:23.978814822 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 917504k Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.045591863 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.129238627 -0400] - NOTICE - ldbm_back_start - total cache size: 4246736384 B; Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.267232294 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.357548476 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=com does not exist Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.422623675 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=com does not exist Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.547907102 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=com does not exist Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.631511909 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=example,dc=com does not exist Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.690151510 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=com does not exist Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.740626981 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.848931682 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:24 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:24.932859277 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.066925855 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.167146108 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.300618180 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.359350936 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.426463511 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.527088025 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.610680736 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.669854175 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.765600799 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.828845087 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist Oct 05 22:32:25 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:25.992764828 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Oct 05 22:32:26 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:26.083061936 -0400] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off' Oct 05 22:32:26 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:26.155166397 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition. Oct 05 22:32:26 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:26.451656515 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server.example.com@EXAMPLE.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) Oct 05 22:32:26 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:26.560182890 -0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! Oct 05 22:32:26 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:26.608684542 -0400] - INFO - validate_num_config_reservedescriptors - reserve descriptors changed from 64 to 231 Oct 05 22:32:26 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:26.667281393 -0400] - INFO - connection_table_new - conntablesize:64000 Oct 05 22:32:26 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:26.817862827 -0400] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests Oct 05 22:32:26 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:26.876010504 -0400] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests Oct 05 22:32:27 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:27.001152221 -0400] - INFO - slapd_daemon - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests Oct 05 22:32:27 server.example.com ldapmodify[3727036]: DIGEST-MD5 common mech free Oct 05 22:32:27 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:27.359538861 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... Oct 05 22:32:27 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:27.581024803 -0400] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 533]: Cannot convert Posix ID [10] into an unused SID. Oct 05 22:32:27 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:27.677458301 -0400] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. Oct 05 22:32:27 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:27.813856487 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. Oct 05 22:32:28 server.example.com dbus-daemon[1811]: [system] Activating service name='org.freedesktop.problems' requested by ':1.168032' (uid=0 pid=3727063 comm="/usr/libexec/platform-python /usr/bin/abrt-action-" label="system_u:system_r:abrt_t:s0-s0:c0.c1023") (using servicehelper) Oct 05 22:32:30 server.example.com dbus-daemon[1811]: [system] Successfully activated service 'org.freedesktop.problems' Oct 05 22:32:31 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:31.582885802 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com Oct 05 22:32:31 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:32:31.657444867 -0400] - ERR - schema-compat-plugin - Finished plugin initialization. Oct 05 22:33:02 server.example.com sssd_be[3404906]: Backend is online Oct 05 22:33:16 server.example.com systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Oct 05 22:33:16 server.example.com systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 2. Oct 05 22:33:17 server.example.com ipa-dnskeysyncd[3727108]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Oct 05 22:33:19 server.example.com ipa-dnskeysyncd[3727108]: ipa-dnskeysyncd: INFO LDAP bind... Oct 05 22:33:19 server.example.com ipa-dnskeysyncd[3727108]: ipa-dnskeysyncd: INFO Commencing sync process Oct 05 22:33:19 server.example.com ipa-dnskeysyncd[3727108]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Oct 05 22:33:22 server.example.com platform-python[3727112]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO Oct 05 22:33:22 server.example.com platform-python[3727112]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL Oct 05 22:33:22 server.example.com platform-python[3727112]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false Oct 05 22:37:34 server.example.com systemd[1]: dummy-identd@623-10.75.22.247:113-198.235.24.26:57794.service: Succeeded. Oct 05 22:37:36 server.example.com dbus-daemon[1811]: [system] Activating via systemd: service name='org.fedoraproject.Setroubleshootd' unit='setroubleshootd.service' requested by ':1.72' (uid=0 pid=1365 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") Oct 05 22:37:36 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:37:36.536697733 -0400] - INFO - op_thread_cleanup - slapd shutting down - signaling operation threads - op stack size 7 max work q size 2 max work q stack size 2 Oct 05 22:37:36 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:37:36.593042086 -0400] - INFO - slapd_daemon - slapd shutting down - closing down internal subsystems and plugins Oct 05 22:37:36 server.example.com dbus-daemon[1811]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Oct 05 22:37:37 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:37:37.221961710 -0400] - INFO - bdb_pre_close - Waiting for 5 database threads to stop Oct 05 22:37:38 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:37:38.087821118 -0400] - INFO - bdb_pre_close - All database threads now stopped Oct 05 22:37:38 server.example.com setroubleshoot[3727353]: AnalyzeThread.run(): Cancel pending alarm Oct 05 22:37:38 server.example.com ipa-dnskeysyncd[3727108]: ipa-dnskeysyncd: ERROR syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []}) Oct 05 22:37:38 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:37:38.466828760 -0400] - INFO - ldbm_back_instance_set_destructor - Set of instances destroyed Oct 05 22:37:38 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:37:38.524525531 -0400] - INFO - connection_post_shutdown_cleanup - slapd shutting down - freed 2 work q stack objects - freed 7 op stack objects Oct 05 22:37:38 server.example.com ns-slapd[3726996]: [05/Oct/2025:22:37:38.598948982 -0400] - INFO - main - slapd stopped. Oct 05 22:37:38 server.example.com systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Oct 05 22:37:38 server.example.com systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Oct 05 22:37:39 server.example.com dbus-daemon[1811]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.168048' (uid=985 pid=3727353 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0") (using servicehelper) Oct 05 22:37:40 server.example.com dbus-daemon[1811]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged' Oct 05 22:37:41 server.example.com setroubleshoot[3727353]: SELinux is preventing systemctl from getattr access on the filesystem /. For complete SELinux messages run: sealert -l 9e381eda-edb0-43f1-8254-cc8cef70df65 Oct 05 22:37:41 server.example.com setroubleshoot[3727353]: SELinux is preventing systemctl from getattr access on the filesystem /.

                                                           *****  Plugin catchall (100. confidence) suggests   **************************

                                                           If you believe that systemctl should be allowed getattr access on the  filesystem by default.
                                                           Then you should report this as a bug.
                                                           You can generate a local policy module to allow this access.
                                                           Do
                                                           allow this access for now by executing:
                                                           # ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
                                                           # semodule -X 300 -i my-systemctl.pp

Oct 05 22:37:41 server.example.com setroubleshoot[3727353]: AnalyzeThread.run(): Set alarm timeout to 10 Oct 05 22:37:41 server.example.com systemd[1]: dirsrv@EXAMPLE-COM.service: Succeeded. Oct 05 22:37:42 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:42.340060511 -0400] - INFO - slapd_extract_cert - CA CERT NAME: EXAMPLE.COM IPA CA Oct 05 22:37:42 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:42.460527605 -0400] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. Oct 05 22:37:42 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:42.630190667 -0400] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert Oct 05 22:37:42 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:42.962547018 -0400] - INFO - Security Initialization - SSL info: Enabling default cipher set. Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.046774337 -0400] - INFO - Security Initialization - SSL info: Configured NSS Ciphers Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.163491511 -0400] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.271927506 -0400] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.355431395 -0400] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.413836276 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.513945433 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.616265715 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.691467889 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.749911078 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.858347249 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:37:43 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:43.983654123 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.060712697 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.127475740 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.202573563 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.302651932 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.386103901 -0400] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.486180282 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.579081876 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.665213352 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.757005141 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.840419043 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:37:44 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:44.965529687 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.059700105 -0400] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.184820450 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.268258904 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.349830088 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.441560982 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.558303104 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.641898097 -0400] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.749936323 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3 Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.827559431 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3 Oct 05 22:37:45 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:45.936250422 -0400] - INFO - main - 389-Directory/1.4.3.39 B2025.254.1138 starting up Oct 05 22:37:46 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:46.011057447 -0400] - INFO - main - Setting the maximum file descriptor limit to: 262144 Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.097132587 -0400] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 2048 rounds Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.147943785 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.225546806 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.324760767 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000 Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.391146930 -0400] - NOTICE - ldbm_back_start - found 16023608k physical memory Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.470470537 -0400] - NOTICE - ldbm_back_start - found 11411956k available Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.553932694 -0400] - NOTICE - ldbm_back_start - cache autosizing: db cache: 1001475k Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.663901124 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot entry cache (3 total): 917504k Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.772538534 -0400] - NOTICE - ldbm_back_start - cache autosizing: userRoot dn cache (3 total): 131072k Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.889321884 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca entry cache (3 total): 917504k Oct 05 22:37:47 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:47.997741757 -0400] - NOTICE - ldbm_back_start - cache autosizing: ipaca dn cache (3 total): 131072k Oct 05 22:37:48 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:48.131200608 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog entry cache (3 total): 917504k Oct 05 22:37:48 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:48.231267899 -0400] - NOTICE - ldbm_back_start - cache autosizing: changelog dn cache (3 total): 131072k Oct 05 22:37:48 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:48.306633320 -0400] - NOTICE - ldbm_back_start - total cache size: 4246736384 B; Oct 05 22:37:48 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:48.497356626 -0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! Oct 05 22:37:48 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:48.634437759 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=example,dc=com does not exist Oct 05 22:37:48 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:48.765382891 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=example,dc=com does not exist Oct 05 22:37:48 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:48.848817646 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=example,dc=com does not exist Oct 05 22:37:48 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:48.943756601 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.018793289 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.127597503 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.210676087 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.311831255 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.378791455 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.544729372 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.697339524 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.789043002 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.872426667 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:49 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:49.972583722 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.055464974 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.163882998 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=example,dc=com does not exist Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.242169855 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.325550775 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com does not exist Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.495690437 -0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.588487771 -0400] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off' Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.668680563 -0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which should be added before the CoS Definition. Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.864870299 -0400] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server.example.com@EXAMPLE.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text)) Oct 05 22:37:50 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:50.969483272 -0400] - INFO - validate_num_config_reservedescriptors - reserve descriptors changed from 64 to 231 Oct 05 22:37:51 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:51.044941348 -0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds! Oct 05 22:37:51 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:51.136631896 -0400] - INFO - connection_table_new - conntablesize:64000 Oct 05 22:37:51 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:51.290605689 -0400] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests Oct 05 22:37:51 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:51.380731529 -0400] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests Oct 05 22:37:51 server.example.com systemd[1]: setroubleshootd.service: Succeeded. Oct 05 22:37:51 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:51.509841964 -0400] - INFO - slapd_daemon - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests Oct 05 22:37:51 server.example.com ldapmodify[3727470]: DIGEST-MD5 common mech free Oct 05 22:37:51 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:51.719731955 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... Oct 05 22:37:51 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:51.963509837 -0400] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 533]: Cannot convert Posix ID [10] into an unused SID. Oct 05 22:37:52 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:52.059796528 -0400] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. Oct 05 22:37:52 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:52.126719622 -0400] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. Oct 05 22:37:55 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:55.990752127 -0400] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=example,dc=com Oct 05 22:37:56 server.example.com ns-slapd[3727433]: [05/Oct/2025:22:37:56.062592800 -0400] - ERR - schema-compat-plugin - Finished plugin initialization. Oct 05 22:38:38 server.example.com systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Oct 05 22:38:38 server.example.com systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 3. Oct 05 22:38:39 server.example.com ipa-dnskeysyncd[3727487]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Oct 05 22:38:42 server.example.com ipa-dnskeysyncd[3727487]: ipa-dnskeysyncd: INFO LDAP bind... Oct 05 22:38:42 server.example.com ipa-dnskeysyncd[3727487]: ipa-dnskeysyncd: INFO Commencing sync process Oct 05 22:38:42 server.example.com ipa-dnskeysyncd[3727487]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Oct 05 22:38:45 server.example.com platform-python[3727504]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO Oct 05 22:38:45 server.example.com platform-python[3727504]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL Oct 05 22:38:45 server.example.com platform-python[3727504]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false Oct 05 22:40:01 server.example.com systemd[1]: sysstat-collect.service: Succeeded.

Cheers, b.

-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue