On Fri, Jun 4, 2021 at 10:11 PM Robert Kudyba via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
After upgrading to Fedora 34 and freeipa-server-4.9.3-2.fc34.x86_64,
we're
seeing the below errors. I found a previous post that mentions a user had
these during a migration but we finished the migration a while ago:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
ipa cert-find shows 10 certs and all have a status of VALID. Apache logs
do not have any errors. And the ipaupgrade.log ends with INFO The
ipa-server-upgrade command was successful
Jun 3 18:14:03 ourschoolipa-dnskeysyncd[5025]: ipa-dnskeysyncd: ERROR
syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't
contact LDAP
server", 'ctrls': []})
Hi,
the above error is logged when 389ds is restarted, because the daemon
ipa-dnskeysyncd looses its connection. It's harmless as the daemon should
restart 60s later.
Jun 3 18:14:06 ourschoolns-slapd[17715]:
[03/Jun/2021:18:14:06.994125936
-0400] - ERR - allow_operation - Component identity is NULL
Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.899216572
-0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
Jun 3 18:14:10 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:10.955942900
-0400] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with
the private key; Cert might have been renewed since the key is wrapped. To
recover the encrypted contents, keep the wrapped symmetric key value.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.022213263
-0400] - ERR - attrcrypt_init - All prepared ciphers are not available.
Please disable attribute encryption.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.090020323
-0400] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.177952423
-0400] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree
scan in about 5 seconds after the server startup!
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.875367301
-0400] - ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition
cn=Password Policy,cn=accounts,dc=sub,dc=domain,dc=ourschool,dc=edu--no CoS
Templates found, which should be added before the CoS Definition.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.961081967
-0400] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will
start in about 5 seconds!
Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.740194095
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
ou=sudoers,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:17 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:17.818774136
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
cn=ng, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.804889621
-0400] - ERR - schema-compat-plugin - warning: no entries set up under
cn=computers, cn=compat,dc=sub,dc=domain,dc=ourschool,dc=edu
Jun 3 18:14:18 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:18.873391357
-0400] - ERR - schema-compat-plugin - Finished plugin initialization.
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.577526585
-0400] - WARN - NSACLPlugin - acl_parse - The ACL target
cn=ad,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu does not exist
Jun 3 18:14:11 ourschoolns-slapd[17715]: [03/Jun/2021:18:14:11.599342179
-0400] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=sub,dc=domain,dc=ourschool,dc=edu
does not exist
It is a known issue, already discussed in this mailing list:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
HTH,
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure