[Pkg-freeipa-devel] FreeIPA 4.3.1

Diane Trout diane at ghic.org
Wed May 18 04:07:10 UTC 2016


First off, thank you for updating FreeIPA. I'm really looking forward to
having it available in Debian. I noticed you had packaged FreeIPA 4.3.1
in git, and thought I'd give it a try. (Using
version d4252bb77704a1344c8b306da187df18f9a59b0d)

With 4.3.1 on a systemd based VM I've run into a few problems so far.

Since it's not released yet, I'm not sure if I should be filing bugs in
the Debian BTS yet.

* dogtag-pki race condition

When doing:

ipa-server-install --setup-dns \
                   --forwarder <dns1> \
                   --forwarder <dns2> \
                   --forwarder <dns3> \
                   --ip-address <vm private ipv4 address> \
                   --ip-address <vm public 6to4 ipv6 address> \
                   -n <domain name> \
                   -R <DOMAIN NAME> \
                   --hostname ipa.<domain name> \
                   --auto-reverse \
                   -p "$(cat dm.pass)" \
                   -a "$(cat admin.pas)"

I found there's a race condition between

 [24/28]: restarting certificate server


 [25/28]: migrating certificate profiles to LDAP

Step 25 starts trying to talk to the tomcat pki server, but it hasn't
finished restarting yet, so it crashes being unable to connect to
"https://ipa.<domain name>:8443/ca/rest/account/login". (I got around it by
control-Zing the install process and waiting for the pki server to finish

* There's a problem where Debian seems to be confused where libsofthsm2
is located.

An earlier build of FreeIPA 4.3.1 was looking for libsofthsm2 in a
multiarch directory; the current build looks in /usr/lib/libsofthsm.
However, bind9 1:9.10.3.dfsg.P4-10 is looking for libsofthsm2 in the
multiarch directory, so if you enabled dnssec bind9 named-pkcs11 won't

(Temporarily solved by symlinking /usr/lib/libsofthsm to
/usr/lib/x86_64-linux-gnu/libsofthsm.) But some package probably needs
fixing or tighter version requirements.

* ipa plugins 

A small bug: while poking around various ipa commands, I found ipa
plugins throws an exception.

root@ipa:/etc/samba# ipa plugins
ipa: ERROR: non-public: KeyError: 'count'
Traceback (most recent call last):

Hope the testing is helpful,
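
Added example (not part of the original message and not FreeIPA's installer code): the race between steps 24 and 25 reproduced against a constructed local listener, with a bounded readiness poll gating the second step. The names `port_open`, `wait_until_ready` and `simulated_restart` are hypothetical, and it assumes a listening TCP port is an acceptable minimum readiness signal; a real CA may accept connections before its web application can answer.

```python
import socket
import threading
import time


def port_open(host, port, connect_timeout=1.0):
    """True if a TCP connect succeeds, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except OSError:
        return False


def wait_until_ready(probe, timeout=300.0, interval=1.0):
    """Poll probe() until true; return attempts used or raise TimeoutError."""
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        if probe():
            return attempts
        if time.monotonic() >= deadline:
            raise TimeoutError(f"not ready after {attempts} attempts")
        time.sleep(interval)


def simulated_restart(delay):
    """Constructed stand-in for step 24: a listener that appears after delay s."""
    with socket.socket() as s:  # reserve a free local port number
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    def serve():
        time.sleep(delay)
        with socket.socket() as srv:
            srv.bind(("127.0.0.1", port))
            srv.listen()
            srv.accept()[0].close()  # take one connection, then exit

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(delay=0.5):
    port = simulated_restart(delay)
    raced = port_open("127.0.0.1", port)  # step 25 run at once: refused
    attempts = wait_until_ready(lambda: port_open("127.0.0.1", port),
                                timeout=10, interval=0.05)
    return raced, attempts
```

`demo()` returns whether the immediate connection attempt succeeded and how many polls the gated attempt needed before the listener was up.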
