[Pkg-freeipa-devel] FreeIPA 4.3.1
tjaalton at debian.org
Wed May 18 04:52:16 UTC 2016
On 18.05.2016 07:07, Diane Trout wrote:
> First off, thank you for updating FreeIPA. I'm really looking forward to
> having it available in Debian. I noticed you had packaged FreeIPA 4.3.1
> in git, and thought I'd give it a try. (Using
> version d4252bb77704a1344c8b306da187df18f9a59b0d)
> With 4.3.1 on a systemd based VM I've run into a few problems so far.
> Since it's not released yet, I'm not sure if I should be filing bugs in
> the Debian BTS yet.
> * dogtag-pki race condition
> When doing:
> ipa-server-install --setup-dns \
> --forwarder <dns1> \
> --forwarder <dns2> \
> --forwarder <dns3> \
> --ip-address <vm private ipv4 address> \
> --ip-address <vm public 6to4 ipv6 address> \
> -n <domain name> \
> -R <DOMAIN NAME> \
> --hostname ipa.<domain name> \
> --auto-reverse \
> -p "$(cat dm.pass)" \
> -a "$(cat admin.pas)"
> I found there's a race condition between
> [24/28]: restarting certificate server
> [25/28]: migrating certificate profiles to LDAP
> Step 25 starts trying to talk to the tomcat pki server, but it hasn't
> finished restarting yet so it crashes being unable to connect to
> "https://ipa.<domain name>:8443/ca/rest/account/login". (I got around it by
> control-Zing the install process and waiting for the pki server to finish
So the restart task probably returns too soon. I guess that's because
tomcat doesn't use systemd.. no idea how to fix properly on freeipa
side, I haven't hit this.
> * There's a problem where Debian seems to be confused where libsofthsm2
> is located.
> An earlier build of Freeipa 4.3.1 was looking for libsofthsm2 in a
> multiarch directory, the current build looks in /usr/lib/libsofthsm
> however bind9 1:9.10.3.dfsg.P4-10 is looking for libsofthsm2 in the
> multiarch directory so if you enabled dnssec bind9 named-pkcs11 won't
It should still use the multiarch dir, this is from
import sysconfig
MULTIARCH = sysconfig.get_config_var('MULTIARCH')
LIBSOFTHSM2_SO = "/usr/lib/%s/softhsm/libsofthsm2.so" % MULTIARCH
where do you see /usr/lib/libsofthsm being used?
> * ipa plugins
> A small bug, while poking around various ipa commands I found ipa
> plugins throws an exception.
> root@ipa:/etc/samba# ipa plugins
> ipa: ERROR: non-public: KeyError: 'count'
> Traceback (most recent call last):
Ok, can reproduce, no idea yet. You can file a bug about this at least.
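
The race described in the first item (a restart step that returns before the service accepts connections on port 8443) can be closed by polling the port before the next step runs. The following is an added example, not code from FreeIPA or from this thread; the names `wait_for_port` and `restart_then_wait` are hypothetical, and it only checks TCP reachability, not that the REST endpoint is ready.

```python
import socket
import time


def wait_for_port(host, port, timeout=300.0, interval=1.0):
    """Block until host:port accepts a TCP connection or the timeout expires.

    Returns True once a connection succeeds, False if the deadline passes.
    """
    # Monotonic clock: the deadline is immune to wall-clock adjustments.
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        try:
            # Cap each attempt so one hung connect cannot overrun the deadline.
            with socket.create_connection((host, port),
                                          timeout=min(interval, remaining)):
                return True
        except OSError:
            # Refused or timed out: the service is not listening yet.
            time.sleep(min(interval, max(0.0, deadline - time.monotonic())))


def restart_then_wait(restart, host, port, timeout=300.0):
    """Run a restart callable, then refuse to continue until the port is open.

    `restart` is any zero-argument callable (assumption: it may return
    before the service has finished starting, as described in the thread).
    """
    restart()
    if not wait_for_port(host, port, timeout=timeout):
        raise TimeoutError("%s:%d not accepting connections after %.1fs"
                           % (host, port, timeout))
```

A TCP accept is a necessary condition only; a servlet container can open its port before the web application behind it is deployed, so a caller may still need to retry the first HTTPS request.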