[Pkg-freeipa-devel] FreeIPA 4.3.1

Timo Aaltonen tjaalton at debian.org
Wed May 18 04:52:16 UTC 2016


On 18.05.2016 07:07, Diane Trout wrote:
> Hello!
> 
> First off, thank you for updating FreeIPA. I'm really looking forward to
> having it available in Debian. I noticed you had packaged FreeIPA 4.3.1
> in git, and thought I'd give it a try. (Using
> version d4252bb77704a1344c8b306da187df18f9a59b0d)
> 
> With 4.3.1 on a systemd based VM I've run into a few problems so far.
> 
> Since it's not released yet, I'm not sure if I should be filing bugs in
> the Debian BTS yet.
> 
> * dogtag-pki race condition
> 
> When doing:
> 
> ipa-server-install --setup-dns \
>                    --forwarder <dns1> \
>                    --forwarder <dns2> \
>                    --forwarder <dns3> \
>                    --ip-address <vm private ipv4 address> \
>                    --ip-address <vm public 6to4 ipv6 address> \
>                    -n <domain name> \
>                    -R <DOMAIN NAME> \
>                    --hostname ipa.<domain name> \
>                    --auto-reverse \
>                    -p "$(cat dm.pass)" \
>                    -a "$(cat admin.pas)"
> 
> I found there's a race condition between
> 
>  [24/28]: restarting certificate server
> 
> and 
> 
>  [25/28]: migrating certificate profiles to LDAP
> 
> Step 25 starts trying to talk to the tomcat pki server, but it hasn't
> finished restarting yet, so it crashes, being unable to connect to
> "https://ipa. name>:8443/ca/rest/account/login". (I got around it by
> control-Z'ing the install process and waiting for the pki server to
> finish restarting.)

So the restart task probably returns too soon. I guess that's because
tomcat doesn't use systemd... No idea how to fix it properly on the
freeipa side; I haven't hit this.

> * There's a problem where Debian seems to be confused where libsofthsm2
> is located.
> 
> An earlier build of FreeIPA 4.3.1 was looking for libsofthsm2 in a
> multiarch directory; the current build looks in /usr/lib/libsofthsm.
> However, bind9 1:9.10.3.dfsg.P4-10 is looking for libsofthsm2 in the
> multiarch directory, so if you enable DNSSEC, bind9's named-pkcs11 won't
> start.

It should still use the multiarch dir; this is from
ipaplatform/debian/paths.py:

MULTIARCH = sysconfig.get_config_var('MULTIARCH')
...
    LIBSOFTHSM2_SO = "/usr/lib/%s/softhsm/libsofthsm2.so" % MULTIARCH

Where do you see /usr/lib/libsofthsm being used?

> * ipa plugins 
> 
> A small bug, while poking around various ipa commands I found ipa
> plugins throws an exception.
> 
> root at ipa:/etc/samba# ipa plugins
> ipa: ERROR: non-public: KeyError: 'count'
> Traceback (most recent call last):

Ok, can reproduce, no idea yet. You can file a bug about this at least.


-- 
t
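One way to close the gap between step [24/28] and [25/28] discussed above is to poll the CA REST endpoint until it answers before the installer moves on. This is an added example, not FreeIPA or packaging code; the hostname, the 8443 port path from the report, and the timeouts are assumptions, and the probe is injectable so the wait loop can be exercised offline.

```python
"""Wait for the Dogtag CA webapp to accept connections after a restart.

Added example (not FreeIPA code). The restart step returns as soon as the
service command exits, but Tomcat is still starting; the next step then
fails to reach https://<host>:8443/ca/rest/account/login. Polling the
endpoint before proceeding avoids that race.
"""
import ssl
import time
import urllib.request
from urllib.error import HTTPError

# Assumed hostname; the real one is ipa.<domain name> from the install.
CA_LOGIN_URL = "https://ipa.example.test:8443/ca/rest/account/login"


def ca_probe(url=CA_LOGIN_URL, timeout=5.0):
    """Return True once the CA returns any HTTP response at all.

    Any status (including 401, which the login resource returns without
    credentials) means Tomcat and the CA webapp are up. Only a transport
    failure (refused, reset, TLS error, timeout) counts as "not yet".
    """
    ctx = ssl.create_default_context()  # verify against the system CA bundle
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx):
            return True
    except HTTPError:
        return True  # server is up; it merely rejected the request
    except OSError:  # URLError, ssl.SSLError and socket.timeout are OSErrors
        return False


def wait_for_ca(probe=ca_probe, timeout=300.0, interval=2.0,
                clock=time.monotonic, sleep=time.sleep):
    """Call probe() until it succeeds or `timeout` seconds have elapsed.

    Returns the number of attempts made; raises TimeoutError otherwise.
    clock and sleep are injectable so the loop can be tested offline.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        if probe():
            return attempts
        if clock() >= deadline:
            raise TimeoutError(f"CA not reachable after {attempts} attempts")
        sleep(interval)


if __name__ == "__main__":
    print("CA ready after", wait_for_ca(), "attempt(s)")
```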
