[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default

2024-04-12 Thread Martin Pitt
Yeah, I could live with that -- but TBH I still consider this mostly a
bug in openssh. querying the status of sshd.service really should work.
Arch, RHEL, Fedora, OpenSUSE etc. all call this sshd.service.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2061055

Title:
  Joining IPA domain does not restart ssh -- 'sshd.service' alias is not
  set up by default

Status in freeipa package in Ubuntu:
  New
Status in openssh package in Ubuntu:
  New

Bug description:
  Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI
  authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it
  tries to restart sshd, but that fails as "sshd.service" is not a thing
  on Ubuntu:

  2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
  2024-04-12T03:10:57Z DEBUG Process finished, return code=4

  (in /var/log/ipaclient-install.log)

  While that could be changed in freeipa, I'd argue that this is really
  a bug in Ubuntu's openssh package. Many upstream software, Ansible
  scripts etc. assume that the service is "sshd.service". In
  Debian/Ubuntu the primary unit is "ssh.service", but it has an
  `[Install] Alias=sshd.service`. That works in Debian because there
  sshd.service *actually* gets enabled by default, and ssh.socket isn't.

  But Ubuntu moved to socket activation (which is good!), so that
  ssh.socket is running by default. But that means that ssh.service
  never gets "systemctl enable"d, and hence the alias never gets set up:

  # systemctl status sshd.service
  Unit sshd.service could not be found.

  So if ssh.service is already running, it never gets restarted by
  "ipa-client-install".

  It would be really good to make that alias work by default -- if
  nothing else, just ship the symlink in the .deb, or create the symlink
  manually in the postinst?

  freeipa-client 4.10.2-2ubuntu3
  openssh-server 1:9.6p1-3ubuntu12

  Note: we have tested this functionality in Cockpit on Ubuntu for a long time
  already. But until very recently we had a workaround to force the creation of
  that alias:
  https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d
  We dropped it because it broke image builds due to some bugs in openssh's
  postinst, but it was a bad one anyway: actual users don't have that hack, and
  it hides bugs like this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
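
The on-disk situations these reports describe (an `Alias=sshd.service` whose symlink was never installed, and, in the chrony report further down this page, a unit masked to /dev/null), as an added example that is not part of the original messages or of FreeIPA. The function names, the simplified unit search path and the fixture tree are assumptions made for illustration; the fixture is constructed, so nothing here touches a live systemd.

```shell
#!/bin/sh
# Classify how a systemd unit name resolves on disk, so that a restart after
# a security-relevant config change (e.g. a new sshd_config.d drop-in) is not
# silently skipped because the name being queried does not exist.

# Simplified search path (assumption): admin directory first, then vendor ones.
UNIT_DIRS="etc/systemd/system usr/lib/systemd/system lib/systemd/system"

# unit_state UNIT [ROOT]
# prints: present | masked | alias-of:X | alias-not-installed:X | missing
unit_state() {
    us_unit=$1
    us_root=${2:-}
    for us_dir in $UNIT_DIRS; do
        us_path="$us_root/$us_dir/$us_unit"
        if [ -L "$us_path" ]; then
            us_target=$(readlink "$us_path")
            case $us_target in
                /dev/null) echo masked ;;
                *) echo "alias-of:${us_target##*/}" ;;
            esac
            return 0
        elif [ -f "$us_path" ]; then
            echo present
            return 0
        fi
    done
    # No file or symlink: look for a unit that declares the name in Alias=
    # but was never "systemctl enable"d, so the symlink was never created.
    for us_dir in $UNIT_DIRS; do
        for us_file in "$us_root/$us_dir"/*.service; do
            [ -f "$us_file" ] || continue
            if awk -F= -v want="$us_unit" '
                $1 == "Alias" { n = split($2, a, " ")
                                for (i = 1; i <= n; i++) if (a[i] == want) hit = 1 }
                END { exit !hit }' "$us_file"; then
                echo "alias-not-installed:${us_file##*/}"
                return 0
            fi
        done
    done
    echo missing
}

# restart_target UNIT [ROOT]
# prints the unit that should actually be restarted; returns 1 (reason on
# stderr) when the name is missing, masked, or an alias of a masked unit.
restart_target() {
    rt_state=$(unit_state "$1" "${2:-}")
    case $rt_state in
        present) rt_name=$1 ;;
        alias-of:*|alias-not-installed:*) rt_name=${rt_state#*:} ;;
        *) echo "$1: $rt_state" >&2; return 1 ;;
    esac
    if [ "$rt_name" != "$1" ]; then
        rt_state=$(unit_state "$rt_name" "${2:-}")
        [ "$rt_state" = present ] || { echo "$rt_name: $rt_state" >&2; return 1; }
    fi
    echo "$rt_name"
}

# build_demo_root: constructed unit tree modelled on the two reports.
build_demo_root() {
    bd_root=$(mktemp -d) || return 1
    mkdir -p "$bd_root/etc/systemd/system" "$bd_root/lib/systemd/system"
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n[Install]\nAlias=sshd.service\n' \
        > "$bd_root/lib/systemd/system/ssh.service"
    printf '[Install]\nAlias=chronyd.service\n' \
        > "$bd_root/lib/systemd/system/chrony.service"
    ln -s /dev/null "$bd_root/etc/systemd/system/chrony.service"
    ln -s /lib/systemd/system/chrony.service \
        "$bd_root/etc/systemd/system/chronyd.service"
    echo "$bd_root"
}

demo() {
    d_root=$(build_demo_root) || return 1
    for d_unit in sshd.service ssh.service chronyd.service chrony.service; do
        printf '%-16s %s\n' "$d_unit" "$(unit_state "$d_unit" "$d_root")"
    done
    rm -rf "$d_root"
}
demo
```

On a real host, call `unit_state sshd.service` with no second argument to inspect the live unit directories.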


[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default

2024-04-12 Thread Martin Pitt
Timo: It doesn't fail on Debian. See the "That works in Debian
because.." in the description (TL/DR: Debian doesn't enable ssh.socket,
but ssh.service, which sets up the symlink)

** Description changed:

  Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI
  authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it
  tries to restart sshd, but that fails as "sshd.service" is not a thing
  on Ubuntu:
  
  2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 
'sshd.service']
  2024-04-12T03:10:57Z DEBUG Process finished, return code=4
  
  (in /var/log/ipaclient-install.log)
  
  While that could be changed in freeipa, I'd argue that this is really a
  bug in Ubuntu's openssh package. Many upstream software, Ansible scripts
  etc. assume that the service is "sshd.service". In Debian/Ubuntu the
  primary unit is "ssh.service", but it has an `[Install]
  Alias=sshd.service`. That works in Debian because there sshd.service
  *actually* gets enabled by default, and ssh.socket isn't.
  
  But Ubuntu moved to socket activation (which is good!), so that
  ssh.socket is running by default. But that means that ssh.service never
  gets "systemctl enable"d, and hence the alias never gets set up:
  
  # systemctl status sshd.service
  Unit sshd.service could not be found.
  
  So if ssh.service is already running, it never gets restarted by "ipa-
  client-install".
  
  It would be really good to make that alias work by default -- if nothing
- else, just create the symlink manually in the postinst?
+ else, just ship the symlink in the .deb, or create the symlink manually
+ in the postinst?
  
  freeipa-client 4.10.2-2ubuntu3
  openssh-server 1:9.6p1-3ubuntu12
  
- 
  Note: we have tested this functionality in Cockpit on Ubuntu for a long time 
already. But until very recently we had a workaround to force the creation of 
that alias:
  
https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d
  We dropped it because it broke image builds due to some bugs in openssh's 
postinst, but it was a bad one anyway: actual users don't have that hack, and 
it hides bugs like this.



[Freeipa] [Bug 1946244] Re: When installing/uninstalling with realmd, uninstalling crashes with ScriptError

2024-04-11 Thread Martin Pitt
Confirmed in current noble.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1946244

Title:
  When installing/uninstalling with realmd, uninstalling crashes with
  ScriptError

Status in freeipa package in Ubuntu:
  New
Status in freeipa source package in Bionic:
  New
Status in freeipa source package in Hirsute:
  Won't Fix
Status in freeipa package in Debian:
  New

Bug description:
  ProblemType: Crash
  DistroRelease: Ubuntu 21.04
  PackageVersion: python3-ipaclient 4.8.6-1ubuntu5
  SourcePackage: freeipa
  Architecture: amd64

  Joining a FreeIPA domain with plain ipa-client-install works well:

  # ipa-client-install -p admin --password=SECRET --no-ntp
  [...]
  The ipa-client-install command was successful

  And leaving it again with "ipa-client-install --uninstall" also works.

  However, when doing this through realmd (which configures some
  additional useful stuff), it causes a crash:

  # realm join
  Password for admin: 

  This works fine:

  # realm list
  cockpit.lan
    type: kerberos
    realm-name: COCKPIT.LAN
    domain-name: cockpit.lan
    configured: kerberos-member
    server-software: ipa
    client-software: sssd
    required-package: freeipa-client
    required-package: sssd-tools
    required-package: sssd
    required-package: libnss-sss
    required-package: libpam-sss
    login-formats: %u...@cockpit.lan
    login-policy: allow-realm-logins

  But leaving fails:

  # realm leave
  See: journalctl REALMD_OPERATION=r152.3671
  realm: Couldn't leave realm: Running ipa-client-install failed
  root@x0:~# echo $?
  1

  
  The crash from /var/log/ipaclient-uninstall.log:

  2021-10-06T15:48:22Z INFO Client uninstall complete.
  2021-10-06T15:48:22Z DEBUG   File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 179, in execute
      return_value = self.run()
    File "/usr/lib/python3/dist-packages/ipapython/install/cli.py", line 340, in run
      return cfgr.run()
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 360, in run
      return self.execute()
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 386, in execute
      for rval in self._executor():
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
      exc_handler(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
      self._handle_exception(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
      step()
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
      step = lambda: next(self.__gen)
    File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
      value = gen.send(prev_value)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 655, in _configure
      next(executor)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
      exc_handler(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
      self._handle_exception(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
      self.__parent._handle_exception(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
      super(ComponentBase, self)._handle_exception(exc_info)
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
      step()
    File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
      step = lambda: next(self.__gen)
    File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
      six.reraise(*exc_info)
    File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
      raise value
    File

[Freeipa] [Bug 2061055] [NEW] Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default

2024-04-11 Thread Martin Pitt
Public bug reported:

Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI
authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it
tries to restart sshd, but that fails as "sshd.service" is not a thing
on Ubuntu:

2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2024-04-12T03:10:57Z DEBUG Process finished, return code=4

(in /var/log/ipaclient-install.log)

While that could be changed in freeipa, I'd argue that this is really a
bug in Ubuntu's openssh package. Many upstream software, Ansible scripts
etc. assume that the service is "sshd.service". In Debian/Ubuntu the
primary unit is "ssh.service", but it has an `[Install]
Alias=sshd.service`. That works in Debian because there sshd.service
*actually* gets enabled by default, and ssh.socket isn't.

But Ubuntu moved to socket activation (which is good!), so that
ssh.socket is running by default. But that means that ssh.service never
gets "systemctl enable"d, and hence the alias never gets set up:

# systemctl status sshd.service
Unit sshd.service could not be found.

So if ssh.service is already running, it never gets restarted by
"ipa-client-install".

It would be really good to make that alias work by default -- if nothing
else, just create the symlink manually in the postinst?

freeipa-client 4.10.2-2ubuntu3
openssh-server 1:9.6p1-3ubuntu12


Note: we have tested this functionality in Cockpit on Ubuntu for a long time 
already. But until very recently we had a workaround to force the creation of 
that alias:
https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d
We dropped it because it broke image builds due to some bugs in openssh's 
postinst, but it was a bad one anyway: actual users don't have that hack, and 
it hides bugs like this.

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: openssh (Ubuntu)
 Importance: Undecided
 Status: New

** Also affects: openssh (Ubuntu)
   Importance: Undecided
   Status: New



[Freeipa] [Bug 1946244] Re: When installing/uninstalling with realmd, uninstalling crashes with ScriptError

2022-03-25 Thread Martin Pitt
Confirmed in jammy as well.

https://logs.cockpit-project.org/logs/pull-17182-20220325-080131-1b8abf94-ubuntu-2204/log.html#303-2


[Freeipa] [Bug 1946244] Re: When installing/uninstalling with realmd, uninstalling crashes with ScriptError

2022-03-24 Thread Martin Pitt
Still confirmed on 21.10, and also Debian testing; I filed a Debian bug
and linked it.

** Bug watch added: Debian Bug tracker #1008209
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008209

** Also affects: freeipa (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008209
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1946244

Title:
  When installing/uninstalling with realmd, uninstalling crashes with
  ScriptError

Status in freeipa package in Ubuntu:
  New
Status in freeipa source package in Bionic:
  New
Status in freeipa source package in Hirsute:
  Won't Fix
Status in freeipa package in Debian:
  Unknown


[Freeipa] [Bug 1966181] Re: ipa-client-install fails on restarting non-existing chrony.service

2022-03-24 Thread Martin Pitt
A-ha! I wasn't seeing things after all. Our test images install the
"systemd-timesyncd" package (as we also run tests against that), and
that removes the chrony package and installs the mask:

# apt install systemd-timesyncd
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  chrony
The following NEW packages will be installed:
  systemd-timesyncd
0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
Need to get 30.8 kB of archives.
After this operation, 364 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu impish-updates/main amd64 systemd-timesyncd amd64 248.3-1ubuntu8.2 [30.8 kB]
Fetched 30.8 kB in 0s (82.3 kB/s)  
dpkg: chrony: dependency problems, but removing anyway as you requested:
 systemd depends on systemd-timesyncd | time-daemon; however:
  Package systemd-timesyncd is not installed.
  Package time-daemon is not installed.
  Package systemd-timesyncd which provides time-daemon is not installed.
  Package chrony which provides time-daemon is to be removed.


# ls -l /etc/systemd/system/chrony.service 
lrwxrwxrwx 1 root root 9 Mar 24 12:16 /etc/systemd/system/chrony.service -> /dev/null


Mystery solved!

So, sorry for the noise!

** Changed in: freeipa (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1966181

Title:
  ipa-client-install fails on restarting non-existing chrony.service

Status in freeipa package in Ubuntu:
  Invalid
Status in freeipa package in Debian:
  New

Bug description:
  DistroRelease: Ubuntu 21.10
  Package: freeipa-client 4.8.6-1ubuntu6

  This is a bug that just doesn't want to die -- the package *really*
  should grow an autopkgtest that checks if a basic ipa-client-install
  actually works. It's very similar to bug 1890786 except that it now
  fails on "chrony.service", not "chronyd.service":

  
  # ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --principal admin -W
  This program will set up FreeIPA client.
  Version 4.8.6

  WARNING: conflicting time synchronization service 'ntp' will be
  disabled in favor of chronyd

  Discovery was successful!
  Do you want to configure chrony with NTP server or pool address? [no]: 
  Client hostname: x0.cockpit.lan
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Continue to configure the system with these values? [no]: yes
  Synchronizing time
  No SRV records of NTP servers found and no NTP server or pool address was provided.
  Using default chrony configuration.
  CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information


  This also happens if I say "yes" to the NTP question.

  
  Now, the chrony package is indeed rather weird/broken:

  | root@x0:~# find /etc/systemd -name '*chrony*' | xargs ls -l
  | lrwxrwxrwx 1 root root  9 Mar 24 05:54 /etc/systemd/system/chrony.service -> /dev/null
  | lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/chronyd.service -> /lib/systemd/system/chrony.service
  | lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/multi-user.target.wants/chrony.service -> /lib/systemd/system/chrony.service

  | # systemctl status chrony chronyd
  | Warning: The unit file, source configuration file or drop-ins of chronyd.service changed on disk. Run 'systemctl daemon-reload' to relo>
  | ○ chrony.service
  |  Loaded: masked (Reason: Unit chrony.service is masked.)
  |  Active: inactive (dead)
  |
  | ○ chronyd.service
  |  Loaded: error (Reason: Unit chronyd.service failed to load properly, please adjust/correct and reload service manager: File exists)
  |  Active: inactive (dead)

  Again, this is unconfigured and out of the box -- the idea is that FreeIPA
  sets up everything and configures NTP/chrony/etc. to listen to the FreeIPA
  server.

  Purging chrony doesn't really help, though:

  | dpkg -P chrony
  | # no '*chrony*' files in /etc any more

  Exactly the same failure, and it still tries to configure chrony even though
  it's not there any more:

  | WARNING: conflicting time synchronization service 'ntp' will be disabled in favor of chronyd
  |
  | Discovery was successful!
  | Do you want to configure chrony with NTP server or pool address? [no]: yes
  | Enter NTP source server addresses separated by comma, or press Enter to skip:
  | Enter a NTP source pool address, or press Enter to skip:
  | Client hostname: x0.cockpit.lan
  | Realm: COCKPIT.LAN
  | DNS Domain: cockpit.lan
  | IPA Server: f0.cockpit.lan
  | BaseDN: dc=cockpit,dc=lan
  |
  | Continue to configure the system 

[Freeipa] [Bug 1966181] Re: ipa-client-install fails on restarting non-existing chrony.service

2022-03-24 Thread Martin Pitt
Hello Timo,

I'm not actually sure where these /etc/systemd/system/chrony* files come
from (in particular the mask). They are not owned by any package, nor
does chrony's postinst seem to create it (but maybe through a helper,
they are not exactly simple -- some weird interaction with the SysV
compat code?).

The chronyd.service link is created by the Alias=chronyd.service in
chrony.service, and systemd creates that when enabling the service.

My debian-testing VM has that chrony.service → /dev/null mask link right
after a fresh install and boot, no IPA script was running yet. But I
just saw that I apparently mixed up my VMs when reporting this here --
my ubuntu-stable VM does not have chrony installed at all (even though
freeipa-client recommends it, and I don't use --no-install-recommends).
I'll investigate this more thoroughly, chase down what creates that
pesky chrony.service masking, and report back here.

Thanks, and sorry for the noise so far!

-- 
https://bugs.launchpad.net/bugs/1966181

Title:
  ipa-client-install fails on restarting non-existing chrony.service

Status in freeipa package in Ubuntu:
  New
Status in freeipa package in Debian:
  New


[Freeipa] [Bug 1890786] Re: ipa-client-install fails on restarting non-existing chronyd.service

2022-03-24 Thread Martin Pitt
This is *still* broken on Ubuntu 21.10 and Debian testing. However, it
is subtly different, I filed bug 1966181 about it.

-- 
https://bugs.launchpad.net/bugs/1890786

Title:
  ipa-client-install fails on restarting non-existing chronyd.service

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Focal:
  Confirmed


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1890786/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1966181] [NEW] ipa-client-install fails on restarting non-existing chrony.service

2022-03-24 Thread Martin Pitt
Public bug reported:

DistroRelease: Ubuntu 21.10
Package: freeipa-client 4.8.6-1ubuntu6

This is a bug that just doesn't want to die -- the package *really*
should grow an autopkgtest that checks if a basic ipa-client-install
actually works. It's very similar to bug 1890786 except that it now
fails on "chrony.service", not "chronyd.service":


# ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --principal admin -W
This program will set up FreeIPA client.
Version 4.8.6

WARNING: conflicting time synchronization service 'ntp' will be disabled in favor of chronyd

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: 
Client hostname: x0.cockpit.lan
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information


This also happens if I say "yes" to the NTP question.


Now, the chrony package is indeed rather weird/broken:

| root@x0:~# find /etc/systemd -name '*chrony*' | xargs ls -l
| lrwxrwxrwx 1 root root  9 Mar 24 05:54 /etc/systemd/system/chrony.service -> /dev/null
| lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/chronyd.service -> /lib/systemd/system/chrony.service
| lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/multi-user.target.wants/chrony.service -> /lib/systemd/system/chrony.service

| # systemctl status chrony chronyd
| Warning: The unit file, source configuration file or drop-ins of chronyd.service changed on disk. Run 'systemctl daemon-reload' to relo>
| ○ chrony.service
|  Loaded: masked (Reason: Unit chrony.service is masked.)
|  Active: inactive (dead)
|
| ○ chronyd.service
|  Loaded: error (Reason: Unit chronyd.service failed to load properly, please adjust/correct and reload service manager: File exists)
|  Active: inactive (dead)

Again, this is unconfigured and out of the box -- the idea is that FreeIPA
sets up everything and configures NTP/chrony/etc. to listen to the FreeIPA
server.

Purging chrony doesn't really help, though:

| dpkg -P chrony
| # no '*chrony*' files in /etc any more

Exactly the same failure, and it still tries to configure chrony even though
it's not there any more:

| WARNING: conflicting time synchronization service 'ntp' will be disabled in favor of chronyd
|
| Discovery was successful!
| Do you want to configure chrony with NTP server or pool address? [no]: yes
| Enter NTP source server addresses separated by comma, or press Enter to skip:
| Enter a NTP source pool address, or press Enter to skip:
| Client hostname: x0.cockpit.lan
| Realm: COCKPIT.LAN
| DNS Domain: cockpit.lan
| IPA Server: f0.cockpit.lan
| BaseDN: dc=cockpit,dc=lan
|
| Continue to configure the system with these values? [no]: yes
| Synchronizing time
| No SRV records of NTP servers found and no NTP server or pool address was provided.
| Using default chrony configuration.
| CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
| The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: freeipa (Debian)
 Importance: Unknown
 Status: Unknown

** Bug watch added: Debian Bug tracker #1008195
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008195

** Also affects: freeipa (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008195
   Importance: Unknown
   Status: Unknown

-- 
https://bugs.launchpad.net/bugs/1966181

Title:
  ipa-client-install fails on restarting non-existing chrony.service

Status in freeipa package in Ubuntu:
  New
Status in freeipa package in Debian:
  Unknown

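
The symlink layout shown in this report (a mask link, an alias link and an enablement link that all concern the same unit) can be checked mechanically before an installer tries to restart the service. The following is an added example, not FreeIPA or systemd code; the function names and the temporary sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import PurePosixPath

MASK_TARGET = "/dev/null"  # systemd masks a unit by linking its name here


def scan_links(systemd_dir, needle):
    """Map every symlink under systemd_dir whose name contains needle to its target."""
    links = {}
    for dirpath, dirnames, filenames in os.walk(systemd_dir):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if needle in name and os.path.islink(full):
                links[os.path.relpath(full, systemd_dir)] = os.readlink(full)
    return links


def classify(rel_path, target):
    """Name the role a link plays: masked, enabled, alias or plain linked unit."""
    link = PurePosixPath(rel_path)
    if target == MASK_TARGET:
        return "masked"
    if link.parent.name.endswith((".wants", ".requires")):
        return "enabled"
    if PurePosixPath(target).name != link.name:
        return "alias"
    return "linked"


def find_conflicts(links):
    """Return (link, kind, unit) for alias/enablement links that point at a masked unit."""
    masked = {PurePosixPath(rel).name
              for rel, target in links.items() if target == MASK_TARGET}
    conflicts = []
    for rel, target in sorted(links.items()):
        kind = classify(rel, target)
        unit = PurePosixPath(target).name
        if kind in ("alias", "enabled") and unit in masked:
            conflicts.append((rel, kind, unit))
    return conflicts


def build_sample(root):
    """Recreate the three links from the report's `ls -l` output (constructed copy)."""
    unit = "/lib/systemd/system/chrony.service"
    os.makedirs(os.path.join(root, "multi-user.target.wants"))
    os.symlink(MASK_TARGET, os.path.join(root, "chrony.service"))
    os.symlink(unit, os.path.join(root, "chronyd.service"))
    os.symlink(unit, os.path.join(root, "multi-user.target.wants", "chrony.service"))


def analyse_sample():
    """Run the scan over the constructed tree and return (roles, conflicts)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        links = scan_links(root, "chrony")
        roles = {rel: classify(rel, target) for rel, target in links.items()}
        return roles, find_conflicts(links)


if __name__ == "__main__":
    roles, conflicts = analyse_sample()
    for rel, role in sorted(roles.items()):
        print(f"{role:8} {rel}")
    for rel, kind, unit in conflicts:
        print(f"conflict: {rel} ({kind}) points at {unit}, which is masked")
```

On a real host, pass /etc/systemd/system as the directory; any reported conflict means a restart of that unit name cannot succeed until the mask is resolved.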

[Freeipa] [Bug 1890786] Re: ipa-client-install fails on restarting non-existing chronyd.service

2022-03-24 Thread Martin Pitt
** Also affects: freeipa (Ubuntu Focal)
   Importance: Undecided
   Status: New

-- 
https://bugs.launchpad.net/bugs/1890786

Title:
  ipa-client-install fails on restarting non-existing chronyd.service

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Focal:
  Confirmed


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1890786/+subscriptions




[Freeipa] [Bug 1913231] Re: ipa-client-install fails on restarting non-existing chronyd.service

2022-03-24 Thread Martin Pitt
*** This bug is a duplicate of bug 1890786 ***
https://bugs.launchpad.net/bugs/1890786

Let's handle this in bug 1890786 instead, I added a focal task and will
close this as a duplicate.

** This bug has been marked a duplicate of bug 1890786
   ipa-client-install fails on restarting non-existing chronyd.service

-- 
https://bugs.launchpad.net/bugs/1913231

Title:
   ipa-client-install fails on restarting non-existing chronyd.service

Status in freeipa package in Ubuntu:
  New

Bug description:
  This is basically a request to have the bug resolved at
  https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1890786 fixed
  in Ubuntu 20.04. Version 4.8.6-1ubuntu3 has the fix, but Ubuntu 20.04
  is still stuck at 4.8.6-1ubuntu2.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1913231/+subscriptions




[Freeipa] [Bug 1946244] Re: When installing/uninstalling with realmd, uninstalling crashes with

2021-10-06 Thread Martin Pitt
For completeness, this is /var/log/ipaclient-install from the successful
"realm join".

** Attachment added: "ipaclient-install.log from realmd join"
   https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1946244/+attachment/5531110/+files/ipaclient-install.log

** Summary changed:

- When installing/uninstalling with realmd, uninstalling crashes with 
+ When installing/uninstalling with realmd, uninstalling crashes with ScriptError

** Also affects: freeipa (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Also affects: freeipa (Ubuntu Bionic)
   Importance: Undecided
   Status: New

-- 
https://bugs.launchpad.net/bugs/1946244

Title:
  When installing/uninstalling with realmd, uninstalling crashes with
  ScriptError

Status in freeipa package in Ubuntu:
  New
Status in freeipa source package in Bionic:
  New
Status in freeipa source package in Hirsute:
  New


[Freeipa] [Bug 1946244] [NEW] When installing/uninstalling with realmd, uninstalling crashes with ScriptError

2021-10-06 Thread Martin Pitt
Public bug reported:

ProblemType: Crash
DistroRelease: Ubuntu 21.04
PackageVersion: python3-ipaclient 4.8.6-1ubuntu5
SourcePackage: freeipa
Architecture: amd64

Joining a FreeIPA domain with plain ipa-client-install works well:

# ipa-client-install -p admin --password=SECRET --no-ntp
[...]
The ipa-client-install command was successful

And leaving it again with "ipa-client-install --uninstall" also works.

However, when doing this through realmd (which configures some
additional useful stuff), it causes a crash:

# realm join
Password for admin: 

This works fine:

# realm list
cockpit.lan
  type: kerberos
  realm-name: COCKPIT.LAN
  domain-name: cockpit.lan
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
  required-package: freeipa-client
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  login-formats: %u...@cockpit.lan
  login-policy: allow-realm-logins

But leaving fails:

# realm leave
See: journalctl REALMD_OPERATION=r152.3671
realm: Couldn't leave realm: Running ipa-client-install failed
root@x0:~# echo $?
1


The crash from /var/log/ipaclient-uninstall.log:

2021-10-06T15:48:22Z INFO Client uninstall complete.
2021-10-06T15:48:22Z DEBUG   File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3/dist-packages/ipapython/install/cli.py", line 340, in run
    return cfgr.run()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3/dist-packages/ipapython/install/common.py", line 73, in _uninstall
    for unused in self._uninstaller(self.parent):
  File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 3825, in main
    uninstall(self)
  File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 3528, in uninstall
    raise ScriptError(rval=rv)

2021-10-06T15:48:22Z DEBUG The ipa-client-install command failed, exception: ScriptError:


Ubuntu 20.04 LTS is affected the same way. Note that this crash does
*not* 

[Freeipa] [Bug 1890786] [NEW] ipa-client-install fails on restarting non-existing chronyd.service

2020-08-07 Thread Martin Pitt
Public bug reported:

DistroRelease: Ubuntu 20.10
Package: freeipa-client 4.8.6-1ubuntu2

Client install fails:

 * LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
Option --force-ntpd has been deprecated and will be removed in a future release.
Discovery was successful!
Client hostname: x0.cockpit.lan
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
CalledProcessError(Command ['/bin/systemctl', 'restart', 'chronyd.service'] returned non-zero exit status 5: 'Failed to restart chronyd.service: Unit chronyd.service not found.\n')
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

/var/log/ipaclient-install.log basically says the same, just with a
giant Traceback for CalledProcessError.

freeipa-client could depend on chronyd, but IMHO it would be better to
make this non-fatal. If one uses systemd-timesyncd (as we do by default
in Ubuntu), that should be fine?

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: groovy

** Tags added: groovy

-- 
https://bugs.launchpad.net/bugs/1890786

Title:
  ipa-client-install fails on restarting non-existing chronyd.service

Status in freeipa package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1890786/+subscriptions



[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-09-14 Thread Martin Pitt
Using the reproduction steps in the description, I re-confirmed that
with the current zesty version joining the domain fails because of that
missing directory. After installing freeipa-{client,common} from
-proposed, joining the domain now succeeds.

** Tags removed: verification-needed-zesty
** Tags added: verification-done-zesty

** Tags removed: verification-needed

-- 
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Committed
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include
  /etc/krb5.conf.d which doesn't exist, so kinit fails.

  The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
  client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  
  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt.
  joining a FreeIPA kerberos server. I am running a server on 10.111.112.100
  with a COCKPIT.LAN domain (from the "ipa-*" image on
  https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails.
  Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  stracing shows that it tries to access /etc/krb5.conf.d/ which does
  not exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

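
A preflight check for the failure reported in this thread, as an added example that is not part of the original messages or of FreeIPA: it lists every `includedir` target in a krb5.conf that is missing or cannot be listed, the condition behind kinit's "Included profile directory could not be read". The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA code): preflight check for krb5.conf includedir
# targets. Function names and the sample file are illustrative.

# missing_includedirs CONF
# Prints each directory named by an "includedir" directive in CONF that is
# missing or cannot be listed. Returns 0 if all are usable, 1 if any is not,
# 2 if CONF itself is unreadable.
missing_includedirs() {
    conf=$1
    [ -r "$conf" ] || return 2
    bad=$(
        # Directives count only at the beginning of a line, so a commented
        # "# includedir ..." line is skipped.
        sed -n 's/^includedir[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" |
        while IFS= read -r dir; do
            if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
                printf '%s\n' "$dir"
            fi
        done
    )
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad"
    return 1
}

# make_sample_conf DIR
# Writes a constructed krb5.conf under DIR with one present and one absent
# include directory (sample data, not a real client configuration).
make_sample_conf() {
    mkdir -p "$1/present.d"
    cat > "$1/krb5.conf" <<EOF
includedir $1/present.d
includedir $1/krb5.conf.d
# includedir $1/commented-out.d

[libdefaults]
  default_realm = COCKPIT.LAN
EOF
}

# Check a real file when a path is given, e.g.: sh check.sh /etc/krb5.conf
if [ $# -gt 0 ]; then
    missing_includedirs "$1" && echo "all includedir targets are readable"
fi
```

Run against /etc/krb5.conf before enrolling, it prints the directory that the mkdir workaround in this thread creates.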


[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-05-24 Thread Martin Pitt
Splendid, thanks Timo!

-- 
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  New
Status in kerberos-configs package in Debian:
  New



[Freeipa] [Bug 1693154] [NEW] ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-05-24 Thread Martin Pitt
Public bug reported:

Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
wrt. joining a FreeIPA kerberos server. I am running a server on
10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
https://fedorapeople.org/groups/cockpit/images/), and realmd.service
fails. Running ipa-client-install manually shows why:

$ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
$ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

$ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
Discovery was successful!
Client hostname: autopkgtest
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan

Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Installation failed. Rolling back changes.
IPA client is not configured on this system.


stracing shows that it tries to access /etc/krb5.conf.d/ which does not exist. 
mkdir'ing this is sufficient to fix it.

I'm not entirely sure if this is really in freeipa-client or krb5-user
(kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: freeipa-client 4.4.3-3ubuntu2
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
Date: Wed May 24 09:30:57 2017
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug zesty

-- 
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  New

Bug description:
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS)
  wrt. joining a FreeIPA kerberos server. I am running a server on
  10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on
  https://fedorapeople.org/groups/cockpit/images/), and realmd.service
  fails. Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  
  stracing shows that it tries to access /etc/krb5.conf.d/ which does not
  exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: