[Freeipa] [Bug 1630911] Re: freeipa-client has a hard dependency on "ntp" which is not wanted in lxd environment
This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

---
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium

  * fix-is-running.diff: Add a third argument to is_running() in
    ipaplatform/debian/services.py.

 -- Timo Aaltonen  Fri, 17 Feb 2017 01:40:15 +0200

** Changed in: freeipa (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1630911

Title:
  freeipa-client has a hard dependency on "ntp" which is not wanted in
  lxd environment

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  [Note: the package is called "freeipa-client" but launchpad only lets
  me select "freeipa"]

  The "freeipa-client" package has a hard dependency on "ntp".

  However: when running Ubuntu inside an lxd container, ntpd cannot run:
  the host is responsible for setting the clock, not the container.
  Hence I want to "apt-get remove ntp" from inside the container.

  But if I do so, this forcibly removes the "freeipa-client" package as
  well, because of the dependency. This in turn leaves a whole heap of
  dangling packages - see below - which are vulnerable to being
  accidentally removed.

  Proposal: change to "Recommends: ntp" instead of "Depends: ntp"

  ---
  # apt-get remove ntp
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages were automatically installed and are no longer required:
    bind9utils certmonger cracklib-runtime freeipa-common ieee-data
    iproute libavahi-client3 libavahi-common-data libavahi-common3
    libbasicobjects0 libc-ares2 libcollection4 libcrack2 libcups2
    libcurl3 libcurl3-nss libdhash1 libfreetype6 libini-config5
    libipa-hbac0 libjbig0 libjpeg-turbo8 libjpeg8 liblcms2-2 libldb1
    libnfsidmap2 libnl-3-200 libnl-route-3-200 libnspr4 libnss-sss
    libnss3 libnss3-nssdb libnss3-tools libopts25 libpam-pwquality
    libpam-sss libpath-utils1 libpwquality-common libpwquality1
    libref-array1 libsmbclient libsss-idmap0 libsss-nss-idmap0
    libsss-sudo libtdb1 libtevent0 libtiff5 libwebp5 libwebpmux1
    libxmlrpc-core-c3 libxslt1.1 oddjob oddjob-mkhomedir python-bs4
    python-cffi python-cffi-backend python-chardet python-cryptography
    python-dbus python-decorator python-dnspython python-enum34
    python-gi python-gssapi python-html5lib python-idna python-imaging
    python-ipaclient python-ipaddress python-ipalib python-jwcrypto
    python-ldap python-libipa-hbac python-lxml python-memcache
    python-netaddr python-nss python-pil python-pkg-resources
    python-ply python-pyasn1 python-pycparser python-qrcode
    python-setuptools python-six python-sss python-talloc python-usb
    python-yubico samba-libs sssd sssd-ad sssd-ad-common sssd-common
    sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy
  Use 'apt autoremove' to remove them.
  The following packages will be REMOVED:
    freeipa-client ntp
  0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 2002 kB disk space will be freed.
  Do you want to continue? [Y/n] n
  Abort.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: freeipa-client 4.3.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-34.53-generic 4.4.15
  Uname: Linux 4.4.0-34-generic x86_64
  NonfreeKernelModules: nfsd auth_rpcgss nfs_acl lockd grace sunrpc
    ip6table_filter ip6_tables xt_conntrack ufs msdos xfs binfmt_misc
    veth ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat
    nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
    isofs xt_CHECKSUM iptable_mangle xt_tcpudp bridge stp llc
    iptable_filter ip_tables x_tables zfs zunicode zcommon znvpair spl
    zavl ppdev xen_fbfront syscopyarea sysfillrect sysimgblt
    fb_sys_fops serio_raw parport_pc parport ib_iser rdma_cm iw_cm
    ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi
    scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov
    async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c
    raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul
    aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd
    psmouse floppy
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  Date: Thu Oct 6 09:05:52 2016
  Ec2AMI: ami-c06b1eb3
  Ec2AMIManifest: (unknown)
  Ec2AvailabilityZone: eu-west-1a
  Ec2InstanceType: t2.medium
  Ec2Kernel: unavailable
  Ec2Ramdisk: unavailable
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1630911/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
[Freeipa] [Bug 1640732] Re: krb5-otp package not being installed when ipa-server-install
This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

---
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium

  * fix-is-running.diff: Add a third argument to is_running() in
    ipaplatform/debian/services.py.

 -- Timo Aaltonen  Fri, 17 Feb 2017 01:40:15 +0200

** Changed in: freeipa (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1640732

Title:
  krb5-otp package not being installed when ipa-server-install

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  While using Freeipa server with an external RADIUS server (which in
  turn is connected to an OTP authenticator), freeipa-server fails to
  load the required krb5-otp module. That's because the module is simply
  not there and every request sent by a user using FAST/OTP will fail.

  This is the message on /var/log/auth:

  NEEDED_PREAUTH: johndoe@REALM for krbtgt/REALM, Additional pre-authentication required

  The user gets (note that he is not prompted for OTP, the request
  simply dies):

  root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
  [2872] 1478769982.447733: Resolving unique ccache of type KEYRING
  [2872] 1478769982.449824: Getting initial credentials for johndoe@REALM
  [2872] 1478769982.453943: FAST armor ccache: KEYRING:persistent:0:0
  [2872] 1478769982.454171: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
  [2872] 1478769982.454284: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
  [2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
  [2872] 1478769982.454484: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
  [2872] 1478769982.454637: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
  [2872] 1478769982.454733: Armor ccache sesion key: aes256-cts/03D3
  [2872] 1478769982.454836: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/8CB1, session key aes256-cts/03D3
  [2872] 1478769982.455045: FAST armor key: aes256-cts/21EB
  [2872] 1478769982.455147: Encoding request body and padata into FAST request
  [2872] 1478769982.455272: Sending request (947 bytes) to REALM
  [2872] 1478769982.455437: Resolving hostname freeipa.realm.com
  [2872] 1478769982.455900: Initiating TCP connection to stream 10.80.40.243:88
  [2872] 1478769982.456147: Sending TCP request to stream 10.80.40.243:88
  [2872] 1478769982.464118: Received answer (488 bytes) from stream 10.80.40.243:88
  [2872] 1478769982.464126: Terminating TCP connection to stream 10.80.40.243:88
  [2872] 1478769982.464147: Response was from master KDC
  [2872] 1478769982.464161: Received error from KDC: -1765328359/Additional pre-authentication required
  [2872] 1478769982.464166: Decoding FAST response
  [2872] 1478769982.464438: Processing preauth types: 136, 133, 137
  [2872] 1478769982.464446: Received cookie: MIT
  kinit: Generic preauthentication failure while getting initial credentials

  Solution:

  $ sudo apt-get install krb5-otp
  $ sudo service krb5-kdc restart
  $ sudo service krb5-admin-server restart

  After that everything works as expected:

  root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
  [2924] 1478770020.592804: Resolving unique ccache of type KEYRING
  [2924] 1478770020.592994: Getting initial credentials for johndoe@REALM
  [2924] 1478770020.596893: FAST armor ccache: KEYRING:persistent:0:0
  [2924] 1478770020.597091: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
  [2924] 1478770020.597744: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
  [2924] 1478770020.597822: Using FAST due to armor ccache negotiation result
  [2924] 1478770020.597884: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
  [2924] 1478770020.598012: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
  [2924] 1478770020.598102: Armor ccache sesion key: aes256-cts/03D3
  [2924] 1478770020.598199: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/E28F, session key aes256-cts/03D3
  [2924] 1478770020.598381: FAST armor key: aes256-cts/8677
  [2924] 1478770020.598471: Encoding request body and padata into FAST request
  [2924] 1478770020.598585: Sending request (947 bytes) to REALM
  [2924] 1478770020.598669: Resolving hostname freeipa.realm.com
  [2924] 1478770020.599039: Initiating TCP connection to stream 10.80.40.243:88
  [2924] 1478770020.599366: Sending TCP request to stream
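
Added example (not part of the bug report or of FreeIPA): a small checker for KRB5_TRACE captures like the ones in the report above. The failing trace lists only preauth types 136, 133 and 137, which are FAST bookkeeping types (RFC 6113); PA-OTP-CHALLENGE (141, RFC 6560) is absent, and the checker flags that. The function name, verdict strings and the second sample are assumptions made for this example.

```python
import re

# Pre-authentication type numbers from RFC 6113 (FAST) and RFC 6560 (OTP).
PA_NAMES = {133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 137: "PA-FX-ERROR",
            138: "PA-ENCRYPTED-CHALLENGE", 141: "PA-OTP-CHALLENGE"}
PA_OTP_CHALLENGE = 141

# Stops at a newline or at the next "[pid]" prefix, so a trace whose entries
# were run together onto one line is still parsed correctly.
PREAUTH_RE = re.compile(r"Processing preauth types: ([^\n\[]+)")
# Stand-alone integers only, so a digit inside a type name is not counted.
STANDALONE_INT = re.compile(r"(?<![\w-])\d+")


def diagnose(trace):
    """Summarise a KRB5_TRACE capture of a FAST-armored kinit (hypothetical helper)."""
    offered = []
    for group in PREAUTH_RE.findall(trace):
        for num in STANDALONE_INT.findall(group):
            if int(num) not in offered:
                offered.append(int(num))
    otp_offered = PA_OTP_CHALLENGE in offered
    failed = "Generic preauthentication failure" in trace
    if otp_offered:
        verdict = "otp-offered"
    elif offered and failed and "Using FAST" in trace:
        # FAST negotiation worked and the KDC asked for preauth, but it never
        # offered OTP: the symptom shown in the report's failing trace.
        verdict = "otp-not-offered"
    else:
        verdict = "inconclusive"
    return {"offered": offered,
            "names": [PA_NAMES.get(n, str(n)) for n in offered],
            "otp_offered": otp_offered, "verdict": verdict}


# Entries copied from the failing trace in the report above.
FAILING = """\
[2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
[2872] 1478769982.464161: Received error from KDC: -1765328359/Additional pre-authentication required
[2872] 1478769982.464438: Processing preauth types: 136, 133, 137
[2872] 1478769982.464446: Received cookie: MIT
kinit: Generic preauthentication failure while getting initial credentials
"""

# Constructed sample (not from the report): a KDC that does offer OTP.
CONSTRUCTED_OK = """\
[3000] 1500000000.000001: Using FAST due to armor ccache negotiation result
[3000] 1500000000.000002: Processing preauth types: 136, 141, 133, 137
"""

if __name__ == "__main__":
    for name, trace in (("failing", FAILING), ("constructed", CONSTRUCTED_OK)):
        print(name, diagnose(trace))
```
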
[Freeipa] [Bug 1664453] Re: autopkgtests failing with systemd-232
This bug was fixed in the package dogtag-pki - 10.3.5+12-3ubuntu1

---
dogtag-pki (10.3.5+12-3ubuntu1) zesty; urgency=medium

  * pki-tomcatd.init: If no instance is configured, the initscript
    machinery would return error value 5 or 6. This messes up systemd,
    so just use 'exit 1' on every non-zero return value. (LP: #1664453)

 -- Timo Aaltonen  Thu, 16 Feb 2017 16:43:49 +0200

** Changed in: dogtag-pki (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1664453

Title:
  autopkgtests failing with systemd-232

Status in dogtag-pki package in Ubuntu:
  Fix Released

Bug description:
  The autopkgtests for dogtag-pki are failing. It looks like this
  started with the upgrade of systemd to 232.

  Previously, pki-tomcatd was marked as failed on startup:

  Job for pki-tomcatd.service failed because the control process exited with error code.
  See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript pki-tomcatd, action "start" failed.
  ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
     Loaded: loaded (/etc/init.d/pki-tomcatd; generated; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2016-11-07 20:51:19 UTC; 14ms ago
       Docs: man:systemd-sysv-generator(8)
    Process: 8100 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=5)

  Now, the service is marked as started and exited:

  ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
     Loaded: loaded (/etc/init.d/pki-tomcatd; generated; vendor preset: enabled)
     Active: active (exited) since Tue 2017-02-14 06:02:25 UTC; 31s ago
       Docs: man:systemd-sysv-generator(8)

  Since systemd-sysv-generator uses RemainAfterExit=true, subsequent
  "systemctl start pki-tomcatd" invocations do nothing.

  I believe the relevant systemd change is:
  https://github.com/systemd/systemd/commit/41e2036eb83204df95a1c3e829bcfd78ee17aaa3
  which fixed it to detect the special LSB exit codes as intended.

  I see that .../scriptlets/configuration.py issues start() when
  configuring the first tomcat instance and restart() for subsequent
  instances (line 364). Maybe one workaround would be to use restart()
  unconditionally for now? That looks like it does roughly the right
  thing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1664453/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1664457] Re: dogtag-pki ftbfs with libresteasy-java 3.1.0
This bug was fixed in the package dogtag-pki - 10.3.5+12-3ubuntu1

---
dogtag-pki (10.3.5+12-3ubuntu1) zesty; urgency=medium

  * pki-tomcatd.init: If no instance is configured, the initscript
    machinery would return error value 5 or 6. This messes up systemd,
    so just use 'exit 1' on every non-zero return value. (LP: #1664453)

 -- Timo Aaltonen  Thu, 16 Feb 2017 16:43:49 +0200

** Changed in: dogtag-pki (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1664457

Title:
  dogtag-pki ftbfs with libresteasy-java 3.1.0

Status in dogtag-pki package in Ubuntu:
  Fix Released

Bug description:
  https://launchpadlibrarian.net/302962949/buildlog_ubuntu-zesty-amd64.dogtag-pki_10.3.5-7_BUILDING.txt.gz

  com/netscape/certsrv/account/AccountResource.java:25: error: cannot find symbol
  import org.jboss.resteasy.annotations.ClientResponseType;
                                       ^
    symbol:   class ClientResponseType
    location: package org.jboss.resteasy.annotations

  I don't think there is a Debian bug yet for this specific issue. The
  current FTBFS there looks like it's related to tomcat 8.5.

  This class in particular seems to have moved to the resteasy-legacy
  jar:

  http://sources.debian.net/src/resteasy/3.1.0-1/resteasy-legacy/src/main/java/org/jboss/resteasy/annotations/legacy/ClientResponseType.java/

  which unfortunately doesn't seem to be packaged...

  http://sources.debian.net/src/resteasy/3.1.0-1/debian/libresteasy-java.poms/#L54

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1664457/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp