[Freeipa] [Bug 2060298] Re: Python 3.12 SyntaxWarnings when installing python3-ipaclient

2024-04-14 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.11.1-2

---
freeipa (4.11.1-2) unstable; urgency=medium

  * use-raw-strings.diff: Import patch from upstream to fix noise when
    installing. (LP: #2060298)
  * map-ssh-service.diff: Map sshd service to use ssh.service. (LP:
    #2061055)

 -- Timo Aaltonen   Fri, 12 Apr 2024 14:31:35 +0300

** Changed in: freeipa (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2060298

Title:
  Python 3.12 SyntaxWarnings when installing python3-ipaclient

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  On a system with python 3.12 installing the python ipaclient package
  (this is on Ubuntu 24.04 using the distro packages) produces the
  warnings:

  Setting up python3-ipaclient (4.10.2-2) ...
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_164/automember.py:19: SyntaxWarning: invalid escape sequence '\.'
  doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_164/group.py:19: SyntaxWarning: invalid escape sequence '\D'
  doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_164/hbactest.py:19: SyntaxWarning: invalid escape sequence '\A'
  doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_164/trust.py:19: SyntaxWarning: invalid escape sequence '\D'
  doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_49/automember.py:19: SyntaxWarning: invalid escape sequence '\.'
  doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_49/group.py:19: SyntaxWarning: invalid escape sequence '\D'
  doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_49/trust.py:19: SyntaxWarning: invalid escape sequence '\D'
  doc = _("""

  I reported the issue upstream at https://pagure.io/freeipa/issue/9565
  where it has already been fixed, including in the 4.10 branch that
  Ubuntu 24.04 is on. Please rebase to a version that has that commit
  (though it's just a warning shown at install time, so not the end of
  the world either).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2060298/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
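
A pre-packaging check for the warning class reported above, added here as an example (it is not part of the bug report or of FreeIPA). It compiles a source string without executing it, collects invalid-escape warnings, and verifies that switching a literal to a raw string leaves its value unchanged; the sample sources and all function names are constructed for illustration.

```python
import ast
import warnings


def find_invalid_escapes(source, filename="<constructed>"):
    """Compile source without executing it and return sorted
    (lineno, message) pairs for each invalid-escape warning."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        compile(source, filename, "exec")
    hits = set()
    for w in caught:
        # SyntaxWarning on Python 3.12+, DeprecationWarning on older versions.
        is_escape = "escape sequence" in str(w.message)
        if is_escape and issubclass(w.category, (SyntaxWarning, DeprecationWarning)):
            hits.add((w.lineno, str(w.message)))
    return sorted(hits)


def string_constants(source):
    """Return the value of every string literal in source, in AST walk order."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        tree = ast.parse(source)
    return [node.value for node in ast.walk(tree)
            if isinstance(node, ast.Constant) and isinstance(node.value, str)]


def value_preserving(before, after):
    """True if the raw-string rewrite did not change any literal's value."""
    return string_constants(before) == string_constants(after)


# Constructed sample in the shape of the flagged files (not FreeIPA source).
BEFORE = r'''
doc = ("""
Example: group names matching \D+ are accepted.
""")
'''
AFTER = BEFORE.replace('doc = ("""', 'doc = (r"""')

# Constructed counter-example: the literal mixes a valid escape (newline)
# with an invalid one, so a blanket raw-string prefix changes its value.
MIXED = r'doc = "first line\nmatches \D+"'
MIXED_RAW = MIXED.replace('= "', '= r"')


if __name__ == "__main__":
    for name, src in (("BEFORE", BEFORE), ("AFTER", AFTER),
                      ("MIXED", MIXED), ("MIXED_RAW", MIXED_RAW)):
        print(name, find_invalid_escapes(src))
    print("BEFORE -> AFTER preserves values:", value_preserving(BEFORE, AFTER))
    print("MIXED -> MIXED_RAW preserves values:", value_preserving(MIXED, MIXED_RAW))
```

The second comparison is the case to watch when applying a raw-string fix in bulk: the warning disappears, but a literal that also relied on a valid escape now holds different text.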


[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default

2024-04-14 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.11.1-2

---
freeipa (4.11.1-2) unstable; urgency=medium

  * use-raw-strings.diff: Import patch from upstream to fix noise when
    installing. (LP: #2060298)
  * map-ssh-service.diff: Map sshd service to use ssh.service. (LP:
    #2061055)

 -- Timo Aaltonen   Fri, 12 Apr 2024 14:31:35 +0300

** Changed in: freeipa (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2061055

Title:
  Joining IPA domain does not restart ssh -- 'sshd.service' alias is not
  set up by default

Status in freeipa package in Ubuntu:
  Fix Released
Status in openssh package in Ubuntu:
  Triaged

Bug description:
  Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI
  authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it
  tries to restart sshd, but that fails as "sshd.service" is not a thing
  on Ubuntu:

  2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
  2024-04-12T03:10:57Z DEBUG Process finished, return code=4

  (in /var/log/ipaclient-install.log)

  While that could be changed in freeipa, I'd argue that this is really
  a bug in Ubuntu's openssh package. A lot of upstream software, Ansible
  scripts etc. assume that the service is "sshd.service". In
  Debian/Ubuntu the primary unit is "ssh.service", but it has an
  `[Install] Alias=sshd.service`. That works in Debian because there
  sshd.service *actually* gets enabled by default, and ssh.socket isn't.

  But Ubuntu moved to socket activation (which is good!), so that
  ssh.socket is running by default. But that means that ssh.service
  never gets "systemctl enable"d, and hence the alias never gets set up:

  # systemctl status sshd.service
  Unit sshd.service could not be found.

  So if ssh.service is already running, it never gets restarted by
  "ipa-client-install".

  It would be really good to make that alias work by default -- if
  nothing else, just ship the symlink in the .deb, or create the symlink
  manually in the postinst?

  freeipa-client 4.10.2-2ubuntu3
  openssh-server 1:9.6p1-3ubuntu12

  Note: we have tested this functionality in Cockpit on Ubuntu for a long time
  already. But until very recently we had a workaround to force the creation of
  that alias:
  https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d
  We dropped it because it broke image builds due to some bugs in openssh's
  postinst, but it was a bad one anyway: actual users don't have that hack, and
  it hides bugs like this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions
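
A check for the failure described in this report, added here as an example (it is not part of the bug report or of FreeIPA): it pairs each `args=[...]` line in an install log with the `return code=` line that follows and reports systemctl calls that ended with status 4, which systemctl documents as "no such unit". Only the sshd.service pair comes from the report; the other sample lines and the function names are constructed.

```python
import ast
import os
import re

ARGS_RE = re.compile(r"^(?P<ts>\S+) DEBUG args=(?P<argv>\[.*\])\s*$")
RC_RE = re.compile(r"^\S+ DEBUG Process finished, return code=(?P<rc>-?\d+)\s*$")

UNIT_NOT_FOUND = 4  # systemctl's LSB-style exit status for "no such unit"

# The sshd.service pair is quoted from the report; the sssd.service and
# example-helper pairs are constructed in the same shape.
SAMPLE_LOG = """\
2024-04-12T03:10:55Z DEBUG args=['/bin/systemctl', 'is-active', 'sssd.service']
2024-04-12T03:10:55Z DEBUG Process finished, return code=0
2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2024-04-12T03:10:57Z DEBUG Process finished, return code=4
2024-04-12T03:10:58Z DEBUG args=['/usr/bin/example-helper', '--flag']
2024-04-12T03:10:58Z DEBUG Process finished, return code=4
"""


def parse_argv(text):
    """Parse the logged Python list literal; return None if it is not a
    list of strings. literal_eval accepts literals only, so nothing in
    the log is executed."""
    try:
        argv = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None
    if isinstance(argv, list) and all(isinstance(a, str) for a in argv):
        return argv
    return None


def unresolved_units(log_text):
    """Return (timestamp, verb, unit) for each systemctl call whose exit
    status says the unit does not exist."""
    findings = []
    pending = None  # (timestamp, argv) waiting for its return-code line
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            argv = parse_argv(m.group("argv"))
            pending = (m.group("ts"), argv) if argv else None
            continue
        m = RC_RE.match(line)
        if not m or pending is None:
            continue
        ts, argv = pending
        pending = None
        if (int(m.group("rc")) == UNIT_NOT_FOUND
                and len(argv) >= 3
                and os.path.basename(argv[0]) == "systemctl"):
            findings.append((ts, argv[1], argv[2]))
    return findings


if __name__ == "__main__":
    for ts, verb, unit in unresolved_units(SAMPLE_LOG):
        print(f"{ts}: systemctl {verb} {unit}: unit not found; "
              "a changed configuration may not have been reloaded")
```

A hit for the SSH unit means the daemon may still be running with its pre-enrollment configuration, so the drop-in under /etc/ssh/sshd_config.d/ is not yet in effect.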




[Freeipa] [Bug 2040359] Re: Merge bind9 from Debian unstable for noble

2024-02-03 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.21-0ubuntu1

---
bind9 (1:9.18.21-0ubuntu1) noble; urgency=medium

  * New upstream release 9.18.21 (LP: #2040359)
    - Updates:
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Honor nsupdate -v option when server command specified by sending both
        the UPDATE request and the initial query over TCP.
      + Mark cookie-algorithm aes as deprecated, use SipHash-2-4, instead.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval as
        deprecated.
      + Mark dnssec-must-be-secure as deprecated.
    - Bug Fixes:
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritative data into account when looking up stale cache
        data.
      + Fix use of named -X and lock-file at the same time.
      + Fix improper lock-file removal.
      + Fix bound checking in Content-Length header in the statistics channel.
      + Fix memory leaks from not clearing the OpenSSL error stack.
      + Fix SERVFAIL responses from introduction of krb5-subdomain-self-rhs and
        ms-subdomain-self-rhs update policies.
      + Fix stale-refresh-time feature being disabled by cache flush.
      + Fix DNS message corruption from partial writes.
    - See https://bind9.readthedocs.io/en/v9.18.21/notes.html for additional
      information
  * d/p/CVE-2023-3341.patch, d/p/CVE-2023-4236.patch: Remove - fixed by
    upstream in version 9.18.19
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h

 -- Lena Voytek   Thu, 25 Jan 2024 08:37:15 -0700

** Changed in: bind9 (Ubuntu)
   Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4236

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2040359

Title:
  Merge bind9 from Debian unstable for noble

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released


[Freeipa] [Bug 2040359] Re: Merge bind9 from Debian unstable for noble

2024-02-03 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap - 11.10-6ubuntu4

---
bind-dyndb-ldap (11.10-6ubuntu4) noble; urgency=medium

  * No-change rebuild with bind9-libs 1:9.18.21-0ubuntu1 (LP: #2040359)

 -- Lena Voytek   Thu, 25 Jan 2024 15:10:49 -0700

** Changed in: bind-dyndb-ldap (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2040359

Title:
  Merge bind9 from Debian unstable for noble

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  In Progress

Bug description:
  Upstream: 9.18.19
  Debian:   1:9.19.17-1
  Ubuntu:   1:9.18.18-0ubuntu2

  Debian does new releases regularly, so it's likely there will be newer
  versions available before FF that we can pick up if this merge is done
  later in the cycle.

  If it turns out this needs a sync rather than a merge, please change
  the tag 'needs-merge' to 'needs-sync', and (optionally) update the
  title as desired.

  
  ### New Debian Changes ###

  bind9 (1:9.19.17-1) unstable; urgency=medium

    * New upstream version 9.19.17
      - CVE-2023-3341: A stack exhaustion flaw in control channel code may
        cause named to terminate unexpectedly (Closes: #1052416)
      - CVE-2023-4236: named may terminate unexpectedly under high
        DNS-over-TLS query load (Closes: #1052417)

   -- Ondřej Surý   Wed, 20 Sep 2023 18:13:07 +0200

  bind9 (1:9.19.16-1) experimental; urgency=medium

    * New upstream version 9.19.16

   -- Ondřej Surý   Wed, 16 Aug 2023 17:54:24 +0200

  bind9 (1:9.19.15-1) experimental; urgency=medium

    * New upstream version 9.19.15

   -- Ondřej Surý   Wed, 19 Jul 2023 14:16:46 +0200

  bind9 (1:9.19.14-1) experimental; urgency=medium

    * New upstream version 9.19.14

   -- Ondřej Surý   Wed, 21 Jun 2023 21:00:01 +0200

  bind9 (1:9.19.13-1) experimental; urgency=medium

    * New upstream version 9.19.13

   -- Ondřej Surý   Wed, 17 May 2023 17:50:48 +0200

  bind9 (1:9.19.12-2) experimental; urgency=medium

    * Add liburcu-dev to Build-Depends

   -- Ondřej Surý   Thu, 20 Apr 2023 14:24:06 +0200

  bind9 (1:9.19.12-1) experimental; urgency=medium

    * New upstream version 9.19.12

   -- Ondřej Surý   Wed, 19 Apr 2023 15:01:59 +0200

  bind9 (1:9.19.11-1) experimental; urgency=medium

    * New upstream version 9.19.11
    * Update the d/bind9-dev.install, d/bind9.install and d/not-installed
      after library squash

   -- Ondřej Surý   Wed, 15 Mar 2023 18:27:20 +0100

  bind9 (1:9.19.10-1) experimental; urgency=medium

    * New upstream version 9.19.10
    * Drop libtool-bin from B-D (Closes: #1022968)

   -- Ondřej Surý   Fri, 10 Feb 2023 15:16:29 +0100

  bind9 (1:9.19.9-2) experimental; urgency=medium

    * Allow the named to use systemd notify service

   -- Ondřej Surý   Thu, 26 Jan 2023 21:18:35 +0100

  bind9 (1:9.19.9-1) experimental; urgency=medium

    * New upstream version 9.19.9

   -- Ondřej Surý   Wed, 25 Jan 2023 16:04:03 +0100

  bind9 (1:9.19.8-1) experimental; urgency=medium

    * New upstream version 9.19.8

   -- Ondřej Surý   Wed, 21 Dec 2022 18:02:17 +0100

  bind9 (1:9.19.7-1) experimental; urgency=medium

    * New upstream version 9.19.7

   -- Ondřej Surý   Wed, 16 Nov 2022 14:05:15 +0100

  bind9 (1:9.19.6-2) experimental; urgency=medium

    * Use systemd notify for service readiness check (Closes: #994696)

   -- Bernhard Schmidt   Sun, 30 Oct 2022 00:14:05 +0200

  bind9 (1:9.19.6-1) experimental; urgency=medium

    * New upstream version 9.19.6

   -- Ondřej Surý   Wed, 19 Oct 2022 15:06:31 +0200

  bind9 (1:9.19.5-1) experimental; urgency=medium

    * New upstream version 9.19.5


  ### Old Ubuntu Delta ###

  bind9 (1:9.18.18-0ubuntu2) mantic; urgency=medium

    * SECURITY UPDATE: DoS via recursive packet parsing
      - debian/patches/CVE-2023-3341.patch: add a max depth check to
        lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
      - CVE-2023-3341
    * SECURITY UPDATE: DoS via DNS-over-TLS queries
      - debian/patches/CVE-2023-4236.patch: check return code in
        lib/isc/netmgr/tlsdns.c.
      - CVE-2023-4236

   -- Marc Deslauriers   Wed, 20 Sep 2023 12:45:21 -0400

  bind9 (1:9.18.18-0ubuntu1) mantic; urgency=medium

    * New upstream release 9.18.18 (LP: #2034367)
      - Updates:
        + Mark a primary server as temporarily unreachable when a TCP connection
          response to an SOA query times out, matching behavior of a refused TCP
          connection.
        + Mark dialup and heartbeat-interval options as deprecated.
        + Retry DNS queries without an EDNS COOKIE when the first response is
          FORMERR with the EDNS COOKIE that was sent originally.
        + Use NS records for the relaxed QNAME minimization mode to reduce the
          number of queries from named.
      - Bug Fixes:
        + Fix

[Freeipa] [Bug 2044242] Re: ipa-client-install seg faults (s390x)

2023-11-22 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2044242

Title:
  ipa-client-install seg faults (s390x)

Status in Ubuntu on IBM z Systems:
  New
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Executing 'ipa-client-install' (package: freeipa-client) is causing a
  segmentation fault:

  ubuntu@server:~$ sudo apt install freeipa-client
  ubuntu@server:~$ ipa-client-install
  Segmentation fault (core dumped)
  ubuntu@server:~$ ls -l /var/crash/
  total 2012
  -rw-r- 1 ubuntu ubuntu 2057124 Nov 22 08:22 _usr_sbin_ipa-client-install.1000.crash
  ubuntu@server:~$ vi /var/log/syslog
  ...
  Nov 22 08:22:33 server kernel: [  162.136131] User process fault: interruption code 003b ilc:2 in ext_dce.cpython-310-s390x-linux-gnu.so[3ff8b88+4000]
  Nov 22 08:22:33 server kernel: [  162.136153] Failing address: 03ff23f0f000 TEID: 03ff23f0f800
  Nov 22 08:22:33 server kernel: [  162.136156] Fault in primary space mode while using user ASCE.
  Nov 22 08:22:33 server kernel: [  162.136160] AS:9f5581c7 R3:0024
  Nov 22 08:22:33 server kernel: [  162.136166] CPU: 3 PID: 4294 Comm: ipa-client-inst Not tainted 5.15.0-89-generic #99-Ubuntu
  Nov 22 08:22:33 server kernel: [  162.136169] Hardware name: IBM 2964 N63 400 (z/VM 6.4.0)
  Nov 22 08:22:33 server kernel: [  162.136170] User PSW : 070520018000 03ff23f0f150
  Nov 22 08:22:33 server kernel: [  162.136173] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:2 PM:0 RI:0 EA:3
  Nov 22 08:22:33 server kernel: [  162.136176] User GPRS: 0f010043 02aa242fb170 03ff8b885240 0600
  Nov 22 08:22:33 server kernel: [  162.136178] 0080 02aa242fb170 03ff8b882c00 03ff8bde6d70
  Nov 22 08:22:33 server kernel: [  162.136180] 03ff8bd50450 03ff8bdbc7b0 03ff8bd599b0 03ff8bd599e0
  Nov 22 08:22:33 server kernel: [  162.136182] 03ff8c8b0f90 03ff8bdbc7b0 02aa23f49cac 03ffe5c745c0
  Nov 22 08:22:33 server kernel: [  162.136189] User Code: Bad PSW.
  Nov 22 08:22:33 server kernel: [  162.136190] Last Breaking-Event-Address:
  Nov 22 08:22:33 server kernel: [  162.136190]  [<03ff8b882c06>] 0x3ff8b882c06
  Nov 22 08:22:33 server systemd[986]: Started D-Bus User Message Bus.
  Nov 22 08:22:33 server dbus-daemon[4303]: [session uid=1000 pid=4303] AppArmor D-Bus mediation is enabled
  ...

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: freeipa-client 4.9.8-1
  ProcVersionSignature: Ubuntu 5.15.0-89.99-generic 5.15.126
  Uname: Linux 5.15.0-89-generic s390x
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: s390x
  CasperMD5CheckResult: pass
  CloudArchitecture: s390x
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  Date: Wed Nov 22 08:52:47 2023
  InstallationDate: Installed on 2023-11-22 (0 days ago)
  InstallationMedia: Ubuntu-Server 22.04.2 LTS "Jammy Jellyfish" - Release s390x (20230220.1)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

  $ apt-cache policy freeipa-client
  freeipa-client:
    Installed: 4.9.8-1
    Candidate: 4.9.8-1
    Version table:
   *** 4.9.8-1 500
          500 http://ports.ubuntu.com/ubuntu-ports jammy/universe s390x Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2044242/+subscriptions




[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar

2023-10-26 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap - 11.10-4ubuntu0.3

---
bind-dyndb-ldap (11.10-4ubuntu0.3) lunar; urgency=medium

  * d/p/remove-rpz_attach.patch: Remove rpz_attach to fix build failure against
    bind9 9.18.13+ (LP: #2028413)

 -- Lena Voytek   Thu, 21 Sep 2023 07:24:11 -0700

** Changed in: bind9 (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Released
Status in bind9 source package in Lunar:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

   * lunar (23.04): bind9 9.18.18
   * jammy (22.04): bind9 9.18.18
   * focal (20.04): bind9 9.16.43

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  9.18.13-9.18.18 for lunar and jammy:

  Updates:

  Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
  Mark dialup and heartbeat-interval options as deprecated.
  Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
  Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
  Mark TKEY mode 2 as deprecated.
  Mark delegation-only and root-delegation-only as deprecated.
  Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.

  Bug Fixes:

  Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
  Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
  Fix the ability to read HMAC-MD5 key files (LP: #2015176).
  Fix stability issues with the catalog zone implementation.
  Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
  Do not return delegation from cache after stale-answer-client-timeout.
  Fix failure to auto-tune clients-per-query limit in some situations.
  Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
  Bring rndc read timeout back to 60 seconds from 30.
  Treat libuv returning ISC_R_INVALIDPROTO as a network error.
  Clean up empty-non-terminal NSEC3 records.
  Fix log file rotation cleanup for absolute file path destinations.
  Fix various catalog zone processing crashes.
  Fix transfer hang when downloading large zones over TLS.
  Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
  Delay DNSSEC key queries until all zones have finished loading.

  CVE Fixes - already available as patches:

  CVE-2023-2828
  CVE-2023-2911

  For full release notes, see:
  https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18

  While there are behavioral changes in this release, I was unable to
  find any backwards-incompatible changes. Some features were marked as
  deprecated, but are still usable as they were before. Other changes
  are related to performance and timeout management, neither of which
  should change how bind9 works, but are worth keeping an eye on in case
  any regressions arise.

  [Test Plan]

  DEP-8 test results:

  simpletest PASS
  validation FLAKY non-zero exit status 1
  zonetest PASS
  dyndb-ldap PASS

  validation is known to be broken in its current state, both due to a
  need for internet access and incorrect output checking, so the failure
  is expected.

  [Other Information]

  Note to SRU team: this update must happen together with src:bind-dyndb-ldap, and in a particular order:
  - first src:bind9 must be accepted
  - once src:bind9 is fully built in all architectures, *then* src:bind-dyndb-ldap can be accepted. In other words, src:bind-dyndb-ldap must build with the new src:bind9 version.
  - it is expected that until both packages are in proposed and built in the correct order, DEP8 tests will fail. That's our safeguard against mistakenly releasing them out of sync

  [Regression Potential]

  Upstream has an extensive build and integration test suite. So
  regressions would likely arise from a change in interaction with
  Ubuntu-specific integrations.

To 

[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar

2023-10-26 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.22.04.1

---
bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to
        reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed
        from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for
        a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
    9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek   Wed, 20 Sep 2023 15:15:41 -0700

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Released
Status in bind9 source package in Lunar:
  Fix Released


[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar

2023-10-26 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap - 11.9-5ubuntu0.22.04.4

---
bind-dyndb-ldap (11.9-5ubuntu0.22.04.4) jammy; urgency=medium

  * d/p/remove-rpz_attach.patch: Remove rpz_attach to fix build failure against
    bind9 9.18.13+ (LP: #2028413)

 -- Lena Voytek   Thu, 21 Sep 2023 07:26:59 -0700

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

** Changed in: bind-dyndb-ldap (Ubuntu Lunar)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Released
Status in bind9 source package in Lunar:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

   * lunar (23.04): bind9 9.18.18
   * jammy (22.04): bind9 9.18.18
   * focal (20.04): bind9 9.16.43

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  9.18.13-9.18.18 for lunar and jammy:

  Updates:

  Mark a primary server as temporarily unreachable when a TCP connection
    response to an SOA query times out, matching behavior of a refused TCP
    connection.
  Mark dialup and heartbeat-interval options as deprecated.
  Retry DNS queries without an EDNS COOKIE when the first response is FORMERR
    with the EDNS COOKIE that was sent originally.
  Use NS records for the relaxed QNAME minimization mode to reduce the number
    of queries from named.
  Mark TKEY mode 2 as deprecated.
  Mark delegation-only and root-delegation-only as deprecated.
  Run RPZ and catalog zone updates on specialized offload threads to reduce
    blocked query processing time.

  Bug Fixes:

  Fix assertion failure from processing already-queued queries while server is
    being reconfigured or cache is being flushed.
  Fix failure to load zones containing resource records with a TTL value larger
    than 86400 seconds when dnssec-policy is set to insecure.
  Fix the ability to read HMAC-MD5 key files (LP: #2015176).
  Fix stability issues with the catalog zone implementation.
  Fix bind9 getting stuck when listen-on statement for HTTP is removed from
    configuration.
  Do not return delegation from cache after stale-answer-client-timeout.
  Fix failure to auto-tune clients-per-query limit in some situations.
  Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in
    statements.
  Bring rndc read timeout back to 60 seconds from 30.
  Treat libuv returning ISC_R_INVALIDPROTO as a network error.
  Clean up empty-non-terminal NSEC3 records.
  Fix log file rotation cleanup for absolute file path destinations.
  Fix various catalog zone processing crashes.
  Fix transfer hang when downloading large zones over TLS.
  Fix named crash when adding a new zone into the configuration file for a name
    which was already configured as a member zone for a catalog zone.
  Delay DNSSEC key queries until all zones have finished loading.

  CVE Fixes - already available as patches:

  CVE-2023-2828
  CVE-2023-2911

  For full release notes, see:
  https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18

  While there are behavioral changes in this release, I was unable to
  find any backwards-incompatible changes. Some features were marked as
  deprecated, but are still usable as they were before. Other changes
  are related to performance and timeout management, neither of which
  should change how bind9 works, but are worth keeping an eye on in case
  any regressions arise.

  [Test Plan]

  DEP-8 test results:

  simpletest PASS
  validation FLAKY non-zero exit status 1
  zonetest PASS
  dyndb-ldap PASS

  validation is known to be broken in its current state, both due to a
  need for internet access and incorrect output checking, so the failure
  is expected.

  [Other Information]

  Note to SRU team: this update must happen together with src:bind-dyndb-ldap,
  and in a particular order:
  - first src:bind9 must be accepted
  - once src:bind9 is fully built in all architectures, *then*
    src:bind-dyndb-ldap can be accepted. In other words, src:bind-dyndb-ldap must
    build with the new src:bind9 version.
  - it is expected that until both packages are in proposed and built in the
    correct order, DEP8 tests will fail. That's our safeguard against mistakenly
    releasing them out of sync

  [Regression Potential]

  Upstream has an extensive build and integration test suite. 

[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-10-26 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.22.04.1

---
bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to
        reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed
        from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for
        a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
    9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek  Wed, 20 Sep 2023 15:15:41 -0700

** Changed in: bind9 (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind9 source package in Lunar:
  Fix Released
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

  [ Test Plan ]

  For both packages, the test plan consists in having the new dyndb-ldap
  DEP8 test run and succeed.

  [ Where problems could occur ]
  With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap
  failure to build or run with it.

  While this is exactly the intent (not leave a broken bind-dyndb-ldap
  package in the release), there is a history indicating that
  bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a
  situation where an important bind9 security update, for example, will
  be blocked by a failing dyndb-ldap test, and it may be difficult to
  fix bind-dyndb-ldap in time, especially if the security update is under
  embargo and the bind-dyndb-ldap developers do not yet have details of
  the changes.

  [ Other Info ]

  The same test is to be applied to the bind9 package, and is already in
  mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to
  upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been
  released.

  The tight coupling between bind9 and bind-dyndb-ldap is problematic
  (see [1], [2] and [3]). The moment a new bind9 hits proposed with this
  test, it will fail until a new bind-dyndb-ldap is rebuilt with that
  proposed version.

  One option would perhaps be to accept

[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar

2023-10-26 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.23.04.1

---
bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to
        reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed
        from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for
        a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
    9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek  Wed, 20 Sep 2023 14:52:27 -0700

** Changed in: bind9 (Ubuntu Lunar)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2828

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2911

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Released
Status in bind9 source package in Lunar:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

   * lunar (23.04): bind9 9.18.18
   * jammy (22.04): bind9 9.18.18
   * focal (20.04): bind9 9.16.43

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  9.18.13-9.18.18 for lunar and jammy:

  Updates:

  Mark a primary server as temporarily unreachable when a TCP connection
    response to an SOA query times out, matching behavior of a refused TCP
    connection.
  Mark dialup and heartbeat-interval options as deprecated.
  Retry DNS queries without an EDNS COOKIE when the first response is FORMERR
    with the EDNS COOKIE that was sent originally.
  Use NS records for the relaxed QNAME minimization mode to reduce the number
    of queries from named.
  Mark TKEY mode 2 as deprecated.
  Mark delegation-only and root-delegation-only as deprecated.
  Run RPZ and catalog zone updates on specialized offload threads to reduce
    blocked query processing time.

  Bug Fixes:

  Fix assertion failure from processing already-queued queries while server is
    being reconfigured or cache is being flushed.
  Fix failure to load zones containing resource records with a TTL value larger
    than 86400 seconds when

[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-10-26 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.23.04.1

---
bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection
        response to an SOA query times out, matching behavior of a refused TCP
        connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is
        FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the
        number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to
        reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while
        server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value
        larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed
        from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for
        a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional
      information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in
    9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek  Wed, 20 Sep 2023 14:52:27 -0700

** Changed in: bind9 (Ubuntu Lunar)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2828

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2911

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind9 source package in Lunar:
  Fix Released
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

  [ Test Plan ]

  For both packages, the test plan consists in having the new dyndb-ldap
  DEP8 test run and succeed.

  [ Where problems could occur ]
  With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap
  failure to build or run with it.

  While this is exactly the intent (not leave a broken bind-dyndb-ldap
  package in the release), there is a history indicating that
  bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a
  situation where an important bind9 security update, for example, will
  be blocked by a failing dyndb-ldap test, and it may be difficult to
  fix bind-dyndb-ldap in time, especially if the security update is under
  embargo and the bind-dyndb-ldap developers do not yet have details of
  the changes.

  [ Other Info ]

  The same test is to be applied to the bind9 package, and is already in
  mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to
  upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been
  released.

  The tight coupling between bind9 and bind-dyndb-ldap

[Freeipa] [Bug 1978849] Re: bind9-dyndb-ldap has unmet dependencies

2023-09-21 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap -
11.9-5ubuntu0.22.04.3

---
bind-dyndb-ldap (11.9-5ubuntu0.22.04.3) jammy-security; urgency=medium

  * No-change rebuild for bind9 security update.

 -- Marc Deslauriers  Wed, 20 Sep 2023 15:58:12 -0400

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1978849

Title:
  bind9-dyndb-ldap has unmet dependencies

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Invalid
Status in bind-dyndb-ldap source package in Focal:
  Won't Fix
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Invalid

Bug description:
  [ Impact ]

  There is a tight coupling between src:bind-dyndb-ldap and src:bind9,
  such that every time bind9 is updated, even if it's a simple no-change
  rebuild, src:bind-dyndb-ldap has to be rebuilt too.

  This is often forgotten, leading to multiple repeated bugs against
  src:bind-dyndb-ldap.

  The fix for now is to rebuild src:bind-dyndb-ldap, and to avoid it
  from happening again, add a DEP8 test to it so that a src:bind9 update
  won't be released without this rebuild.

  Ideally this coupling shouldn't be that tight, and some ideas are
  floating around (see [1], [2], and [3]). But for now, I think this is
  the quickest way to avoid hitting this problem again in the near
  future.

  1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
  2. https://pagure.io/bind-dyndb-ldap/issue/225
  3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21

  [ Test Plan ]

  The fix is to rebuild the src:bind-dyndb-ldap package with the current
  src:bind9 in the archive for the affected ubuntu release.

  With the build succeeding, and the dyndb-ldap DEP8 test also passing,
  the verification can be considered successful.

  [ Where problems could occur ]

  With this new DEP8 change, a bind9 update can be blocked by a
  bind-dyndb-ldap failure to build or run with it.

  While this is exactly the intent (not leave a broken bind-dyndb-ldap
  package in the release), there is a history indicating that
  bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a
  situation where an important bind9 security update, for example, will
  be blocked by a failing dyndb-ldap test, and it may be difficult to
  fix bind-dyndb-ldap in time, especially if the security update is under
  embargo and the bind-dyndb-ldap developers do not yet have details of
  the changes.

  [ Other Info ]
  See also bug
  https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650 which
  adds the same test to the src:bind9 package.

  [Original Description]

  bind9-dyndb-ldap cannot be installed on Ubuntu 22.04. It appears the
  bind9 package has been updated, but not bind9-dyndb-ldap:

  ~# apt install bind9 bind9-dyndb-ldap
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.
  The following information may help to resolve the situation:

  The following packages have unmet dependencies:
   bind9-dyndb-ldap : Depends: bind9-libs (= 1:9.18.1-1ubuntu1) but 1:9.18.1-1ubuntu1.1 is to be installed
  E: Unable to correct problems, you have held broken packages.

  ~# apt-cache policy bind9
  bind9:
  Installed: (none)
  Candidate: 1:9.18.1-1ubuntu1.1
  Version table:
  1:9.18.1-1ubuntu1.1 500
  500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
  500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
  1:9.18.1-1ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  ~# apt-cache policy bind9-dyndb-ldap
  bind9-dyndb-ldap:
  Installed: (none)
  Candidate: 11.9-5build2
  Version table:
  11.9-5build2 500
  500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-09-21 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap -
11.9-5ubuntu0.22.04.3

---
bind-dyndb-ldap (11.9-5ubuntu0.22.04.3) jammy-security; urgency=medium

  * No-change rebuild for bind9 security update.

 -- Marc Deslauriers  Wed, 20 Sep 2023 15:58:12 -0400

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind9 source package in Lunar:
  In Progress
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

  [ Test Plan ]

  For both packages, the test plan consists in having the new dyndb-ldap
  DEP8 test run and succeed.

  [ Where problems could occur ]
  With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap
  failure to build or run with it.

  While this is exactly the intent (not leave a broken bind-dyndb-ldap
  package in the release), there is a history indicating that
  bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a
  situation where an important bind9 security update, for example, will
  be blocked by a failing dyndb-ldap test, and it may be difficult to
  fix bind-dyndb-ldap in time, especially if the security update is under
  embargo and the bind-dyndb-ldap developers do not yet have details of
  the changes.

  [ Other Info ]

  The same test is to be applied to the bind9 package, and is already in
  mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to
  upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been
  released.

  The tight coupling between bind9 and bind-dyndb-ldap is problematic
  (see [1], [2] and [3]). The moment a new bind9 hits proposed with this
  test, it will fail until a new bind-dyndb-ldap is rebuilt with that
  proposed version.

  One option would perhaps be to accept a one-time DEP8-only change for
  bind9, so that we can upload both packages together, instead of
  leaving this in proposed with a blocking tag, to be picked up by the
  next bind9 "real" update?

  
  1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
  2. https://pagure.io/bind-dyndb-ldap/issue/225
  3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions




[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-09-20 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451683

** Merge proposal linked:
   
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451681

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  Fix Committed
Status in bind9 source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Lunar:
  Fix Committed
Status in bind9 source package in Lunar:
  In Progress
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

  [ Test Plan ]

  For both packages, the test plan consists in having the new dyndb-ldap
  DEP8 test run and succeed.

  [ Where problems could occur ]
  With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap
  failure to build or run with it.

  While this is exactly the intent (not leave a broken bind-dyndb-ldap
  package in the release), there is a history indicating that
  bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a
  situation where an important bind9 security update, for example, will
  be blocked by a failing dyndb-ldap test, and it may be difficult to
  fix bind-dyndb-ldap in time, especially if the security update is under
  embargo and the bind-dyndb-ldap developers do not yet have details of
  the changes.

  [ Other Info ]

  The same test is to be applied to the bind9 package, and is already in
  mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to
  upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been
  released.

  The tight coupling between bind9 and bind-dyndb-ldap is problematic
  (see [1], [2] and [3]). The moment a new bind9 hits proposed with this
  test, it will fail until a new bind-dyndb-ldap is rebuilt with that
  proposed version.

  One option would perhaps be to accept a one-time DEP8-only change for
  bind9, so that we can upload both packages together, instead of
  leaving this in proposed with a blocking tag, to be picked up by the
  next bind9 "real" update?

  
  1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
  2. https://pagure.io/bind-dyndb-ldap/issue/225
  3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions




[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar

2023-09-19 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/451685

** Merge proposal linked:
   
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/451686

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  In Progress

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

   * lunar (23.04): bind9 9.18.18
   * jammy (22.04): bind9 9.18.18
   * focal (20.04): bind9 9.16.43

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  9.18.13-9.18.18 for lunar and jammy:

  Updates:

  Mark a primary server as temporarily unreachable when a TCP connection
    response to an SOA query times out, matching behavior of a refused TCP
    connection.
  Mark dialup and heartbeat-interval options as deprecated.
  Retry DNS queries without an EDNS COOKIE when the first response is FORMERR
    with the EDNS COOKIE that was sent originally.
  Use NS records for the relaxed QNAME minimization mode to reduce the number
    of queries from named.
  Mark TKEY mode 2 as deprecated.
  Mark delegation-only and root-delegation-only as deprecated.
  Run RPZ and catalog zone updates on specialized offload threads to reduce
    blocked query processing time.

  Bug Fixes:

  Fix assertion failure from processing already-queued queries while server is
    being reconfigured or cache is being flushed.
  Fix failure to load zones containing resource records with a TTL value larger
    than 86400 seconds when dnssec-policy is set to insecure.
  Fix the ability to read HMAC-MD5 key files (LP: #2015176).
  Fix stability issues with the catalog zone implementation.
  Fix bind9 getting stuck when listen-on statement for HTTP is removed from
    configuration.
  Do not return delegation from cache after stale-answer-client-timeout.
  Fix failure to auto-tune clients-per-query limit in some situations.
  Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in
    statements.
  Bring rndc read timeout back to 60 seconds from 30.
  Treat libuv returning ISC_R_INVALIDPROTO as a network error.
  Clean up empty-non-terminal NSEC3 records.
  Fix log file rotation cleanup for absolute file path destinations.
  Fix various catalog zone processing crashes.
  Fix transfer hang when downloading large zones over TLS.
  Fix named crash when adding a new zone into the configuration file for a name
    which was already configured as a member zone for a catalog zone.
  Delay DNSSEC key queries until all zones have finished loading.

  CVE Fixes - already available as patches:

  CVE-2023-2828
  CVE-2023-2911

  For full release notes, see:
  https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18

  While there are behavioral changes in this release, I was unable to
  find any backwards-incompatible changes. Some features were marked as
  deprecated, but are still usable as they were before. Other changes
  are related to performance and timeout management, neither of which
  should change how bind9 works, but are worth keeping an eye on in case
  any regressions arise.

  [Test Plan]

  DEP-8 test results:

  simpletest PASS
  validation FLAKY non-zero exit status 1
  zonetest PASS

  validation is known to be broken in its current state, both due to a
  need for internet access and incorrect output checking, so the failure
  is expected.

  [Regression Potential]

  Upstream has an extensive build and integration test suite. So
  regressions would likely arise from a change in interaction with
  Ubuntu-specific integrations.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2028413/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test

2023-09-07 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.16-1ubuntu4

---
bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium

  * d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack   Tue, 05 Sep 2023 10:20:27 -0300

** Changed in: bind9 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released

Bug description:
  Caught this in a run of the dyndb-ldap DEP8 test:

  280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
  280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
  280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=
  280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

  Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
  and not just read from it. Looking at the code, that can happen for
  some SOA attributes, and perhaps other cases too. The documentation
  isn't immediately clear.

  A re-run of this test cleared the error, but we all dislike flaky
  tests, so it's probably best to adjust the ACL and allow the bind9
  user to write to the DNS tree. Production deployments will definitely
  want to fine tune this ACL and list explicit attributes and entry
  types that can be modified, but for a DEP8 test, this is enough.

  
  ```diff
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -135,7 +135,7 @@ EOF
   dn: olcDatabase={1}mdb,cn=config
   changetype: modify
   add: olcAccess
  -olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" read by * none
  +olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" write by * none
   
   EOF
   }
  ```
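Review bot: the `+olcAccess` line raises the bind9 DN from `read` to `write` across the whole `ou=dns` subtree, while the slapd log in this report shows only a MOD of `idnsSOAserial` being refused with err=50. For a test fixture that is workable, but a short comment above the heredoc saying the grant is deliberately broad would stop it being copied into a real deployment as-is; a tighter variant would put an `attrs=` list on the `to` clause for the attributes the plugin updates and keep a separate `read` rule for the rest of the subtree. Since `write` includes `read` in slapd's access levels, existing lookups by the plugin are unaffected by the change.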

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions


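The report above ties one refused modify to one attribute; correlating slapd's MOD and RESULT lines by conn/op is how the explicit attribute list for a narrower ACL can be collected from a longer log. This is an added example, not part of the bug report or the package's test script: only the three conn=1010 slapd lines and the named line come from the report, the other log lines are constructed, and the space-separated form of a multi-attribute `MOD attr=` line is an assumption.

```python
import re
from collections import defaultdict

LDAP_MODIFY_RESPONSE = 103      # RESULT tag logged for a modify operation
LDAP_INSUFFICIENT_ACCESS = 50   # LDAP result code insufficientAccessRights

# conn=1010 and the named[] line are the lines quoted in the bug report
# (wraps joined); conn=1011 and conn=1012 are constructed for illustration.
SAMPLE_LOG = "\n".join([
    '280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 '
    'MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"',
    '280s 2023-09-05T00:59:05.435500+00:00 autopkgtest slapd[1491]: conn=1011 op=2 '
    'MOD dn="idnsName=www,idnsName=example.internal,ou=dns,dc=example,dc=internal"',
    '280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 '
    'MOD attr=idnsSOAserial',
    '280s 2023-09-05T00:59:05.435990+00:00 autopkgtest slapd[1491]: conn=1011 op=2 '
    'MOD attr=aRecord dNSTTL',
    '280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 '
    'RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=',
    "280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: "
    "Insufficient access: while modifying(replace) entry "
    "'idnsName=example.internal,ou=dns,dc=example,dc=internal'",
    '280s 2023-09-05T00:59:05.436100+00:00 autopkgtest slapd[1491]: conn=1011 op=2 '
    'RESULT tag=103 err=0 qtime=0.01 etime=0.000900 text=',
    '281s 2023-09-05T00:59:06.100000+00:00 autopkgtest slapd[1491]: conn=1012 op=3 '
    'MOD dn="idnsName=constructed.test,ou=dns,dc=example,dc=internal"',
    '281s 2023-09-05T00:59:06.100100+00:00 autopkgtest slapd[1491]: conn=1012 op=3 '
    'MOD attr=exampleAttrB exampleAttrA',
    '281s 2023-09-05T00:59:06.100200+00:00 autopkgtest slapd[1491]: conn=1012 op=3 '
    'RESULT tag=103 err=50 qtime=0.01 etime=0.000800 text=',
])

# search() rather than match(): autopkgtest prefixes each line with "280s ".
LINE_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$')
MOD_DN_RE = re.compile(r'MOD dn="([^"]*)"')
MOD_ATTR_RE = re.compile(r'MOD attr=(.*)$')
RESULT_RE = re.compile(r'RESULT tag=(\d+) err=(\d+)')


def denied_modifications(log_text):
    """Return {dn: sorted attribute names} for modifies refused with err=50.

    slapd logs one operation over several lines, so the DN, the attribute
    list and the result are joined on the (conn, op) pair. Lines from other
    daemons (named here) and unrelated operations are ignored.
    """
    pending = {}                 # (conn, op) -> {"dn": str, "attrs": set}
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key, rest = (m.group(1), m.group(2)), m.group(3)

        dn = MOD_DN_RE.match(rest)
        if dn:
            pending[key] = {"dn": dn.group(1), "attrs": set()}
            continue

        attrs = MOD_ATTR_RE.match(rest)
        if attrs and key in pending:
            pending[key]["attrs"].update(attrs.group(1).split())
            continue

        result = RESULT_RE.match(rest)
        if result:
            op = pending.pop(key, None)   # operation is finished either way
            if (op is not None
                    and int(result.group(1)) == LDAP_MODIFY_RESPONSE
                    and int(result.group(2)) == LDAP_INSUFFICIENT_ACCESS):
                denied[op["dn"]].update(op["attrs"])
    return {dn: sorted(names) for dn, names in denied.items()}


if __name__ == "__main__":
    for dn, names in denied_modifications(SAMPLE_LOG).items():
        print(dn, "->", ", ".join(names))
```
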


[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test

2023-09-07 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap - 11.10-6ubuntu1

---
bind-dyndb-ldap (11.10-6ubuntu1) mantic; urgency=medium

  * d/t/dyndb-ldap fixes:
    - use correct attribute in the bind9 dn entry (LP: #2034251)
    - allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack   Tue, 05 Sep 2023 10:05:46 -0300

** Changed in: bind-dyndb-ldap (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  In Progress

Bug description:
  Caught this in a run of the dyndb-ldap DEP8 test:

  280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
  280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
  280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=
  280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

  Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
  and not just read from it. Looking at the code, that can happen for
  some SOA attributes, and perhaps other cases too. The documentation
  isn't immediately clear.

  A re-run of this test cleared the error, but we all dislike flaky
  tests, so it's probably best to adjust the ACL and allow the bind9
  user to write to the DNS tree. Production deployments will definitely
  want to fine tune this ACL and list explicit attributes and entry
  types that can be modified, but for a DEP8 test, this is enough.

  
  ```diff
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -135,7 +135,7 @@ EOF
   dn: olcDatabase={1}mdb,cn=config
   changetype: modify
   add: olcAccess
  -olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" read by * none
  +olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" write by * none
   
   EOF
   }
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions




[Freeipa] [Bug 2034251] Re: Incorrect rdn in the bind9 dn entry in the DEP8 test

2023-09-07 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap - 11.10-6ubuntu1

---
bind-dyndb-ldap (11.10-6ubuntu1) mantic; urgency=medium

  * d/t/dyndb-ldap fixes:
    - use correct attribute in the bind9 dn entry (LP: #2034251)
    - allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack   Tue, 05 Sep 2023 10:05:46 -0300

** Changed in: bind-dyndb-ldap (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034251

Title:
  Incorrect rdn in the bind9 dn entry in the DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released

Bug description:
  There is a small mistake in the bind9 DN entry, it should have an
  attribute matching the dn, but instead it mentions a "replicator"
  entity that doesn't exist.

  It doesn't fail the test, but it's an incorrect LDAP entry and should
  be fixed:

  diff --git a/debian/tests/dyndb-ldap b/debian/tests/dyndb-ldap
  index 5482bc0..019bf24 100644
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -8,6 +8,7 @@ myhostname="dep8"
   ldap_admin_dn="cn=admin,${ldap_suffix}"
   ldap_admin_pw="secret"
   ldap_bind9_dn="uid=bind9,${ldap_suffix}"
  +ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn
   ldap_bind9_pw="secretagain"

   cleanup() {
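Review bot: in the first hunk, `ldap_bind9_rdn="uid: bind9"` repeats by hand the value already embedded in `ldap_bind9_dn`, and only the trailing comment keeps the two in sync. Deriving both from one variable (for example a `ldap_bind9_uid` holding `bind9`) would make a mismatch like the one this bug fixes impossible to reintroduce. `ldap_bind9_uid` is a suggested name, not one from the script.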
  @@ -122,7 +123,7 @@ EOF
   create_bind9_uid() {
   ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" 

[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-09-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450698

** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450699

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  New
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  New
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions




[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test

2023-09-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450679

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
Status in bind9 package in Ubuntu:
  In Progress

Bug description:
  Caught this in a run of the dyndb-ldap DEP8 test:

  280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
  280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
  280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=
  280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

  Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
  and not just read from it. Looking at the code, that can happen for
  some SOA attributes, and perhaps other cases too. The documentation
  isn't immediately clear.

  A re-run of this test cleared the error, but we all dislike flaky
  tests, so it's probably best to adjust the ACL and allow the bind9
  user to write to the DNS tree. Production deployments will definitely
  want to fine tune this ACL and list explicit attributes and entry
  types that can be modified, but for a DEP8 test, this is enough.

  
  ```diff
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -135,7 +135,7 @@ EOF
   dn: olcDatabase={1}mdb,cn=config
   changetype: modify
   add: olcAccess
  -olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" read by * none
  +olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" write by * none
   
   EOF
   }
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions




[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test

2023-09-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450665

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
Status in bind9 package in Ubuntu:
  In Progress

Bug description:
  Caught this in a run of the dyndb-ldap DEP8 test:

  280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
  280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
  280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=
  280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

  Looks like sometimes the dyndb-ldap plugin wants to write to the tree,
  and not just read from it. Looking at the code, that can happen for
  some SOA attributes, and perhaps other cases too. The documentation
  isn't immediately clear.

  A re-run of this test cleared the error, but we all dislike flaky
  tests, so it's probably best to adjust the ACL and allow the bind9
  user to write to the DNS tree. Production deployments will definitely
  want to fine tune this ACL and list explicit attributes and entry
  types that can be modified, but for a DEP8 test, this is enough.

  
  ```diff
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -135,7 +135,7 @@ EOF
   dn: olcDatabase={1}mdb,cn=config
   changetype: modify
   add: olcAccess
  -olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" read by * none
  +olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by 
dn.exact="${ldap_bind9_dn}" write by * none
   
   EOF
   }
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2034250/+subscriptions




[Freeipa] [Bug 2034251] Re: Incorrect rdn in the bind9 dn entry in the DEP8 test

2023-09-05 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450665

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034251

Title:
  Incorrect rdn in the bind9 dn entry in the DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress

Bug description:
  There is a small mistake in the bind9 DN entry, it should have an
  attribute matching the dn, but instead it mentions a "replicator"
  entity that doesn't exist.

  It doesn't fail the test, but it's an incorrect LDAP entry and should
  be fixed:

  diff --git a/debian/tests/dyndb-ldap b/debian/tests/dyndb-ldap
  index 5482bc0..019bf24 100644
  --- a/debian/tests/dyndb-ldap
  +++ b/debian/tests/dyndb-ldap
  @@ -8,6 +8,7 @@ myhostname="dep8"
   ldap_admin_dn="cn=admin,${ldap_suffix}"
   ldap_admin_pw="secret"
   ldap_bind9_dn="uid=bind9,${ldap_suffix}"
  +ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn
   ldap_bind9_pw="secretagain"

   cleanup() {
  @@ -122,7 +123,7 @@ EOF
   create_bind9_uid() {
   ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}" 

[Freeipa] [Bug 1978849] Re: bind9-dyndb-ldap has unmet dependencies

2023-09-04 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450608

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1978849

Title:
  bind9-dyndb-ldap has unmet dependencies

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Invalid
Status in bind-dyndb-ldap source package in Focal:
  Won't Fix
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Invalid

Bug description:
  bind9-dyndb-ldap cannot be installed on Ubuntu 22.04. It appears the
  bind9 package has been updated, but not bind9-dyndb-ldap:

  ~# apt install bind9 bind9-dyndb-ldap
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.
  The following information may help to resolve the situation:

  The following packages have unmet dependencies:
   bind9-dyndb-ldap : Depends: bind9-libs (= 1:9.18.1-1ubuntu1) but 1:9.18.1-1ubuntu1.1 is to be installed
  E: Unable to correct problems, you have held broken packages.

  ~# apt-cache policy bind9
  bind9:
  Installed: (none)
  Candidate: 1:9.18.1-1ubuntu1.1
  Version table:
  1:9.18.1-1ubuntu1.1 500
  500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
  500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
  1:9.18.1-1ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  ~# apt-cache policy bind9-dyndb-ldap 
  bind9-dyndb-ldap:
  Installed: (none)
  Candidate: 11.9-5build2
  Version table:
  11.9-5build2 500
  500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/+subscriptions




[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-09-04 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450608

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  New
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  New
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1978849] Re: bind9-dyndb-ldap has unmet dependencies

2023-09-04 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450607

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1978849

Title:
  bind9-dyndb-ldap has unmet dependencies

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Invalid
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Invalid

Bug description:
  bind9-dyndb-ldap cannot be installed on Ubuntu 22.04. It appears the
  bind9 package has been updated, but not bind9-dyndb-ldap:

  ~# apt install bind9 bind9-dyndb-ldap
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.
  The following information may help to resolve the situation:

  The following packages have unmet dependencies:
   bind9-dyndb-ldap : Depends: bind9-libs (= 1:9.18.1-1ubuntu1) but 1:9.18.1-1ubuntu1.1 is to be installed
  E: Unable to correct problems, you have held broken packages.

  ~# apt-cache policy bind9
  bind9:
  Installed: (none)
  Candidate: 1:9.18.1-1ubuntu1.1
  Version table:
  1:9.18.1-1ubuntu1.1 500
  500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
  500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
  1:9.18.1-1ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  ~# apt-cache policy bind9-dyndb-ldap 
  bind9-dyndb-ldap:
  Installed: (none)
  Candidate: 11.9-5build2
  Version table:
  11.9-5build2 500
  500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/+subscriptions




[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-09-04 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450607

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  New
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  New
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions




[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

2023-08-31 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.16-1ubuntu3

---
bind9 (1:9.18.16-1ubuntu3) mantic; urgency=medium

  * d/t/control: exclude the i386 architecture for the dyndb-ldap test,
    since bind9-dyndb-ldap is not available there on Ubuntu
  * d/t/dyndb-ldap: fix for the ldap bind9 dn entry

bind9 (1:9.18.16-1ubuntu2) mantic; urgency=medium

  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Andreas Hasenack   Wed, 30 Aug 2023 10:14:04 -0300

** Changed in: bind9 (Ubuntu Mantic)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions




[Freeipa] [Bug 2018050] Re: Merge bind9 from Debian unstable for mantic

2023-07-02 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.16-1ubuntu1

---
bind9 (1:9.18.16-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2018050). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in
      main.
    - d/NEWS: mention relevant packaging changes
    - Improve dep-8 test suite (LP #2003584):
      + d/t/zonetest: Add dep8 test for checking the domain zone creation
        process
      + d/t/control: Add new test outline
  * Added Changes:
    - d/po/de.po: Fix German UTF-8 encoding
    - d/copyright: Fix lintian warnings
      + Remove the entry for lib/isc/hp.c lib/isc/include/isc/hp.h as they were
        deleted in 9.18.2
      + Remove the entry for lib/isc/include/pkcs11/pkcs11.h as it is no longer
        bundled as of 9.17.19
      + Update the location of random_test.c and add info about its public
        domain section
      + Add wildcards to folders as needed
      + Note that m4/ uses the FSFAP license
    - d/control: Remove lsb-base dependency as it is no longer needed
      + See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851

 -- Lena Voytek   Mon, 26 Jun 2023 14:25:50 -0700

** Changed in: bind9 (Ubuntu)
   Status: In Progress => Fix Released

** Bug watch added: Debian Bug tracker #1019851
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2018050

Title:
  Merge bind9 from Debian unstable for mantic

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
Status in bind9 package in Ubuntu:
  Fix Released

Bug description:
  Upstream: 9.18.14
  Debian:   1:9.18.13-1    1:9.19.11-1
  Ubuntu:   1:9.18.12-1ubuntu1

  Debian new has 1:9.19.11-1, which may be available for merge soon.

  If it turns out this needs a sync rather than a merge, please change
  the tag 'needs-merge' to 'needs-sync', and (optionally) update the
  title as desired.

  
  ### New Debian Changes ###

  bind9 (1:9.18.13-1) unstable; urgency=medium

    * New upstream version 9.18.13

   -- Ondřej Surý   Wed, 15 Mar 2023 18:11:29 +0100

  bind9 (1:9.18.12-1) unstable; urgency=medium

    * New upstream version 9.18.12
    * Drop libtool-bin from B-D (Closes: #1022968)

   -- Ondřej Surý   Fri, 10 Feb 2023 15:15:49 +0100

  bind9 (1:9.18.11-2) unstable; urgency=medium

    * Allow the named to use systemd notify service

   -- Ondřej Surý   Thu, 26 Jan 2023 21:13:55 +0100

  bind9 (1:9.18.11-1) unstable; urgency=medium

    * New upstream version 9.18.11

   -- Ondřej Surý   Wed, 25 Jan 2023 15:51:35 +0100

  bind9 (1:9.18.10-2) unstable; urgency=medium

    * Backport upstream feature to use sd_notify()
    * Use systemd notify for service readyness check (Closes: #994696)
    * apparmor.d: Allow named to read all OpenSSL config files.
      (Closes: #1025519)
    * apparmor.d: Allow named to query for hugepages support.
      (Closes: #1020315)
    * Fix path to README.Debian (Closes: #1016646)

   -- Bernhard Schmidt   Thu, 22 Dec 2022 17:12:17 +0100

  bind9 (1:9.18.10-1) unstable; urgency=medium

    * New upstream version 9.18.10

   -- Ondřej Surý   Wed, 21 Dec 2022 18:00:33 +0100

  bind9 (1:9.18.9-1) unstable; urgency=medium

    * New upstream version 9.18.9

   -- Ondřej Surý   Wed, 16 Nov 2022 14:00:05 +0100

  bind9 (1:9.18.8-1) unstable; urgency=medium

    * New upstream version 9.18.8

   -- Ondřej Surý   Wed, 19 Oct 2022 14:58:38 +0200

  bind9 (1:9.18.7-1) unstable; urgency=medium

    * New upstream version 9.18.7
      - CVE-2022-2795: Processing large delegations may severely degrade
        resolver performance
      - CVE-2022-2881: Buffer overread in statistics channel code
      - CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key
        exchange via TKEY RRs (OpenSSL 3.0.0+ only)
      - CVE-2022-3080: BIND 9 resolvers configured to answer from stale
        cache with zero stale-answer-client-timeout may terminate unexpectedly
      - CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
      - CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code

   -- Ondřej Surý   Wed, 21 Sep 2022 12:48:36 +0200

  bind9 (1:9.18.6-2) unstable; urgency=medium

    * No-change source-only upload

   -- Bernhard Schmidt   Mon, 05 Sep 2022 21:30:08
  

[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.39

2023-04-13 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap - 11.9-5ubuntu0.22.04.1

---
bind-dyndb-ldap (11.9-5ubuntu0.22.04.1) jammy; urgency=medium

  * Fix bind-dyndb-ldap build against bind9 9.18.12 (LP: #2003586):
    - d/p/hardcode-version.diff: Update defined LIBDNS version from bind9 to be
      1812, provided by bind9 9.18.12
    - d/p/fix-dns_db_allrdatasets.patch: Modify calls to dns_db_allrdatasets()
      for bind9 9.18.10+ since the function has a new parameter
    - d/p/fix-include.patch: Include isc/rwlock.h in dns/zt.h to fix build
      since isrwlock is used in this file
    - d/p/fix-isc-error.patch: Fix the use of the fatal_error macro as its
      arguments have changed
    - d/p/make-dscp-optional.patch: Do not require DSCP codes for bind9 9.18.11
      and above as their support was removed in that version
    - d/control: Require bind9 9.18.12 or above

 -- Lena Voytek   Thu, 09 Mar 2023 15:06:25 -0700

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.39

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind9 source package in Focal:
  In Progress
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Kinetic:
  Fix Released
Status in bind9 source package in Kinetic:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.39

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  For bind9 9.18.2-9.18.12, major changes include:

  CVE fixes (These already existed as patches but are now included as part of upstream):
  CVE-2022-1183
  CVE-2022-2795
  CVE-2022-2881
  CVE-2022-2906
  CVE-2022-3080
  CVE-2022-38178
  CVE-2022-3094
  CVE-2022-3736
  CVE-2022-3924

  Features:
  update-quota option
  named -V shows supported cryptographic algorithms
  Additional info given for recursion not available and query (cache) '...' denied outputs

  Jammy only (Kinetic already has these):
  Catalog Zones schema version 2 support in named
  DNS error support Stale Answer and Stale NXDOMAIN Answer
  remote TLS certificate verification support
  reusereport option

  Bug Fixes:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3178
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3636
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3772
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3752
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3678
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3637
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3739
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3743
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3725
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3727
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3638
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3183
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3721
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3707
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3591
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3598
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3247
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2895
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3584
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3627
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3563
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3603
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3557
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2982
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3439
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3438
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2918
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3462
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3400
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3402
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3152
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3415
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2506
  Jammy only:
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3327
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3380
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3302
  https://gitlab.isc.org/isc-projects/bind9/-/issues/2931
  https://gitlab.isc.org/isc-projects/bind9/-/issues/3242
  

[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.39

2023-04-13 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap -
11.10-1ubuntu0.22.10.1

---
bind-dyndb-ldap (11.10-1ubuntu0.22.10.1) kinetic; urgency=medium

  * Fix bind-dyndb-ldap build against bind9 9.18.12 (LP: #2003586):
    - d/p/hardcode-version.diff: Update defined LIBDNS version from bind9 to be
      1812, provided by bind9 9.18.12
    - d/p/fix-dns_db_allrdatasets.patch: Modify calls to dns_db_allrdatasets()
      for bind9 9.18.10+ since the function has a new parameter
    - d/p/fix-include.patch: Include isc/rwlock.h in dns/zt.h to fix build
      since isrwlock is used in this file
    - d/p/fix-isc-error.patch: Fix the use of the fatal_error macro as its
      arguments have changed
    - d/p/make-dscp-optional.patch: Do not require DSCP codes for bind9 9.18.11
      and above as their support was removed in that version
    - d/control: Require bind9 9.18.12 or above

 -- Lena Voytek   Wed, 08 Mar 2023 14:52:32 -0700

** Changed in: bind-dyndb-ldap (Ubuntu Kinetic)
   Status: Fix Committed => Fix Released

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.39

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind9 source package in Focal:
  In Progress
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Kinetic:
  Fix Released
Status in bind9 source package in Kinetic:
  Fix Released

  

[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.36

2023-03-28 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.12-0ubuntu0.22.10.1

---
bind9 (1:9.18.12-0ubuntu0.22.10.1) kinetic; urgency=medium

  * New upstream releases 9.18.5 - 9.18.12 (LP: #2003586)
    - Updates:
      + update-quota option
      + named -V shows supported cryptographic algorithms
    - Bug Fixes Include:
      + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
      + Fix incomplete results using dig with +nssearch (LP: #1970252)
      + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080,
        CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924
      + Fix thread safety in dns_dispatch
      + Fix ADB quota management in resolver
      + Fix Prohibited DNS error on allow-recursion
      + Fix crash when restarting server with active statschannel connection
      + Fix use after free for catalog zone processing
      + Fix leak of dns_keyfileio_t objects
      + Fix nslookup failure to use port option when record type ANY is used
      + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
      + Fix inheritance when setting remote server port
      + Fix assertion error when accessing statistics channel
      + Fix rndc dumpdb -expired for stuck cache
      + Fix check for other name servers after receiving FORMERR
      + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12
        for additional bug fixes and information
  * Improve dep-8 test suite (LP: #2003584):
    - d/t/zonetest: Add dep8 test for checking the domain zone creation process
    - d/t/control: Add new test outline
  * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
  * d/p/0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch: refresh to
    apply with version 9.18.8
  * Remove CVE patches fixed upstream:
    - debian/patches/CVE-2022-2795.patch
    - debian/patches/CVE-2022-2881.patch
    - debian/patches/CVE-2022-2906.patch
    - debian/patches/CVE-2022-3080.patch
    - debian/patches/CVE-2022-38178.patch
      [Included in upstream release 9.18.7]
    - debian/patches/CVE-2022-3094.patch
    - debian/patches/CVE-2022-3736.patch
    - debian/patches/CVE-2022-3924.patch
      [Included in upstream release 9.18.11]

 -- Lena Voytek   Wed, 08 Mar 2023 08:49:53 -0700

** Changed in: bind9 (Ubuntu Kinetic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.36

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind9 source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  Fix Committed
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Kinetic:
  Fix Committed
Status in bind9 source package in Kinetic:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.36

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  For bind9 9.18.2-9.18.12, major changes include:

  CVE fixes (These already existed as patches but are now included as part of upstream):
  CVE-2022-1183
  CVE-2022-2795
  CVE-2022-2881
  CVE-2022-2906
  CVE-2022-3080
  CVE-2022-38178
  CVE-2022-3094
  CVE-2022-3736
  CVE-2022-3924

  Features:
  update-quota option
  named -V shows supported cryptographic algorithms
  Additional info given for recursion not available and query (cache) '...' denied outputs

  Jammy only (Kinetic already has these):
  Catalog Zones schema version 2 support in named
  DNS error support Stale Answer and Stale NXDOMAIN Answer
  remote TLS certificate verification support
  reusereport option

  

[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.36

2023-03-28 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.18.12-0ubuntu0.22.04.1

---
bind9 (1:9.18.12-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream releases 9.18.2 - 9.18.12 (LP: #2003586)
    - Updates:
      + update-quota option
      + named -V shows supported cryptographic algorithms
      + Catalog Zones schema version 2 support in named
      + DNS error support Stale Answer and Stale NXDOMAIN Answer
      + Remote TLS certificate verification support
      + reusereport option
    - Bug Fixes Include:
      + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
      + Fix incomplete results using dig with +nssearch (LP: #1970252)
      + Fix loading of preinstalled plugins (LP: #2006972)
      + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080,
        CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924,
        CVE-2022-1183
      + Fix thread safety in dns_dispatch
      + Fix ADB quota management in resolver
      + Fix Prohibited DNS error on allow-recursion
      + Fix crash when restarting server with active statschannel connection
      + Fix use after free for catalog zone processing
      + Fix leak of dns_keyfileio_t objects
      + Fix nslookup failure to use port option when record type ANY is used
      + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
      + Fix inheritance when setting remote server port
      + Fix assertion error when accessing statistics channel
      + Fix rndc dumpdb -expired for stuck cache
      + Fix check for other name servers after receiving FORMERR
      + Fix deletion of CDS after zone sign
      + Fix dighost query context management
      + Fix dig hanging due to IPv4 mapped IPv6 address
      + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12
        for additional bug fixes and information
  * Improve dep-8 test suite (LP: #2003584):
    - d/t/zonetest: Add dep8 test for checking the domain zone creation process
    - d/t/control: Add new test outline
  * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
  * Remove patches for bugs LP #1964400 and LP #1964686 fixed upstream:
    - lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv
    - lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the
    - lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo
    - lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh
    - lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe
    - lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC
    - lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-
  * Remove CVE patches fixed upstream:
    - debian/patches/CVE-2022-1183.patch
      [Included in upstream release 9.18.3]
    - debian/patches/CVE-2022-2795.patch
    - debian/patches/CVE-2022-2881.patch
    - debian/patches/CVE-2022-2906.patch
    - debian/patches/CVE-2022-3080.patch
    - debian/patches/CVE-2022-38178.patch
      [Included in upstream release 9.18.7]
    - debian/patches/CVE-2022-3094.patch
    - debian/patches/CVE-2022-3736.patch
    - debian/patches/CVE-2022-3924.patch
      [Included in upstream release 9.18.11]

 -- Lena Voytek   Wed, 08 Mar 2023 12:08:55 -0700

** Changed in: bind9 (Ubuntu Jammy)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1183

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2795

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2881

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2906

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3080

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3094

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3736

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-38178

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3924

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.36

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind9 source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  Fix Committed
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Kinetic:
  Fix Committed
Status in bind9 source package in Kinetic:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.36

  These updates include bug fixes following the SRU policy exception
  

[Freeipa] [Bug 1987276] Re: certmonger - libcrypto issues with openssl3

2022-11-15 Thread Launchpad Bug Tracker
This bug was fixed in the package certmonger - 0.79.16-1

---
certmonger (0.79.16-1) unstable; urgency=medium

  * New upstream release. (LP: #1987276)

 -- Timo Aaltonen   Fri, 26 Aug 2022 09:42:54 +0300

** Changed in: certmonger (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/1987276

Title:
  certmonger - libcrypto issues with openssl3

Status in certmonger package in Ubuntu:
  Fix Released

Bug description:
  I just want to let you know that this bug is still present from 22.04
  onwards (anything that uses libssl3 as default) - bug is being tracked
  in https://pagure.io/certmonger/issue/244 - I already tested the patch
  provided and it works, but I would love to see an updated package on
  the official repository.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1987276/+subscriptions


___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1987276] Re: certmonger - libcrypto issues with openssl3

2022-08-25 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: certmonger (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/1987276

Title:
  certmonger - libcrypto issues with openssl3

Status in certmonger package in Ubuntu:
  Confirmed

Bug description:
  I just want to let you know that this bug is still present from 22.04
  onwards (anything that uses libssl3 as default) - bug is being tracked
  in https://pagure.io/certmonger/issue/244 - I already tested the patch
  provided and it works, but I would love to see an updated package on
  the official repository.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1987276/+subscriptions




[Freeipa] [Bug 1978849] Re: bind9-dyndb-ldap has unmet dependencies

2022-07-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: bind-dyndb-ldap (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1978849

Title:
  bind9-dyndb-ldap has unmet dependencies

Status in bind-dyndb-ldap package in Ubuntu:
  Confirmed

Bug description:
  bind9-dyndb-ldap cannot be installed on Ubuntu 22.04. It appears the
  bind9 package has been updated, but not bind9-dyndb-ldap:

  ~# apt install bind9 bind9-dyndb-ldap
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.
  The following information may help to resolve the situation:

  The following packages have unmet dependencies:
   bind9-dyndb-ldap : Depends: bind9-libs (= 1:9.18.1-1ubuntu1) but 1:9.18.1-1ubuntu1.1 is to be installed
  E: Unable to correct problems, you have held broken packages.

  ~# apt-cache policy bind9
  bind9:
  Installed: (none)
  Candidate: 1:9.18.1-1ubuntu1.1
  Version table:
  1:9.18.1-1ubuntu1.1 500
  500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
  500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
  1:9.18.1-1ubuntu1 500
  500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  ~# apt-cache policy bind9-dyndb-ldap 
  bind9-dyndb-ldap:
  Installed: (none)
  Candidate: 11.9-5build2
  Version table:
  11.9-5build2 500
  500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/+subscriptions




[Freeipa] [Bug 1951015] Re: Package is uninstallable because libwbclient-sssd doesn't exist anymore

2021-11-17 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.8.6-1ubuntu9

---
freeipa (4.8.6-1ubuntu9) jammy; urgency=medium

  * d/control: Drop freeipa-client-samba's dependency on
    libwbclient-sssd, which doesn't exist anymore.  Replace it with a
    dependency on libwbclient-dev (from the samba package). (LP: #1951015)
  * d/control.common: Likewise.

 -- Sergio Durigan Junior   Mon, 15 Nov 2021 15:10:54 -0500

** Changed in: freeipa (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1951015

Title:
  Package is uninstallable because libwbclient-sssd doesn't exist
  anymore

Status in freeipa package in Ubuntu:
  Fix Released
Status in sssd package in Ubuntu:
  Invalid

Bug description:
  The latest version of sssd in Ubuntu (2.5.2-4ubuntu1) drops the
  libwbclient-sssd binary package due to upstream's decision:

  https://github.com/SSSD/sssd/releases/tag/2.5.0

"* SSSD's implementation of libwbclient was removed as incompatible
  with modern version of Samba."

  This makes freeipa-client-samba uninstallable, because it depends on
  that package.

  I think the best approach here is to make freeipa-client-samba depend
  on libwbclient-dev instead, which is samba's libwbclient version.

  I proposed a Merge Request against freeipa on Debian here:

  https://salsa.debian.org/freeipa-team/freeipa/-/merge_requests/1

  I will propose adding the same change as an Ubuntu delta for now in
  order to unblock sssd in update-excuses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1951015/+subscriptions




[Freeipa] [Bug 1951015] Re: Package is uninstallable because libwbclient-sssd doesn't exist anymore

2021-11-15 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~sergiodj/ubuntu/+source/freeipa/+git/freeipa/+merge/411884

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1951015

Title:
  Package is uninstallable because libwbclient-sssd doesn't exist
  anymore

Status in freeipa package in Ubuntu:
  Confirmed
Status in sssd package in Ubuntu:
  Invalid

Bug description:
  The latest version of sssd in Ubuntu (2.5.2-4ubuntu1) drops the
  libwbclient-sssd binary package due to upstream's decision:

  https://github.com/SSSD/sssd/releases/tag/2.5.0

"* SSSD's implementation of libwbclient was removed as incompatible
  with modern version of Samba."

  This makes freeipa-client-samba uninstallable, because it depends on
  that package.

  I think the best approach here is to make freeipa-client-samba depend
  on libwbclient-dev instead, which is samba's libwbclient version.

  I proposed a Merge Request against freeipa on Debian here:

  https://salsa.debian.org/freeipa-team/freeipa/-/merge_requests/1

  I will propose adding the same change as an Ubuntu delta for now in
  order to unblock sssd in update-excuses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1951015/+subscriptions




[Freeipa] [Bug 1910390] Re: autopkgtest fails in focal

2021-01-07 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~rbalint/britney/+git/hints-ubuntu/+merge/395912

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1910390

Title:
  autopkgtest fails in focal

Status in dogtag-pki package in Ubuntu:
  New

Bug description:
  https://autopkgtest.ubuntu.com/packages/d/dogtag-pki/focal/s390x

  
  https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-focal/focal/s390x/d/dogtag-pki/20210105_134957_c21a5@/log.gz

  ...
  Installing CA into /var/lib/pki/pki-tomcat.

  Installation failed: Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)

  ERROR: Exception: Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
    File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 562, in main
      scriptlet.spawn(deployer)
    File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 833, in spawn
      deployer.instance.wait_for_startup(
    File "/usr/lib/python3/dist-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup
      raise Exception('Server unreachable due to SSL error: %s' % reason) from exc

   CA spawn failed:
  2021-01-05 13:49:25 ERROR: Exception: Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
    File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 562, in main
      scriptlet.spawn(deployer)
    File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 833, in spawn
      deployer.instance.wait_for_startup(
    File "/usr/lib/python3/dist-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup
      raise Exception('Server unreachable due to SSL error: %s' % reason) from exc

  autopkgtest [13:49:26]: test pkispawn: ---]
  autopkgtest [13:49:26]: test pkispawn:  - - - - - - - - - - results - - - - - - - - - -
  pkispawn FAIL non-zero exit status 1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1910390/+subscriptions



[Freeipa] [Bug 1875217] Re: /usr/lib/tmpfiles.d/certmonger.conf references path below legacy directory /var/run/

2020-11-16 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: certmonger (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/1875217

Title:
  /usr/lib/tmpfiles.d/certmonger.conf references path below legacy
  directory /var/run/

Status in certmonger package in Ubuntu:
  Confirmed

Bug description:
  The systemd-tmpfiles service (on 20.04) logs this line in syslog:

  Apr 26 14:36:55 mysystem systemd-tmpfiles[94920]: /usr/lib/tmpfiles.d/certmonger.conf:3: Line references path below legacy directory /var/run/, updating /var/run/certmonger → /run/certmonger; please update the tmpfiles.d/ drop-in file accordingly.

  Changing the line to read "d /run/certmonger 0755 root root" resolves
  the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1875217/+subscriptions



[Freeipa] [Bug 1890786] Re: ipa-client-install fails on restarting non-existing chronyd.service

2020-10-17 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.8.6-1ubuntu3

---
freeipa (4.8.6-1ubuntu3) groovy; urgency=medium

  * fix-chrony-service-name.diff: Map to correct chrony service name.
    (LP: #1890786)
  * fix-sssd-socket-activation.diff: Don't add a 'services =' line on
    sssd.conf. (LP: #1879083)

 -- Timo Aaltonen   Fri, 16 Oct 2020 10:34:47 +0300

** Changed in: freeipa (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1890786

Title:
  ipa-client-install fails on restarting non-existing chronyd.service

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  DistroRelease: Ubuntu 20.10
  Package: freeipa-client 4.8.6-1ubuntu2

  Client install fails:

   * LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
  Option --force-ntpd has been deprecated and will be removed in a future release.
  Discovery was successful!
  Client hostname: x0.cockpit.lan
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan
  Synchronizing time
  No SRV records of NTP servers found and no NTP server or pool address was provided.
  CalledProcessError(Command ['/bin/systemctl', 'restart', 'chronyd.service'] returned non-zero exit status 5: 'Failed to restart chronyd.service: Unit chronyd.service not found.\n')
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

  /var/log/ipaclient-install.log basically says the same,  just with a
  giant Traceback for CalledProcessError.

  freeipa-client could depend on chronyd, but IMHO it would be better to
  make this non-fatal. If one uses systemd-timesyncd (as we do by
  default in Ubuntu), that should be fine?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1890786/+subscriptions



[Freeipa] [Bug 1879083] Re: default sssd.conf after ipa-client-install crashes sssd

2020-10-17 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.8.6-1ubuntu3

---
freeipa (4.8.6-1ubuntu3) groovy; urgency=medium

  * fix-chrony-service-name.diff: Map to correct chrony service name.
    (LP: #1890786)
  * fix-sssd-socket-activation.diff: Don't add a 'services =' line on
    sssd.conf. (LP: #1879083)

 -- Timo Aaltonen   Fri, 16 Oct 2020 10:34:47 +0300

** Changed in: freeipa (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1879083

Title:
  default sssd.conf after ipa-client-install crashes sssd

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Notice 
  ipa-client-install
  creates /etc/sssd/sssd.conf
  but changes in the sssd process's socket approach calls for that file to change
  /etc/sssd.conf from
  ...
  [sssd]
  services = nss, pam, ssh, sud
  ...
  to
  [sssd]
  #services = nss, pam, ssh, sud
  otherwise the sssd service either won't start or complains.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: freeipa-client 4.8.6-1ubuntu2
  ProcVersionSignature: Ubuntu 5.4.0-29.33-generic 5.4.30
  Uname: Linux 5.4.0-29-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: MATE
  Date: Sat May 16 12:51:21 2020
  InstallationDate: Installed on 2020-05-13 (2 days ago)
  InstallationMedia: Ubuntu-MATE 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1879083/+subscriptions



[Freeipa] [Bug 1890786] Re: ipa-client-install fails on restarting non-existing chronyd.service

2020-09-30 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1890786

Title:
  ipa-client-install fails on restarting non-existing chronyd.service

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  DistroRelease: Ubuntu 20.10
  Package: freeipa-client 4.8.6-1ubuntu2

  Client install fails:

   * LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
  Option --force-ntpd has been deprecated and will be removed in a future release.
  Discovery was successful!
  Client hostname: x0.cockpit.lan
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan
  Synchronizing time
  No SRV records of NTP servers found and no NTP server or pool address was provided.
  CalledProcessError(Command ['/bin/systemctl', 'restart', 'chronyd.service'] returned non-zero exit status 5: 'Failed to restart chronyd.service: Unit chronyd.service not found.\n')
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

  /var/log/ipaclient-install.log basically says the same, just with a
  giant Traceback for CalledProcessError.

  freeipa-client could depend on chronyd, but IMHO it would be better to
  make this non-fatal. If one uses systemd-timesyncd (as we do by
  default in Ubuntu), that should be fine?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1890786/+subscriptions



[Freeipa] [Bug 1874568] Re: Working config in eoan, bind9 fails after upgrade to fossa

2020-09-20 Thread Launchpad Bug Tracker
This bug was fixed in the package bind-dyndb-ldap - 11.4-1

---
bind-dyndb-ldap (11.4-1) unstable; urgency=medium

  * New upstream release.
  * bind-9.16-support.diff: Dropped, upstream.

 -- Timo Aaltonen   Fri, 18 Sep 2020 12:01:09 +0300

** Changed in: bind-dyndb-ldap (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1874568

Title:
  Working config in eoan, bind9 fails after upgrade to fossa

Status in bind package in Ubuntu:
  Confirmed
Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released

Bug description:
  Configuration was working in Eoan.  Just upgraded to Fossa.
  Bind9(named) will not start.  Syslog show the following:

  Apr 23 16:55:58 ltserver2 named[1611]: starting BIND 9.16.1-Ubuntu (Stable Release)
  Apr 23 16:55:58 ltserver2 named[1611]: running on Linux x86_64 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020
  Apr 23 16:55:58 ltserver2 named[1611]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-OLooom/bind9-9.16.1=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
  Apr 23 16:55:58 ltserver2 named[1611]: running as: named -f -u bind
  Apr 23 16:55:58 ltserver2 named[1611]: compiled by GCC 9.3.0
  Apr 23 16:55:58 ltserver2 named[1611]: compiled with OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
  Apr 23 16:55:58 ltserver2 named[1611]: linked to OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
  Apr 23 16:55:58 ltserver2 named[1611]: compiled with libxml2 version: 2.9.10
  Apr 23 16:55:58 ltserver2 named[1611]: linked to libxml2 version: 20910
  Apr 23 16:55:58 ltserver2 named[1611]: compiled with json-c version: 0.13.1
  Apr 23 16:55:58 ltserver2 named[1611]: linked to json-c version: 0.13.1
  Apr 23 16:55:58 ltserver2 named[1611]: compiled with zlib version: 1.2.11
  Apr 23 16:55:58 ltserver2 named[1611]: linked to zlib version: 1.2.11
  Apr 23 16:55:58 ltserver2 named[1611]:
  Apr 23 16:55:58 ltserver2 named[1611]: BIND 9 is maintained by Internet Systems Consortium,
  Apr 23 16:55:58 ltserver2 named[1611]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
  Apr 23 16:55:58 ltserver2 named[1611]: corporation.  Support and training for BIND 9 are
  Apr 23 16:55:58 ltserver2 named[1611]: available at https://www.isc.org/support
  Apr 23 16:55:58 ltserver2 named[1611]:
  Apr 23 16:55:58 ltserver2 named[1611]: adjusted limit on open files from 524288 to 1048576
  Apr 23 16:55:58 ltserver2 named[1611]: found 2 CPUs, using 2 worker threads
  Apr 23 16:55:58 ltserver2 named[1611]: using 2 UDP listeners per interface
  Apr 23 16:55:58 ltserver2 named[1611]: using up to 21000 sockets
  Apr 23 16:55:58 ltserver2 named[1611]: loading configuration from '/etc/bind/named.conf'
  Apr 23 16:55:58 ltserver2 named[1611]: reading built-in trust anchors from file '/etc/bind/bind.keys'
  Apr 23 16:55:58 ltserver2 named[1611]: looking for GeoIP2 databases in '/usr/share/GeoIP'
  Apr 23 16:55:58 ltserver2 named[1611]: using default UDP/IPv4 port range: [32768, 60999]
  Apr 23 16:55:58 ltserver2 named[1611]: using default UDP/IPv6 port range: [32768, 60999]
  Apr 23 16:55:58 ltserver2 named[1611]: listening on IPv4 interface enp3s0, #53
  Apr 23 16:55:58 ltserver2 named[1611]: IPv6 socket API is incomplete; explicitly binding to each IPv6 address separately
  Apr 23 16:55:58 ltserver2 named[1611]: listening on IPv6 interface lo, ::1#53
  Apr 23 16:55:58 ltserver2 named[1611]: listening on IPv6 interface enp3s0, %2#53
  Apr 23 16:55:58 ltserver2 named[1611]: unable to set effective uid to 0: Operation not permitted
  Apr 23 16:55:58 ltserver2 named[1611]: generating session key for dynamic DNS
  Apr 23 16:55:58 ltserver2 named[1611]: unable to set effective uid to 0: Operation not permitted
  Apr 23 16:55:58 

[Freeipa] [Bug 1879083] Re: default sssd.conf after ipa-client-install crashes sssd

2020-07-18 Thread Launchpad Bug Tracker
[Expired for freeipa (Ubuntu) because there has been no activity for 60
days.]

** Changed in: freeipa (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1879083

Title:
  default sssd.conf after ipa-client-install crashes sssd

Status in freeipa package in Ubuntu:
  Expired

Bug description:
  Notice 
  ipa-client-install
  creates /etc/sssd/sssd.conf
  but changes in the sssd process's socket approach calls for that file to change
  /etc/sssd.conf from
  ...
  [sssd]
  services = nss, pam, ssh, sud
  ...
  to
  [sssd]
  #services = nss, pam, ssh, sud
  otherwise the sssd service either won't start or complains.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: freeipa-client 4.8.6-1ubuntu2
  ProcVersionSignature: Ubuntu 5.4.0-29.33-generic 5.4.30
  Uname: Linux 5.4.0-29-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: MATE
  Date: Sat May 16 12:51:21 2020
  InstallationDate: Installed on 2020-05-13 (2 days ago)
  InstallationMedia: Ubuntu-MATE 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1879083/+subscriptions



[Freeipa] [Bug 1874915] [NEW] krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system

2020-04-28 Thread Launchpad Bug Tracker
You have been subscribed to a public bug:

Hopefully this can trivially be corrected.

Seems the systemd service file for the kerberos portion of freeipa could
use a minor tweak.

When restarting the kerberos service, it (incorrectly) reports that the
default configured log file (/var/log/krb5kdc.log) is sending to a "read
only filesystem".  This is a misleading error, since the /var/log
directory by default -IS- writeable, but systemd is in fact preventing
the daemon from writing.  Why systemd can't inject itself
inappropriately and report that it's causing the trouble is another
conversation. ;) [not personally a systemd fan]


File:
=
/lib/systemd/system/krb5-kdc.service

Command:
=
service krb5-kdc restart

Error:
=
krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system


Please make the following adjustment to the default systemd file.
=
13c13
< ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
---
> ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log
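
Review bot: the new /var/log entry on the ReadWriteDirectories= line makes the entire log directory writable from inside the KDC's sandbox, although the reported failure concerns only /var/log/krb5kdc.log. Consider pointing the KDC at a dedicated log subdirectory and listing only that path here, or sending KDC logging to syslog, so the unit does not gain write access to other services' logs. If /var/log is kept, a comment in the unit explaining why it is listed would help whoever next tightens this line.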


Thank you for all the help and support.  :)

Cheers,
-Chris

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: Triaged

-- 
krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
https://bugs.launchpad.net/bugs/1874915
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.



[Freeipa] [Bug 1730039] Re: 389-console fails to connect with TLSv1.2

2019-09-05 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: 389-console (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to jss in Ubuntu.
https://bugs.launchpad.net/bugs/1730039

Title:
  389-console fails to connect with TLSv1.2

Status in 389-console package in Ubuntu:
  Confirmed
Status in jss package in Ubuntu:
  Confirmed

Bug description:
  389-console on Ubuntu 17.10 fails to connect to an instance of
  dirsrv-admin that has been configured to allow only TLSv1.2 connections
  (389-console on Ubuntu 17.04 works fine against the same instance).

  389-console -D 9 debug shows the following error:

  CREATE JSS SSLSocket
  Unable to create ssl socket
  org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error
      at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(Native Method)
      at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(SSLSocket.java:1398)
      at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
      at com.netscape.management.client.comm.CommManager.send(Unknown Source)
      at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
      at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
      at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
      at com.netscape.management.client.console.Console.<init>(Unknown Source)
      at com.netscape.management.client.console.Console.main(Unknown Source)

  Downgrading the libjss-java package to version 4.3.1-7build1 from
  Ubuntu 17.04 fixes the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/389-console/+bug/1730039/+subscriptions



[Freeipa] [Bug 1773843] Re: cannot upgrade freeipa-server

2019-09-04 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1773843

Title:
  cannot upgrade freeipa-server

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  I am trying to upgrade from freeipa 4.7.0~pre1 to 4.7.0~pre2-0~ppa3 of
  the staging repository. The install fails with the following error:
  RemoteRetrieveError: Failed to authenticate to CA REST API

  In the past, I also tried upgrading freeipa 4.7.0~pre1 to
  4.7.0~pre2-0~ppa2 or from 4.7.0~pre2-0~ppa2 to 4.7.0~pre2-0~ppa3. All
  these attempts failed with the same error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1773843/+subscriptions



[Freeipa] [Bug 1813916] Re: incorrect classpath in pki/cli/main.py

2019-03-04 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813916

Title:
  incorrect classpath in pki/cli/main.py

Status in dogtag-pki package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04

  Running the 'pki' command will fail when python executes java. The cmd
  array on line 101 in pki/cli/main.py has an incorrect classpath.

  Instead of 
  '-Djava.ext.dirs=' + pki_lib, 

  it needs to be:

  '-Djava.ext.dirs=' + pki_lib + ':/usr/share/java',

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813916/+subscriptions



[Freeipa] [Bug 1813919] Re: Incorrect trust flags in NSSDB when renewing subsystem certificates

2019-03-04 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813919

Title:
  Incorrect trust flags in NSSDB when renewing subsystem certificates

Status in dogtag-pki package in Ubuntu:
  Confirmed

Bug description:
  OS: ubuntu 18.04
  Dogtag: 10.6.0

  When renewing subsystem certificates in dogtag (by following the
  process described here:
  https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will
  break due to incorrect trust flags in NSS.

  The certificate IDs are:

  'ocsp_signing'        (gets 'u,u,u' should get 'CTu,Cu,Cu')
  'ocsp_audit_signing'  (gets 'u,u,u' should get 'u,u,Pu')
  'ca_audit_signing'    (gets 'u,u,u' should get 'u,u,Pu')


  To fix this, certutil must be executed to correct them.

  In case anyone else finds this bug report and needs an emergency fix,

  certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'ocspSigningCert cert-pki-tomcat OCSP'

  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat OCSP'

  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat CA'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813919/+subscriptions
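
An audit of the trust flags listed in the report above, as an added example that is not part of the original bug report or of Dogtag: it parses `certutil -L` output and compares each nickname against the report's "should get" values. The sample listing is constructed, and the pairing of certificate IDs with nicknames is assumed from the report's certutil commands.

```python
"""Check NSS trust flags of Dogtag subsystem certificates after a renewal."""
import re
import shlex

# NSS database path as used in the report's certutil commands.
NSSDB = "sql:/etc/pki/pki-tomcat/alias"

# "Should get" values from the report, keyed by the nicknames that the
# report's certutil commands use for the three certificate IDs (assumed pairing).
EXPECTED = {
    "ocspSigningCert cert-pki-tomcat OCSP": "CTu,Cu,Cu",   # ocsp_signing
    "auditSigningCert cert-pki-tomcat OCSP": "u,u,Pu",     # ocsp_audit_signing
    "auditSigningCert cert-pki-tomcat CA": "u,u,Pu",       # ca_audit_signing
}

# Constructed sample of `certutil -L -d sql:/etc/pki/pki-tomcat/alias` output,
# showing the broken state the report describes for two of the certificates.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
ocspSigningCert cert-pki-tomcat OCSP                         u,u,u
auditSigningCert cert-pki-tomcat OCSP                        u,u,Pu
auditSigningCert cert-pki-tomcat CA                          u,u,u
"""

# A data row is "<nickname><spaces><ssl>,<smime>,<jar>"; nicknames may contain
# spaces, so the flags are taken as the last whitespace-separated token.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text):
    """Return {nickname: trust flags} from `certutil -L` output."""
    rows = {}
    for line in text.splitlines():
        match = _ROW.match(line)
        if match:  # header and blank lines do not match the flags pattern
            rows[match.group("nick")] = match.group("flags")
    return rows


def flag_sets(flags):
    """Split 'CTu,Cu,Cu' into three sets of letters.

    Letter order inside a field carries no meaning, but case does
    (for example 'P' and 'p' are different flags), so compare case-sensitively.
    """
    return tuple(frozenset(field) for field in flags.split(","))


def audit(rows, expected=EXPECTED):
    """Return (nickname, actual, wanted) for every missing or wrong entry."""
    findings = []
    for nick, wanted in expected.items():
        actual = rows.get(nick)
        if actual is None or flag_sets(actual) != flag_sets(wanted):
            findings.append((nick, actual, wanted))
    return findings


def fix_command(nick, wanted, nssdb=NSSDB):
    """Build the certutil -M command line for one finding, safely quoted."""
    return shlex.join(["certutil", "-M", "-t", wanted, "-d", nssdb, "-n", nick])


if __name__ == "__main__":
    for nick, actual, wanted in audit(parse_listing(SAMPLE_LISTING)):
        state = "missing from database" if actual is None else f"has {actual}"
        print(f"{nick}: {state}, expected {wanted}")
        if actual is not None:
            print("  " + fix_command(nick, wanted))
```

On a live system, feed `parse_listing` the output of `certutil -L -d sql:/etc/pki/pki-tomcat/alias` instead of the sample.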



[Freeipa] [Bug 1800631] Re: ipa-server-upgrade fail

2019-01-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1800631

Title:
  ipa-server-upgrade fail

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  When upgrading the package from an old version to the last freeipa-server
  package 4.3.1, it fails on the freeipa-server-upgrade command with this
  error:

  2018-10-30T09:54:10Z INFO [Add default CA ACL]
  2018-10-30T09:54:10Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
  2018-10-30T09:54:10Z INFO Default CA ACL already added
  2018-10-30T09:54:10Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  2018-10-30T09:54:10Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
      return_value = self.run()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
      server.upgrade()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1713, in upgrade
      upgrade_configuration()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1655, in upgrade_configuration
      set_sssd_domain_option('ipa_server_mode', 'True')
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1268, in set_sssd_domain_option
      domain.set_option(option, value)
    File "/usr/lib/python2.7/dist-packages/SSSDConfig/__init__.py", line 1143, in set_option
      (self.name, option))

  2018-10-30T09:54:10Z DEBUG The ipa-server-upgrade command failed, exception: NoOptionError: Section [mydomainmasked.tld] has no option [ipa_server_mode]
  2018-10-30T09:54:10Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
  NoOptionError: Section [mydomainmasked.tld] has no option [ipa_server_mode]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1800631/+subscriptions



[Freeipa] [Bug 1813155] Re: remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet

2019-01-24 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: jss (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813155

Title:
  remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet

Status in dogtag-pki package in Ubuntu:
  Confirmed
Status in jss package in Ubuntu:
  Confirmed
Status in resteasy3.0 package in Ubuntu:
  Confirmed

Bug description:
  The current dogtag-pki stack in disco-proposed migrated to Java11
  because everything built fine and was supposed to work. Turned out
  there are issues getting the tomcat instance up with ssl support, and
  upstream probably won't get to it before Fedora has switched to
  Java11.

  So, remove these from proposed and block re-entry for now, until the
  situation has improved.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813155/+subscriptions



[Freeipa] [Bug 1813155] Re: remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet

2019-01-24 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813155

Title:
  remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet

Status in dogtag-pki package in Ubuntu:
  Confirmed
Status in jss package in Ubuntu:
  Confirmed
Status in resteasy3.0 package in Ubuntu:
  Confirmed

Bug description:
  The current dogtag-pki stack in disco-proposed migrated to Java11
  because everything built fine and was supposed to work. Turned out
  there are issues getting the tomcat instance up with ssl support, and
  upstream probably won't get to it before Fedora has switched to
  Java11.

  So, remove these from proposed and block re-entry for now, until the
  situation has improved.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813155/+subscriptions



[Freeipa] [Bug 1813155] Re: remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet

2019-01-24 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: resteasy3.0 (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1813155

Title:
  remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet

Status in dogtag-pki package in Ubuntu:
  Confirmed
Status in jss package in Ubuntu:
  Confirmed
Status in resteasy3.0 package in Ubuntu:
  Confirmed

Bug description:
  The current dogtag-pki stack in disco-proposed migrated to Java11
  because everything built fine and was supposed to work. Turned out
  there are issues getting the tomcat instance up with ssl support, and
  upstream probably won't get to it before Fedora has switched to
  Java11.

  So, remove these from proposed and block re-entry for now, until the
  situation has improved.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813155/+subscriptions



[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-11-19 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.11.3+dfsg-1ubuntu1.3

---
bind9 (1:9.11.3+dfsg-1ubuntu1.3) bionic; urgency=medium

  [ Karl Stenerud ]
  * d/p/skip-rtld-deepbind-for-dyndb.diff: fix named-pkcs11 crashing on
    startup. Thanks to Petr Menšík  (LP: #1769440)

 -- Andreas Hasenack   Wed, 10 Oct 2018 14:33:34 -0300

** Changed in: bind9 (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid
Status in bind9 source package in Bionic:
  Fix Released

Bug description:
  [Impact]

  Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.

  This patch, also applied in fedora and debian, disables use of RTLD_DEEPBIND.
  https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
  https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b

  [Test Case]

  # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
  # uvt-kvm wait cosmic-freeipa
  # uvt-kvm ssh cosmic-freeipa

  Inside vm:

  # sudo su
  # apt purge -y cloud-init
  # echo "cosmic-freeipa.example.com" >/etc/hostname
  # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
  # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')  cosmic-freeipa.example.com" >>/etc/hosts
  # apt update
  # apt dist-upgrade -y
  # reboot
  # apt install -y freeipa-server

  * Default Kerberos realm: EXAMPLE.COM
  * Kerberos servers: cosmic-freeipa.example.com
  * Administrative server: cosmic-freeipa.example.com

  Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder
  # ip addr

  # ipa-server-install --allow-zone-overlap

  * Do you want to configure integrated DNS (BIND): YES
  * Server host name: cosmic-freeipa.example.com
  * Please confirm the domain name: example.com
  * Please provide a realm name: EXAMPLE.COM
  * Directory Manager password: (anything)
  * IPA admin password: (anything)
  * Do you want to configure DNS forwarders: yes
  * Do you want to configure these servers as DNS forwarders?: no
  * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
  * Do you want to search for missing reverse zones?: yes

  Installation should fail.

  [Regression Potential]

  In theory, if another library with the exact same symbol is loaded,
  bind9 may end up calling the wrong function. This is, however, a
  potential problem with any program that loads shared libraries.

  [Original Description]

  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance 

[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-10-10 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/356439

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid
Status in bind9 source package in Bionic:
  In Progress

Bug description:
  [Impact]

  Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.

  This patch, also applied in Fedora and Debian, disables use of RTLD_DEEPBIND.
  https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
  https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b

  [Test Case]

  # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
  # uvt-kvm wait cosmic-freeipa
  # uvt-kvm ssh cosmic-freeipa

  Inside vm:

  # sudo su
  # apt purge -y cloud-init
  # echo "cosmic-freeipa.example.com" >/etc/hostname
  # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
  # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')  cosmic-freeipa.example.com" >>/etc/hosts
  # apt update
  # apt dist-upgrade -y
  # reboot
  # apt install -y freeipa-server

  * Default Kerberos realm: EXAMPLE.COM
  * Kerberos servers: cosmic-freeipa.example.com
  * Administrative server: cosmic-freeipa.example.com

  Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder
  # ip addr

  # ipa-server-install --allow-zone-overlap

  * Do you want to configure integrated DNS (BIND): YES
  * Server host name: cosmic-freeipa.example.com
  * Please confirm the domain name: example.com
  * Please provide a realm name: EXAMPLE.COM
  * Directory Manager password: (anything)
  * IPA admin password: (anything)
  * Do you want to configure DNS forwarders: yes
  * Do you want to configure these servers as DNS forwarders?: no
  * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
  * Do you want to search for missing reverse zones?: yes

  Installation should fail.

  [Regression Potential]

  In theory, if another library with the exact same symbol is loaded,
  bind9 may end up calling the wrong function. This is, however, a
  potential problem with any program that loads shared libraries.

  [Original Description]

  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions


[Freeipa] [Bug 1793994] Re: freeipa server upgrade fails trying to switch to authselect

2018-10-10 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.7.1-1

---
freeipa (4.7.1-1) unstable; urgency=medium

  * New upstream release.
    - fix-replicainstall.diff dropped, not applicable anymore
    - ipa-httpd-pwdreader-force-fqdn.diff dropped, obsolete
    - refresh patches
    - server: drop ipa-replica-prepare
  * dont-migrate-to-authselect.diff We don't have authselect, so just
    return true when trying to migrate to it. (LP: #1793994)
  * control: Move client dependency on chrony to recommends. (Closes:
    #909803)
  * control: Build server on any arch again.
  * tests: Don't fail the tests, just dump the log if something goes
    wrong.

 -- Timo Aaltonen   Tue, 09 Oct 2018 10:30:09 +0300

** Changed in: freeipa (Ubuntu)
   Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1793994

Title:
  freeipa server upgrade fails trying to switch to authselect

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  On upgrading freeipa using the staging ppa, I encountered the
  following failure:

  traceback:

  2018-09-03T17:46:05Z INFO [Migrating to authselect profile]
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
  2018-09-03T17:46:05Z DEBUG Starting external process
  2018-09-03T17:46:05Z DEBUG args=[None, 'select', 'sssd', '--force']
  2018-09-03T17:46:06Z DEBUG Process execution failed
  2018-09-03T17:46:06Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  2018-09-03T17:46:06Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 178, in execute
      return_value = self.run()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py", line 52, in run
      server.upgrade()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 2103, in upgrade
      upgrade_configuration()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1982, in upgrade_configuration
      migrate_to_authselect()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1696, in migrate_to_authselect
      tasks.migrate_auth_configuration(statestore)
    File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 238, in migrate_auth_configuration
      ipautil.run(authselect_cmd)
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 518, in run
      preexec_fn=preexec_fn)
    File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
      errread, errwrite)
    File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
      raise child_exception

  2018-09-03T17:46:06Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: 'NoneType' object has no attribute 'rfind'
  2018-09-03T17:46:06Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
  AttributeError: 'NoneType' object has no attribute 'rfind'
  2018-09-03T17:46:06Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

  Looking through
  /usr/lib/python2.7/dist-packages/ipaplatform/debian/tasks.py, I note
  that Debian doesn't use authconfig. Presuming (perhaps wrongly) that
  authselect is similarly inapplicable, I modified def
  migrate_to_authselect() in
  /usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py
  to just return. With this change, upgrade completed successfully. I'm
  not sure if this is the correct approach.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1793994/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL

2018-10-02 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov   Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1769485

Title:
  freeipa install server fails - cannot start apache server with SSL

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Bionic:
  Confirmed

Bug description:
  After having installed the new version of Tomcat 8, compatible with
  JDK 8 (see
  https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1765616), I am
  still stuck with freeipa-server on Ubuntu 18.04.

  The ipa-server-install script fails during step "[19/21]: starting
  httpd" of HTTP configuration.  From my investigation, it seems that
  the problem is that the SSL private key in
  /var/lib/ipa/private/httpd.key has a passphrase, saved in
  /var/lib/ipa/-443-RSA. The passphrase is correct (I checked with
  openssl), but Apache does not find it.

  [Test Case]

  Add repository ppa:freeipa/ppa, install freeipa-server, run
  ipa-server-install.

  [What expected]

  ipa-server-install terminates without errors.

  [What happens]

  ipa-server-install fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769485/+subscriptions



[Freeipa] [Bug 1772921] Re: freeipa web ui -- incorrect configuration for awesome fonts

2018-10-02 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov   Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1772921

Title:
  freeipa web ui -- incorrect configuration for awesome fonts

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Hi, another bug for FreeIPA, but this is quite trivial and not very
  important either. The file /usr/share/ipa/ipa.conf.template contains
  the line

  Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"

  for providing the Awesome font to web browsers. $FONTS_DIR is
  correctly replaced with /usr/share/fonts/truetype/ when the template
  is copied into the Apache configuration directory, but the name of the
  directory (fontawesome) is wrong in Ubuntu, since the font is actually
  installed into /usr/share/fonts/truetype/font-awesome/ (with the minus
  sign). As a result, the web ui is full of unrecognized UTF-8 glyphs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772921/+subscriptions



[Freeipa] [Bug 1772447] Re: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache

2018-10-02 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov   Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1772447

Title:
  freeipa installation - directory /var/lib/krb5kdc is not accessible by
  Apache

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  After having installed FreeIPA on Ubuntu 18.04, I cannot login by the
  web interface. I think the problem is that Apache uses the certificate
  in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this
  file is readable by everyone, the directory /var/lib/krb5kdc is only
  accessible by root. After a 'chmod 0755 /var/lib/krb5kdc' it is
  possible to login through the web interface.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447/+subscriptions
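
The report above comes down to POSIX path resolution: a world-readable file is still unreachable when a parent directory withholds search (x) permission from the caller. The following added example (not part of the bug report or of FreeIPA) walks a path component by component using classic mode bits only, ignoring ACLs, capabilities and AppArmor/SELinux policy; `Identity`, `first_blocker` and the temporary layout are hypothetical and constructed for illustration.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Hypothetical stand-in for a process identity (e.g. the Apache user)."""
    uid: int
    gids: frozenset = frozenset()


def _class_bits(st, who):
    """Return the rwx triplet (0-7) of the one permission class that applies."""
    if who.uid == st.st_uid:
        return (st.st_mode >> 6) & 0o7   # owner class
    if st.st_gid in who.gids:
        return (st.st_mode >> 3) & 0o7   # group class
    return st.st_mode & 0o7              # other class


def first_blocker(path, who, start=os.sep):
    """Return (component, reason) for the first component below `start` that
    `who` cannot pass on the way to reading `path`, or None if nothing blocks.

    `start` is a directory assumed to be reachable already. Only classic mode
    bits are evaluated: no ACLs, capabilities or LSM policy.
    """
    if who.uid == 0:
        return None                      # root bypasses mode-bit checks
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(path, start)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("path is not below start")
    current = start
    for part in rel.split(os.sep):
        # Looking up `part` requires search (x) permission on its parent.
        if not _class_bits(os.stat(current), who) & 0o1:
            return current, "directory lacks search (x) permission"
        current = os.path.join(current, part)
    if not _class_bits(os.stat(current), who) & 0o4:
        return current, "file lacks read (r) permission"
    return None


def demo():
    """Rebuild the reported layout in a temp dir and test three directory modes."""
    # Constructed uid that is neither the owner of the files nor root.
    web = Identity(uid=os.getuid() + 1)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o755)             # mkdtemp creates 0700; open it up
        kdc_dir = os.path.join(tmp, "krb5kdc")
        os.mkdir(kdc_dir)
        cert = os.path.join(kdc_dir, "kdc.crt")
        with open(cert, "w") as fh:
            fh.write("constructed placeholder, not a certificate\n")
        os.chmod(cert, 0o644)            # "readable by everyone", as reported
        # 0700: the reported state. 0755: the change applied in the report.
        # 0711: shown for comparison, search without directory listing.
        for mode in (0o700, 0o755, 0o711):
            os.chmod(kdc_dir, mode)
            hit = first_blocker(cert, web, start=tmp)
            if hit is not None:
                hit = (os.path.relpath(hit[0], tmp), hit[1])
            results[oct(mode)] = hit
    return results


if __name__ == "__main__":
    for mode, hit in demo().items():
        print(mode, "->", hit or "readable")
```

Mode 0711 passes the same check as 0755 because opening a file by a known name needs only search permission on the directory; listing its contents needs read permission as well.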



[Freeipa] [Bug 1772450] Re: freeipa server -- problems with certificates

2018-10-02 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov   Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
   Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1772450

Title:
  freeipa server -- problems with certificates

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  After having installed FreeIPA server on Ubuntu 18.04 and having
  sorted out all the other bugs, I still have problems with
  certificates.

  In the web interface, every attempt to select the "Authentication ->
  Certificates" tab ends with the following error

  IPA Error 4301: CertificateOperationError
  Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)

  The problem also occurs with command line utilities. For example, 'ipa
  cert-show 1' returns the error: 'ipa: ERROR: Certificate operation
  cannot be completed: Unable to communicate with CMS (500)'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772450/+subscriptions



[Freeipa] [Bug 1778236] Re: missing GZIP path in freeipa platform configuration

2018-10-02 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov   Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1778236

Title:
  missing GZIP path in freeipa platform configuration

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  The file "/usr/lib/python2.7/dist-packages/ipaplatform/debian/paths.py"
  is missing the line

  GZIP = "/bin/gzip"

  Without this definition, the default incorrect value of
  "/usr/bin/gzip" is used. Among the others, this is required by the
  "ipa-backup" command.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1778236/+subscriptions



[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-09-23 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: bind9 (Ubuntu Bionic)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid
Status in bind9 source package in Bionic:
  Confirmed

Bug description:
  [Impact]

  Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.

  This patch, also applied in Fedora and Debian, disables use of RTLD_DEEPBIND.
  https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
  https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b

  [Test Case]

  # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
  # uvt-kvm wait cosmic-freeipa
  # uvt-kvm ssh cosmic-freeipa

  Inside vm:

  # sudo su
  # apt purge -y cloud-init
  # echo "cosmic-freeipa.example.com" >/etc/hostname
  # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
  # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')  cosmic-freeipa.example.com" >>/etc/hosts
  # apt update
  # apt dist-upgrade -y
  # reboot
  # apt install -y freeipa-server

  * Default Kerberos realm: EXAMPLE.COM
  * Kerberos servers: cosmic-freeipa.example.com
  * Administrative server: cosmic-freeipa.example.com

  Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder
  # ip addr

  # ipa-server-install --allow-zone-overlap

  * Do you want to configure integrated DNS (BIND): YES
  * Server host name: cosmic-freeipa.example.com
  * Please confirm the domain name: example.com
  * Please provide a realm name: EXAMPLE.COM
  * Directory Manager password: (anything)
  * IPA admin password: (anything)
  * Do you want to configure DNS forwarders: yes
  * Do you want to configure these servers as DNS forwarders?: no
  * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
  * Do you want to search for missing reverse zones?: yes

  Installation should fail.

  [Regression Potential]

  In theory, if another library with the exact same symbol is loaded,
  bind9 may end up calling the wrong function. This is, however, a
  potential problem with any program that loads shared libraries.

  [Original Description]

  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions


[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-09-05 Thread Launchpad Bug Tracker
This bug was fixed in the package bind9 - 1:9.11.4+dfsg-3ubuntu2

---
bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium

  * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
    crashing on startup. (LP: #1769440)

 -- Karl Stenerud   Thu, 30 Aug 2018 07:11:39 -0700

** Changed in: bind9 (Ubuntu)
   Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid

Bug description:
  [Impact]

  Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.

  This patch, also applied in Fedora and Debian, disables use of RTLD_DEEPBIND.
  https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
  https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b

  [Test Case]

  # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
  # uvt-kvm wait cosmic-freeipa
  # uvt-kvm ssh cosmic-freeipa

  Inside vm:

  # sudo su
  # apt purge -y cloud-init
  # echo "cosmic-freeipa.example.com" >/etc/hostname
  # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
  # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')  cosmic-freeipa.example.com" >>/etc/hosts
  # apt update
  # apt dist-upgrade -y
  # reboot
  # apt install -y freeipa-server

  * Default Kerberos realm: EXAMPLE.COM
  * Kerberos servers: cosmic-freeipa.example.com
  * Administrative server: cosmic-freeipa.example.com

  Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder
  # ip addr

  # ipa-server-install --allow-zone-overlap

  * Do you want to configure integrated DNS (BIND): YES
  * Server host name: cosmic-freeipa.example.com
  * Please confirm the domain name: example.com
  * Please provide a realm name: EXAMPLE.COM
  * Directory Manager password: (anything)
  * IPA admin password: (anything)
  * Do you want to configure DNS forwarders: yes
  * Do you want to configure these servers as DNS forwarders?: no
  * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
  * Do you want to search for missing reverse zones?: yes

  Installation should fail.

  [Regression Potential]

  In theory, if another library with the exact same symbol is loaded,
  bind9 may end up calling the wrong function. This is, however, a
  potential problem with any program that loads shared libraries.

  [Original Description]

  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File 

[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run

2018-08-29 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~kstenerud/ubuntu/+source/bind9/+git/bind9/+merge/354002

https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Confirmed
Status in freeipa package in Ubuntu:
  Invalid

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions



[Freeipa] [Bug 1772405] Re: freeipa dns install does not correctly configure reverse zones due to systemd-resolved

2018-08-23 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: systemd (Ubuntu)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/1772405

Title:
  freeipa dns install does not correctly configure reverse zones due to
  systemd-resolved

Status in freeipa package in Ubuntu:
  Triaged
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  In Ubuntu 18.04, ipa-dns-install (or ipa-server-install when asking to
  configure BIND) does not create reverse DNS zones for my domain. Note
  that I already fixed (or more correctly, circumvented) other bugs
  involving BIND, such as
  https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440.

  The problem seems due to the presence of systemd-resolved. When
  ipa-dns-install evaluates whether to create a reverse DNS zone, it tries to
  use the local DNS for resolving the IP address of the server. When you
  want to install BIND alongside IPA, this normally fails, and the
  installer knows he needs to configure an appropriate reverse zone. But
  when systemd-resolved is active, it takes the role of local DNS and
  answers this query: therefore, the installer thinks a reverse DNS zone
  is already present.

  To fix this problem I had to perform the following steps before calling ipa-dns-install (or ipa-server-install):
  1) stop systemd-resolved with "systemctl stop systemd-resolved".
  2) disable systemd-resolved with "systemctl disable systemd-resolved".
  3) delete the file "/etc/resolv.conf", which is a symlink to a file created by systemd.
  4) optionally, recreate "/etc/resolv.conf" pointing to the (real) local DNS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772405/+subscriptions
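
A preflight check for the condition described above, as an added example that is not part of the bug report or of FreeIPA: it reports whether a resolv.conf is a symlink into the directory where systemd-resolved writes its generated files (/run/systemd/resolve) and whether any configured nameserver is a loopback address such as the 127.0.0.53 stub listener. The function names are hypothetical and the sample files are constructed.

```python
import ipaddress
import os
import tempfile

# Directory where systemd-resolved writes the resolv.conf files it manages.
SYSTEMD_RESOLVE_DIR = "/run/systemd/resolve"


def parse_nameservers(text):
    """Return the nameserver addresses of a resolv.conf, in file order."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def _is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; unparsable addresses count as non-local."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def resolver_preflight(resolv_conf="/etc/resolv.conf",
                       managed_dir=SYSTEMD_RESOLVE_DIR):
    """Describe who will answer the installer's DNS queries on this host."""
    managed_dir = os.path.realpath(managed_dir)
    target = os.path.realpath(resolv_conf)
    with open(resolv_conf) as fh:
        servers = parse_nameservers(fh.read())
    managed = (os.path.islink(resolv_conf)
               and os.path.commonpath([target, managed_dir]) == managed_dir)
    local = [s for s in servers if _is_loopback(s)]
    return {
        "managed_symlink": managed,
        "nameservers": servers,
        "local_resolvers": local,
        # A local resolver will answer the reverse-zone probe itself, which
        # is the situation the report describes.
        "needs_attention": bool(managed or local),
    }


def demo():
    """Run the check on two constructed configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        managed_dir = os.path.join(tmp, "run-systemd-resolve")
        os.mkdir(managed_dir)
        stub = os.path.join(managed_dir, "stub-resolv.conf")
        with open(stub, "w") as fh:
            fh.write("# constructed sample\n"
                     "nameserver 127.0.0.53\n"
                     "options edns0\n"
                     "search example.com\n")
        linked = os.path.join(tmp, "resolv.conf")
        os.symlink(stub, linked)             # mimics the default symlink
        static = os.path.join(tmp, "static-resolv.conf")
        with open(static, "w") as fh:
            fh.write("nameserver 192.0.2.1\n")   # documentation address
        return (resolver_preflight(linked, managed_dir),
                resolver_preflight(static, managed_dir))


if __name__ == "__main__":
    for report in demo():
        print(report)
```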

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
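
The condition described in bug 1772405 can be detected before running ipa-dns-install or ipa-server-install. The script below is an added example, not code from FreeIPA or from the bug report; the function names are assumptions, and the 127.0.0.53 stub address and the /run/systemd/resolve location are systemd-resolved defaults rather than values taken from the report.

```shell
#!/bin/sh
# Pre-flight check: would the IPA DNS installer be querying systemd-resolved
# instead of a real local DNS server?

# Print the nameserver addresses from a resolv.conf-style file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed (and print the reason) if the given resolv.conf is handled by
# systemd-resolved: either it is a symlink into systemd's resolve directory,
# or it lists the stub listener address 127.0.0.53.
resolved_in_path() {
    _conf=$1
    if [ -L "$_conf" ]; then
        _target=$(readlink "$_conf")
        case $_target in
            */systemd/resolve/*)
                echo "symlink to $_target"
                return 0 ;;
        esac
    fi
    [ -r "$_conf" ] || return 1          # missing or unreadable file
    for _ns in $(nameservers "$_conf"); do
        if [ "$_ns" = "127.0.0.53" ]; then
            echo "lists the stub listener $_ns"
            return 0
        fi
    done
    return 1
}

# Run both checks from the report's workaround: the resolv.conf file and the
# service state. Returns non-zero if either one still involves resolved.
preflight() {
    _file=${1:-/etc/resolv.conf}
    _rc=0
    if _why=$(resolved_in_path "$_file"); then
        echo "FAIL: $_file is answered by systemd-resolved ($_why)"
        _rc=1
    else
        echo "ok: $_file does not lead to systemd-resolved"
    fi
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet systemd-resolved 2>/dev/null; then
        echo "FAIL: systemd-resolved is still active"
        _rc=1
    fi
    return $_rc
}

# Constructed sample tree that mirrors a default layout with resolved enabled.
demo() {
    _d=$(mktemp -d)
    mkdir -p "$_d/run/systemd/resolve" "$_d/etc"
    echo "nameserver 127.0.0.53" > "$_d/run/systemd/resolve/stub-resolv.conf"
    ln -s ../run/systemd/resolve/stub-resolv.conf "$_d/etc/resolv.conf"
    preflight "$_d/etc/resolv.conf"
    _status=$?
    rm -rf "$_d"
    return $_status
}
demo || true
```

On a real host, call `preflight` with no argument to check /etc/resolv.conf and stop before the installer runs if it returns non-zero.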


[Freeipa] [Bug 1784399] Re: package freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 failed to install/upgrade: installed freeipa-server package post-installation script subprocess returned error exit s

2018-08-23 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1784399

Title:
  package freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 failed to
  install/upgrade: installed freeipa-server package post-installation
  script subprocess returned error exit status 1

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  I was trying to upgrade a freeipa server running ubuntu 16.04 to
  18.04.

  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: freeipa-server 4.7.0~pre1+git20180411-2ubuntu2
  ProcVersionSignature: Ubuntu 4.15.0-29.31~16.04.1-generic 4.15.18
  Uname: Linux 4.15.0-29-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  Date: Mon Jul 30 14:32:34 2018
  ErrorMessage: installed freeipa-server package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2018-05-29 (62 days ago)
  InstallationMedia: Ubuntu-Server 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
  Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3ubuntu1
  PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
  RelatedPackageVersions:
   dpkg 1.19.0.5ubuntu2
   apt  1.6.3
  SourcePackage: freeipa
  Title: package freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 failed to install/upgrade: installed freeipa-server package post-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to bionic on 2018-07-30 (0 days ago)
  modified.conffile..etc.default.ipa-dnskeysyncd: [modified]
  mtime.conffile..etc.default.ipa-dnskeysyncd: 2018-06-19T16:17:32.099908

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1784399/+subscriptions



[Freeipa] [Bug 1785157] [NEW] external (letsencrypt) certs failing to parse due to pyasn1

2018-08-03 Thread Launchpad Bug Tracker
You have been subscribed to a public bug by Timo Aaltonen (tjaalton):

Attempting a clean installation of freeipa-server on bionic using
letsencrypt certs passed as arguments fails with an error similar to:

 not in asn1Spec:  encoding iso-8859-1>
The ipa-server-certinstall command failed

I was able to bypass this by downgrading pyasn1 and pyasn1-modules:

rm -rf /usr/lib/python2.7/dist-packages/pyasn1
rm -rf /usr/lib/python2.7/dist-packages/pyasn1-0.4.2.egg-info/
rm -rf /usr/lib/python2.7/dist-packages/pyasn1_modules
rm -rf /usr/lib/python2.7/dist-packages/pyasn1_modules-0.2.1.egg-info
apt install python-pip
pip install pyasn1==0.2.3
pip install pyasn1-modules==0.0.9

After that, installation is able to proceed with letsencrypt
certificates passed in.

** Affects: pyasn1 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
external (letsencrypt) certs failing to parse due to pyasn1
https://bugs.launchpad.net/bugs/1785157
You received this bug notification because you are a member of FreeIPA,
which is subscribed to the bug report.



[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL

2018-08-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu Bionic)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769485

Title:
  freeipa install server fails - cannot start apache server with SSL

Status in freeipa package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Confirmed

Bug description:
  After having installed the new version of Tomcat 8, compatible with
  JDK 8 (see
  https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1765616), I am
  still stuck with freeipa-server on Ubuntu 18.04.

  The ipa-server-install script fails during step "[19/21]: starting
  httpd" of HTTP configuration.  From my investigation, it seems that
  the problem is that the SSL private key in
  /var/lib/ipa/private/httpd.key has a passphrase, saved in
  /var/lib/ipa/-443-RSA. The passphrase is correct (I checked with
  openssl), but Apache does not find it.

  [Test Case]

  Add repository ppa:freeipa/ppa, install freeipa-server, run
  ipa-server-install.

  [What expected]

  ipa-server-install terminates without errors.

  [What happens]

  ipa-server-install fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769485/+subscriptions



[Freeipa] [Bug 1768865] Re: freeipa server installation fails on Bionic due to tomcat conflict

2018-07-19 Thread Launchpad Bug Tracker
*** This bug is a duplicate of bug 1765616 ***
https://bugs.launchpad.net/bugs/1765616

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1768865

Title:
  freeipa server installation fails on Bionic due to tomcat conflict

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Installing freeipa server fails at configuring certificate server
  (pki-tomcatd).

  ...
  Configuring kadmin
    [1/2]: starting kadmin
    [2/2]: configuring kadmin to start on boot
  Done configuring kadmin.
  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/28]: configuring certificate server instance
  ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpGu_KPq'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 300s\npkispawn: ERROR ... server failed to restart\n")
  ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
  ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
  ipapython.admintool: ERROR CA configuration failed.
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  Looking more closely in /var/log/pki/pki-tomcat/catalina.out there are
  a bunch of java.io.FileNotFoundException

  root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out
  java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)

  This has been discussed on the FreeIPA users list, and the conclusion
  was:

  "If Ubuntu 18.04 has Tomcat 8.5, you are not going to get it working with
   the current release of FreeIPA.

   We have been working on FreeIPA 4.7 for about a half a year now and only
   recently dogtag got support for tomcat 8.5. There are still bits and
   pieces which are being fixed in dogtag to support FreeIPA 4.7.

   I guess currently you aren't going to get any luck with Ubuntu/Debian
   builds."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1768865/+subscriptions



[Freeipa] [Bug 1730039] Re: 389-console fails to connect with TLSv1.2

2018-07-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: jss (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to jss in Ubuntu.
https://bugs.launchpad.net/bugs/1730039

Title:
  389-console fails to connect with TLSv1.2

Status in 389-console package in Ubuntu:
  New
Status in jss package in Ubuntu:
  Confirmed

Bug description:
  389-console on Ubuntu 17.10 fails to connect to an instance of dirsrv-
  admin that has been configured to allow only TLSv1.2 connections
  (389-console on Ubuntu 17.04 works fine against the same instance).

  389-console -D 9 debug shows the following error:

  CREATE JSS SSLSocket
  Unable to create ssl socket
  org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error
      at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(Native Method)
      at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(SSLSocket.java:1398)
      at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
      at com.netscape.management.client.comm.CommManager.send(Unknown Source)
      at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
      at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
      at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
      at com.netscape.management.client.console.Console.(Unknown Source)
      at com.netscape.management.client.console.Console.main(Unknown Source)

  Downgrading the libjss-java package to version 4.3.1-7build1 from
  Ubuntu 17.04 fixes the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/389-console/+bug/1730039/+subscriptions



[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl

2018-05-19 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - Configuring the web interface, setting
  up ssl

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions



[Freeipa] [Bug 1772205] [NEW] freeipa install does not correctly setup krb5-admin-server

2018-05-19 Thread Launchpad Bug Tracker
You have been subscribed to a public bug:

In Ubuntu 18.04, ipa-server-install does not correctly configure
krb5-admin-server. Therefore, the kadmin server does not start. The problem
is that the krb5-admin-server service needs the file
/etc/krb5kdc/kadm5.acl. This file may be empty, but it should exist,
otherwise the server does not start. However, the krb5-admin-server does
not contain such a file, nor does the ipa-server-install command create it
during its execution.

Note this was different in Ubuntu 16.04, where krb5-admin-server used to
start even without the ACL file.

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: New

-- 
freeipa install does not correctly setup krb5-admin-server
https://bugs.launchpad.net/bugs/1772205
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.



[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.

2018-05-07 Thread Launchpad Bug Tracker
This bug was fixed in the package tomcat8 - 8.5.30-1ubuntu2

---
tomcat8 (8.5.30-1ubuntu2) cosmic; urgency=medium

  * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616)

 -- Timo Aaltonen   Tue, 24 Apr 2018 23:47:45 +0300

** Changed in: tomcat8 (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails -  RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  Fix Released
Status in freeipa source package in Bionic:
  Invalid
Status in tomcat8 source package in Bionic:
  Confirmed
Status in tomcat8 package in Debian:
  New

Bug description:
  [Impact]

  The issue occurs while installing IPA server. More specifically whilst
  configuring pki-tomcatd. The following error is produced.

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/28]: configuring certificate server instance
  ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n")
  ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
  ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
  ipapython.admintool: ERROR CA configuration failed.
  ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  The cause for this is that tomcat8 is built with JDK9 and is not
  compatible with instances that have to use JRE8 for other reasons.

  [Test Case]

  Install freeipa-server, run ipa-server-install.

  [Regression Potential]

  The fix is a fairly big patch for tomcat8 to modify the code so that
  it runs with JRE8. It passes the upstream test suite though, when run
  with JRE8 though tomcat itself was built with the default JDK.

  [Other info]

  Patch will be sent upstream too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions



[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.

2018-05-03 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: tomcat8 (Ubuntu Bionic)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails -  RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Invalid
Status in tomcat8 source package in Bionic:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions



[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.

2018-05-03 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu Bionic)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
  freeipa server install fails -  RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu:
  Invalid
Status in tomcat8 package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Invalid
Status in tomcat8 source package in Bionic:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions



[Freeipa] [Bug 1717998] Re: Please remove tomcat8.0 before 18.04 releases

2018-04-19 Thread Launchpad Bug Tracker
This bug was fixed in the package tomcat8 - 8.5.30-1ubuntu1

---
tomcat8 (8.5.30-1ubuntu1) bionic; urgency=medium

  * control: Break/replace tomcat8.0 binaries. (LP: #1717998)

 -- Timo Aaltonen   Thu, 19 Apr 2018 14:53:19 +0300

** Changed in: tomcat8 (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to tomcat8.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1717998

Title:
  Please remove tomcat8.0 before 18.04 releases

Status in tomcat8 package in Ubuntu:
  Fix Released
Status in tomcat8.0 package in Ubuntu:
  Triaged

Bug description:
  This package is meant to be temporary to allow tomcatjss, dogtag-pki
  (and thus freeipa) to work until upstream has ported the components
  for tomcat 8.5 and up.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1717998/+subscriptions



[Freeipa] [Bug 1733571] Re: unable to access kerberized nfs4 shares with keyring ccache

2018-03-09 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: nfs-utils (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1733571

Title:
  unable to access kerberized nfs4 shares with keyring ccache

Status in freeipa package in Ubuntu:
  Confirmed
Status in nfs-utils package in Ubuntu:
  Confirmed

Bug description:
  # Problem

  With default `ipa-client-install` method, users authenticated to
  kerberos cannot access kerberized nfs shares from other ipa joined
  ubuntu hosts, even though permissions are correct.

  # Steps to reproduce

  1. Set up FreeIPA server on CentOS 7 per default docs
  2. Set up two Ubuntu 16.04 hosts, one `server.domain.tld` one `client.domain.tld`, join both to FreeIPA
  3. Create principals `nfs/server.domain.tld` and `nfs/client.domain.tld`
  4. Create user in FreeIPA `testuser`
  5. Install `nfs-kernel-server` on `server.domain.tld` and share `/srv/nfs4`: `/srv/nfs4 *(sec=krb5i,rw,fsid=root,crossmnt,no_subtree_check,root_squash)`, run `exportfs -rav`
  6. Create some files and directories in `/srv/nfs4` owned by `testuser:testuser`
  7. Install `nfs-common` on `client.domain.tld` and mount: `mount -t nfs4 server.domain.tld:/ /srv/nfs4`
  8. Log in as `testuser` and `kinit testuser` if necessary
  9. `cd /srv/nfs4; ls /srv/nfs4; touch /srv/nfs4/some_file`

  # Expected result

  Changing of working directory to `/srv/nfs4`, listing directory
  contents and creating new file

  # Actual result

  `Permission denied`

  # Reason

  After quite some time debugging I found that `gssd` in Ubuntu 16.04
  cannot read kernel persistent keyrings for kerberos' ccache. Removing
  the line `default_ccache_name = KEYRING:persistent:%{uid}` from
  `/etc/krb5.conf` solved the issue.

  This config file is created by `ipa-client-install` in
  `configure_krb5_conf()` after `#configure KEYRING CCACHE if
  supported`.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: freeipa-client 4.3.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
  Uname: Linux 4.4.0-101-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.12
  Architecture: amd64
  Date: Tue Nov 21 12:41:59 2017
  JournalErrors:
   Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
         Users in the 'systemd-journal' group can see all messages. Pass -q to
         turn off this notice.
   No journal files were opened due to insufficient permissions.
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1733571/+subscriptions



[Freeipa] [Bug 1716842] Re: dogtag-pki needs porting work for tomcat 8.5

2017-11-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1716842

Title:
  dogtag-pki needs porting work for tomcat 8.5

Status in dogtag-pki package in Ubuntu:
  Incomplete
Status in freeipa package in Ubuntu:
  Confirmed
Status in dogtag-pki package in Debian:
  Fix Released

Bug description:
  dogtag-pki needs porting work for tomcat8, demoting to proposed for
  now, plus the freeipa dependency.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1716842/+subscriptions



[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-09-14 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.4.3-3ubuntu2.1

---
freeipa (4.4.3-3ubuntu2.1) zesty; urgency=medium

  * client.dirs: Ship /etc/krb5.conf.d, because not having that breaks
    the installer when krb5.conf tries to include it. (LP: #1693154)

 -- Timo Aaltonen   Wed, 14 Jun 2017 13:56:03 +0300

** Changed in: freeipa (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Released
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include /etc/krb5.conf.d which doesn't exist, so kinit fails.

  The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
  client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  
  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt.
  joining a FreeIPA kerberos server. I am running a server on 10.111.112.100
  with a COCKPIT.LAN domain (from the "ipa-*" image on
  https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails.
  Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  stracing shows that it tries to access /etc/krb5.conf.d/ which does
  not exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
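
A pre-flight check for the failure described in this report, added here as an example (it is not part of the bug report, freeipa or krb5): it lists every include/includedir target in a krb5.conf that does not exist, which is the condition behind kinit's "Included profile directory could not be read". The function names and the scratch-directory sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. krb5_missing_includes and krb5_include_demo are hypothetical
# helper names, not part of krb5 or freeipa.
# Usage: krb5_missing_includes /etc/krb5.conf

# Print each "include FILE" / "includedir DIR" target named in CONF that does
# not exist. Returns 0 if every target exists, 1 if any is missing, 2 if CONF
# itself cannot be read.
krb5_missing_includes() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    status=0
    # read splits on whitespace, so indented directives are handled as well;
    # the "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r directive target _rest || [ -n "$directive" ]; do
        case $directive in
            includedir)
                if [ ! -d "$target" ]; then
                    echo "includedir target missing: $target"
                    status=1
                fi
                ;;
            include)
                if [ ! -f "$target" ]; then
                    echo "include target missing: $target"
                    status=1
                fi
                ;;
        esac
    done < "$conf"
    return $status
}

# Constructed sample: a krb5.conf with an includedir line pointing at a
# directory that does not exist yet, written under a scratch directory so the
# check runs without touching /etc.
krb5_include_demo() {
    scratch=$(mktemp -d) || return 2
    printf 'includedir %s/krb5.conf.d\n\n[libdefaults]\n  default_realm = COCKPIT.LAN\n' \
        "$scratch" > "$scratch/krb5.conf"

    # Directory absent: the check reports it and returns 1.
    if krb5_missing_includes "$scratch/krb5.conf"; then before=0; else before=$?; fi

    # Creating the directory is the workaround the report describes.
    mkdir "$scratch/krb5.conf.d"
    if krb5_missing_includes "$scratch/krb5.conf"; then after=0; else after=$?; fi

    rm -rf "$scratch"
    echo "before=$before after=$after"
}
```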


[Freeipa] [Bug 1691655] Re: pki-base postinst creates corrupt /etc/pki/pki.version

2017-05-18 Thread Launchpad Bug Tracker
This bug was fixed in the package dogtag-pki - 10.3.5+12-4

---
dogtag-pki (10.3.5+12-4) unstable; urgency=medium

  * pki-tomcatd.init: If no instance is configured, the initscript
machinery would return error value 5 or 6. This messes up systemd, so
just use 'exit 1' on every non-zero return value. (LP: #1664453)
  * pki-server.postinst: Clarify pki-tomcatd initial start failure
message a bit.
  * Depend libresteasy-java << 3.1.0, because the new one doesn't work
even after fixing the build.
  * pki-tools.links: Fix the convenience links DRMTool -> KRATool.
(Closes: #857209)
  * pki-base.postinst: Force recreating pki.version if upgrading from
older than 10.3.5-1. (LP: #1691655)

 -- Timo Aaltonen   Thu, 18 May 2017 09:10:17 +0300

** Changed in: dogtag-pki (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1691655

Title:
  pki-base postinst creates corrupt /etc/pki/pki.version

Status in dogtag-pki package in Ubuntu:
  Fix Released
Status in dogtag-pki source package in Zesty:
  New

Bug description:
  [Impact]

  Upgrading pki-base from xenial to zesty fails, because
  /etc/pki/pki.version created on xenial looks like this:

  Configuration-Version: 10.2.6+git20160317

  while it should just have 10.2.6. To fix the upgrade, the file should
  be recreated if old pki-base is older than 10.3.5-1.

  [Test case]

  Install pki-base on a xenial chroot, sed -i 's/xenial/zesty/' /etc/apt/sources.list, apt dist-upgrade.
  It should not fail.

  [Regression potential]

  Can't think of any.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1691655/+subscriptions



[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

2017-05-06 Thread Launchpad Bug Tracker
[Expired for freeipa (Ubuntu) because there has been no activity for 60
days.]

** Changed in: freeipa (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1635568

Title:
  freeipa-client - Can't enroll a client if server has external CA certs
  in addition to self signed CA cert

Status in freeipa package in Ubuntu:
  Expired

Bug description:
  Ubuntu version - Ubuntu 14.04.5 LTS
  freeipa-client package version - 3.3.4-0ubuntu3.1

  What is expected:

  root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
  Discovery was successful!
  Client hostname: ip-10-5-0-73.eu-west-1.compute.internal
  Realm: ID.DOMAIN.COM
  DNS Domain: id.domain.com
  IPA Server: directory.id.domain.com
  BaseDN: dc=id,dc=domain,dc=com

  Continue to configure the system with these values? [no]: yes
  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  User authorized to enroll computers: enroll.user
  Password for enroll.u...@id.domain.com:
  Successfully retrieved CA cert
  Subject: CN=Certificate Authority,O=ID.DOMAIN.COM
  Issuer:  CN=Certificate Authority,O=ID.DOMAIN.COM
  Valid From:  Wed Oct 19 14:54:08 2016 UTC
  Valid Until: Sun Oct 19 14:54:08 2036 UTC

  Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Tue Jan 19 00:00:00 2010 UTC
  Valid Until: Mon Jan 18 23:59:59 2038 UTC

  Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Wed Feb 12 00:00:00 2014 UTC
  Valid Until: Sun Feb 11 23:59:59 2029 UTC

  Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Wed Feb 12 00:00:00 2014 UTC
  Valid Until: Sun Feb 11 23:59:59 2029 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Tue Jan 19 00:00:00 2010 UTC
  Valid Until: Mon Jan 18 23:59:59 2038 UTC

  Enrolled in IPA realm ID.DOMAIN.COM
  Created /etc/ipa/default.conf
  New SSSD config will be created
  Configured sudoers in /etc/nsswitch.conf
  Configured /etc/sssd/sssd.conf
  Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
  trying https://directory.id.domain.com/ipa/json
  Forwarding 'ping' to json server 'https://directory.id.domain.com/ipa/json'
  Forwarding 'ca_is_enabled' to json server 
'https://directory.id.domain.com/ipa/json'
  Systemwide CA database updated.
  Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
  Forwarding 'host_mod' to json server 
'https://directory.id.domain.com/ipa/json'
  Could not update DNS SSHFP records.
  SSSD enabled
  Configured /etc/openldap/ldap.conf
  NTP enabled
  Configured /etc/ssh/ssh_config
  Configured /etc/ssh/sshd_config
  Configuring id.domain.com as NIS domain.
  Client configuration complete.

  What happened instead:

  root@ip-10-5-0-73:/home/ubuntu# 

[Freeipa] [Bug 1677139] Re: pkcs11 setup needs fixes for SoftHSM 2.2

2017-04-20 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu Aa-series)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1677139

Title:
  pkcs11 setup needs fixes for SoftHSM 2.2

Status in freeipa package in Ubuntu:
  Confirmed
Status in freeipa source package in Zesty:
  Confirmed
Status in freeipa source package in aa-series:
  Confirmed

Bug description:
  [Impact]

  https://pagure.io/freeipa/issue/6692

  SoftHSM 2.2 broke freeipa DNS integration.

  [Test case]

  Install ipa server with 'ipa-server-install --setup-dns'.

  [Regression potential]

  The patch touches only the pkcs11 helper, so shouldn't regress
  anything else.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1677139/+subscriptions



[Freeipa] [Bug 1677139] Re: pkcs11 setup needs fixes for SoftHSM 2.2

2017-04-20 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1677139

Title:
  pkcs11 setup needs fixes for SoftHSM 2.2

Status in freeipa package in Ubuntu:
  Confirmed
Status in freeipa source package in Zesty:
  Confirmed
Status in freeipa source package in aa-series:
  Confirmed

Bug description:
  [Impact]

  https://pagure.io/freeipa/issue/6692

  SoftHSM 2.2 broke freeipa DNS integration.

  [Test case]

  Install ipa server with 'ipa-server-install --setup-dns'.

  [Regression potential]

  The patch touches only the pkcs11 helper, so shouldn't regress
  anything else.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1677139/+subscriptions



[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

2017-03-07 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1635568

Title:
  freeipa-client - Can't enroll a client if server has external CA certs
  in addition to self signed CA cert

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu version - Ubuntu 14.04.5 LTS
  freeipa-client package version - 3.3.4-0ubuntu3.1

  What is expected:

  root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
  Discovery was successful!
  Client hostname: ip-10-5-0-73.eu-west-1.compute.internal
  Realm: ID.DOMAIN.COM
  DNS Domain: id.domain.com
  IPA Server: directory.id.domain.com
  BaseDN: dc=id,dc=domain,dc=com

  Continue to configure the system with these values? [no]: yes
  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  User authorized to enroll computers: enroll.user
  Password for enroll.u...@id.domain.com:
  Successfully retrieved CA cert
  Subject: CN=Certificate Authority,O=ID.DOMAIN.COM
  Issuer:  CN=Certificate Authority,O=ID.DOMAIN.COM
  Valid From:  Wed Oct 19 14:54:08 2016 UTC
  Valid Until: Sun Oct 19 14:54:08 2036 UTC

  Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Tue Jan 19 00:00:00 2010 UTC
  Valid Until: Mon Jan 18 23:59:59 2038 UTC

  Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Wed Feb 12 00:00:00 2014 UTC
  Valid Until: Sun Feb 11 23:59:59 2029 UTC

  Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Issuer:  CN=AddTrust External CA Root,OU=AddTrust External TTP 
Network,O=AddTrust AB,C=SE
  Valid From:  Tue May 30 10:48:38 2000 UTC
  Valid Until: Sat May 30 10:48:38 2020 UTC

  Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Wed Feb 12 00:00:00 2014 UTC
  Valid Until: Sun Feb 11 23:59:59 2029 UTC

  Subject: CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Issuer:  CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB
  Valid From:  Tue Jan 19 00:00:00 2010 UTC
  Valid Until: Mon Jan 18 23:59:59 2038 UTC

  Enrolled in IPA realm ID.DOMAIN.COM
  Created /etc/ipa/default.conf
  New SSSD config will be created
  Configured sudoers in /etc/nsswitch.conf
  Configured /etc/sssd/sssd.conf
  Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
  trying https://directory.id.domain.com/ipa/json
  Forwarding 'ping' to json server 'https://directory.id.domain.com/ipa/json'
  Forwarding 'ca_is_enabled' to json server 
'https://directory.id.domain.com/ipa/json'
  Systemwide CA database updated.
  Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
  Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
  Forwarding 'host_mod' to json server 
'https://directory.id.domain.com/ipa/json'
  Could not update DNS SSHFP records.
  SSSD enabled
  Configured /etc/openldap/ldap.conf
  NTP enabled
  Configured /etc/ssh/ssh_config
  Configured /etc/ssh/sshd_config
  Configuring id.domain.com as NIS domain.
  Client configuration complete.

  What happened instead:

  root@ip-10-5-0-73:/home/ubuntu# 

[Freeipa] [Bug 1630911] Re: freeipa-client has a hard dependency on "ntp" which is not wanted in lxd environment

2017-02-17 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

---
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium

  * fix-is-running.diff: Add a third argument to is_running() in
ipaplatform/debian/services.py.

 -- Timo Aaltonen   Fri, 17 Feb 2017 01:40:15 +0200

** Changed in: freeipa (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1630911

Title:
  freeipa-client has a hard dependency on "ntp" which is not wanted in
  lxd environment

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  [Note: the package is called "freeipa-client" but launchpad only lets
  me select "freeipa"]

  The "freeipa-client" package has a hard dependency on "ntp".

  However: when running Ubuntu inside an lxd container, ntpd cannot run:
  the host is responsible for setting the clock, not the container.

  Hence I want to "apt-get remove ntp" from inside the container. But if
  I do so, this forcibly removes the "freeipa-client" package as well,
  because of the dependency. This in turn leaves a whole heap of
  dangling packages - see below - which are vulnerable to being
  accidentally removed.

  Proposal: change to "Recommends: ntp" instead of "Depends: ntp"


  
---
  # apt-get remove ntp
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages were automatically installed and are no longer required:
bind9utils certmonger cracklib-runtime freeipa-common ieee-data iproute
libavahi-client3 libavahi-common-data libavahi-common3 libbasicobjects0
libc-ares2 libcollection4 libcrack2 libcups2 libcurl3 libcurl3-nss libdhash1
libfreetype6 libini-config5 libipa-hbac0 libjbig0 libjpeg-turbo8 libjpeg8
liblcms2-2 libldb1 libnfsidmap2 libnl-3-200 libnl-route-3-200 libnspr4
libnss-sss libnss3 libnss3-nssdb libnss3-tools libopts25 libpam-pwquality
libpam-sss libpath-utils1 libpwquality-common libpwquality1 libref-array1
libsmbclient libsss-idmap0 libsss-nss-idmap0 libsss-sudo libtdb1 libtevent0
libtiff5 libwebp5 libwebpmux1 libxmlrpc-core-c3 libxslt1.1 oddjob
oddjob-mkhomedir python-bs4 python-cffi python-cffi-backend python-chardet
python-cryptography python-dbus python-decorator python-dnspython
python-enum34 python-gi python-gssapi python-html5lib python-idna
python-imaging python-ipaclient python-ipaddress python-ipalib
python-jwcrypto python-ldap python-libipa-hbac python-lxml python-memcache
python-netaddr python-nss python-pil python-pkg-resources python-ply
python-pyasn1 python-pycparser python-qrcode python-setuptools python-six
python-sss python-talloc python-usb python-yubico samba-libs sssd sssd-ad
sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap
sssd-proxy
  Use 'apt autoremove' to remove them.
  The following packages will be REMOVED:
freeipa-client ntp
  0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 2002 kB disk space will be freed.
  Do you want to continue? [Y/n] n
  Abort.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: freeipa-client 4.3.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-34.53-generic 4.4.15
  Uname: Linux 4.4.0-34-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  Date: Thu Oct  6 09:05:52 2016
  Ec2AMI: ami-c06b1eb3
  Ec2AMIManifest: (unknown)
  Ec2AvailabilityZone: eu-west-1a
  Ec2InstanceType: t2.medium
  Ec2Kernel: unavailable
  Ec2Ramdisk: unavailable
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1630911/+subscriptions


[Freeipa] [Bug 1640732] Re: krb5-otp package not being installed when ipa-server-install

2017-02-17 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

---
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium

  * fix-is-running.diff: Add a third argument to is_running() in
ipaplatform/debian/services.py.

 -- Timo Aaltonen   Fri, 17 Feb 2017 01:40:15 +0200

** Changed in: freeipa (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1640732

Title:
  krb5-otp package not being installed when ipa-server-install

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  While using Freeipa server with an external RADIUS server (which in turn
  is connected to an OTP authenticator), freeipa-server fails to load the
  required krb5-otp module.
  That's because the module is simply not there and every request sent by a
  user using FAST/OTP will fail. This is the message on /var/log/auth:

  NEEDED_PREAUTH: johndoe@REALM for krbtgt/REALM, Additional pre-
  authentication required

  The user gets (note that he is not prompted for OTP, the request simply dies):
  root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
  [2872] 1478769982.447733: Resolving unique ccache of type KEYRING
  [2872] 1478769982.449824: Getting initial credentials for johndoe@REALM
  [2872] 1478769982.453943: FAST armor ccache: KEYRING:persistent:0:0
  [2872] 1478769982.454171: Retrieving admin@REALM -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from 
KEYRING:persistent:0:0 with result: 0/Success
  [2872] 1478769982.454284: Read config in KEYRING:persistent:0:0 for 
krbtgt/REALM@REALM: fast_avail: yes
  [2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
  [2872] 1478769982.454484: Getting credentials admin@REALM -> 
krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
  [2872] 1478769982.454637: Retrieving admin@REALM -> krbtgt/REALM@REALM from 
KEYRING:persistent:0:0 with result: 0/Success
  [2872] 1478769982.454733: Armor ccache sesion key: aes256-cts/03D3
  [2872] 1478769982.454836: Creating authenticator for admin@REALM -> 
krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/8CB1, session key 
aes256-cts/03D3
  [2872] 1478769982.455045: FAST armor key: aes256-cts/21EB
  [2872] 1478769982.455147: Encoding request body and padata into FAST request
  [2872] 1478769982.455272: Sending request (947 bytes) to REALM
  [2872] 1478769982.455437: Resolving hostname freeipa.realm.com
  [2872] 1478769982.455900: Initiating TCP connection to stream 10.80.40.243:88
  [2872] 1478769982.456147: Sending TCP request to stream 10.80.40.243:88
  [2872] 1478769982.464118: Received answer (488 bytes) from stream 
10.80.40.243:88
  [2872] 1478769982.464126: Terminating TCP connection to stream 10.80.40.243:88
  [2872] 1478769982.464147: Response was from master KDC
  [2872] 1478769982.464161: Received error from KDC: -1765328359/Additional 
pre-authentication required
  [2872] 1478769982.464166: Decoding FAST response
  [2872] 1478769982.464438: Processing preauth types: 136, 133, 137
  [2872] 1478769982.464446: Received cookie: MIT
  kinit: Generic preauthentication failure while getting initial credentials

  
  Solution:

  $ sudo apt-get install krb5-otp
  $ sudo service krb5-kdc restart 
  $ sudo service krb5-admin-server restart 

  
  After that everything works as expected:

  root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
  [2924] 1478770020.592804: Resolving unique ccache of type KEYRING
  [2924] 1478770020.592994: Getting initial credentials for johndoe@REALM
  [2924] 1478770020.596893: FAST armor ccache: KEYRING:persistent:0:0
  [2924] 1478770020.597091: Retrieving admin@REALM -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from 
KEYRING:persistent:0:0 with result: 0/Success
  [2924] 1478770020.597744: Read config in KEYRING:persistent:0:0 for 
krbtgt/REALM@REALM: fast_avail: yes
  [2924] 1478770020.597822: Using FAST due to armor ccache negotiation result
  [2924] 1478770020.597884: Getting credentials admin@REALM -> 
krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
  [2924] 1478770020.598012: Retrieving admin@REALM -> krbtgt/REALM@REALM from 
KEYRING:persistent:0:0 with result: 0/Success
  [2924] 1478770020.598102: Armor ccache sesion key: aes256-cts/03D3
  [2924] 1478770020.598199: Creating authenticator for admin@REALM -> 
krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/E28F, session key 
aes256-cts/03D3
  [2924] 1478770020.598381: FAST armor key: aes256-cts/8677
  [2924] 1478770020.598471: Encoding request body and padata into FAST request
  [2924] 1478770020.598585: Sending request (947 bytes) to REALM
  [2924] 1478770020.598669: Resolving hostname freeipa.realm.com
  [2924] 1478770020.599039: Initiating TCP connection to stream 10.80.40.243:88
  [2924] 1478770020.599366: Sending TCP request to stream 

[Freeipa] [Bug 1664453] Re: autopkgtests failing with systemd-232

2017-02-17 Thread Launchpad Bug Tracker
This bug was fixed in the package dogtag-pki - 10.3.5+12-3ubuntu1

---
dogtag-pki (10.3.5+12-3ubuntu1) zesty; urgency=medium

  * pki-tomcatd.init: If no instance is configured, the initscript
machinery would return error value 5 or 6. This messes up systemd, so
just use 'exit 1' on every non-zero return value. (LP: #1664453)

 -- Timo Aaltonen   Thu, 16 Feb 2017 16:43:49 +0200

** Changed in: dogtag-pki (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1664453

Title:
  autopkgtests failing with systemd-232

Status in dogtag-pki package in Ubuntu:
  Fix Released

Bug description:
  The autopkgtests for dogtag-pki are failing. It looks like this
  started with the upgrade of systemd to 232.

  Previously, pki-tomcatd was marked as failed on startup:

  Job for pki-tomcatd.service failed because the control process exited with error code.
  See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript pki-tomcatd, action "start" failed.
  ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
     Loaded: loaded (/etc/init.d/pki-tomcatd; generated; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2016-11-07 20:51:19 UTC; 14ms ago
       Docs: man:systemd-sysv-generator(8)
    Process: 8100 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=5)

  Now, the service is marked as started and exited:

  ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
     Loaded: loaded (/etc/init.d/pki-tomcatd; generated; vendor preset: enabled)
     Active: active (exited) since Tue 2017-02-14 06:02:25 UTC; 31s ago
       Docs: man:systemd-sysv-generator(8)

  Since systemd-sysv-generator uses RemainAfterExit=true, subsequent
  "systemctl start pki-tomcatd" invocations do nothing.

  I believe the relevant systemd change is:

  
https://github.com/systemd/systemd/commit/41e2036eb83204df95a1c3e829bcfd78ee17aaa3

  which fixed it to detect the special LSB exit codes as intended.

  I see that .../scriptlets/configuration.py issues start() when
  configuring the first tomcat instance and restart() for subsequent
  instances (line 364). Maybe one workaround would be to use restart()
  unconditionally for now? That looks like it does roughly the right
  thing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1664453/+subscriptions



[Freeipa] [Bug 1664457] Re: dogtag-pki ftbfs with libresteasy-java 3.1.0

2017-02-17 Thread Launchpad Bug Tracker
This bug was fixed in the package dogtag-pki - 10.3.5+12-3ubuntu1

---
dogtag-pki (10.3.5+12-3ubuntu1) zesty; urgency=medium

  * pki-tomcatd.init: If no instance is configured, the initscript
machinery would return error value 5 or 6. This messes up systemd, so
just use 'exit 1' on every non-zero return value. (LP: #1664453)

 -- Timo Aaltonen   Thu, 16 Feb 2017 16:43:49 +0200

** Changed in: dogtag-pki (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1664457

Title:
  dogtag-pki ftbfs with libresteasy-java 3.1.0

Status in dogtag-pki package in Ubuntu:
  Fix Released

Bug description:
  https://launchpadlibrarian.net/302962949/buildlog_ubuntu-zesty-amd64.dogtag-pki_10.3.5-7_BUILDING.txt.gz

  com/netscape/certsrv/account/AccountResource.java:25: error: cannot find symbol
  import org.jboss.resteasy.annotations.ClientResponseType;
   ^
symbol:   class ClientResponseType
location: package org.jboss.resteasy.annotations

  I don't think there is a Debian bug yet for this specific issue. The
  current FTBFS there looks like it's related to tomcat 8.5.

  This class in particular seems to have moved to the resteasy-legacy
  jar:

  http://sources.debian.net/src/resteasy/3.1.0-1/resteasy-legacy/src/main/java/org/jboss/resteasy/annotations/legacy/ClientResponseType.java/

  which unfortunately doesn't seem to be packaged...

  http://sources.debian.net/src/resteasy/3.1.0-1/debian/libresteasy-java.poms/#L54

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1664457/+subscriptions



[Freeipa] [Bug 1600513] Re: Depend on libnss-sss and libpam-sss

2016-12-25 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.3.2-5

---
freeipa (4.3.2-5) unstable; urgency=medium

  * fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
- CVE-2016-5404
  * ipa-kdb-support-dal-version-5-and-6.diff: Support mit-krb5 1.15.
(Closes: #844114)

 -- Timo Aaltonen   Sat, 03 Dec 2016 01:02:40 +0200

** Changed in: freeipa (Ubuntu)
   Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5404

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1600513

Title:
  Depend on libnss-sss and libpam-sss

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Currently libnss-sss and libpam-sss are marked as recommended on the
  sssd-common package. This however causes issues on systems that have
  installing recommended packages turned off (which I noticed was
  enabled on a VPS).

  The fact that those libraries are not installed means that the client
  install is not able to get a working setup running. It would probably
  be best if freeipa-client had a dependency on libnss-sss and libpam-
  nss as they're essentially necessary to get a working setup.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1600513/+subscriptions



[Freeipa] [Bug 1628884] Re: ipa-otpd@1-32385-0.service: Failed at step EXEC spawning /usr/lib/ipa-otpd: No such file or directory

2016-12-25 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.3.2-5

---
freeipa (4.3.2-5) unstable; urgency=medium

  * fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
- CVE-2016-5404
  * ipa-kdb-support-dal-version-5-and-6.diff: Support mit-krb5 1.15.
(Closes: #844114)

 -- Timo Aaltonen   Sat, 03 Dec 2016 01:02:40 +0200

** Changed in: freeipa (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5404

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1628884

Title:
  ipa-otpd@1-32385-0.service: Failed at step EXEC spawning /usr/lib/ipa-otpd: No such file or directory

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  In the "/lib/systemd/system/ipa-otpd@.service" file the ipa-otpd path is wrong:
   ExecStart=/usr/lib/ipa-otpd $ldap_uri

  The /usr/lib/ipa-otpd file is not found in the package.
  The right path is /usr/lib/ipa/ipa-otpd.

  Please fix it.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1628884/+subscriptions



[Freeipa] [Bug 1645201] Re: ipa-client-automount fails

2016-12-25 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.3.2-5

---
freeipa (4.3.2-5) unstable; urgency=medium

  * fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
- CVE-2016-5404
  * ipa-kdb-support-dal-version-5-and-6.diff: Support mit-krb5 1.15.
(Closes: #844114)

 -- Timo Aaltonen   Sat, 03 Dec 2016 01:02:40 +0200

** Changed in: freeipa (Ubuntu)
   Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5404

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1645201

Title:
  ipa-client-automount fails

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Host was successfully enrolled with the FreeIPA server using the
  'ipa-client-install' command.

  
  $ sudo ipa-client-automount
  Searching for IPA server...
  IPA server: DNS discovery
  Location: default
  Continue to configure the system with these values? [no]: y
  Configured /etc/default/nfs-common
  Configured /etc/idmapd.conf
  rpcidmapd failed to restart: Command '/bin/systemctl restart nfs-idmap.service' returned non-zero exit status 5
  rpcgssd failed to restart: Command '/bin/systemctl restart nfs-secure.service' returned non-zero exit status 5
  Restarting sssd, waiting for it to become available.
  Started autofs

  
  Distribution: Ubuntu 16.04
  Architecture: amd64
  Version: 4.3.1-0ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1645201/+subscriptions



[Freeipa] [Bug 1627371] Re: Timing problems with FreeIPA installation

2016-11-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1627371

Title:
  Timing problems with FreeIPA installation

Status in dogtag-pki package in Ubuntu:
  Confirmed
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  While installing FreeIPA I came across two situations that turned out
  to be timing problems. In both cases, the installation procedure was
  attempting to access the certificate server immediately after a
  restart, and the server was not listening.

  The first one is at step 10 of "Configuring certificate server
  (pki_tomcatd)":

[10/28]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
  ipa.ipapython.install.cli.install_tool(Server): ERROR Unable to retrieve CA chain: [Errno 111] Connection refused

  The second is at step 25:

[25/28]: migrating certificate profiles to LDAP
[error] NetworkError: cannot connect to 'https://server.name:8443/ca/rest/account/login': Could not connect to server.name using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.

  My solution was to add a delay at the top of the functions for those
  steps.

  def __import_ca_chain(self):
  + ##==
  + # Add wait time to allow certificate server to start up
  + # 
  + time.sleep(10)

  chain = self.__get_ca_chain()
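
Review bot: the unconditional `time.sleep(10)` at the top of `__import_ca_chain` only narrows the race: a slower host can still hit `Connection refused`, while a fast host always pays the full 10 seconds. Consider retrying `self.__get_ca_chain()` on connection errors until a deadline is reached instead, and confirm that `time` is imported in this module, since no import is part of the visible change.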

  ...

  def migrate_profiles_to_ldap():
  """Migrate profiles from filesystem to LDAP.

  This must be run *after* switching to the LDAPProfileSubsystem
  and restarting the CA.

  The profile might already exist, e.g. if a replica was already
  upgraded, so this case is ignored.

  """
  + ##==
  + # Add wait time to allow certificate server to start up
  + # 
  + time.sleep(20)

  ensure_ldap_profiles_container()
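
Review bot: the `time.sleep(20)` added after the docstring of `migrate_profiles_to_ldap` hard-codes a second, different delay for the same wait-for-the-CA condition, and the docstring already states that the function must run after restarting the CA. Waiting with a bounded timeout until the CA accepts connections, once, at the point where it is restarted, would cover both steps and remove the need to tune sleep values per host.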

  It might be necessary to adjust the sleep time.

  These bugs are intermittent and they may not appear at all. In my
  case, one KVM machine had no problems whatsoever while another had
  problems at the "migrate profiles ..." step. Both problems showed up
  on one Raspberry Pi. There were also time differences between runs.
  So, one needs to be _very_ patient.

  This is all on Ubuntu Xenial. freeipa-server 4.3.1-0ubuntu1.
  The RaspberryPi is a pi 2B

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1627371/+subscriptions



[Freeipa] [Bug 1628884] [NEW] ipa-otpd@1-32385-0.service: Failed at step EXEC spawning /usr/lib/ipa-otpd: No such file or directory

2016-09-29 Thread Launchpad Bug Tracker
You have been subscribed to a public bug:

In the "/lib/systemd/system/ipa-otpd@.service" file the ipa-otpd path is wrong:
 ExecStart=/usr/lib/ipa-otpd $ldap_uri

The /usr/lib/ipa-otpd file is not found in the package.
The right path is /usr/lib/ipa/ipa-otpd.

Please fix it.

** Affects: freeipa (Ubuntu)
 Importance: Undecided
 Status: New

-- 
ipa-otpd@1-32385-0.service: Failed at step EXEC spawning /usr/lib/ipa-otpd: No such file or directory
https://bugs.launchpad.net/bugs/1628884
You received this bug notification because you are a member of FreeIPA, which 
is subscribed to freeipa in Ubuntu.



[Freeipa] [Bug 1543230] Re: After installing freeipa-server-trust-ad ipa tries to start smb.service which doesn't exist

2016-04-19 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.3.1-0ubuntu1

---
freeipa (4.3.1-0ubuntu1) xenial; urgency=medium

  * Sync from Debian.

freeipa (4.3.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #781607, #786411) (LP: #1449304)
- drop no-test-lang.diff, obsolete
  * fix-match-hostname.diff, control: Drop the patch and python-openssl
deps, not needed anymore
  * rules, platform, server.dirs, server.install:
Add support for DNSSEC.
  * control, rules: Add support for kdcproxy.
  * control, server: Migrate to mod-auth-gssapi.
  * control, rules, fix-ipa-conf.diff: Add support for custodia.
  * control:
- Add python-cryptography to build-deps and python-freeipa deps.
- Add libp11-kit-dev to build-deps, p11-kit to server deps.
- Depend on python-gssapi instead of python-kerberos/-krbV.
- Add libini-config-dev and python-dbus to build-deps, replace wget
  with curl.
- Bump libkrb5-dev build-dep.
- Add pki-base to build-deps and pki-kra to server deps, bump pki-ca
  version.
- Drop python-m2crypto from deps, obsolete.
- Bump sssd deps to 1.13.1.
- Add python-six to build-deps and python-freeipa deps.
- Split python stuff from server, client, tests to python-
  ipa{server,client,tests}, rename python-freeipa to match and move
  translations to freeipa-common. Mark them Arch:all where possible,
  and add Breaks/Replaces.
- Add oddjob to server and oddjob-mkhomedir to client deps.
- Add python-setuptools to python-ipalib deps.
- Bump 389-ds-base* deps.
- Bump server and python-ipaserver dependency on python-ldap to 2.4.22
  to fix a bug on ipa-server-upgrade.
- Add pki-tools to python-ipaserver deps.
- Add zip to python-ipaserver depends.
- Add python-systemd to server depends.
- Add opendnssec to freeipa-server-dns depends.
- Add python-cffi to python-ipalib depends.
- Bump dep on bind9-dyndb-ldap.
- Bump certmonger dependency to version that has helpers in the correct
  place.
  * patches:
- prefix.patch: Fix ipalib install too.
- Drop bits of platform.diff and other patches that are now upstream.
- fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
- fix-oddjobs.diff: Fix paths and uids in oddjob configs.
- fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
- fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
  exporter units.
- create-sysconfig-ods.diff: Create an empty file for opendnssec
  daemons, until opendnssec itself is fixed.
- purge-firefox-extension.diff: Clean obsolete kerberosauth.xpi.
- enable-mod-nss-during-setup.diff: Split from platform.diff, call
  a2enmod/a2dismod from httpinstance.py.
- fix-memcached.diff: Split from platform.diff, debianize memcached
  conf & unit.
- hack-libarch.diff: Don't use fedora libpaths.
  * add-debian-platform.diff:
- Update paths.py to include all variables, comment out ones we don't
  modify.
- Use systemwide certificate store; put ipa-ca.crt in
  /usr/local/share/ca-certificates, and run update-ca-certificates
- Map smb service to smbd (LP: #1543230)
- Don't ship /var/cache/bind/data, fix named.conf a bit.
- Use DebianNoService() for dbus. (LP: #1564981)
- Add more constants
  * Split freeipa-server-dns from freeipa-server, add -dns to -server
Recommends.
  * server.postinst: Use ipa-server-upgrade.
  * admintools: Use the new location for bash completions.
  * rules: Remove obsolete configure.jar, preferences.html.
  * platform: Fix ipautil.run stdout handling, add support for systemd.
  * server.postinst, tmpfile: Create state directories for
mod_auth_gssapi.
  * rules, server.install: Install scripts under /usr/lib instead of
multiarch path to avoid hacking the code too much.
  * fix-ipa-otpd-install.diff, rules, server.install: Put ipa-otpd in
/usr/lib/ipa instead of directly under multiarch lib path.
  * control, server*.install: Move dirsrv plugins from server-trust-ad
to server, needed on upgrades even if trust-ad isn't set up.
  * server: Enable mod_proxy_ajp and mod_proxy_http on postinst, disable
on postrm.
  * rules: Add SKIP_API_VERSION_CHECK, and adjust directories to clean.
  * rules: Don't enable systemd units on install.
  * client: Don't create /etc/pki/nssdb on postinst, it's not used
anymore.
  * platform.diff, rules, server.install: Drop generate-rndc-key.sh, bind
already generates the keyfile.

 -- Timo Aaltonen   Tue, 19 Apr 2016 00:15:05 +0300

** Changed in: freeipa (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1543230

Title:
  After installing freeipa-server-trust-ad ipa tries to start
  smb.service which doesn't exist

Status in freeipa package in Ubuntu:
  

[Freeipa] [Bug 1449304] Re: ipa-replica-prepare fails

2016-04-19 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.3.1-0ubuntu1

---
freeipa (4.3.1-0ubuntu1) xenial; urgency=medium

  * Sync from Debian.

freeipa (4.3.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #781607, #786411) (LP: #1449304)
- drop no-test-lang.diff, obsolete
  * fix-match-hostname.diff, control: Drop the patch and python-openssl
deps, not needed anymore
  * rules, platform, server.dirs, server.install:
Add support for DNSSEC.
  * control, rules: Add support for kdcproxy.
  * control, server: Migrate to mod-auth-gssapi.
  * control, rules, fix-ipa-conf.diff: Add support for custodia.
  * control:
- Add python-cryptography to build-deps and python-freeipa deps.
- Add libp11-kit-dev to build-deps, p11-kit to server deps.
- Depend on python-gssapi instead of python-kerberos/-krbV.
- Add libini-config-dev and python-dbus to build-deps, replace wget
  with curl.
- Bump libkrb5-dev build-dep.
- Add pki-base to build-deps and pki-kra to server deps, bump pki-ca
  version.
- Drop python-m2crypto from deps, obsolete.
- Bump sssd deps to 1.13.1.
- Add python-six to build-deps and python-freeipa deps.
- Split python stuff from server, client, tests to python-
  ipa{server,client,tests}, rename python-freeipa to match and move
  translations to freeipa-common. Mark them Arch:all where possible,
  and add Breaks/Replaces.
- Add oddjob to server and oddjob-mkhomedir to client deps.
- Add python-setuptools to python-ipalib deps.
- Bump 389-ds-base* deps.
- Bump server and python-ipaserver dependency on python-ldap to 2.4.22
  to fix a bug on ipa-server-upgrade.
- Add pki-tools to python-ipaserver deps.
- Add zip to python-ipaserver depends.
- Add python-systemd to server depends.
- Add opendnssec to freeipa-server-dns depends.
- Add python-cffi to python-ipalib depends.
- Bump dep on bind9-dyndb-ldap.
- Bump certmonger dependency to version that has helpers in the correct
  place.
  * patches:
- prefix.patch: Fix ipalib install too.
- Drop bits of platform.diff and other patches that are now upstream.
- fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
- fix-oddjobs.diff: Fix paths and uids in oddjob configs.
- fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
- fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
  exporter units.
- create-sysconfig-ods.diff: Create an empty file for opendnssec
  daemons, until opendnssec itself is fixed.
- purge-firefox-extension.diff: Clean obsolete kerberosauth.xpi.
- enable-mod-nss-during-setup.diff: Split from platform.diff, call
  a2enmod/a2dismod from httpinstance.py.
- fix-memcached.diff: Split from platform.diff, debianize memcached
  conf & unit.
- hack-libarch.diff: Don't use fedora libpaths.
  * add-debian-platform.diff:
- Update paths.py to include all variables, comment out ones we don't
  modify.
- Use systemwide certificate store; put ipa-ca.crt in
  /usr/local/share/ca-certificates, and run update-ca-certificates
- Map smb service to smbd (LP: #1543230)
- Don't ship /var/cache/bind/data, fix named.conf a bit.
- Use DebianNoService() for dbus. (LP: #1564981)
- Add more constants
  * Split freeipa-server-dns from freeipa-server, add -dns to -server
Recommends.
  * server.postinst: Use ipa-server-upgrade.
  * admintools: Use the new location for bash completions.
  * rules: Remove obsolete configure.jar, preferences.html.
  * platform: Fix ipautil.run stdout handling, add support for systemd.
  * server.postinst, tmpfile: Create state directories for
mod_auth_gssapi.
  * rules, server.install: Install scripts under /usr/lib instead of
multiarch path to avoid hacking the code too much.
  * fix-ipa-otpd-install.diff, rules, server.install: Put ipa-otpd in
/usr/lib/ipa instead of directly under multiarch lib path.
  * control, server*.install: Move dirsrv plugins from server-trust-ad
to server, needed on upgrades even if trust-ad isn't set up.
  * server: Enable mod_proxy_ajp and mod_proxy_http on postinst, disable
on postrm.
  * rules: Add SKIP_API_VERSION_CHECK, and adjust directories to clean.
  * rules: Don't enable systemd units on install.
  * client: Don't create /etc/pki/nssdb on postinst, it's not used
anymore.
  * platform.diff, rules, server.install: Drop generate-rndc-key.sh, bind
already generates the keyfile.

 -- Timo Aaltonen   Tue, 19 Apr 2016 00:15:05 +0300

** Changed in: freeipa (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1449304

Title:
  ipa-replica-prepare fails

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa package in Debian:
  New

Bug 

[Freeipa] [Bug 1564981] Re: freeipa install errors out with certmonger 'dbus' 'start' ''' returned non-zero exit status 4

2016-04-19 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.3.1-0ubuntu1

---
freeipa (4.3.1-0ubuntu1) xenial; urgency=medium

  * Sync from Debian.

freeipa (4.3.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #781607, #786411) (LP: #1449304)
- drop no-test-lang.diff, obsolete
  * fix-match-hostname.diff, control: Drop the patch and python-openssl
deps, not needed anymore
  * rules, platform, server.dirs, server.install:
Add support for DNSSEC.
  * control, rules: Add support for kdcproxy.
  * control, server: Migrate to mod-auth-gssapi.
  * control, rules, fix-ipa-conf.diff: Add support for custodia.
  * control:
- Add python-cryptography to build-deps and python-freeipa deps.
- Add libp11-kit-dev to build-deps, p11-kit to server deps.
- Depend on python-gssapi instead of python-kerberos/-krbV.
- Add libini-config-dev and python-dbus to build-deps, replace wget
  with curl.
- Bump libkrb5-dev build-dep.
- Add pki-base to build-deps and pki-kra to server deps, bump pki-ca
  version.
- Drop python-m2crypto from deps, obsolete.
- Bump sssd deps to 1.13.1.
- Add python-six to build-deps and python-freeipa deps.
- Split python stuff from server, client, tests to python-
  ipa{server,client,tests}, rename python-freeipa to match and move
  translations to freeipa-common. Mark them Arch:all where possible,
  and add Breaks/Replaces.
- Add oddjob to server and oddjob-mkhomedir to client deps.
- Add python-setuptools to python-ipalib deps.
- Bump 389-ds-base* deps.
- Bump server and python-ipaserver dependency on python-ldap to 2.4.22
  to fix a bug on ipa-server-upgrade.
- Add pki-tools to python-ipaserver deps.
- Add zip to python-ipaserver depends.
- Add python-systemd to server depends.
- Add opendnssec to freeipa-server-dns depends.
- Add python-cffi to python-ipalib depends.
- Bump dep on bind9-dyndb-ldap.
- Bump certmonger dependency to version that has helpers in the correct
  place.
  * patches:
- prefix.patch: Fix ipalib install too.
- Drop bits of platform.diff and other patches that are now upstream.
- fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
- fix-oddjobs.diff: Fix paths and uids in oddjob configs.
- fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
- fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
  exporter units.
- create-sysconfig-ods.diff: Create an empty file for opendnssec
  daemons, until opendnssec itself is fixed.
- purge-firefox-extension.diff: Clean obsolete kerberosauth.xpi.
- enable-mod-nss-during-setup.diff: Split from platform.diff, call
  a2enmod/a2dismod from httpinstance.py.
- fix-memcached.diff: Split from platform.diff, debianize memcached
  conf & unit.
- hack-libarch.diff: Don't use fedora libpaths.
  * add-debian-platform.diff:
- Update paths.py to include all variables, comment out ones we don't
  modify.
- Use systemwide certificate store; put ipa-ca.crt in
  /usr/local/share/ca-certificates, and run update-ca-certificates
- Map smb service to smbd (LP: #1543230)
- Don't ship /var/cache/bind/data, fix named.conf a bit.
- Use DebianNoService() for dbus. (LP: #1564981)
- Add more constants
  * Split freeipa-server-dns from freeipa-server, add -dns to -server
Recommends.
  * server.postinst: Use ipa-server-upgrade.
  * admintools: Use the new location for bash completions.
  * rules: Remove obsolete configure.jar, preferences.html.
  * platform: Fix ipautil.run stdout handling, add support for systemd.
  * server.postinst, tmpfile: Create state directories for
mod_auth_gssapi.
  * rules, server.install: Install scripts under /usr/lib instead of
multiarch path to avoid hacking the code too much.
  * fix-ipa-otpd-install.diff, rules, server.install: Put ipa-otpd in
/usr/lib/ipa instead of directly under multiarch lib path.
  * control, server*.install: Move dirsrv plugins from server-trust-ad
to server, needed on upgrades even if trust-ad isn't set up.
  * server: Enable mod_proxy_ajp and mod_proxy_http on postinst, disable
on postrm.
  * rules: Add SKIP_API_VERSION_CHECK, and adjust directories to clean.
  * rules: Don't enable systemd units on install.
  * client: Don't create /etc/pki/nssdb on postinst, it's not used
anymore.
  * platform.diff, rules, server.install: Drop generate-rndc-key.sh, bind
already generates the keyfile.

 -- Timo Aaltonen   Tue, 19 Apr 2016 00:15:05 +0300

** Changed in: freeipa (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1564981

Title:
  freeipa install errors out with certmonger 'dbus' 'start' ''' returned
  non-zero exit status 4

Status in freeipa package in Ubuntu:
  Fix 

[Freeipa] [Bug 1492229] Re: automount error due to syntax error in nsswitch.conf after ipa-client-install

2015-12-21 Thread Launchpad Bug Tracker
[Expired for freeipa (Ubuntu) because there has been no activity for 60
days.]

** Changed in: freeipa (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1492229

Title:
  automount error due to syntax error in nsswitch.conf after
  ipa-client-install

Status in freeipa package in Ubuntu:
  Expired

Bug description:
  automount throws errors about a syntax error in /etc/nsswitch.conf
  after setting up automount using ipa-client-automount.

  It appears it's caused by the indentation used in the nsswitch.conf
  file. After aligning the automount part with the rest of the config
  the errors disappear and automount starts working.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: freeipa-client 3.3.4-0ubuntu3.1
  Uname: Linux 2.6.32-39-pve i686
  ApportVersion: 2.14.1-0ubuntu3.12
  Architecture: i386
  Date: Fri Sep  4 15:31:52 2015
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: Upgraded to trusty on 2015-09-04 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1492229/+subscriptions



[Freeipa] [Bug 1492219] Re: ipa-client-install crashes when /usr/bin/nsupdate isn't installed

2015-11-04 Thread Launchpad Bug Tracker
[Expired for freeipa (Ubuntu) because there has been no activity for 60
days.]

** Changed in: freeipa (Ubuntu)
   Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1492219

Title:
  ipa-client-install crashes when /usr/bin/nsupdate isn't installed

Status in freeipa package in Ubuntu:
  Expired

Bug description:
  The ipa-client-install crashes when /usr/bin/nsupdate is not available
  on the system. We're using OpenCZ containers which by default don't
  have dnsutils installed. I think it would be best to add dnsutils as
  dependency to freeipa-client.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: freeipa-client 3.3.4-0ubuntu3.1
  Uname: Linux 2.6.32-39-pve i686
  ApportVersion: 2.14.1-0ubuntu3.12
  Architecture: i386
  Date: Fri Sep  4 14:06:37 2015
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: Upgraded to trusty on 2015-05-15 (111 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1492219/+subscriptions



[Freeipa] [Bug 1492184] Re: ipa-server-install fails when using --external-ca option because of missing gnupg-agent package

2015-10-05 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.1.4-1

---
freeipa (4.1.4-1) experimental; urgency=medium

  * New upstream release. (LP: #1492226)
- Refresh patches
- platform-support.diff: Added NAMED_VAR_DIR.
- fix-bind-conf.diff: Dropped, obsolete with above.
- disable-dnssec-support.patch: Disable DNSSEC-support as we're
  missing the dependencies for now.
  * control: Add python-usb to build-depends and to python-freeipa
depends.
  * control: Bump SSSD dependencies.
  * control: Add libsofthsm2-dev to build-depends and softhsm2 to server
depends.
  * freeipa-{server,client}.install: Add new files.
  * control: Bump Depends on slapi-nis for CVE fixes.
  * control: Bump 389-ds-base, pki-ca depends.
  * control: Drop dogtag-pki-server-theme from server depends, it's not
needed.
  * control: Server needs newer python-ldap, bump build-dep too.
  * control: Bump certmonger depends.
  * control: Bump python-nss depends.
  * freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
  * platform: Add DebianNamedService.
  * platform, disable-dnssec-support.patch: Fix named.conf template.
  * server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
postinst.
  * Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
  * server.postrm: Clean logs on purge and disable apache modules on
remove/purge.

 -- Timo Aaltonen   Fri, 25 Sep 2015 14:07:40 +0300

** Changed in: freeipa (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1492184

Title:
  ipa-server-install fails when using --external-ca option because of
  missing gnupg-agent package

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Using ipa-server-install fails when using the --external-ca option
  because the gnupg-agent package is not installed

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: freeipa-server 4.0.5-3 [modified: usr/share/ipa/html/ca.crt usr/share/ipa/html/configure.jar usr/share/ipa/html/kerberosauth.xpi usr/share/ipa/html/krb.con usr/share/ipa/html/krb.js usr/share/ipa/html/krb5.ini usr/share/ipa/html/krbrealm.con usr/share/ipa/html/preferences.html]
  ProcVersionSignature: Ubuntu 3.19.0-26.28-generic 3.19.8-ckt4
  Uname: Linux 3.19.0-26-generic x86_64
  ApportVersion: 2.17.2-0ubuntu1.3
  Architecture: amd64
  Date: Fri Sep  4 11:48:18 2015
  InstallationDate: Installed on 2015-09-02 (1 days ago)
  InstallationMedia: Ubuntu-Server 15.04 "Vivid Vervet" - Release amd64 (20150422)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1492184/+subscriptions



[Freeipa] [Bug 1492226] Re: ipa-client-install doesn't setup sudo as service

2015-10-05 Thread Launchpad Bug Tracker
This bug was fixed in the package freeipa - 4.1.4-1

---
freeipa (4.1.4-1) experimental; urgency=medium

  * New upstream release. (LP: #1492226)
- Refresh patches
- platform-support.diff: Added NAMED_VAR_DIR.
- fix-bind-conf.diff: Dropped, obsolete with above.
- disable-dnssec-support.patch: Disable DNSSEC-support as we're
  missing the dependencies for now.
  * control: Add python-usb to build-depends and to python-freeipa
depends.
  * control: Bump SSSD dependencies.
  * control: Add libsofthsm2-dev to build-depends and softhsm2 to server
depends.
  * freeipa-{server,client}.install: Add new files.
  * control: Bump Depends on slapi-nis for CVE fixes.
  * control: Bump 389-ds-base, pki-ca depends.
  * control: Drop dogtag-pki-server-theme from server depends, it's not
needed.
  * control: Server needs newer python-ldap, bump build-dep too.
  * control: Bump certmonger depends.
  * control: Bump python-nss depends.
  * freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
  * platform: Add DebianNamedService.
  * platform, disable-dnssec-support.patch: Fix named.conf template.
  * server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on
postinst.
  * Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
  * server.postrm: Clean logs on purge and disable apache modules on
remove/purge.

 -- Timo Aaltonen   Fri, 25 Sep 2015 14:07:40 +0300

** Changed in: freeipa (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1492226

Title:
  ipa-client-install doesn't setup sudo as service

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  After the installation using ipa-client-install is done it's not
  possible to use sudo as IPA user even though it has been allowed
  through the interface. Adding 'sudo' to the sssd services appears to
  solve this problem.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: freeipa-client 3.3.4-0ubuntu3.1
  Uname: Linux 2.6.32-39-pve i686
  ApportVersion: 2.14.1-0ubuntu3.12
  Architecture: i386
  Date: Fri Sep  4 15:25:42 2015
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: Upgraded to trusty on 2015-09-04 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1492226/+subscriptions


