[Freeipa] [Bug 2060298] Re: Python 3.12 SyntaxWarnings when installing python3-ipaclient
This bug was fixed in the package freeipa - 4.11.1-2

---
freeipa (4.11.1-2) unstable; urgency=medium

  * use-raw-strings.diff: Import patch from upstream to fix noise when
    installing. (LP: #2060298)
  * map-ssh-service.diff: Map sshd service to use ssh.service.
    (LP: #2061055)

 -- Timo Aaltonen  Fri, 12 Apr 2024 14:31:35 +0300

** Changed in: freeipa (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2060298

Title:
  Python 3.12 SyntaxWarnings when installing python3-ipaclient

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  On a system with python 3.12 installing the python ipaclient package
  (this is on Ubuntu 24.04 using the distro packages) produces the
  warnings:

  Setting up python3-ipaclient (4.10.2-2) ...
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_164/automember.py:19: SyntaxWarning: invalid escape sequence '\.'
    doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_164/group.py:19: SyntaxWarning: invalid escape sequence '\D'
    doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_164/hbactest.py:19: SyntaxWarning: invalid escape sequence '\A'
    doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_164/trust.py:19: SyntaxWarning: invalid escape sequence '\D'
    doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_49/automember.py:19: SyntaxWarning: invalid escape sequence '\.'
    doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_49/group.py:19: SyntaxWarning: invalid escape sequence '\D'
    doc = ("""
  /usr/lib/python3/dist-packages/ipaclient/remote_plugins/2_49/trust.py:19: SyntaxWarning: invalid escape sequence '\D'
    doc = _("""

  I reported the issue upstream at https://pagure.io/freeipa/issue/9565
  where it has already been fixed, including in the 4.10 branch that
  Ubuntu 24.04 is on.

  Please rebase to a version that has that commit (though it's just a
  warning shown at install time, so not the end of the world either).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2060298/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
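The warnings quoted in the report above come from Python's compiler, not from the package scripts: an unrecognised backslash escape in a non-raw string literal (`\D`, `\.`, `\A` inside a regular `"""..."""` docstring) has been a DeprecationWarning since Python 3.6 and became a SyntaxWarning in 3.12, which is why it surfaces when dpkg byte-compiles the installed modules. The upstream fix (use-raw-strings.diff) is to write such strings as `r"""..."""`. The script below is added here as an example and is not part of FreeIPA or the Ubuntu packaging: it reproduces the warning offline with `compile()` and scans a directory of `.py` files for the same condition, so a packager can catch it before upload. The docstring samples are constructed to resemble the ipaclient remote_plugins files, and the function names are this example's own.

```python
"""Added example: detect invalid backslash escapes the way dpkg's
byte-compile step surfaces them under Python 3.12.

Python 3.6-3.11 emit DeprecationWarning for the same condition; 3.12+
emit SyntaxWarning. Both are caught below, so the check works on either.
"""
import pathlib
import warnings

# Constructed samples modelled on the ipaclient remote_plugins docstrings.
# NON_RAW_DOC compiles to a plain triple-quoted string containing "\D";
# RAW_DOC is the same text as a raw string, which is what the fix uses.
NON_RAW_DOC = 'doc = ("""\n    Group name must match ^[a-z\\D]+$\n""")\n'
RAW_DOC = 'doc = (r"""\n    Group name must match ^[a-z\\D]+$\n""")\n'


def find_invalid_escapes(source, filename="<string>"):
    """Compile *source* and return one line per invalid-escape warning.

    compile() is enough: the warning is raised by the parser, so nothing
    in the file is executed and the check is safe on untrusted input.
    A hard SyntaxError is reported as well, since it would also break
    the byte-compile step.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            compile(source, filename, "exec")
        except SyntaxError as exc:
            return ["%s:%s: SyntaxError: %s" % (filename, exc.lineno, exc.msg)]
    return [
        "%s:%s: %s: %s" % (filename, w.lineno, w.category.__name__, w.message)
        for w in caught
        if issubclass(w.category, (SyntaxWarning, DeprecationWarning))
        and "invalid escape sequence" in str(w.message)
    ]


def scan_tree(root):
    """Return findings for every .py file under *root*, e.g. a dist-packages dir."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        findings.extend(
            find_invalid_escapes(path.read_text(encoding="utf-8"), str(path))
        )
    return findings


if __name__ == "__main__":
    import sys

    problems = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_escapes.py /usr/lib/python3/dist-packages/ipaclient` on a build host; a non-zero exit means a string that 3.12 will warn about (and that `python3 -W error` would reject outright) is still present.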
[Freeipa] [Bug 2061055] Re: Joining IPA domain does not restart ssh -- 'sshd.service' alias is not set up by default
This bug was fixed in the package freeipa - 4.11.1-2

---
freeipa (4.11.1-2) unstable; urgency=medium

  * use-raw-strings.diff: Import patch from upstream to fix noise when
    installing. (LP: #2060298)
  * map-ssh-service.diff: Map sshd service to use ssh.service.
    (LP: #2061055)

 -- Timo Aaltonen  Fri, 12 Apr 2024 14:31:35 +0300

** Changed in: freeipa (Ubuntu)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2061055

Title:
  Joining IPA domain does not restart ssh -- 'sshd.service' alias is not
  set up by default

Status in freeipa package in Ubuntu:
  Fix Released
Status in openssh package in Ubuntu:
  Triaged

Bug description:
  Joining a FreeIPA domain reconfigures SSH. E.g. it enables GSSAPI
  authentication in /etc/ssh/sshd_config.d/04-ipa.conf . After that, it
  tries to restart sshd, but that fails as "sshd.service" is not a thing
  on Ubuntu:

  2024-04-12T03:10:57Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
  2024-04-12T03:10:57Z DEBUG Process finished, return code=4

  (in /var/log/ipaclient-install.log)

  While that could be changed in freeipa, I'd argue that this is really
  a bug in Ubuntu's openssh package. Much upstream software, Ansible
  scripts etc. assume that the service is "sshd.service". In
  Debian/Ubuntu the primary unit is "ssh.service", but it has an
  `[Install] Alias=sshd.service`. That works in Debian because there
  sshd.service *actually* gets enabled by default, and ssh.socket isn't.
  But Ubuntu moved to socket activation (which is good!), so that
  ssh.socket is running by default. But that means that ssh.service
  never gets "systemctl enable"d, and hence the alias never gets set up:

  # systemctl status sshd.service
  Unit sshd.service could not be found.

  So if ssh.service is already running, it never gets restarted by
  "ipa-client-install".

  It would be really good to make that alias work by default -- if
  nothing else, just ship the symlink in the .deb, or create the symlink
  manually in the postinst?

  freeipa-client 4.10.2-2ubuntu3
  openssh-server 1:9.6p1-3ubuntu12

  Note: we have tested this functionality in Cockpit on Ubuntu for a
  long time already. But until very recently we had a workaround to
  force the creation of that alias:
  https://github.com/cockpit-project/bots/commit/3bf1b20f3fa5fe202b9710b3fe78d2133ba03f5d

  We dropped it because it broke image builds due to some bugs in
  openssh's postinst, but it was a bad one anyway: actual users don't
  have that hack, and it hides bugs like this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2061055/+subscriptions
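The failure described above is a unit-name mismatch rather than an sshd problem. systemd only creates an `[Install]` `Alias=` name (as a symlink under /etc/systemd/system) when the unit is enabled, so on a host where only `ssh.socket` is enabled, `sshd.service` has no file and no symlink: `systemctl show -p LoadState` reports `not-found` for it, and `systemctl is-active` exits 4 (systemd's "status unknown" code, matching the "could not be found" output in the report). The security consequence is the one the reporter names: a freshly written sshd_config.d drop-in such as the GSSAPI settings is not picked up until something else restarts sshd. The script below is added here as an example and is not FreeIPA, openssh or Ubuntu packaging code; it resolves whichever unit name is actually loaded before restarting, and reports whether the alias symlink exists. `SYSTEMCTL` is an override variable introduced by this example so the logic can be exercised without a live systemd, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not FreeIPA or openssh packaging code): restart sshd using
# whichever unit name actually exists. On Debian "sshd.service" is only an
# [Install] Alias of ssh.service, so the name exists only after
# "systemctl enable ssh.service"; socket-activated Ubuntu hosts never enable
# it. SYSTEMCTL is an override introduced here so the logic can be tested
# without a live systemd.
SYSTEMCTL=${SYSTEMCTL:-systemctl}

# Print the first candidate whose LoadState is "loaded". "systemctl show"
# reports "not-found" for a unit that has neither a unit file nor an alias
# symlink, which is the state ipa-client-install tripped over.
ssh_unit_name() {
    for unit in sshd.service ssh.service; do
        state=$("$SYSTEMCTL" show -p LoadState --value "$unit" 2>/dev/null) || state=""
        if [ "$state" = "loaded" ]; then
            printf '%s\n' "$unit"
            return 0
        fi
    done
    return 1
}

# The same check ipa-client-install performs, but on the resolved name:
# restart only if the service is currently active, so a new sshd_config.d
# drop-in (e.g. the GSSAPI settings) actually takes effect.
restart_ssh_if_active() {
    unit=$(ssh_unit_name) || { echo "no ssh/sshd unit loaded" >&2; return 1; }
    if "$SYSTEMCTL" is-active --quiet "$unit"; then
        "$SYSTEMCTL" restart "$unit"
    fi
}

# True when the alias symlink that "systemctl enable ssh.service" would
# create is present. $1 overrides the systemd directory (used by the test).
sshd_alias_present() {
    [ -L "${1:-/etc/systemd/system}/sshd.service" ]
}
```

On a default Ubuntu 24.04 host `ssh_unit_name` prints `ssh.service` and `sshd_alias_present` fails; after `systemctl enable ssh.service` (or shipping the symlink in the package, as the report suggests) both names resolve.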
[Freeipa] [Bug 2040359] Re: Merge bind9 from Debian unstable for noble
This bug was fixed in the package bind9 - 1:9.18.21-0ubuntu1

---
bind9 (1:9.18.21-0ubuntu1) noble; urgency=medium

  * New upstream release 9.18.21 (LP: #2040359)
    - Updates:
      + Update IP addresses for B.ROOT-SERVERS.NET to 170.247.170.2 and
        2801:1b8:10::b.
      + Honor nsupdate -v option when server command specified by sending
        both the UPDATE request and the initial query over TCP.
      + Mark cookie-algorithm aes as deprecated, use SipHash-2-4, instead.
      + Mark resolver-nonbackoff-tries and resolver-retry-interval as
        deprecated.
      + Mark dnssec-must-be-secure as deprecated.
    - Bug Fixes:
      + Do not schedule unsigned versions of inline-signed zones containing
        DNSSEC records for resigning.
      + Take local authoritative data into account when looking up stale
        cache data.
      + Fix use of named -X and lock-file at the same time.
      + Fix improper lock-file removal.
      + Fix bound checking in Content-Length header in the statistics
        channel.
      + Fix memory leaks from not clearing the OpenSSL error stack.
      + Fix SERVFAIL responses from introduction of krb5-subdomain-self-rhs
        and ms-subdomain-self-rhs update policies.
      + Fix stale-refresh-time feature being disabled by cache flush.
      + Fix DNS message corruption from partial writes.
    - See https://bind9.readthedocs.io/en/v9.18.21/notes.html for
      additional information
  * d/p/CVE-2023-3341.patch, d/p/CVE-2023-4236.patch: Remove - fixed by
    upstream in version 9.18.19
  * d/p/always-use-standard-library-stdatomic.patch: Maintain use of the
    standard library stdatomic.h

 -- Lena Voytek  Thu, 25 Jan 2024 08:37:15 -0700

** Changed in: bind9 (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4236

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2040359

Title:
  Merge bind9 from Debian unstable for noble

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released

Bug description:
  Upstream: 9.18.19
  Debian:   1:9.19.17-1
  Ubuntu:   1:9.18.18-0ubuntu2

  Debian does new releases regularly, so it's likely there will be newer
  versions available before FF that we can pick up if this merge is done
  later in the cycle.

  If it turns out this needs a sync rather than a merge, please change
  the tag 'needs-merge' to 'needs-sync', and (optionally) update the
  title as desired.

  ### New Debian Changes ###

  bind9 (1:9.19.17-1) unstable; urgency=medium

    * New upstream version 9.19.17
      - CVE-2023-3341: A stack exhaustion flaw in control channel code may
        cause named to terminate unexpectedly (Closes: #1052416)
      - CVE-2023-4236: named may terminate unexpectedly under high
        DNS-over-TLS query load (Closes: #1052417)

   -- Ondřej Surý  Wed, 20 Sep 2023 18:13:07 +0200

  bind9 (1:9.19.16-1) experimental; urgency=medium

    * New upstream version 9.19.16

   -- Ondřej Surý  Wed, 16 Aug 2023 17:54:24 +0200

  bind9 (1:9.19.15-1) experimental; urgency=medium

    * New upstream version 9.19.15

   -- Ondřej Surý  Wed, 19 Jul 2023 14:16:46 +0200

  bind9 (1:9.19.14-1) experimental; urgency=medium

    * New upstream version 9.19.14

   -- Ondřej Surý  Wed, 21 Jun 2023 21:00:01 +0200

  bind9 (1:9.19.13-1) experimental; urgency=medium

    * New upstream version 9.19.13

   -- Ondřej Surý  Wed, 17 May 2023 17:50:48 +0200

  bind9 (1:9.19.12-2) experimental; urgency=medium

    * Add liburcu-dev to Build-Depends

   -- Ondřej Surý  Thu, 20 Apr 2023 14:24:06 +0200

  bind9 (1:9.19.12-1) experimental; urgency=medium

    * New upstream version 9.19.12

   -- Ondřej Surý  Wed, 19 Apr 2023 15:01:59 +0200

  bind9 (1:9.19.11-1) experimental; urgency=medium

    * New upstream version 9.19.11
    * Update the d/bind9-dev.install, d/bind9.install and d/not-installed
      after library squash

   -- Ondřej Surý  Wed, 15 Mar 2023 18:27:20 +0100

  bind9 (1:9.19.10-1) experimental; urgency=medium

    * New upstream version 9.19.10
    * Drop libtool-bin from B-D (Closes: #1022968)

   -- Ondřej Surý  Fri, 10 Feb 2023 15:16:29 +0100

  bind9 (1:9.19.9-2) experimental; urgency=medium

    * Allow the named to use systemd notify service

   -- Ondřej Surý  Thu, 26 Jan 2023 21:18:35 +0100

  bind9 (1:9.19.9-1) experimental; urgency=medium

    * New upstream version 9.19.9

   -- Ondřej Surý  Wed, 25 Jan 2023 16:04:03 +0100

  bind9 (1:9.19.8-1) experimental; urgency=medium

    * New upstream version 9.19.8

   -- Ondřej Surý  Wed, 21 Dec 2022 18:02:17 +0100

  bind9 (1:9.19.7-1) experimental; urgency=medium

    * New upstream version 9.19.7

   -- Ondřej Surý  Wed, 16 Nov 2022 14:05:15 +0100

  bind9
[Freeipa] [Bug 2040359] Re: Merge bind9 from Debian unstable for noble
This bug was fixed in the package bind-dyndb-ldap - 11.10-6ubuntu4

---
bind-dyndb-ldap (11.10-6ubuntu4) noble; urgency=medium

  * No-change rebuild with bind9-libs 1:9.18.21-0ubuntu1 (LP: #2040359)

 -- Lena Voytek  Thu, 25 Jan 2024 15:10:49 -0700

** Changed in: bind-dyndb-ldap (Ubuntu)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2040359

Title:
  Merge bind9 from Debian unstable for noble

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  In Progress

Bug description:
  Upstream: 9.18.19
  Debian:   1:9.19.17-1
  Ubuntu:   1:9.18.18-0ubuntu2

  Debian does new releases regularly, so it's likely there will be newer
  versions available before FF that we can pick up if this merge is done
  later in the cycle.

  If it turns out this needs a sync rather than a merge, please change
  the tag 'needs-merge' to 'needs-sync', and (optionally) update the
  title as desired.

  ### New Debian Changes ###

  bind9 (1:9.19.17-1) unstable; urgency=medium

    * New upstream version 9.19.17
      - CVE-2023-3341: A stack exhaustion flaw in control channel code may
        cause named to terminate unexpectedly (Closes: #1052416)
      - CVE-2023-4236: named may terminate unexpectedly under high
        DNS-over-TLS query load (Closes: #1052417)

   -- Ondřej Surý  Wed, 20 Sep 2023 18:13:07 +0200

  bind9 (1:9.19.16-1) experimental; urgency=medium

    * New upstream version 9.19.16

   -- Ondřej Surý  Wed, 16 Aug 2023 17:54:24 +0200

  bind9 (1:9.19.15-1) experimental; urgency=medium

    * New upstream version 9.19.15

   -- Ondřej Surý  Wed, 19 Jul 2023 14:16:46 +0200

  bind9 (1:9.19.14-1) experimental; urgency=medium

    * New upstream version 9.19.14

   -- Ondřej Surý  Wed, 21 Jun 2023 21:00:01 +0200

  bind9 (1:9.19.13-1) experimental; urgency=medium

    * New upstream version 9.19.13

   -- Ondřej Surý  Wed, 17 May 2023 17:50:48 +0200

  bind9 (1:9.19.12-2) experimental; urgency=medium

    * Add liburcu-dev to Build-Depends

   -- Ondřej Surý  Thu, 20 Apr 2023 14:24:06 +0200

  bind9 (1:9.19.12-1) experimental; urgency=medium

    * New upstream version 9.19.12

   -- Ondřej Surý  Wed, 19 Apr 2023 15:01:59 +0200

  bind9 (1:9.19.11-1) experimental; urgency=medium

    * New upstream version 9.19.11
    * Update the d/bind9-dev.install, d/bind9.install and d/not-installed
      after library squash

   -- Ondřej Surý  Wed, 15 Mar 2023 18:27:20 +0100

  bind9 (1:9.19.10-1) experimental; urgency=medium

    * New upstream version 9.19.10
    * Drop libtool-bin from B-D (Closes: #1022968)

   -- Ondřej Surý  Fri, 10 Feb 2023 15:16:29 +0100

  bind9 (1:9.19.9-2) experimental; urgency=medium

    * Allow the named to use systemd notify service

   -- Ondřej Surý  Thu, 26 Jan 2023 21:18:35 +0100

  bind9 (1:9.19.9-1) experimental; urgency=medium

    * New upstream version 9.19.9

   -- Ondřej Surý  Wed, 25 Jan 2023 16:04:03 +0100

  bind9 (1:9.19.8-1) experimental; urgency=medium

    * New upstream version 9.19.8

   -- Ondřej Surý  Wed, 21 Dec 2022 18:02:17 +0100

  bind9 (1:9.19.7-1) experimental; urgency=medium

    * New upstream version 9.19.7

   -- Ondřej Surý  Wed, 16 Nov 2022 14:05:15 +0100

  bind9 (1:9.19.6-2) experimental; urgency=medium

    * Use systemd notify for service readiness check (Closes: #994696)

   -- Bernhard Schmidt  Sun, 30 Oct 2022 00:14:05 +0200

  bind9 (1:9.19.6-1) experimental; urgency=medium

    * New upstream version 9.19.6

   -- Ondřej Surý  Wed, 19 Oct 2022 15:06:31 +0200

  bind9 (1:9.19.5-1) experimental; urgency=medium

    * New upstream version 9.19.5

  ### Old Ubuntu Delta ###

  bind9 (1:9.18.18-0ubuntu2) mantic; urgency=medium

    * SECURITY UPDATE: DoS via recursive packet parsing
      - debian/patches/CVE-2023-3341.patch: add a max depth check to
        lib/isc/include/isc/result.h, lib/isc/result.c, lib/isccc/cc.c.
      - CVE-2023-3341
    * SECURITY UPDATE: DoS via DNS-over-TLS queries
      - debian/patches/CVE-2023-4236.patch: check return code in
        lib/isc/netmgr/tlsdns.c.
      - CVE-2023-4236

   -- Marc Deslauriers  Wed, 20 Sep 2023 12:45:21 -0400

  bind9 (1:9.18.18-0ubuntu1) mantic; urgency=medium

    * New upstream release 9.18.18 (LP: #2034367)
      - Updates:
        + Mark a primary server as temporarily unreachable when a TCP
          connection response to an SOA query times out, matching
          behavior of a refused TCP connection.
        + Mark dialup and heartbeat-interval options as deprecated.
        + Retry DNS queries without an EDNS COOKIE when the first
          response is FORMERR with the EDNS COOKIE that was sent
          originally.
        + Use NS records for the relaxed QNAME minimization mode to
          reduce the number of queries from named.
      - Bug Fixes:
        + Fix
[Freeipa] [Bug 2044242] Re: ipa-client-install seg faults (s390x)
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/2044242

Title:
  ipa-client-install seg faults (s390x)

Status in Ubuntu on IBM z Systems:
  New
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Executing 'ipa-client-install' (package: freeipa-client) is causing a
  segmentation fault:

  ubuntu@server:~$ sudo apt install freeipa-client
  ubuntu@server:~$ ipa-client-install
  Segmentation fault (core dumped)
  ubuntu@server:~$ ls -l /var/crash/
  total 2012
  -rw-r- 1 ubuntu ubuntu 2057124 Nov 22 08:22 _usr_sbin_ipa-client-install.1000.crash
  ubuntu@server:~$ vi /var/log/syslog
  ...
  Nov 22 08:22:33 server kernel: [  162.136131] User process fault: interruption code 003b ilc:2 in ext_dce.cpython-310-s390x-linux-gnu.so[3ff8b88+4000]
  Nov 22 08:22:33 server kernel: [  162.136153] Failing address: 03ff23f0f000 TEID: 03ff23f0f800
  Nov 22 08:22:33 server kernel: [  162.136156] Fault in primary space mode while using user ASCE.
  Nov 22 08:22:33 server kernel: [  162.136160] AS:9f5581c7 R3:0024
  Nov 22 08:22:33 server kernel: [  162.136166] CPU: 3 PID: 4294 Comm: ipa-client-inst Not tainted 5.15.0-89-generic #99-Ubuntu
  Nov 22 08:22:33 server kernel: [  162.136169] Hardware name: IBM 2964 N63 400 (z/VM 6.4.0)
  Nov 22 08:22:33 server kernel: [  162.136170] User PSW : 070520018000 03ff23f0f150
  Nov 22 08:22:33 server kernel: [  162.136173]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:2 PM:0 RI:0 EA:3
  Nov 22 08:22:33 server kernel: [  162.136176] User GPRS: 0f010043 02aa242fb170 03ff8b885240 0600
  Nov 22 08:22:33 server kernel: [  162.136178]            0080 02aa242fb170 03ff8b882c00 03ff8bde6d70
  Nov 22 08:22:33 server kernel: [  162.136180]            03ff8bd50450 03ff8bdbc7b0 03ff8bd599b0 03ff8bd599e0
  Nov 22 08:22:33 server kernel: [  162.136182]            03ff8c8b0f90 03ff8bdbc7b0 02aa23f49cac 03ffe5c745c0
  Nov 22 08:22:33 server kernel: [  162.136189] User Code: Bad PSW.
  Nov 22 08:22:33 server kernel: [  162.136190] Last Breaking-Event-Address:
  Nov 22 08:22:33 server kernel: [  162.136190]  [<03ff8b882c06>] 0x3ff8b882c06
  Nov 22 08:22:33 server systemd[986]: Started D-Bus User Message Bus.
  Nov 22 08:22:33 server dbus-daemon[4303]: [session uid=1000 pid=4303] AppArmor D-Bus mediation is enabled
  ...

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: freeipa-client 4.9.8-1
  ProcVersionSignature: Ubuntu 5.15.0-89.99-generic 5.15.126
  Uname: Linux 5.15.0-89-generic s390x
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: s390x
  CasperMD5CheckResult: pass
  CloudArchitecture: s390x
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  Date: Wed Nov 22 08:52:47 2023
  InstallationDate: Installed on 2023-11-22 (0 days ago)
  InstallationMedia: Ubuntu-Server 22.04.2 LTS "Jammy Jellyfish" - Release s390x (20230220.1)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

  $ apt-cache policy freeipa-client
  freeipa-client:
    Installed: 4.9.8-1
    Candidate: 4.9.8-1
    Version table:
   *** 4.9.8-1 500
          500 http://ports.ubuntu.com/ubuntu-ports jammy/universe s390x Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2044242/+subscriptions
[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
This bug was fixed in the package bind-dyndb-ldap - 11.10-4ubuntu0.3

---
bind-dyndb-ldap (11.10-4ubuntu0.3) lunar; urgency=medium

  * d/p/remove-rpz_attach.patch: Remove rpz_attach to fix build failure
    against bind9 9.18.13+ (LP: #2028413)

 -- Lena Voytek  Thu, 21 Sep 2023 07:24:11 -0700

** Changed in: bind9 (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Released
Status in bind9 source package in Lunar:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * lunar (23.04): bind9 9.18.18
  * jammy (22.04): bind9 9.18.18
  * focal (20.04): bind9 9.16.43

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  9.18.13-9.18.18 for lunar and jammy:

  Updates:
  - Mark a primary server as temporarily unreachable when a TCP
    connection response to an SOA query times out, matching behavior of
    a refused TCP connection.
  - Mark dialup and heartbeat-interval options as deprecated.
  - Retry DNS queries without an EDNS COOKIE when the first response is
    FORMERR with the EDNS COOKIE that was sent originally.
  - Use NS records for the relaxed QNAME minimization mode to reduce the
    number of queries from named.
  - Mark TKEY mode 2 as deprecated.
  - Mark delegation-only and root-delegation-only as deprecated.
  - Run RPZ and catalog zone updates on specialized offload threads to
    reduce blocked query processing time.

  Bug Fixes:
  - Fix assertion failure from processing already-queued queries while
    server is being reconfigured or cache is being flushed.
  - Fix failure to load zones containing resource records with a TTL
    value larger than 86400 seconds when dnssec-policy is set to
    insecure.
  - Fix the ability to read HMAC-MD5 key files (LP: #2015176).
  - Fix stability issues with the catalog zone implementation.
  - Fix bind9 getting stuck when listen-on statement for HTTP is removed
    from configuration.
  - Do not return delegation from cache after
    stale-answer-client-timeout.
  - Fix failure to auto-tune clients-per-query limit in some situations.
  - Fix proper timeouts when using max-transfer-time-in and
    max-transfer-idle-in statements.
  - Bring rndc read timeout back to 60 seconds from 30.
  - Treat libuv returning ISC_R_INVALIDPROTO as a network error.
  - Clean up empty-non-terminal NSEC3 records.
  - Fix log file rotation cleanup for absolute file path destinations.
  - Fix various catalog zone processing crashes.
  - Fix transfer hang when downloading large zones over TLS.
  - Fix named crash when adding a new zone into the configuration file
    for a name which was already configured as a member zone for a
    catalog zone.
  - Delay DNSSEC key queries until all zones have finished loading.

  CVE Fixes - already available as patches:
  - CVE-2023-2828
  - CVE-2023-2911

  For full release notes, see:
  https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18

  While there are behavioral changes in this release, I was unable to
  find any backwards-incompatible changes. Some features were marked as
  deprecated, but are still usable as they were before. Other changes
  are related to performance and timeout management, neither of which
  should change how bind9 works, but are worth keeping an eye on in case
  any regressions arise.

  [Test Plan]

  DEP-8 test results:

    simpletest  PASS
    validation  FLAKY non-zero exit status 1
    zonetest    PASS
    dyndb-ldap  PASS

  validation is known to be broken in its current state, both due to a
  need for internet access and incorrect output checking, so the failure
  is expected.

  [Other Information]

  Note to SRU team: this update must happen together with
  src:bind-dyndb-ldap, and in a particular order:
  - first src:bind9 must be accepted
  - once src:bind9 is fully built in all architectures, *then*
    src:bind-dyndb-ldap can be accepted. In other words,
    src:bind-dyndb-ldap must build with the new src:bind9 version.
  - it is expected that until both packages are in proposed and built in
    the correct order, DEP8 tests will fail. That's our safeguard against
    mistakenly releasing them out of sync

  [Regression Potential]

  Upstream has an extensive build and integration test suite. So
  regressions would likely arise from a change in interaction with
  Ubuntu-specific integrations. To
[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.22.04.1

---
bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP
        connection response to an SOA query times out, matching behavior
        of a refused TCP connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response
        is FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce
        the number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads
        to reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries
        while server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL
        value larger than 86400 seconds when dnssec-policy is set to
        insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is
        removed from configuration.
      + Do not return delegation from cache after
        stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some
        situations.
      + Fix proper timeouts when using max-transfer-time-in and
        max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path
        destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration
        file for a name which was already configured as member zone for
        a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for
      additional information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed
    upstream in 9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in
    9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek  Wed, 20 Sep 2023 15:15:41 -0700

https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Released
Status in bind9 source package in Lunar:
  Fix Released
[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
This bug was fixed in the package bind-dyndb-ldap - 11.9-5ubuntu0.22.04.4

---
bind-dyndb-ldap (11.9-5ubuntu0.22.04.4) jammy; urgency=medium

  * d/p/remove-rpz_attach.patch: Remove rpz_attach to fix build failure
    against bind9 9.18.13+ (LP: #2028413)

 -- Lena Voytek  Thu, 21 Sep 2023 07:26:59 -0700

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

** Changed in: bind-dyndb-ldap (Ubuntu Lunar)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/2028413

Title:
  MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  Triaged
Status in bind9 source package in Focal:
  Triaged
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Lunar:
  Fix Released
Status in bind9 source package in Lunar:
  Fix Released
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.22.04.1

---
bind9 (1:9.18.18-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek  Wed, 20 Sep 2023 15:15:41 -0700

** Changed in: bind9 (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title: Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu: Fix Released
Status in bind9 package in Ubuntu: Fix Released
Status in bind-dyndb-ldap source package in Jammy: Fix Released
Status in bind9 source package in Jammy: Fix Released
Status in bind-dyndb-ldap source package in Lunar: Fix Committed
Status in bind9 source package in Lunar: Fix Released
Status in bind-dyndb-ldap source package in Mantic: Fix Released
Status in bind9 source package in Mantic: Fix Released

Bug description:
[ Impact ]
bind-dyndb-ldap breaks very frequently with bind9 updates. Both must have DEP8 tests so these breakages can be caught before a release.

[ Test Plan ]
For both packages, the test plan consists in having the new dyndb-ldap DEP8 test run and succeed.

[ Where problems could occur ]
With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it. While this is exactly the intent (not leave a broken bind-dyndb-ldap package in the release), there is a history indicating that bind-dyndb-ldap can be late in catching up to bind9 changes.
We may reach a situation where an important bind9 security update, for example, will be blocked by a failing dyndb-ldap test, and it may be difficult to fix bind-dyndb-ldap in time, especially if the security update is under embargo and the bind-dyndb-ldap developers do not yet have details of the changes.

[ Other Info ]
The same test is to be applied to the bind9 package, and is already in mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released.

The tight coupling between bind9 and bind-dyndb-ldap is problematic (see [1], [2] and [3]). The moment a new bind9 hits proposed with this test, it will fail until a new bind-dyndb-ldap is rebuilt with that proposed version. One option would perhaps be to accept
[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.23.04.1

---
bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek  Wed, 20 Sep 2023 14:52:27 -0700

** Changed in: bind9 (Ubuntu Lunar)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2828
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2911
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title: MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu: Fix Released
Status in bind9 package in Ubuntu: Fix Released
Status in bind-dyndb-ldap source package in Focal: Triaged
Status in bind9 source package in Focal: Triaged
Status in bind-dyndb-ldap source package in Jammy: Fix Released
Status in bind9 source package in Jammy: Fix Released
Status in bind-dyndb-ldap source package in Lunar: Fix Released
Status in bind9 source package in Lunar: Fix Released

Bug description:
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43

These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.
[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:

Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.

Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
This bug was fixed in the package bind9 - 1:9.18.18-0ubuntu0.23.04.1

---
bind9 (1:9.18.18-0ubuntu0.23.04.1) lunar; urgency=medium

  * New upstream release 9.18.18 (LP: #2028413)
    - Updates:
      + Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
      + Mark dialup and heartbeat-interval options as deprecated.
      + Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
      + Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
      + Mark TKEY mode 2 as deprecated.
      + Mark delegation-only and root-delegation-only as deprecated.
      + Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.
    - Bug Fixes:
      + Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
      + Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
      + Fix the ability to read HMAC-MD5 key files (LP: #2015176).
      + Fix stability issues with the catalog zone implementation.
      + Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
      + Do not return delegation from cache after stale-answer-client-timeout.
      + Fix failure to auto-tune clients-per-query limit in some situations.
      + Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
      + Bring rndc read timeout back to 60 seconds from 30.
      + Treat libuv returning ISC_R_INVALIDPROTO as a network error.
      + Clean up empty-non-terminal NSEC3 records.
      + Fix log file rotation cleanup for absolute file path destinations.
      + Fix various catalog zone processing crashes.
      + Fix transfer hang when downloading large zones over TLS.
      + Fix named crash when adding a new zone into the configuration file for a name which was already configured as member zone for a catalog zone.
      + Delay DNSSEC key queries until all zones have finished loading.
    - See https://bind9.readthedocs.io/en/v9.18.18/notes.html for additional information.
  * d/p/CVE-2023-2828.patch, CVE-2023-2911.patch: Remove - fixed upstream in 9.18.16.
  * d/p/CVE-2023-3341.patch: Refresh, matching upstream, to apply in 9.18.18.
  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Lena Voytek  Wed, 20 Sep 2023 14:52:27 -0700

** Changed in: bind9 (Ubuntu Lunar)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2828
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-2911
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3341

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title: Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu: Fix Released
Status in bind9 package in Ubuntu: Fix Released
Status in bind-dyndb-ldap source package in Jammy: Fix Released
Status in bind9 source package in Jammy: Fix Released
Status in bind-dyndb-ldap source package in Lunar: Fix Committed
Status in bind9 source package in Lunar: Fix Released
Status in bind-dyndb-ldap source package in Mantic: Fix Released
Status in bind9 source package in Mantic: Fix Released

Bug description:
[ Impact ]
bind-dyndb-ldap breaks very frequently with bind9 updates. Both must have DEP8 tests so these breakages can be caught before a release.

[ Test Plan ]
For both packages, the test plan consists in having the new dyndb-ldap DEP8 test run and succeed.

[ Where problems could occur ]
With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it.
While this is exactly the intent (not leave a broken bind-dyndb-ldap package in the release), there is a history indicating that bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a situation where an important bind9 security update, for example, will be blocked by a failing dyndb-ldap test, and it may be difficult to fix bind-dyndb-ldap in time, especially if the security update is under embargo and the bind-dyndb-ldap developers do not yet have details of the changes.

[ Other Info ]
The same test is to be applied to the bind9 package, and is already in mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released.

The tight coupling between bind9 and bind-dyndb-ldap
[Freeipa] [Bug 1978849] Re: bind9-dyndb-ldap has unmet dependencies
This bug was fixed in the package bind-dyndb-ldap - 11.9-5ubuntu0.22.04.3

---
bind-dyndb-ldap (11.9-5ubuntu0.22.04.3) jammy-security; urgency=medium

  * No-change rebuild for bind9 security update.

 -- Marc Deslauriers  Wed, 20 Sep 2023 15:58:12 -0400

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1978849

Title: bind9-dyndb-ldap has unmet dependencies

Status in bind-dyndb-ldap package in Ubuntu: Fix Released
Status in bind9 package in Ubuntu: Invalid
Status in bind-dyndb-ldap source package in Focal: Won't Fix
Status in bind-dyndb-ldap source package in Jammy: Fix Released
Status in bind-dyndb-ldap source package in Lunar: Fix Committed
Status in bind-dyndb-ldap source package in Mantic: Fix Released
Status in bind9 source package in Mantic: Invalid

Bug description:
[ Impact ]
There is a tight coupling between src:bind-dyndb-ldap and src:bind9, such that everytime bind9 is updated, even if it's a simple no-change rebuild, src:bind-dyndb-ldap has to be rebuilt too. This is often forgotten, leading to multiple repeated bugs against src:bind-dyndb-ldap.

The fix for now is to rebuild src:bind-dyndb-ldap, and to avoid it from happening again, add a DEP8 test to it so that a src:bind9 update won't be released without this rebuild.

Ideally this coupling shouldn't be that tight, and some ideas are floating around (see [1], [2], and [3]). But for now, I think this is the quickest way to avoid hitting this problem again in the near future.

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
2. https://pagure.io/bind-dyndb-ldap/issue/225
3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21

[ Test Plan ]
The fix is to rebuild the src:bind-dyndb-ldap package with the current src:bind9 in the archive for the affected ubuntu release.
With the build succeeding, and the dyndb-ldap DEP8 test also passing, the verification can be considered successful.

[ Where problems could occur ]
With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it. While this is exactly the intent (not leave a broken bind-dyndb-ldap package in the release), there is a history indicating that bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a situation where an important bind9 security update, for example, will be blocked by a failing dyndb-ldap test, and it may be difficult to fix bind-dyndb-ldap in time, especially if the security update is under embargo and the bind-dyndb-ldap developers do not yet have details of the changes.

[ Other Info ]
See also bug https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650 which adds the same test to the src:bind9 package.

[Original Description]
bind9-dyndb-ldap cannot be installed on Ubuntu 22.04. It appears the bind9 package has been updated, but not bind9-dyndb-ldap:

~# apt install bind9 bind9-dyndb-ldap
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 bind9-dyndb-ldap : Depends: bind9-libs (= 1:9.18.1-1ubuntu1) but 1:9.18.1-1ubuntu1.1 is to be installed
E: Unable to correct problems, you have held broken packages.
~# apt-cache policy bind9
bind9:
  Installed: (none)
  Candidate: 1:9.18.1-1ubuntu1.1
  Version table:
     1:9.18.1-1ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     1:9.18.1-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

~# apt-cache policy bind9-dyndb-ldap
bind9-dyndb-ldap:
  Installed: (none)
  Candidate: 11.9-5build2
  Version table:
     11.9-5build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
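The failure in the report above is mechanical: bind9-dyndb-ldap carries a strict `(= version)` dependency on bind9-libs, so any bind9 rebuild that bumps the version makes the plugin uninstallable until it is rebuilt. The following is an added example, not part of the Ubuntu packaging or of the bug report, of a pre-release check that catches that state offline. It only relies on the text layout of an `apt-cache show` Depends field and of `apt-cache policy` output; the sample inputs are constructed, with the pinned and candidate versions taken from the error above (the two extra dependencies in the Depends sample are made up to show the comma-separated field is parsed).

```sh
#!/bin/sh
# Added example (not from the Ubuntu packaging or the bug report): detect a
# strict "(= version)" dependency that the archive candidate can no longer
# satisfy, the bind9-dyndb-ldap vs. bind9-libs situation described above.

# pinned_version DEPENDS PKG
# Print the version DEPENDS pins for PKG with a strict "(= version)" relation,
# or nothing if PKG is not strictly pinned. DEPENDS is the value of a
# Depends: field as printed by `apt-cache show`.
pinned_version() {
    depends=$1
    pkg=$2
    printf '%s\n' "$depends" | tr ',' '\n' \
        | sed -n "s/^[[:space:]]*${pkg} (= \([^)]*\)).*/\1/p"
}

# candidate_version POLICY
# Print the Candidate: version from `apt-cache policy` output.
candidate_version() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Candidate: //p'
}

# check_sync DEPENDS POLICY PKG
#   0 - the strict pin matches the candidate (installable)
#   1 - the pin and the candidate differ (the "unmet dependencies" case)
#   2 - PKG is not strictly pinned, so there is nothing to check
check_sync() {
    pin=$(pinned_version "$1" "$3")
    [ -n "$pin" ] || return 2
    cand=$(candidate_version "$2")
    [ "$pin" = "$cand" ]
}

# Constructed sample data. The bind9-libs pin is the one from the apt error in
# the bug; libc6 and libldap are made-up extra dependencies. The policy output
# mirrors the bind9 candidate quoted in the bug, here shown for bind9-libs.
DEPENDS_SAMPLE='bind9-libs (= 1:9.18.1-1ubuntu1), libc6 (>= 2.34), libldap-2.5-0 (>= 2.5.4)'
POLICY_SAMPLE='bind9-libs:
  Installed: (none)
  Candidate: 1:9.18.1-1ubuntu1.1
  Version table:
     1:9.18.1-1ubuntu1.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     1:9.18.1-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages'

if check_sync "$DEPENDS_SAMPLE" "$POLICY_SAMPLE" bind9-libs; then
    echo "bind9-dyndb-ldap and bind9-libs are in sync"
else
    echo "out of sync: bind9-dyndb-ldap pins bind9-libs (= $(pinned_version "$DEPENDS_SAMPLE" bind9-libs))" \
         "but the candidate is $(candidate_version "$POLICY_SAMPLE")"
fi
```

On a real system the two inputs come from `apt-cache show bind9-dyndb-ldap | sed -n 's/^Depends: //p'` and `apt-cache policy bind9-libs`; a non-zero result from `check_sync` before a bind9 upload lands is the same signal the DEP8 test added in this bug produces, just without needing the packages to be built first.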
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
This bug was fixed in the package bind-dyndb-ldap - 11.9-5ubuntu0.22.04.3

---
bind-dyndb-ldap (11.9-5ubuntu0.22.04.3) jammy-security; urgency=medium

  * No-change rebuild for bind9 security update.

 -- Marc Deslauriers  Wed, 20 Sep 2023 15:58:12 -0400

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title: Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu: Fix Released
Status in bind9 package in Ubuntu: Fix Released
Status in bind-dyndb-ldap source package in Jammy: Fix Released
Status in bind9 source package in Jammy: In Progress
Status in bind-dyndb-ldap source package in Lunar: Fix Committed
Status in bind9 source package in Lunar: In Progress
Status in bind-dyndb-ldap source package in Mantic: Fix Released
Status in bind9 source package in Mantic: Fix Released

Bug description:
[ Impact ]
bind-dyndb-ldap breaks very frequently with bind9 updates. Both must have DEP8 tests so these breakages can be caught before a release.

[ Test Plan ]
For both packages, the test plan consists in having the new dyndb-ldap DEP8 test run and succeed.

[ Where problems could occur ]
With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it. While this is exactly the intent (not leave a broken bind-dyndb-ldap package in the release), there is a history indicating that bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a situation where an important bind9 security update, for example, will be blocked by a failing dyndb-ldap test, and it may be difficult to fix bind-dyndb-ldap in time, especially if the security update is under embargo and the bind-dyndb-ldap developers do not yet have details of the changes.
[ Other Info ]
The same test is to be applied to the bind9 package, and is already in mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released.

The tight coupling between bind9 and bind-dyndb-ldap is problematic (see [1], [2] and [3]). The moment a new bind9 hits proposed with this test, it will fail until a new bind-dyndb-ldap is rebuilt with that proposed version. One option would perhaps be to accept a one-time DEP8-only change for bind9, so that we can upload both packages together, instead of leaving this in proposed with a blocking tag, to be picked up by the next bind9 "real" update?

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
2. https://pagure.io/bind-dyndb-ldap/issue/225
3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
** Merge proposal linked:
   https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451683

** Merge proposal linked:
   https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451681

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title: Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu: Fix Released
Status in bind9 package in Ubuntu: Fix Released
Status in bind-dyndb-ldap source package in Jammy: Fix Committed
Status in bind9 source package in Jammy: In Progress
Status in bind-dyndb-ldap source package in Lunar: Fix Committed
Status in bind9 source package in Lunar: In Progress
Status in bind-dyndb-ldap source package in Mantic: Fix Released
Status in bind9 source package in Mantic: Fix Released

Bug description:
[ Impact ]
bind-dyndb-ldap breaks very frequently with bind9 updates. Both must have DEP8 tests so these breakages can be caught before a release.

[ Test Plan ]
For both packages, the test plan consists in having the new dyndb-ldap DEP8 test run and succeed.

[ Where problems could occur ]
With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it. While this is exactly the intent (not leave a broken bind-dyndb-ldap package in the release), there is a history indicating that bind-dyndb-ldap can be late in catching up to bind9 changes. We may reach a situation where an important bind9 security update, for example, will be blocked by a failing dyndb-ldap test, and it may be difficult to fix bind-dyndb-ldap in time, especially if the security update is under embargo and the bind-dyndb-ldap developers do not yet have details of the changes.

[ Other Info ]
The same test is to be applied to the bind9 package, and is already in mantic.
But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released.

The tight coupling between bind9 and bind-dyndb-ldap is problematic (see [1], [2] and [3]). The moment a new bind9 hits proposed with this test, it will fail until a new bind-dyndb-ldap is rebuilt with that proposed version. One option would perhaps be to accept a one-time DEP8-only change for bind9, so that we can upload both packages together, instead of leaving this in proposed with a blocking tag, to be picked up by the next bind9 "real" update?

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
2. https://pagure.io/bind-dyndb-ldap/issue/225
3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21
[Freeipa] [Bug 2028413] Re: MRE updates of bind9 for focal, jammy and lunar
** Merge proposal linked:
   https://code.launchpad.net/~lvoytek/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/451685

** Merge proposal linked:
   https://code.launchpad.net/~lvoytek/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/451686

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2028413

Title: MRE updates of bind9 for focal, jammy and lunar

Status in bind-dyndb-ldap package in Ubuntu: Fix Released
Status in bind9 package in Ubuntu: Fix Released
Status in bind-dyndb-ldap source package in Focal: Triaged
Status in bind9 source package in Focal: Triaged
Status in bind-dyndb-ldap source package in Jammy: In Progress
Status in bind9 source package in Jammy: In Progress
Status in bind-dyndb-ldap source package in Lunar: In Progress
Status in bind9 source package in Lunar: In Progress

Bug description:
This bug tracks an update for the bind9 package, moving to versions:
* lunar (23.04): bind9 9.18.18
* jammy (22.04): bind9 9.18.18
* focal (20.04): bind9 9.16.43

These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.

[Upstream changes]
9.18.13-9.18.18 for lunar and jammy:

Updates:
Mark a primary server as temporarily unreachable when a TCP connection response to an SOA query times out, matching behavior of a refused TCP connection.
Mark dialup and heartbeat-interval options as deprecated.
Retry DNS queries without an EDNS COOKIE when the first response is FORMERR with the EDNS COOKIE that was sent originally.
Use NS records for the relaxed QNAME minimization mode to reduce the number of queries from named.
Mark TKEY mode 2 as deprecated.
Mark delegation-only and root-delegation-only as deprecated.
Run RPZ and catalog zone updates on specialized offload threads to reduce blocked query processing time.

Bug Fixes:
Fix assertion failure from processing already-queued queries while server is being reconfigured or cache is being flushed.
Fix failure to load zones containing resource records with a TTL value larger than 86400 seconds when dnssec-policy is set to insecure.
Fix the ability to read HMAC-MD5 key files (LP: #2015176).
Fix stability issues with the catalog zone implementation.
Fix bind9 getting stuck when listen-on statement for HTTP is removed from configuration.
Do not return delegation from cache after stale-answer-client-timeout.
Fix failure to auto-tune clients-per-query limit in some situations.
Fix proper timeouts when using max-transfer-time-in and max-transfer-idle-in statements.
Bring rndc read timeout back to 60 seconds from 30.
Treat libuv returning ISC_R_INVALIDPROTO as a network error.
Clean up empty-non-terminal NSEC3 records.
Fix log file rotation cleanup for absolute file path destinations.
Fix various catalog zone processing crashes.
Fix transfer hang when downloading large zones over TLS.
Fix named crash when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone.
Delay DNSSEC key queries until all zones have finished loading.

CVE Fixes - already available as patches:
CVE-2023-2828
CVE-2023-2911

For full release notes, see: https://bind9.readthedocs.io/en/v9.18.18/notes.html#notes-for-bind-9-18-18

While there are behavioral changes in this release, I was unable to find any backwards-incompatible changes. Some features were marked as deprecated, but are still usable as they were before. Other changes are related to performance and timeout management, neither of which should change how bind9 works, but are worth keeping an eye on in case any regressions arise.
[Test Plan]
DEP-8 test results:
simpletest PASS
validation FLAKY non-zero exit status 1
zonetest PASS

validation is known to be broken in its current state, both due to a need for internet access and incorrect output checking, so the failure is expected.

[Regression Potential]
Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.
[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test
This bug was fixed in the package bind9 - 1:9.18.16-1ubuntu4

---
bind9 (1:9.18.16-1ubuntu4) mantic; urgency=medium

  * d/t/dyndb-ldap: allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack  Tue, 05 Sep 2023 10:20:27 -0300

** Changed in: bind9 (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2034250

Title: Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu: Fix Released
Status in bind9 package in Ubuntu: Fix Released

Bug description:
Caught this in a run of the dyndb-ldap DEP8 test:

280s 2023-09-05T00:59:05.435102+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD dn="idnsName=example.internal,ou=dns,dc=example,dc=internal"
280s 2023-09-05T00:59:05.435953+00:00 autopkgtest slapd[1491]: conn=1010 op=1 MOD attr=idnsSOAserial
280s 2023-09-05T00:59:05.436043+00:00 autopkgtest slapd[1491]: conn=1010 op=1 RESULT tag=103 err=50 qtime=0.09 etime=0.001324 text=
280s 2023-09-05T00:59:05.436068+00:00 autopkgtest named[1519]: LDAP error: Insufficient access: while modifying(replace) entry 'idnsName=example.internal,ou=dns,dc=example,dc=internal'

Looks like sometimes the dyndb-ldap plugin wants to write to the tree, and not just read from it. Looking at the code, that can happen for some SOA attributes, and perhaps other cases too. The documentation isn't immediately clear.

A re-run of this test cleared the error, but we all dislike flaky tests, so it's probably best to adjust the ACL and allow the bind9 user to write to the DNS tree. Production deployments will definitely want to fine tune this ACL and list explicit attributes and entry types that can be modified, but for a DEP8 test, this is enough.

```diff --- a/debian/tests/dyndb-ldap +++ b/debian/tests/dyndb-ldap 
@@ -135,7 +135,7 @@ EOF dn: olcDatabase={1}mdb,cn=config changetype: modify add: olcAccess -olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" read by * none +olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" by dn.exact="${ldap_bind9_dn}" write by * none EOF } ```
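Review bot: the change from `read` to `write` on the olcAccess line grants the bind9 DN write access to every attribute of every entry under ou=dns, while the only write the log shows is `MOD attr=idnsSOAserial`; even in a DEP8 test it is cheap to scope it, e.g. a first rule `olcAccess: {1}to dn.subtree="ou=dns,${ldap_suffix}" attrs=idnsSOAserial by dn.exact="${ldap_bind9_dn}" write by * none` ahead of the existing read rule (OpenLDAP stops at the first `to` clause matching entry and attribute), which also documents in the test which attribute the plugin needs to update. If the subtree-wide grant is kept on purpose, as the description says, a one-line comment in the script next to this olcAccess line marking it as test-only would keep the next reader from copying it into a production slapd.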
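The description says a production deployment should narrow this ACL to explicit attributes. A tighter form, as an added example that is not the Ubuntu test script's ACL and not from bind-dyndb-ldap: write access is limited to the one attribute the slapd log above shows being modified, idnsSOAserial, and the rest of the ou=dns subtree stays read-only for the bind9 identity. The suffix dc=example,dc=internal is taken from the log; the bind DN cn=bind9,ou=services,dc=example,dc=internal is an assumption standing in for the script's ${ldap_bind9_dn}, placed outside ou=dns so the trailing `by * none` clauses do not affect its own entry. The `{1}` and `{2}` indexes assume, like the test script does, that an `{0}` rule already exists on the database.

```ldif
# Added example, not the Ubuntu DEP8 test's ACL and not from bind-dyndb-ldap.
# Suffix taken from the slapd log in the bug; the bind9 DN
# (cn=bind9,ou=services,dc=example,dc=internal) is an assumption.
# OpenLDAP evaluates olcAccess values in order and stops at the first
# "to" clause that matches both the entry and the attribute, so the narrow
# write rule must precede the subtree-wide read rule. "write" already
# implies "read" for the attribute it covers.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.subtree="ou=dns,dc=example,dc=internal" attrs=idnsSOAserial
  by dn.exact="cn=bind9,ou=services,dc=example,dc=internal" write
  by * none
olcAccess: {2}to dn.subtree="ou=dns,dc=example,dc=internal"
  by dn.exact="cn=bind9,ou=services,dc=example,dc=internal" read
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` on the slapd host, then watch the slapd log for `RESULT ... err=50` lines following a `MOD attr=` line, as in the log above: each attribute the plugin is still denied on is a candidate for the `attrs=` list of the write rule, rather than a reason to widen the rule back to the whole subtree.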
[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test
This bug was fixed in the package bind-dyndb-ldap - 11.10-6ubuntu1

---------------
bind-dyndb-ldap (11.10-6ubuntu1) mantic; urgency=medium

  * d/t/dyndb-ldap fixes:
    - use correct attribute in the bind9 dn entry (LP: #2034251)
    - allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack  Tue, 05 Sep 2023 10:05:46 -0300

** Changed in: bind-dyndb-ldap (Ubuntu)
       Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  In Progress
[Freeipa] [Bug 2034251] Re: Incorrect rdn in the bind9 dn entry in the DEP8 test
This bug was fixed in the package bind-dyndb-ldap - 11.10-6ubuntu1

---------------
bind-dyndb-ldap (11.10-6ubuntu1) mantic; urgency=medium

  * d/t/dyndb-ldap fixes:
    - use correct attribute in the bind9 dn entry (LP: #2034251)
    - allow writing to the dns tree (LP: #2034250)

 -- Andreas Hasenack  Tue, 05 Sep 2023 10:05:46 -0300

** Changed in: bind-dyndb-ldap (Ubuntu)
       Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/2034251

Title:
  Incorrect rdn in the bind9 dn entry in the DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released

Bug description:
  There is a small mistake in the bind9 DN entry: it should have an attribute matching the dn, but instead it mentions a "replicator" entity that doesn't exist. It doesn't fail the test, but it's an incorrect LDAP entry and should be fixed:

```diff
diff --git a/debian/tests/dyndb-ldap b/debian/tests/dyndb-ldap
index 5482bc0..019bf24 100644
--- a/debian/tests/dyndb-ldap
+++ b/debian/tests/dyndb-ldap
@@ -8,6 +8,7 @@ myhostname="dep8"
 ldap_admin_dn="cn=admin,${ldap_suffix}"
 ldap_admin_pw="secret"
 ldap_bind9_dn="uid=bind9,${ldap_suffix}"
+ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn
 ldap_bind9_pw="secretagain"
 
 cleanup() {
@@ -122,7 +123,7 @@ EOF
 create_bind9_uid() {
 ldapadd -x -D "${ldap_admin_dn}" -w "${ldap_admin_pw}"
```
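Review bot: `+ldap_bind9_rdn="uid: bind9" # match ldap_bind9_dn` hand-copies a value that is already encoded in `ldap_bind9_dn="uid=bind9,${ldap_suffix}"` two lines above, so the two can drift apart silently, which is the same class of mismatch this change is fixing. Derive it from the DN instead and drop the comment, for example `ldap_bind9_rdn="$(printf '%s\n' "${ldap_bind9_dn%%,*}" | sed 's/=/: /')"`. The second hunk (`@@ -122,7 +123,7 @@`) is cut off in this message, so how `create_bind9_uid()` consumes `ldap_bind9_rdn` cannot be checked here.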
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450698

** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450699

-- 
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  New
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  New
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must have DEP8 tests so these breakages can be caught before a release.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions
[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/450679

-- 
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
Status in bind9 package in Ubuntu:
  In Progress
[Freeipa] [Bug 2034250] Re: Insufficient access in dyndb DEP8 test
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450665

-- 
https://bugs.launchpad.net/bugs/2034250

Title:
  Insufficient access in dyndb DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
Status in bind9 package in Ubuntu:
  In Progress
[Freeipa] [Bug 2034251] Re: Incorrect rdn in the bind9 dn entry in the DEP8 test
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450665

-- 
https://bugs.launchpad.net/bugs/2034251

Title:
  Incorrect rdn in the bind9 dn entry in the DEP8 test

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
[Freeipa] [Bug 1978849] Re: bind9-dyndb-ldap has unmet dependencies
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450608

-- 
https://bugs.launchpad.net/bugs/1978849

Title:
  bind9-dyndb-ldap has unmet dependencies

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Invalid
Status in bind-dyndb-ldap source package in Focal:
  Won't Fix
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Invalid

Bug description:
  bind9-dyndb-ldap cannot be installed on Ubuntu 22.04. It appears the bind9 package has been updated, but not bind9-dyndb-ldap:

  ~# apt install bind9 bind9-dyndb-ldap
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.
  The following information may help to resolve the situation:

  The following packages have unmet dependencies:
   bind9-dyndb-ldap : Depends: bind9-libs (= 1:9.18.1-1ubuntu1) but 1:9.18.1-1ubuntu1.1 is to be installed
  E: Unable to correct problems, you have held broken packages.

  ~# apt-cache policy bind9
  bind9:
    Installed: (none)
    Candidate: 1:9.18.1-1ubuntu1.1
    Version table:
       1:9.18.1-1ubuntu1.1 500
          500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
       1:9.18.1-1ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  ~# apt-cache policy bind9-dyndb-ldap
  bind9-dyndb-ldap:
    Installed: (none)
    Candidate: 11.9-5build2
    Version table:
       11.9-5build2 500
          500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/1978849/+subscriptions
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450608

-- 
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  New
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  New
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released
[Freeipa] [Bug 1978849] Re: bind9-dyndb-ldap has unmet dependencies
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450607

-- 
https://bugs.launchpad.net/bugs/1978849

Title:
  bind9-dyndb-ldap has unmet dependencies

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Invalid
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Invalid
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind-dyndb-ldap/+git/bind-dyndb-ldap/+merge/450607

-- 
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  New
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  New
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released
[Freeipa] [Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration
This bug was fixed in the package bind9 - 1:9.18.16-1ubuntu3

---------------
bind9 (1:9.18.16-1ubuntu3) mantic; urgency=medium

  * d/t/control: exclude the i386 architecture for the dyndb-ldap test,
    since bind9-dyndb-ldap is not available there on Ubuntu
  * d/t/dyndb-ldap: fix for the ldap bind9 dn entry

bind9 (1:9.18.16-1ubuntu2) mantic; urgency=medium

  * d/t/control, d/t/dyndb-ldap: add DEP8 test (LP: #2032650)

 -- Andreas Hasenack  Wed, 30 Aug 2023 10:14:04 -0300

** Changed in: bind9 (Ubuntu Mantic)
       Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released
[Freeipa] [Bug 2018050] Re: Merge bind9 from Debian unstable for mantic
This bug was fixed in the package bind9 - 1:9.18.16-1ubuntu1

---------------
bind9 (1:9.18.16-1ubuntu1) mantic; urgency=medium

  * Merge with Debian unstable (LP: #2018050). Remaining changes:
    - Don't build dnstap as it depends on universe packages:
      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
        protobuf-c-compiler (universe packages)
      + d/dnsutils.install: don't install dnstap
      + d/rules: don't build dnstap nor install dnstap.proto
    - Add back apport:
      + d/bind9.apport: add back old bind9 apport hook, but without calling
        attach_conffiles() since that is already done by apport itself, with
        confirmation from the user.
      + d/control, d/rules: build-depends on dh-apport and use it
    - d/control: remove optional libjemalloc-dev Build-Depends as it is not in main.
    - d/NEWS: mention relevant packaging changes
    - Improve dep-8 test suite (LP #2003584):
      + d/t/zonetest: Add dep8 test for checking the domain zone creation process
      + d/t/control: Add new test outline
  * Added Changes:
    - d/po/de.po: Fix German UTF-8 encoding
    - d/copyright: Fix lintian warnings
      + Remove the entry for lib/isc/hp.c lib/isc/include/isc/hp.h as they were deleted in 9.18.2
      + Remove the entry for lib/isc/include/pkcs11/pkcs11.h as it is no longer bundled as of 9.17.19
      + Update the location of random_test.c and add info about its public domain section
      + Add wildcards to folders as needed
      + Note that m4/ uses the FSFAP license
    - d/control: Remove lsb-base dependency as it is no longer needed
      + See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851

 -- Lena Voytek  Mon, 26 Jun 2023 14:25:50 -0700

** Changed in: bind9 (Ubuntu)
       Status: In Progress => Fix Released

** Bug watch added: Debian Bug tracker #1019851
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019851

-- 
https://bugs.launchpad.net/bugs/2018050

Title:
  Merge bind9 from Debian unstable for mantic

Status in bind-dyndb-ldap package in Ubuntu:
  In Progress
Status in bind9 package in Ubuntu:
  Fix Released

Bug description:
  Upstream: 9.18.14
  Debian:   1:9.18.13-1 1:9.19.11-1
  Ubuntu:   1:9.18.12-1ubuntu1

  Debian new has 1:9.19.11-1, which may be available for merge soon.

  If it turns out this needs a sync rather than a merge, please change the tag 'needs-merge' to 'needs-sync', and (optionally) update the title as desired.

  ### New Debian Changes ###

  bind9 (1:9.18.13-1) unstable; urgency=medium

    * New upstream version 9.18.13

   -- Ondřej Surý  Wed, 15 Mar 2023 18:11:29 +0100

  bind9 (1:9.18.12-1) unstable; urgency=medium

    * New upstream version 9.18.12
    * Drop libtool-bin from B-D (Closes: #1022968)

   -- Ondřej Surý  Fri, 10 Feb 2023 15:15:49 +0100

  bind9 (1:9.18.11-2) unstable; urgency=medium

    * Allow the named to use systemd notify service

   -- Ondřej Surý  Thu, 26 Jan 2023 21:13:55 +0100

  bind9 (1:9.18.11-1) unstable; urgency=medium

    * New upstream version 9.18.11

   -- Ondřej Surý  Wed, 25 Jan 2023 15:51:35 +0100

  bind9 (1:9.18.10-2) unstable; urgency=medium

    * Backport upstream feature to use sd_notify()
    * Use systemd notify for service readiness check (Closes: #994696)
    * apparmor.d: Allow named to read all OpenSSL config files. (Closes: #1025519)
    * apparmor.d: Allow named to query for hugepages support. (Closes: #1020315)
    * Fix path to README.Debian (Closes: #1016646)

   -- Bernhard Schmidt  Thu, 22 Dec 2022 17:12:17 +0100

  bind9 (1:9.18.10-1) unstable; urgency=medium

    * New upstream version 9.18.10

   -- Ondřej Surý  Wed, 21 Dec 2022 18:00:33 +0100

  bind9 (1:9.18.9-1) unstable; urgency=medium

    * New upstream version 9.18.9

   -- Ondřej Surý  Wed, 16 Nov 2022 14:00:05 +0100

  bind9 (1:9.18.8-1) unstable; urgency=medium

    * New upstream version 9.18.8

   -- Ondřej Surý  Wed, 19 Oct 2022 14:58:38 +0200

  bind9 (1:9.18.7-1) unstable; urgency=medium

    * New upstream version 9.18.7
      - CVE-2022-2795: Processing large delegations may severely degrade resolver performance
      - CVE-2022-2881: Buffer overread in statistics channel code
      - CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)
      - CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly
      - CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
      - CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code

   -- Ondřej Surý  Wed, 21 Sep 2022 12:48:36 +0200

  bind9 (1:9.18.6-2) unstable; urgency=medium

    * No-change source-only upload

   -- Bernhard Schmidt  Mon, 05 Sep 2022 21:30:08
[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.39
This bug was fixed in the package bind-dyndb-ldap - 11.9-5ubuntu0.22.04.1

---------------
bind-dyndb-ldap (11.9-5ubuntu0.22.04.1) jammy; urgency=medium

  * Fix bind-dyndb-ldap build against bind9 9.18.12 (LP: #2003586):
    - d/p/hardcode-version.diff: Update defined LIBDNS version from bind9 to be 1812, provided by bind9 9.18.12
    - d/p/fix-dns_db_allrdatasets.patch: Modify calls to dns_db_allrdatasets() for bind9 9.18.10+ since the function has a new parameter
    - d/p/fix-include.patch: Include isc/rwlock.h in dns/zt.h to fix build since isrwlock is used in this file
    - d/p/fix-isc-error.patch: Fix the use of the fatal_error macro as its arguments have changed
    - d/p/make-dscp-optional.patch: Do not require DSCP codes for bind9 9.18.11 and above as their support was removed in that version
    - d/control: Require bind9 9.18.12 or above

 -- Lena Voytek  Thu, 09 Mar 2023 15:06:25 -0700

-- 
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.39

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind9 source package in Focal:
  In Progress
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Kinetic:
  Fix Released
Status in bind9 source package in Kinetic:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.39

  These updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  For bind9 9.18.2-9.18.12, major changes include:

  CVE fixes (these already existed as patches but are now included as part of upstream):
    CVE-2022-1183
    CVE-2022-2795
    CVE-2022-2881
    CVE-2022-2906
    CVE-2022-3080
    CVE-2022-38178
    CVE-2022-3094
    CVE-2022-3736
    CVE-2022-3924

  Features:
    update-quota option
    named -V shows supported cryptographic algorithms
    Additional info given for "recursion not available" and "query (cache) '...' denied" outputs

  Jammy only (Kinetic already has these):
    Catalog Zones schema version 2 support in named
    DNS error support
    Stale Answer and Stale NXDOMAIN Answer
    remote TLS certificate verification support
    reusereport option

  Bug Fixes:
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3178
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3636
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3772
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3752
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3678
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3637
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3739
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3743
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3725
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3727
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3638
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3183
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3721
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3707
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3591
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3598
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3247
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2895
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3584
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3627
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3563
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3603
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3557
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2982
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3439
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3438
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2918
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3462
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3400
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3402
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3152
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3415
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2506

  Jammy only:
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3327
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3380
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3302
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2931
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3242
[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.39
This bug was fixed in the package bind-dyndb-ldap - 11.10-1ubuntu0.22.10.1

---
bind-dyndb-ldap (11.10-1ubuntu0.22.10.1) kinetic; urgency=medium

  * Fix bind-dyndb-ldap build against bind9 9.18.12 (LP: #2003586):
    - d/p/hardcode-version.diff: Update defined LIBDNS version from bind9 to be 1812, provided by bind9 9.18.12
    - d/p/fix-dns_db_allrdatasets.patch: Modify calls to dns_db_allrdatasets() for bind9 9.18.10+ since the function has a new parameter
    - d/p/fix-include.patch: Include isc/rwlock.h in dns/zt.h to fix build since isrwlock is used in this file
    - d/p/fix-isc-error.patch: Fix the use of the fatal_error macro as its arguments have changed
    - d/p/make-dscp-optional.patch: Do not require DSCP codes for bind9 9.18.11 and above as their support was removed in that version
    - d/control: Require bind9 9.18.12 or above

 -- Lena Voytek  Wed, 08 Mar 2023 14:52:32 -0700

** Changed in: bind-dyndb-ldap (Ubuntu Kinetic)
       Status: Fix Committed => Fix Released

** Changed in: bind-dyndb-ldap (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.39

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind9 source package in Focal:
  In Progress
Status in bind-dyndb-ldap source package in Jammy:
  Fix Released
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Kinetic:
  Fix Released
Status in bind9 source package in Kinetic:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.39

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  For bind9 9.18.2-9.18.12, major changes include:

  CVE fixes (These already existed as patches but are now included as
  part of upstream):
    CVE-2022-1183
    CVE-2022-2795
    CVE-2022-2881
    CVE-2022-2906
    CVE-2022-3080
    CVE-2022-38178
    CVE-2022-3094
    CVE-2022-3736
    CVE-2022-3924

  Features:
    update-quota option
    named -V shows supported cryptographic algorithms
    Additional info given for recursion not available and query (cache) '...' denied outputs

  Jammy only (Kinetic already has these):
    Catalog Zones schema version 2 support in named
    DNS error support Stale Answer and Stale NXDOMAIN Answer
    remote TLS certificate verification support
    reusereport option

  Bug Fixes:
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3178
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3636
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3772
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3752
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3678
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3637
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3739
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3743
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3725
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3727
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3638
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3183
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3721
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3707
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3591
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3598
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3247
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2895
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3584
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3627
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3563
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3603
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3557
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2982
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3439
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3438
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2918
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3462
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3400
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3402
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3152
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3415
    https://gitlab.isc.org/isc-projects/bind9/-/issues/2506

  Jammy only:
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3327
[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.36
This bug was fixed in the package bind9 - 1:9.18.12-0ubuntu0.22.10.1

---
bind9 (1:9.18.12-0ubuntu0.22.10.1) kinetic; urgency=medium

  * New upstream releases 9.18.5 - 9.18.12 (LP: #2003586)
    - Updates:
      + update-quota option
      + named -V shows supported cryptographic algorithms
    - Bug Fixes Include:
      + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
      + Fix incomplete results using dig with +nssearch (LP: #1970252)
      + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924
      + Fix thread safety in dns_dispatch
      + Fix ADB quota management in resolver
      + Fix Prohibited DNS error on allow-recursion
      + Fix crash when restarting server with active statschannel connection
      + Fix use after free for catalog zone processing
      + Fix leak of dns_keyfileio_t objects
      + Fix nslookup failure to use port option when record type ANY is used
      + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
      + Fix inheritance when setting remote server port
      + Fix assertion error when accessing statistics channel
      + Fix rndc dumpdb -expired for stuck cache
      + Fix check for other name servers after receiving FORMERR
      + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12 for additional bug fixes and information
  * Improve dep-8 test suite (LP: #2003584):
    - d/t/zonetest: Add dep8 test for checking the domain zone creation process
    - d/t/control: Add new test outline
  * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
  * d/p/0001-Disable-treat-warnings-as-errors-in-sphinx-build.patch: refresh to apply with version 9.18.8
  * Remove CVE patches fixed upstream:
    - debian/patches/CVE-2022-2795.patch
    - debian/patches/CVE-2022-2881.patch
    - debian/patches/CVE-2022-2906.patch
    - debian/patches/CVE-2022-3080.patch
    - debian/patches/CVE-2022-38178.patch [Included in upstream release 9.18.7]
    - debian/patches/CVE-2022-3094.patch
    - debian/patches/CVE-2022-3736.patch
    - debian/patches/CVE-2022-3924.patch [Included in upstream release 9.18.11]

 -- Lena Voytek  Wed, 08 Mar 2023 08:49:53 -0700

** Changed in: bind9 (Ubuntu Kinetic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.36

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind9 source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  Fix Committed
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Kinetic:
  Fix Committed
Status in bind9 source package in Kinetic:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.36

  These updates include bug fixes following the SRU policy exception
  defined at https://wiki.ubuntu.com/Bind9Updates.

  [Upstream changes]

  For bind9 9.18.2-9.18.12, major changes include:

  CVE fixes (These already existed as patches but are now included as
  part of upstream):
    CVE-2022-1183
    CVE-2022-2795
    CVE-2022-2881
    CVE-2022-2906
    CVE-2022-3080
    CVE-2022-38178
    CVE-2022-3094
    CVE-2022-3736
    CVE-2022-3924

  Features:
    update-quota option
    named -V shows supported cryptographic algorithms
    Additional info given for recursion not available and query (cache) '...' denied outputs

  Jammy only (Kinetic already has these):
    Catalog Zones schema version 2 support in named
    DNS error support Stale Answer and Stale NXDOMAIN Answer
    remote TLS certificate verification support
    reusereport option

  Bug Fixes:
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3178
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3636
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3772
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3752
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3678
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3637
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3739
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3743
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3725
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3693
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3683
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3727
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3638
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3183
    https://gitlab.isc.org/isc-projects/bind9/-/issues/3721
[Freeipa] [Bug 2003586] Re: MRE Updates 9.18.12 / 9.16.36
This bug was fixed in the package bind9 - 1:9.18.12-0ubuntu0.22.04.1

---
bind9 (1:9.18.12-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream releases 9.18.2 - 9.18.12 (LP: #2003586)
    - Updates:
      + update-quota option
      + named -V shows supported cryptographic algorithms
      + Catalog Zones schema version 2 support in named
      + DNS error support Stale Answer and Stale NXDOMAIN Answer
      + Remote TLS certificate verification support
      + reusereport option
    - Bug Fixes Include:
      + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
      + Fix incomplete results using dig with +nssearch (LP: #1970252)
      + Fix loading of preinstalled plugins (LP: #2006972)
      + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924, CVE-2022-1183
      + Fix thread safety in dns_dispatch
      + Fix ADB quota management in resolver
      + Fix Prohibited DNS error on allow-recursion
      + Fix crash when restarting server with active statschannel connection
      + Fix use after free for catalog zone processing
      + Fix leak of dns_keyfileio_t objects
      + Fix nslookup failure to use port option when record type ANY is used
      + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on
      + Fix inheritance when setting remote server port
      + Fix assertion error when accessing statistics channel
      + Fix rndc dumpdb -expired for stuck cache
      + Fix check for other name servers after receiving FORMERR
      + Fix deletion of CDS after zone sign
      + Fix dighost query context management
      + Fix dig hanging due to IPv4 mapped IPv6 address
      + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12 for additional bug fixes and information
  * Improve dep-8 test suite (LP: #2003584):
    - d/t/zonetest: Add dep8 test for checking the domain zone creation process
    - d/t/control: Add new test outline
  * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active
  * Remove patches for bugs LP #1964400 and LP #1964686 fixed upstream:
    - lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv
    - lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the
    - lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo
    - lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh
    - lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe
    - lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC
    - lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error-
  * Remove CVE patches fixed upstream:
    - debian/patches/CVE-2022-1183.patch [Included in upstream release 9.18.3]
    - debian/patches/CVE-2022-2795.patch
    - debian/patches/CVE-2022-2881.patch
    - debian/patches/CVE-2022-2906.patch
    - debian/patches/CVE-2022-3080.patch
    - debian/patches/CVE-2022-38178.patch [Included in upstream release 9.18.7]
    - debian/patches/CVE-2022-3094.patch
    - debian/patches/CVE-2022-3736.patch
    - debian/patches/CVE-2022-3924.patch [Included in upstream release 9.18.11]

 -- Lena Voytek  Wed, 08 Mar 2023 12:08:55 -0700

** Changed in: bind9 (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1183

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2795

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2881

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-2906

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3080

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3094

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3736

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-38178

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-3924

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2003586

Title:
  MRE Updates 9.18.12 / 9.16.36

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Focal:
  New
Status in bind9 source package in Focal:
  New
Status in bind-dyndb-ldap source package in Jammy:
  Fix Committed
Status in bind9 source package in Jammy:
  Fix Released
Status in bind-dyndb-ldap source package in Kinetic:
  Fix Committed
Status in bind9 source package in Kinetic:
  Fix Released

Bug description:
  This bug tracks an update for the bind9 package, moving to versions:

  * Kinetic (22.10): bind9 9.18.12
  * Jammy (22.04): bind9 9.18.12
  * Focal (20.04): bind9 9.16.36

  These updates include bug fixes following the SRU policy exception
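The changelog entries above are the record of which CVE fixes and Launchpad bugs a given binary version of bind9 carries, and of which distro-local CVE patches were dropped once upstream absorbed them. The following is an added example, not code from the bind9 or Ubuntu packaging: a small parser for that Debian changelog format that extracts the version, LP references, CVE identifiers and removed patch files per entry, and answers "is CVE X fixed in version Y?" using the newest-first ordering of the file instead of dpkg version comparison. SAMPLE_CHANGELOG is a constructed, condensed excerpt modelled on the entries quoted above; the maintainer addresses are placeholders.

```python
"""Parse Debian changelog entries and pull out the security references they carry.

Added example, not code from the bind9 or Ubuntu packaging. SAMPLE_CHANGELOG is a
constructed, condensed excerpt modelled on the entries quoted in the bug
notifications; maintainer addresses are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_CHANGELOG = """\
bind9 (1:9.18.12-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream releases 9.18.2 - 9.18.12 (LP: #2003586)
    - Bug Fixes Include:
      + Fix crash when using dig with +nssearch and +tcp (LP: #1258003)
      + CVE-2022-2795, CVE-2022-2881, CVE-2022-1183
  * Remove CVE patches fixed upstream:
    - debian/patches/CVE-2022-1183.patch [Included in upstream release 9.18.3]
    - debian/patches/CVE-2022-2795.patch
    - debian/patches/CVE-2022-2881.patch

 -- Example Maintainer <maint@example.invalid>  Wed, 08 Mar 2023 12:08:55 -0700

bind9 (1:9.18.1-1ubuntu1.1) jammy-security; urgency=medium

  * Constructed entry: backport patch for CVE-2022-2795
    - debian/patches/CVE-2022-2795.patch

 -- Example Maintainer <maint@example.invalid>  Mon, 26 Sep 2022 10:00:00 -0400
"""

# "source (version) distribution; urgency=..." opens an entry at column 0.
HEADER_RE = re.compile(
    r"^(?P<source>[a-z0-9][a-z0-9.+-]*) \((?P<version>[^)]+)\) "
    r"(?P<dist>\S+); urgency=(?P<urgency>\S+)")
# " -- Maintainer <email>  Date" closes it (two spaces before the date).
TRAILER_RE = re.compile(r"^ -- (?P<maintainer>.+?)  (?P<date>.+)$")
LP_RE = re.compile(r"LP: #(\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Patch file, optionally annotated with the upstream release that absorbed it.
PATCH_RE = re.compile(
    r"(debian/patches/\S+?\.patch)(?:\s*\[Included in upstream release ([^\]]+)\])?")


@dataclass
class ChangelogEntry:
    source: str
    version: str
    distribution: str
    urgency: str
    maintainer: str = ""
    date: str = ""
    lp_bugs: List[str] = field(default_factory=list)
    cves: List[str] = field(default_factory=list)
    # (patch file, upstream release that absorbed it, or None if not stated)
    patch_files: List[Tuple[str, Optional[str]]] = field(default_factory=list)


def _add_unique(target: list, items) -> None:
    for item in items:
        if item not in target:
            target.append(item)


def parse_changelog(text: str) -> List[ChangelogEntry]:
    """Return the entries newest-first, in the order the file lists them."""
    entries: List[ChangelogEntry] = []
    current: Optional[ChangelogEntry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = ChangelogEntry(m["source"], m["version"], m["dist"], m["urgency"])
            entries.append(current)
            continue
        if current is None:
            continue  # text outside any entry is ignored
        m = TRAILER_RE.match(line)
        if m:
            current.maintainer = m["maintainer"]
            current.date = m["date"]
            current = None  # the trailer closes the entry
            continue
        _add_unique(current.lp_bugs, LP_RE.findall(line))
        _add_unique(current.cves, CVE_RE.findall(line))
        _add_unique(current.patch_files,
                    [(path, rel or None) for path, rel in PATCH_RE.findall(line)])
    return entries


def fixed_in(entries: List[ChangelogEntry], version: str, cve: str) -> bool:
    """True if `version` or any older entry mentions `cve`.

    Uses the newest-first ordering of the changelog, so no dpkg version
    comparison is needed; raises if the version is not in the file.
    """
    for idx, entry in enumerate(entries):
        if entry.version == version:
            return any(cve in e.cves for e in entries[idx:])
    raise ValueError(f"version {version!r} not in changelog")


def first_fixing_version(entries: List[ChangelogEntry], cve: str) -> Optional[str]:
    """Oldest version whose entry mentions the CVE, or None if never mentioned."""
    for entry in reversed(entries):
        if cve in entry.cves:
            return entry.version
    return None
```

A CVE mentioned only in a "Remove CVE patches fixed upstream" list still counts as fixed in that version, since the patch was dropped because the new upstream release already contains the fix; that is why the parser takes CVE identifiers from any line of the entry, including patch file names.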
[Freeipa] [Bug 1987276] Re: certmonger - libcrypto issues with openssl3
This bug was fixed in the package certmonger - 0.79.16-1

---
certmonger (0.79.16-1) unstable; urgency=medium

  * New upstream release. (LP: #1987276)

 -- Timo Aaltonen  Fri, 26 Aug 2022 09:42:54 +0300

** Changed in: certmonger (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/1987276

Title:
  certmonger - libcrypto issues with openssl3

Status in certmonger package in Ubuntu:
  Fix Released

Bug description:
  I just want to let you know that this bug is still present from 22.04
  onwards (anything that uses libssl3 as default) - bug is being tracked
  in https://pagure.io/certmonger/issue/244 - I already tested the patch
  provided and it works, but I would love to see an updated package on
  the official repository.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1987276/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1987276] Re: certmonger - libcrypto issues with openssl3
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: certmonger (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/1987276

Title:
  certmonger - libcrypto issues with openssl3

Status in certmonger package in Ubuntu:
  Confirmed

Bug description:
  I just want to let you know that this bug is still present from 22.04
  onwards (anything that uses libssl3 as default) - bug is being tracked
  in https://pagure.io/certmonger/issue/244 - I already tested the patch
  provided and it works, but I would love to see an updated package on
  the official repository.
[Freeipa] [Bug 1978849] Re: bind9-dyndb-ldap has unmet dependencies
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: bind-dyndb-ldap (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1978849

Title:
  bind9-dyndb-ldap has unmet dependencies

Status in bind-dyndb-ldap package in Ubuntu:
  Confirmed

Bug description:
  bind9-dyndb-ldap cannot be installed on Ubuntu 22.04. It appears the
  bind9 package has been updated, but not bind9-dyndb-ldap:

  ~# apt install bind9 bind9-dyndb-ldap
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  Some packages could not be installed. This may mean that you have
  requested an impossible situation or if you are using the unstable
  distribution that some required packages have not yet been created
  or been moved out of Incoming.
  The following information may help to resolve the situation:

  The following packages have unmet dependencies:
   bind9-dyndb-ldap : Depends: bind9-libs (= 1:9.18.1-1ubuntu1) but 1:9.18.1-1ubuntu1.1 is to be installed
  E: Unable to correct problems, you have held broken packages.

  ~# apt-cache policy bind9
  bind9:
    Installed: (none)
    Candidate: 1:9.18.1-1ubuntu1.1
    Version table:
       1:9.18.1-1ubuntu1.1 500
          500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
       1:9.18.1-1ubuntu1 500
          500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  ~# apt-cache policy bind9-dyndb-ldap
  bind9-dyndb-ldap:
    Installed: (none)
    Candidate: 11.9-5build2
    Version table:
       11.9-5build2 500
          500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
[Freeipa] [Bug 1951015] Re: Package is uninstallable because libwbclient-sssd doesn't exist anymore
This bug was fixed in the package freeipa - 4.8.6-1ubuntu9

---
freeipa (4.8.6-1ubuntu9) jammy; urgency=medium

  * d/control: Drop freeipa-client-samba's dependency on libwbclient-sssd,
    which doesn't exist anymore. Replace it with a dependency on
    libwbclient-dev (from the samba package). (LP: #1951015)
  * d/control.common: Likewise.

 -- Sergio Durigan Junior  Mon, 15 Nov 2021 15:10:54 -0500

** Changed in: freeipa (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1951015

Title:
  Package is uninstallable because libwbclient-sssd doesn't exist anymore

Status in freeipa package in Ubuntu:
  Fix Released
Status in sssd package in Ubuntu:
  Invalid

Bug description:
  The latest version of sssd in Ubuntu (2.5.2-4ubuntu1) drops the
  libwbclient-sssd binary package due to upstream's decision:

  https://github.com/SSSD/sssd/releases/tag/2.5.0

  "* SSSD's implementation of libwbclient was removed as incompatible
  with modern version of Samba."

  This makes freeipa-client-samba uninstallable, because it depends on
  that package.

  I think the best approach here is to make freeipa-client-samba depend
  on libwbclient-dev instead, which is samba's libwbclient version.

  I proposed a Merge Request against freeipa on Debian here:

  https://salsa.debian.org/freeipa-team/freeipa/-/merge_requests/1

  I will propose adding the same change as an Ubuntu delta for now in
  order to unblock sssd in update-excuses.
[Freeipa] [Bug 1951015] Re: Package is uninstallable because libwbclient-sssd doesn't exist anymore
** Merge proposal linked:
   https://code.launchpad.net/~sergiodj/ubuntu/+source/freeipa/+git/freeipa/+merge/411884

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1951015

Title:
  Package is uninstallable because libwbclient-sssd doesn't exist anymore

Status in freeipa package in Ubuntu:
  Confirmed
Status in sssd package in Ubuntu:
  Invalid

Bug description:
  The latest version of sssd in Ubuntu (2.5.2-4ubuntu1) drops the
  libwbclient-sssd binary package due to upstream's decision:

  https://github.com/SSSD/sssd/releases/tag/2.5.0

  "* SSSD's implementation of libwbclient was removed as incompatible
  with modern version of Samba."

  This makes freeipa-client-samba uninstallable, because it depends on
  that package.

  I think the best approach here is to make freeipa-client-samba depend
  on libwbclient-dev instead, which is samba's libwbclient version.

  I proposed a Merge Request against freeipa on Debian here:

  https://salsa.debian.org/freeipa-team/freeipa/-/merge_requests/1

  I will propose adding the same change as an Ubuntu delta for now in
  order to unblock sssd in update-excuses.
[Freeipa] [Bug 1910390] Re: autopkgtest fails in focal
** Merge proposal linked:
   https://code.launchpad.net/~rbalint/britney/+git/hints-ubuntu/+merge/395912

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1910390

Title:
  autopkgtest fails in focal

Status in dogtag-pki package in Ubuntu:
  New

Bug description:
  https://autopkgtest.ubuntu.com/packages/d/dogtag-pki/focal/s390x
  https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-focal/focal/s390x/d/dogtag-pki/20210105_134957_c21a5@/log.gz

  ...
  Installing CA into /var/lib/pki/pki-tomcat.
  Installation failed: Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)

  ERROR: Exception: Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
    File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 562, in main
      scriptlet.spawn(deployer)
    File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 833, in spawn
      deployer.instance.wait_for_startup(
    File "/usr/lib/python3/dist-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup
      raise Exception('Server unreachable due to SSL error: %s' % reason) from exc

  CA spawn failed:
  2021-01-05 13:49:25 ERROR: Exception: Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
    File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 562, in main
      scriptlet.spawn(deployer)
    File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 833, in spawn
      deployer.instance.wait_for_startup(
    File "/usr/lib/python3/dist-packages/pki/server/deployment/pkihelper.py", line 911, in wait_for_startup
      raise Exception('Server unreachable due to SSL error: %s' % reason) from exc
  autopkgtest [13:49:26]: test pkispawn: ---]
  autopkgtest [13:49:26]: test pkispawn:  - - - - - - - - - - results - - - - - - - - - -
  pkispawn             FAIL non-zero exit status 1
[Freeipa] [Bug 1875217] Re: /usr/lib/tmpfiles.d/certmonger.conf references path below legacy directory /var/run/
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: certmonger (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/1875217

Title:
  /usr/lib/tmpfiles.d/certmonger.conf references path below legacy directory /var/run/

Status in certmonger package in Ubuntu:
  Confirmed

Bug description:
  The systemd-tmpfiles service (on 20.04) logs this line in syslog:

  Apr 26 14:36:55 mysystem systemd-tmpfiles[94920]: /usr/lib/tmpfiles.d/certmonger.conf:3: Line references path below legacy directory /var/run/, updating /var/run/certmonger → /run/certmonger; please update the tmpfiles.d/ drop-in file accordingly.

  Changing the line to read "d /run/certmonger 0755 root root" resolves
  the issue.
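The warning quoted in the report is systemd-tmpfiles rewriting a legacy /var/run path on the fly; the durable fix is to change the drop-in itself. The following is an added example, not certmonger's or systemd's code: a checker that scans a tmpfiles.d drop-in for entries whose path field sits below a legacy prefix and returns both the findings and the corrected text, leaving comments and already-modern entries untouched. SAMPLE_CONF is constructed after the certmonger.conf line in the report; the /var/lock to /run/lock mapping goes beyond the report and follows systemd's own treatment of /var/lock as a legacy directory.

```python
"""Flag tmpfiles.d entries below the legacy /var/run (or /var/lock) tree and emit the
corrected lines, the change the bug report above asks for.

Added example, not certmonger's or systemd's code. SAMPLE_CONF is constructed after
the quoted certmonger.conf entry; /var/lock -> /run/lock is included because systemd
treats it as legacy in the same way (an assumption beyond the report).
"""
import re
from typing import List, Tuple

# Legacy prefix -> modern location.
LEGACY_PREFIXES = {"/var/run": "/run", "/var/lock": "/run/lock"}

SAMPLE_CONF = """\
# certmonger runtime directory (constructed sample)
d /var/run/certmonger 0755 root root
d /run/already-modern 0750 root root -
L /var/run/oldlink - - - - /run/target
d /var/runner 0755 root root
"""

# Type field (letter plus optional modifiers), the path, then the remaining fields
# (mode, user, group, age, argument) kept verbatim.
ENTRY_RE = re.compile(r"^(?P<type>[A-Za-z][A-Za-z+!=~^-]*)\s+(?P<path>\S+)(?P<rest>.*)$")


def rewrite_path(path: str) -> str:
    """Map a path under a legacy prefix to its /run equivalent; others unchanged."""
    for legacy, modern in LEGACY_PREFIXES.items():
        # Boundary check: /var/runner is not below /var/run.
        if path == legacy or path.startswith(legacy + "/"):
            return modern + path[len(legacy):]
    return path


def check_tmpfiles(text: str) -> Tuple[List[Tuple[int, str, str]], str]:
    """Return (findings, fixed_text).

    findings: (line number, legacy path, replacement path) per offending entry.
    fixed_text: the drop-in with only those path fields rewritten.
    """
    findings: List[Tuple[int, str, str]] = []
    fixed_lines: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            m = ENTRY_RE.match(stripped)
            if m:
                new_path = rewrite_path(m["path"])
                if new_path != m["path"]:
                    findings.append((lineno, m["path"], new_path))
                    line = f"{m['type']} {new_path}{m['rest']}"
        fixed_lines.append(line)
    return findings, "\n".join(fixed_lines) + "\n"
```

Only the path field is rewritten; the argument field of an L (symlink) entry is left alone, since a link target may legitimately refer to a path that exists under either name.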
[Freeipa] [Bug 1890786] Re: ipa-client-install fails on restarting non-existing chronyd.service
This bug was fixed in the package freeipa - 4.8.6-1ubuntu3

---
freeipa (4.8.6-1ubuntu3) groovy; urgency=medium

  * fix-chrony-service-name.diff: Map to correct chrony service name.
    (LP: #1890786)
  * fix-sssd-socket-activation.diff: Don't add a 'services =' line on
    sssd.conf. (LP: #1879083)

 -- Timo Aaltonen  Fri, 16 Oct 2020 10:34:47 +0300

** Changed in: freeipa (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1890786

Title:
  ipa-client-install fails on restarting non-existing chronyd.service

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  DistroRelease: Ubuntu 20.10
  Package: freeipa-client 4.8.6-1ubuntu2

  Client install fails:

  * LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
  Option --force-ntpd has been deprecated and will be removed in a future release.
  Discovery was successful!
  Client hostname: x0.cockpit.lan
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time
  No SRV records of NTP servers found and no NTP server or pool address was provided.
  CalledProcessError(Command ['/bin/systemctl', 'restart', 'chronyd.service'] returned non-zero exit status 5: 'Failed to restart chronyd.service: Unit chronyd.service not found.\n')
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

  /var/log/ipaclient-install.log basically says the same, just with a
  giant Traceback for CalledProcessError.

  freeipa-client could depend on chronyd, but IMHO it would be better to
  make this non-fatal. If one uses systemd-timesyncd (as we do by default
  in Ubuntu), that should be fine?
[Freeipa] [Bug 1879083] Re: default sssd.conf after ipa-client-install crashes sssd
This bug was fixed in the package freeipa - 4.8.6-1ubuntu3

---
freeipa (4.8.6-1ubuntu3) groovy; urgency=medium

  * fix-chrony-service-name.diff: Map to correct chrony service name.
    (LP: #1890786)
  * fix-sssd-socket-activation.diff: Don't add a 'services =' line on
    sssd.conf. (LP: #1879083)

 -- Timo Aaltonen  Fri, 16 Oct 2020 10:34:47 +0300

** Changed in: freeipa (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1879083

Title:
  default sssd.conf after ipa-client-install crashes sssd

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Notice ipa-client-install creates /etc/sssd/sssd.conf but changes in
  the sssd process's socket approach calls for that file to change
  /etc/sssd.conf from

  ...
  [sssd]
  services = nss, pam, ssh, sud
  ...

  to

  [sssd]
  #services = nss, pam, ssh, sud

  otherwise the sssd service either won't start or complains.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: freeipa-client 4.8.6-1ubuntu2
  ProcVersionSignature: Ubuntu 5.4.0-29.33-generic 5.4.30
  Uname: Linux 5.4.0-29-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: MATE
  Date: Sat May 16 12:51:21 2020
  InstallationDate: Installed on 2020-05-13 (2 days ago)
  InstallationMedia: Ubuntu-MATE 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)
[Freeipa] [Bug 1890786] Re: ipa-client-install fails on restarting non-existing chronyd.service
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1890786

Title:
  ipa-client-install fails on restarting non-existing chronyd.service

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  DistroRelease: Ubuntu 20.10
  Package: freeipa-client 4.8.6-1ubuntu2

  Client install fails:

  * LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
  Option --force-ntpd has been deprecated and will be removed in a future release.
  Discovery was successful!
  Client hostname: x0.cockpit.lan
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time
  No SRV records of NTP servers found and no NTP server or pool address was provided.
  CalledProcessError(Command ['/bin/systemctl', 'restart', 'chronyd.service'] returned non-zero exit status 5: 'Failed to restart chronyd.service: Unit chronyd.service not found.\n')
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

  /var/log/ipaclient-install.log basically says the same, just with a
  giant Traceback for CalledProcessError.

  freeipa-client could depend on chronyd, but IMHO it would be better to
  make this non-fatal. If one uses systemd-timesyncd (as we do by default
  in Ubuntu), that should be fine?
[Freeipa] [Bug 1874568] Re: Working config in eoan, bind9 fails after upgrade to fossa
This bug was fixed in the package bind-dyndb-ldap - 11.4-1

---
bind-dyndb-ldap (11.4-1) unstable; urgency=medium

  * New upstream release.
  * bind-9.16-support.diff: Dropped, upstream.

 -- Timo Aaltonen  Fri, 18 Sep 2020 12:01:09 +0300

** Changed in: bind-dyndb-ldap (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1874568

Title:
  Working config in eoan, bind9 fails after upgrade to fossa

Status in bind package in Ubuntu:
  Confirmed
Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released

Bug description:
  Configuration was working in Eoan. Just upgraded to Fossa. Bind9(named)
  will not start. Syslog show the following:

  Apr 23 16:55:58 ltserver2 named[1611]: starting BIND 9.16.1-Ubuntu (Stable Release)
  Apr 23 16:55:58 ltserver2 named[1611]: running on Linux x86_64 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020
  Apr 23 16:55:58 ltserver2 named[1611]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-OLooom/bind9-9.16.1=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
  Apr 23 16:55:58 ltserver2 named[1611]: running as: named -f -u bind
  Apr 23 16:55:58 ltserver2 named[1611]: compiled by GCC 9.3.0
  Apr 23 16:55:58 ltserver2 named[1611]: compiled with OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
  Apr 23 16:55:58 ltserver2 named[1611]: linked to OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
  Apr 23 16:55:58 ltserver2 named[1611]: compiled with libxml2 version: 2.9.10
  Apr 23 16:55:58 ltserver2 named[1611]: linked to libxml2 version: 20910
  Apr 23 16:55:58 ltserver2 named[1611]: compiled with json-c version: 0.13.1
  Apr 23 16:55:58 ltserver2 named[1611]: linked to json-c version: 0.13.1
  Apr 23 16:55:58 ltserver2 named[1611]: compiled with zlib version: 1.2.11
  Apr 23 16:55:58 ltserver2 named[1611]: linked to zlib version: 1.2.11
  Apr 23 16:55:58 ltserver2 named[1611]:
  Apr 23 16:55:58 ltserver2 named[1611]: BIND 9 is maintained by Internet Systems Consortium,
  Apr 23 16:55:58 ltserver2 named[1611]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
  Apr 23 16:55:58 ltserver2 named[1611]: corporation. Support and training for BIND 9 are
  Apr 23 16:55:58 ltserver2 named[1611]: available at https://www.isc.org/support
  Apr 23 16:55:58 ltserver2 named[1611]:
  Apr 23 16:55:58 ltserver2 named[1611]: adjusted limit on open files from 524288 to 1048576
  Apr 23 16:55:58 ltserver2 named[1611]: found 2 CPUs, using 2 worker threads
  Apr 23 16:55:58 ltserver2 named[1611]: using 2 UDP listeners per interface
  Apr 23 16:55:58 ltserver2 named[1611]: using up to 21000 sockets
  Apr 23 16:55:58 ltserver2 named[1611]: loading configuration from '/etc/bind/named.conf'
  Apr 23 16:55:58 ltserver2 named[1611]: reading built-in trust anchors from file '/etc/bind/bind.keys'
  Apr 23 16:55:58 ltserver2 named[1611]: looking for GeoIP2 databases in '/usr/share/GeoIP'
  Apr 23 16:55:58 ltserver2 named[1611]: using default UDP/IPv4 port range: [32768, 60999]
  Apr 23 16:55:58 ltserver2 named[1611]: using default UDP/IPv6 port range: [32768, 60999]
  Apr 23 16:55:58 ltserver2 named[1611]: listening on IPv4 interface enp3s0, #53
  Apr 23 16:55:58 ltserver2 named[1611]: IPv6 socket API is incomplete; explicitly binding to each IPv6 address separately
  Apr 23 16:55:58 ltserver2 named[1611]: listening on IPv6 interface lo, ::1#53
  Apr 23 16:55:58 ltserver2 named[1611]: listening on IPv6 interface enp3s0, %2#53
  Apr 23 16:55:58 ltserver2 named[1611]: unable to set effective uid to 0: Operation not permitted
  Apr 23 16:55:58 ltserver2 named[1611]: generating session key for dynamic DNS
  Apr 23 16:55:58 ltserver2 named[1611]: unable to set effective uid to 0: Operation not permitted
  Apr 23 16:55:58
[Freeipa] [Bug 1879083] Re: default sssd.conf after ipa-client-install crashes sssd
[Expired for freeipa (Ubuntu) because there has been no activity for 60 days.]

** Changed in: freeipa (Ubuntu)
       Status: Incomplete => Expired

--
https://bugs.launchpad.net/bugs/1879083

Title:
  default sssd.conf after ipa-client-install crashes sssd

Status in freeipa package in Ubuntu:
  Expired

Bug description:
  Notice ipa-client-install creates /etc/sssd/sssd.conf but changes in the sssd process's socket approach call for that file to change /etc/sssd.conf from

  ...
  [sssd]
  services = nss, pam, ssh, sud
  ...

  to

  [sssd]
  #services = nss, pam, ssh, sud

  otherwise the sssd service either won't start or complains.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: freeipa-client 4.8.6-1ubuntu2
  ProcVersionSignature: Ubuntu 5.4.0-29.33-generic 5.4.30
  Uname: Linux 5.4.0-29-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: MATE
  Date: Sat May 16 12:51:21 2020
  InstallationDate: Installed on 2020-05-13 (2 days ago)
  InstallationMedia: Ubuntu-MATE 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1879083/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1874915] [NEW] krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
You have been subscribed to a public bug:

Hopefully this can trivially be corrected. Seems the systemd service file for the kerberos portion of freeipa could use a minor tweak.

When restarting the kerberos service, it (incorrectly) reports that the default configured log file (/var/log/krb5kdc.log) is sending to a "read only filesystem". This is a misleading error, since the /var/log directory by default -IS- writeable, but systemd is in fact preventing the daemon from writing. Why systemd can't inject itself inappropriately and report that it's causing the trouble is another conversation. ;) [not personally a systemd fan]

File:
= /lib/systemd/system/krb5-kdc.service

Command:
= service krb5-kdc restart

Error:
= krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system

Please make the following adjustment to the default systemd file.
=
13c13
< ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
---
> ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log

Thank you for all the help and support. :)

Cheers,
-Chris

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: Triaged

--
krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system
https://bugs.launchpad.net/bugs/1874915
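Review bot: the replacement line (`> ReadWriteDirectories=... /var/log`) grants the KDC write access to the whole /var/log tree when the error names a single file; a narrower grant such as LogsDirectory=krb5kdc (systemd creates /var/log/krb5kdc and keeps it writable for the service even under ProtectSystem=strict) with the KDC's logging target moved into that directory keeps the rest of /var/log read-only for the daemon. Also, ReadWriteDirectories= is the pre-v231 spelling of ReadWritePaths=; both still parse, but the current name is the one systemd.exec(5) documents and the one a reader will look up.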
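The report above turns on one line of the unit file: whether the path the daemon writes falls inside the ReadWriteDirectories= allow-list. The following is an added example, not code from the bug report or from the freeipa or krb5 packages: it parses the [Service] section of a unit, accumulates the allow-list the way systemd does (repeated assignments append, an empty assignment resets, a leading "-" marks an optional entry, a leading "+" an entry relative to the host root) and answers whether a given path is covered. The unit excerpt is constructed for the example (the ProtectSystem=strict line is assumed, not quoted from the real krb5-kdc.service), and the check models only this allow-list, not the rest of the systemd sandbox.

```python
"""Check which paths a systemd unit leaves writable via ReadWritePaths=.

Added example, not part of the bug report or of the freeipa/krb5 packages.
Assumes the unit also uses ProtectSystem= (or similar), so that anything
outside the allow-list is read-only for the service.
"""
import posixpath
import re

# Both spellings: ReadWriteDirectories= is the old name of ReadWritePaths=.
RW_KEYS = ("ReadWritePaths", "ReadWriteDirectories")


def parse_rw_paths(unit_text):
    """Return [(path, optional)] from the unit's [Service] section."""
    section = None
    paths = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in RW_KEYS:
            continue
        if value == "":
            paths = []            # empty assignment resets the list
            continue
        for entry in value.split():
            optional = entry.startswith("-")   # '-': ignored if missing
            entry = entry.lstrip("-+")         # '+': relative to host root
            paths.append((posixpath.normpath(entry), optional))
    return paths


def is_writable(unit_text, target):
    """True if target equals, or lies below, an allow-listed path."""
    target = posixpath.normpath(target)
    for path, _optional in parse_rw_paths(unit_text):
        if target == path or target.startswith(path.rstrip("/") + "/"):
            return True
    return False


# Constructed unit excerpt carrying the line the bug report shows before
# the change; ProtectSystem=strict is assumed for the example.
UNIT_BEFORE = """\
[Unit]
Description=Kerberos 5 Key Distribution Center

[Service]
ProtectSystem=strict
ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
"""

# The same excerpt with the reporter's proposed addition of /var/log.
UNIT_AFTER = UNIT_BEFORE.rstrip("\n") + " /var/log\n"

if __name__ == "__main__":
    for name, text in (("before", UNIT_BEFORE), ("after", UNIT_AFTER)):
        print(name, "/var/log/krb5kdc.log writable:",
              is_writable(text, "/var/log/krb5kdc.log"))
```

Run against the two excerpts it reports the log file as not writable before the change and writable after it; feeding it the installed unit text (for example the output of `systemctl cat krb5-kdc`) shows the effective list after drop-ins are applied.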
[Freeipa] [Bug 1730039] Re: 389-console fails to connect with TLSv1.2
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: 389-console (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1730039

Title:
  389-console fails to connect with TLSv1.2

Status in 389-console package in Ubuntu:
  Confirmed
Status in jss package in Ubuntu:
  Confirmed

Bug description:
  389-console on Ubuntu 17.10 fails to connect to an instance of dirsrv-admin that has been configured to allow only TLSv1.2 connections (389-console on Ubuntu 17.04 works fine against the same instance).

  389-console -D 9 debug shows the following error:

  CREATE JSS SSLSocket
  Unable to create ssl socket
  org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error
          at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(Native Method)
          at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(SSLSocket.java:1398)
          at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
          at com.netscape.management.client.comm.CommManager.send(Unknown Source)
          at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
          at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
          at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
          at com.netscape.management.client.console.Console.(Unknown Source)
          at com.netscape.management.client.console.Console.main(Unknown Source)

  Downgrading the libjss-java package to version 4.3.1-7build1 from Ubuntu 17.04 fixes the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/389-console/+bug/1730039/+subscriptions
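The numbers in that exception are NSS protocol-version codes (a 16-bit major/minor pair: 0x0300 = 768 is SSL 3.0, 0x0301 = 769 TLS 1.0, 0x0302 = 770 TLS 1.1, 0x0303 = 771 TLS 1.2, 0x0304 = 772 TLS 1.3). Decoded, the message reads as a requested default range of SSL 3.0 to TLS 1.1 that the linked library, supporting TLS 1.0 to TLS 1.3, refuses, and separately a requested maximum that is below what a TLS 1.2-only server accepts. The following is an added example, not code from 389-console or JSS, that parses such a message and states both problems; the sample string is the error text from the report above.

```python
"""Decode an NSS/JSS SSL_VersionRangeSetDefault() range error.

Added example, not code from 389-console or JSS.  NSS encodes protocol
versions as 16-bit numbers (major byte, minor byte).  The message carries
the range that was requested (min/max) and, in parentheses, the range the
linked library supports.
"""
import re

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

RANGE_RE = re.compile(r"min=(\d+) max=(\d+) out of range \((\d+):(\d+)\)")


def version_name(code):
    """Human-readable protocol name, or the raw hex code if unknown."""
    return VERSION_NAMES.get(code, "0x%04x" % code)


def parse_range_error(message):
    """Return {'requested': (min, max), 'supported': (min, max)} or None."""
    m = RANGE_RE.search(message)
    if not m:
        return None
    req_min, req_max, sup_min, sup_max = (int(g) for g in m.groups())
    return {"requested": (req_min, req_max), "supported": (sup_min, sup_max)}


def diagnose(message, server_min=0x0303):
    """Explain the failure; server_min is the lowest version the server accepts
    (TLS 1.2 by default, matching the dirsrv-admin setup in the report)."""
    info = parse_range_error(message)
    if info is None:
        return "not a version-range error"
    (rmin, rmax), (smin, smax) = info["requested"], info["supported"]
    lines = [
        "requested default range: %s .. %s" % (version_name(rmin), version_name(rmax)),
        "library supports:        %s .. %s" % (version_name(smin), version_name(smax)),
    ]
    if rmin < smin or rmax > smax:
        lines.append("rejected: requested range is not inside the supported range")
    # Independently of the rejection, the client's ceiling matters: a server
    # that insists on server_min or newer can never be reached with rmax below it.
    if rmax < server_min:
        lines.append("client maximum %s is below the server minimum %s: handshake cannot succeed"
                     % (version_name(rmax), version_name(server_min)))
    return "\n".join(lines)


# Constructed from the error text in the bug report above.
SAMPLE = ("org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() "
          "for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error")

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The second finding is the one that matters for the deployment: even a library that accepted the request would leave the console capped at TLS 1.1, so a TLS 1.2-only dirsrv-admin stays unreachable until the client's default range is raised.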
[Freeipa] [Bug 1773843] Re: cannot upgrade freeipa-server
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1773843

Title:
  cannot upgrade freeipa-server

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  I am trying to upgrade from freeipa 4.7.0~pre1 to 4.7.0~pre2-0~ppa3 of the staging repository. The install fails with the following error:

  RemoteRetrieveError: Failed to authenticate to CA REST API

  In the past, I also tried upgrading freeipa 4.7.0~pre1 to 4.7.0~pre2-0~ppa2 or from 4.7.0~pre2-0~ppa2 to 4.7.0~pre2-0~ppa3. All these attempts failed with the same error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1773843/+subscriptions
[Freeipa] [Bug 1813916] Re: incorrect classpath in pki/cli/main.py
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1813916

Title:
  incorrect classpath in pki/cli/main.py

Status in dogtag-pki package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04

  Running the 'pki' command will fail when python executes java. The cmd array on line 101 in pki/cli/main.py has an incorrect classpath.

  Instead of
    '-Djava.ext.dirs=' + pki_lib,
  it needs to be:
    '-Djava.ext.dirs=' + pki_lib + ':/usr/share/java',

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813916/+subscriptions
[Freeipa] [Bug 1813919] Re: Incorrect trust flags in NSSDB when renewing subsystem certificates
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1813919

Title:
  Incorrect trust flags in NSSDB when renewing subsystem certificates

Status in dogtag-pki package in Ubuntu:
  Confirmed

Bug description:
  OS: ubuntu 18.04
  Dogtag: 10.6.0

  When renewing subsystem certificates in dogtag (by following the process described here: https://www.dogtagpki.org/wiki/System_Certificate_Renewal), OCSP will break due to incorrect trust flags in NSS.

  The certificate IDs are:
  'ocsp_signing' (gets 'u,u,u' should get 'CTu,Cu,Cu')
  'ocsp_audit_signing' (gets 'u,u,u' should get 'u,u,Pu')
  'ca_audit_signing' (gets 'u,u,u' should get 'u,u,Pu')

  To fix this certutil must be executed to correct them.

  In case anyone else finds this bug report and needs an emergency fix:

  certutil -M -t 'CTU,Cu,Cu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'ocspSigningCert cert-pki-tomcat OCSP'
  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat OCSP'
  certutil -M -t 'u,u,Pu' -d 'sql:/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-tomcat CA'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813919/+subscriptions
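Trust flags that silently regress on renewal are worth auditing rather than fixing once by hand. The following is an added example, not Dogtag code and not part of the bug report: it parses the table printed by `certutil -L -d <dbdir>` (nickname, then the SSL,S/MIME,JAR/XPI trust string), compares each nickname against the flags the report says the certificates should carry, and builds the `certutil -M` argv that would correct a mismatch without running it. The listing it checks is constructed to show the post-renewal state the report describes; the nicknames, database path and expected flags are taken from the report's own commands, and the extra Server-Cert line is made up for the example.

```python
"""Audit NSS trust flags of Dogtag subsystem certificates.

Added example, not part of Dogtag or of the bug report.  Flags within a
field are compared as sets, so 'CTu' and 'TCu' count as equal.
"""

DBDIR = "sql:/etc/pki/pki-tomcat/alias"   # path from the bug report

# Expected trust flags, keyed by nickname, as given in the report's commands.
EXPECTED = {
    "ocspSigningCert cert-pki-tomcat OCSP": "CTu,Cu,Cu",
    "auditSigningCert cert-pki-tomcat OCSP": "u,u,Pu",
    "auditSigningCert cert-pki-tomcat CA": "u,u,Pu",
}


def parse_certutil_list(output):
    """Map nickname -> trust string from `certutil -L` output."""
    certs = {}
    for line in output.splitlines():
        line = line.rstrip()
        # Skip the two header lines (the second is indented) and blanks.
        if not line or line.startswith("Certificate Nickname") or line.startswith(" "):
            continue
        nickname, trust = line.rsplit(None, 1)   # nicknames may contain spaces
        certs[nickname.strip()] = trust
    return certs


def normalize(trust):
    """Order-insensitive form of a trust string: one character set per field."""
    return tuple(frozenset(field) for field in trust.split(","))


def find_mismatches(certs, expected=EXPECTED):
    """Return [(nickname, actual, expected)] for wrong or missing entries."""
    bad = []
    for nick, want in expected.items():
        have = certs.get(nick)
        if have is None or normalize(have) != normalize(want):
            bad.append((nick, have, want))
    return bad


def fix_command(nickname, trust, dbdir=DBDIR):
    """argv for `certutil -M` that sets the trust flags (built, not executed)."""
    return ["certutil", "-M", "-t", trust, "-d", dbdir, "-n", nickname]


# Constructed `certutil -L` output showing the state the report describes
# after renewal: the three subsystem certificates carry 'u,u,u'.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-tomcat OCSP                         u,u,u
auditSigningCert cert-pki-tomcat OCSP                        u,u,u
auditSigningCert cert-pki-tomcat CA                          u,u,u
Server-Cert cert-pki-tomcat                                  u,u,u
"""

if __name__ == "__main__":
    # On a real host: listing = subprocess.check_output(
    #     ["certutil", "-L", "-d", DBDIR], text=True)
    for nick, have, want in find_mismatches(parse_certutil_list(SAMPLE_LISTING)):
        print("%s: has %s, expected %s" % (nick, have, want))
        print("  fix:", " ".join(fix_command(nick, want)))
```

Run after every renewal (or from a cron job that only reports), it catches the regression before OCSP responses start failing; because the comparison is per field, it will also flag the report's own 'CTU,Cu,Cu' as differing from 'CTu,Cu,Cu', which is the kind of typo a hand-typed emergency fix can leave behind.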
[Freeipa] [Bug 1800631] Re: ipa-server-upgrade fail
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1800631

Title:
  ipa-server-upgrade fail

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  When upgrading the package from an old version to the last freeipa-server package 4.3.1, it fails on the freeipa-server-upgrade command with this error:

  2018-10-30T09:54:10Z INFO [Add default CA ACL]
  2018-10-30T09:54:10Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
  2018-10-30T09:54:10Z INFO Default CA ACL already added
  2018-10-30T09:54:10Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  2018-10-30T09:54:10Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
      return_value = self.run()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
      server.upgrade()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1713, in upgrade
      upgrade_configuration()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1655, in upgrade_configuration
      set_sssd_domain_option('ipa_server_mode', 'True')
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1268, in set_sssd_domain_option
      domain.set_option(option, value)
    File "/usr/lib/python2.7/dist-packages/SSSDConfig/__init__.py", line 1143, in set_option
      (self.name, option))
  2018-10-30T09:54:10Z DEBUG The ipa-server-upgrade command failed, exception: NoOptionError: Section [mydomainmasked.tld] has no option [ipa_server_mode]
  2018-10-30T09:54:10Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NoOptionError: Section [mydomainmasked.tld] has no option [ipa_server_mode]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1800631/+subscriptions
[Freeipa] [Bug 1813155] Re: remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: jss (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1813155

Title:
  remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet

Status in dogtag-pki package in Ubuntu:
  Confirmed
Status in jss package in Ubuntu:
  Confirmed
Status in resteasy3.0 package in Ubuntu:
  Confirmed

Bug description:
  The current dogtag-pki stack in disco-proposed migrated to Java11 because everything built fine and was supposed to work. Turned out there are issues getting the tomcat instance up with ssl support, and upstream probably won't get to it before Fedora has switched to Java11.

  So, remove these from proposed and block re-entry for now, until the situation has improved.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1813155/+subscriptions
[Freeipa] [Bug 1813155] Re: remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1813155
[Freeipa] [Bug 1813155] Re: remove from disco-proposed, Dogtag doesn't support TLS 1.3/Java 11 yet
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: resteasy3.0 (Ubuntu)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1813155
[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
This bug was fixed in the package bind9 - 1:9.11.3+dfsg-1ubuntu1.3

---
bind9 (1:9.11.3+dfsg-1ubuntu1.3) bionic; urgency=medium

  [ Karl Stenerud ]
  * d/p/skip-rtld-deepbind-for-dyndb.diff: fix named-pkcs11 crashing on startup.
    Thanks to Petr Menšík (LP: #1769440)

 -- Andreas Hasenack  Wed, 10 Oct 2018 14:33:34 -0300

** Changed in: bind9 (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

--
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid
Status in bind9 source package in Bionic:
  Fix Released

Bug description:
  [Impact]

  Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail. This patch, also applied in fedora and debian, disables use of RTLD_DEEPBIND.

  https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
  https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b

  [Test Case]

  # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
  # uvt-kvm wait cosmic-freeipa
  # uvt-kvm ssh cosmic-freeipa

  Inside vm:

  # sudo su
  # apt purge -y cloud-init
  # echo "cosmic-freeipa.example.com" >/etc/hostname
  # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
  # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') cosmic-freeipa.example.com" >>/etc/hosts
  # apt update
  # apt dist-upgrade -y
  # reboot
  # apt install -y freeipa-server
    * Default Kerberos realm: EXAMPLE.COM
    * Kerberos servers: cosmic-freeipa.example.com
    * Administrative server: cosmic-freeipa.example.com

  Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder
  # ip addr

  # ipa-server-install --allow-zone-overlap
    * Do you want to configure integrated DNS (BIND): YES
    * Server host name: cosmic-freeipa.example.com
    * Please confirm the domain name: example.com
    * Please provide a realm name: EXAMPLE.COM
    * Directory Manager password: (anything)
    * IPA admin password: (anything)
    * Do you want to configure DNS forwarders: yes
    * Do you want to configure these servers as DNS forwarders?: no
    * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
    * Do you want to search for missing reverse zones?: yes

  Installation should fail.

  [Regression Potential]

  In theory, if another library with the exact same symbol is loaded, bind9 may end up calling the wrong function. This is, however, a potential problem with any program that loads shared libraries.

  [Original Description]

  Setting up FreeIPA server fails at "Configuring the web interface", step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG   step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions
[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/356439

--
https://bugs.launchpad.net/bugs/1769440

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid
Status in bind9 source package in Bionic:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions
[Freeipa] [Bug 1793994] Re: freeipa server upgrade fails trying to switch to authselect
This bug was fixed in the package freeipa - 4.7.1-1

---
freeipa (4.7.1-1) unstable; urgency=medium

  * New upstream release.
    - fix-replicainstall.diff dropped, not applicable anymore
    - ipa-httpd-pwdreader-force-fqdn.diff dropped, obsolete
    - refresh patches
    - server: drop ipa-replica-prepare
  * dont-migrate-to-authselect.diff
    We don't have authselect, so just return true when trying to migrate to it. (LP: #1793994)
  * control: Move client dependency on chrony to recommends. (Closes: #909803)
  * control: Build server on any arch again.
  * tests: Don't fail the tests, just dump the log if something goes wrong.

 -- Timo Aaltonen  Tue, 09 Oct 2018 10:30:09 +0300

** Changed in: freeipa (Ubuntu)
       Status: Triaged => Fix Released

--
https://bugs.launchpad.net/bugs/1793994

Title:
  freeipa server upgrade fails trying to switch to authselect

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  On upgrading freeipa using the staging ppa, I encountered the following failure:

  traceback:

  2018-09-03T17:46:05Z INFO [Migrating to authselect profile]
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
  2018-09-03T17:46:05Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
  2018-09-03T17:46:05Z DEBUG Starting external process
  2018-09-03T17:46:05Z DEBUG args=[None, 'select', 'sssd', '--force']
  2018-09-03T17:46:06Z DEBUG Process execution failed
  2018-09-03T17:46:06Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  2018-09-03T17:46:06Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 178, in execute
      return_value = self.run()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_upgrade.py", line 52, in run
      server.upgrade()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 2103, in upgrade
      upgrade_configuration()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1982, in upgrade_configuration
      migrate_to_authselect()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 1696, in migrate_to_authselect
      tasks.migrate_auth_configuration(statestore)
    File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 238, in migrate_auth_configuration
      ipautil.run(authselect_cmd)
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 518, in run
      preexec_fn=preexec_fn)
    File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
      errread, errwrite)
    File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
      raise child_exception
  2018-09-03T17:46:06Z DEBUG The ipa-server-upgrade command failed, exception: AttributeError: 'NoneType' object has no attribute 'rfind'
  2018-09-03T17:46:06Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: 'NoneType' object has no attribute 'rfind'
  2018-09-03T17:46:06Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

  Looking through /usr/lib/python2.7/dist-packages/ipaplatform/debian/tasks.py, I note that debian doesn't use authconfig. Presuming (perhaps wrongly) that authselect is similarly inapplicable, I modified def migrate_to_authselect() in /usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py to just return. With this change, upgrade completed successfully. I'm not sure if this is the correct approach.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1793994/+subscriptions
[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov  Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
       Status: In Progress => Fix Released

--
https://bugs.launchpad.net/bugs/1769485

Title:
  freeipa install server fails - cannot start apache server with SSL

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Bionic:
  Confirmed

Bug description:
  After having installed the new version of Tomcat 8, compatible with JDK 8 (see https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1765616), I am still stuck with freeipa-server on Ubuntu 18.04.

  The ipa-server-install script fails during step "[19/21]: starting httpd" of HTTP configuration. From my investigation, it seems that the problem is that the SSL private key in /var/lib/ipa/private/httpd.key has a passphrase, saved in /var/lib/ipa/-443-RSA. The passphrase is correct (I checked with openssl), but Apache does not find it.

  [Test Case]
  Add repository ppa:freeipa/ppa, install freeipa-server, run ipa-server-install.

  [What expected]
  ipa-server-install terminates without errors.

  [What happens]
  ipa-server-install fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769485/+subscriptions
[Freeipa] [Bug 1772921] Re: freeipa web ui -- incorrect configuration for awesome fonts
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov  Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772921

Title:
  freeipa web ui -- incorrect configuration for awesome fonts

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Hi, another bug for FreeIPA, but this is quite trivial and not very important either.

  The file /usr/share/ipa/ipa.conf.template contains the line

    Alias /ipa/ui/fonts/fontawesome "${FONTS_DIR}/fontawesome"

  for providing the Awesome font to web browsers. $FONTS_DIR is correctly replaced with /usr/share/fonts/truetype/ when the template is copied into the Apache configuration directory, but the name of the directory (fontawesome) is wrong in Ubuntu, since the font is actually installed into /usr/share/fonts/truetype/font-awesome/ (with the minus sign). As a result, the web ui is full of unrecognized UTF-8 glyphs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772921/+subscriptions
[Freeipa] [Bug 1772447] Re: freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov  Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772447

Title:
  freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  After having installed FreeIPA on Ubuntu 18.04, I cannot login by the web interface.

  I think the problem is that Apache uses the certificate in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this file is readable by everyone, the directory /var/lib/krb5kdc is only accessible by root.

  After a 'chmod 0755 /var/lib/krb5kdc' it is possible to login through the web interface.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772447/+subscriptions
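Added example (my own code, not from the bug report, FreeIPA or Apache) for the permission problem in bug 1772447: a world-readable file under a directory that only root can search. Checking the file's own mode bits is not enough; every directory on the path needs the search (execute) bit for the accessing user. The helper below walks the path the way the kernel's DAC check would for a given uid and group set, and reports the first component that denies access. The temp-dir layout, the placeholder file contents and the "other" uid/gid are constructed for the demo.

```python
"""Find which path component denies a non-root user access to a file."""
import os
import shutil
import stat
import tempfile
from typing import Optional, Set


def _perm_bits(st: os.stat_result, uid: int, gids: Set[int]):
    """Return (readable, searchable) for uid/gids from an inode's mode bits.

    Plain DAC evaluation: owner class if uid matches, else group class if
    the inode's gid is one of the caller's groups, else the 'other' class.
    uid 0 is treated as bypassing DAC, as root does on Linux.
    """
    if uid == 0:
        return True, True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR), bool(mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP), bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IROTH), bool(mode & stat.S_IXOTH)


def first_blocker(path: str, uid: int, gids: Set[int], root: str = "/") -> Optional[str]:
    """Return the first component below `root` that denies access, else None.

    Directories up to and including `root` are assumed reachable; every
    directory below it must be searchable and the final entry readable.
    """
    path = os.path.abspath(path)
    root = os.path.abspath(root)
    parts = os.path.relpath(path, root).split(os.sep)
    current = root
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        readable, searchable = _perm_bits(os.stat(current), uid, gids)
        last = i == len(parts) - 1
        if (not readable) if last else (not searchable):
            return current
    return None


def demo():
    """Rebuild the report's layout in a temp dir; return (before, after) blockers."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)              # mkdtemp creates 0700; open the top level
    kdcdir = os.path.join(base, "krb5kdc")
    os.mkdir(kdcdir)
    os.chmod(kdcdir, 0o700)            # the state the reporter found
    crt = os.path.join(kdcdir, "kdc.crt")
    with open(crt, "w") as fh:
        fh.write("constructed placeholder, not a real certificate\n")
    os.chmod(crt, 0o644)               # the file itself is world-readable
    st = os.stat(kdcdir)
    # constructed: a uid and a group that are neither the owner nor its group
    other_uid, other_gids = st.st_uid + 1000, {st.st_gid + 1000}
    try:
        before = first_blocker(crt, other_uid, other_gids, root=base)
        os.chmod(kdcdir, 0o755)        # the reporter's fix
        after = first_blocker(crt, other_uid, other_gids, root=base)
    finally:
        shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run as-is it prints the blocking directory first and None after the chmod; point first_blocker at a real path (root="/") with the web server's uid and groups to reproduce the same diagnosis on a live system.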
[Freeipa] [Bug 1772450] Re: freeipa server -- problems with certificates
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov  Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772450

Title:
  freeipa server -- problems with certificates

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  After having installed FreeIPA server on Ubuntu 18.04 and having sorted out all the other bugs, I still have problems with certificates.

  In the web interface, every attempt to select the "Authentication -> Certificates" tab ends with the following error

    IPA Error 4301: CertificateOperationError
    Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)

  The problem also occurs with command line utilities. For example, 'ipa cert-show 1' returns the error:

    'ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772450/+subscriptions
[Freeipa] [Bug 1778236] Re: missing GZIP path in freeipa platform configuration
This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov  Tue, 02 Oct 2018 23:32:01 +0100

** Changed in: freeipa (Ubuntu)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1778236

Title:
  missing GZIP path in freeipa platform configuration

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  The file "/usr/lib/python2.7/dist-packages/ipaplatform/debian/paths.py" is missing the line

    GZIP = "/bin/gzip"

  Without this definition, the default incorrect value of "/usr/bin/gzip" is used. Among the others, this is required by the "ipa-backup" command.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1778236/+subscriptions
[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: bind9 (Ubuntu Bionic)
       Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid
Status in bind9 source package in Bionic:
  Confirmed

Bug description:
  [Impact]

  Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.

  This patch, also applied in fedora and debian, disables use of RTLD_DEEPBIND.

  https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
  https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b

  [Test Case]

  # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
  # uvt-kvm wait cosmic-freeipa
  # uvt-kvm ssh cosmic-freeipa

  Inside vm:

  # sudo su
  # apt purge -y cloud-init
  # echo "cosmic-freeipa.example.com" >/etc/hostname
  # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
  # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') cosmic-freeipa.example.com" >>/etc/hosts
  # apt update
  # apt dist-upgrade -y
  # reboot
  # apt install -y freeipa-server
    * Default Kerberos realm: EXAMPLE.COM
    * Kerberos servers: cosmic-freeipa.example.com
    * Administrative server: cosmic-freeipa.example.com

  Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder

  # ip addr
  # ipa-server-install --allow-zone-overlap
    * Do you want to configure integrated DNS (BIND): YES
    * Server host name: cosmic-freeipa.example.com
    * Please confirm the domain name: example.com
    * Please provide a realm name: EXAMPLE.COM
    * Directory Manager password: (anything)
    * IPA admin password: (anything)
    * Do you want to configure DNS forwarders: yes
    * Do you want to configure these servers as DNS forwarders?: no
    * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
    * Do you want to search for missing reverse zones?: yes

  Installation should fail.

  [Regression Potential]

  In theory, if another library with the exact same symbol is loaded, bind9 may end up calling the wrong function. This is, however, a potential problem with any program that loads shared libraries.

  [Original Description]

  Setting up FreeIPA server fails at "Configuring the web interface", step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG   step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions
[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
This bug was fixed in the package bind9 - 1:9.11.4+dfsg-3ubuntu2

---
bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium

  * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
    crashing on startup. (LP: #1769440)

 -- Karl Stenerud  Thu, 30 Aug 2018 07:11:39 -0700

** Changed in: bind9 (Ubuntu)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Invalid

Bug description:
  [Impact]

  Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.

  This patch, also applied in fedora and debian, disables use of RTLD_DEEPBIND.

  https://src.fedoraproject.org/rpms/bind/c/3d5ea105bd877f0069452e450320f8877b01cb52?branch=master
  https://salsa.debian.org/dns-team/bind9/commit/afc6b5fe2e359e4e7eadc256cd94481965418b4b

  [Test Case]

  # uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
  # uvt-kvm wait cosmic-freeipa
  # uvt-kvm ssh cosmic-freeipa

  Inside vm:

  # sudo su
  # apt purge -y cloud-init
  # echo "cosmic-freeipa.example.com" >/etc/hostname
  # sed -i 's/127.0.1.1.*cosmic.*//g' /etc/hosts
  # echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') cosmic-freeipa.example.com" >>/etc/hosts
  # apt update
  # apt dist-upgrade -y
  # reboot
  # apt install -y freeipa-server
    * Default Kerberos realm: EXAMPLE.COM
    * Kerberos servers: cosmic-freeipa.example.com
    * Administrative server: cosmic-freeipa.example.com

  Get machine's ip address. You'll be using the x.x.x.1 address for the DNS forwarder

  # ip addr
  # ipa-server-install --allow-zone-overlap
    * Do you want to configure integrated DNS (BIND): YES
    * Server host name: cosmic-freeipa.example.com
    * Please confirm the domain name: example.com
    * Please provide a realm name: EXAMPLE.COM
    * Directory Manager password: (anything)
    * IPA admin password: (anything)
    * Do you want to configure DNS forwarders: yes
    * Do you want to configure these servers as DNS forwarders?: no
    * Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
    * Do you want to search for missing reverse zones?: yes

  Installation should fail.

  [Regression Potential]

  In theory, if another library with the exact same symbol is loaded, bind9 may end up calling the wrong function. This is, however, a potential problem with any program that loads shared libraries.

  [Original Description]

  Setting up FreeIPA server fails at "Configuring the web interface", step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG   step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG File
[Freeipa] [Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run
** Merge proposal linked:
   https://code.launchpad.net/~kstenerud/ubuntu/+source/bind9/+git/bind9/+merge/354002

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Confirmed
Status in freeipa package in Ubuntu:
  Invalid

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface", step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG   step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions
[Freeipa] [Bug 1772405] Re: freeipa dns install does not correctly configure reverse zones due to systemd-resolved
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: systemd (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772405

Title:
  freeipa dns install does not correctly configure reverse zones due to systemd-resolved

Status in freeipa package in Ubuntu:
  Triaged
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  In Ubuntu 18.04, ipa-dns-install (or ipa-server-install when asking to configure BIND) does not create reverse DNS zones for my domain. Note that I already fixed (or more correctly, circumvented) other bugs involving BIND, such as https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440.

  The problem seems due to the presence of systemd-resolved. When ipa-dns-install evaluates whether to create a reverse DNS zone, it tries to use the local DNS for resolving the IP address of the server. When you want to install BIND alongside IPA, this normally fails, and the installer knows it needs to configure an appropriate reverse zone. But when systemd-resolved is active, it takes the role of local DNS and answers this query: therefore, the installer thinks a reverse DNS zone is already present.

  To fix this problem I had to perform the following steps before calling ipa-dns-install (or ipa-server-install):

  1) stop systemd-resolved with "systemctl stop systemd-resolved".
  2) disable systemd-resolved with "systemctl disable systemd-resolved".
  3) delete the file "/etc/resolv.conf", which is a symlink to a file created by systemd.
  4) optionally, recreate "/etc/resolv.conf" pointing to the (real) local DNS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772405/+subscriptions
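Added example (my own code, not from the bug report or FreeIPA) for the mechanism described in bug 1772405: the reporter explains that the installer decides whether a reverse zone already exists by asking the local resolver for the server's PTR record, and that systemd-resolved's stub at 127.0.0.53 answers that query instead of failing. The helper below reads resolv.conf text, flags the stub resolver, and derives the PTR owner name and the in-addr.arpa zone the installer would otherwise have to create. The two resolv.conf samples and the 192.0.2.0/24 addresses are constructed; the /24 default for the zone size is an assumption.

```python
"""Preflight for the reverse-zone probe: is the local resolver trustworthy?"""
import ipaddress
import re
from typing import Dict

SYSTEMD_STUB = ipaddress.ip_address("127.0.0.53")
_NS_RE = re.compile(r"^nameserver\s+(\S+)")


def nameservers(resolv_conf: str) -> list:
    """Parse nameserver entries, ignoring '#'/';' comments and bad addresses."""
    found = []
    for raw in resolv_conf.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        m = _NS_RE.match(line)
        if not m:
            continue
        try:
            found.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # tolerate junk the way a resolver library would
    return found


def uses_systemd_stub(resolv_conf: str) -> bool:
    """True when queries go to systemd-resolved's loopback stub."""
    return SYSTEMD_STUB in nameservers(resolv_conf)


def reverse_zone(network: str) -> str:
    """Reverse zone name for an octet-aligned IPv4 network (/8, /16, /24)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def preflight(resolv_conf: str, server_ip: str, prefixlen: int = 24) -> Dict[str, object]:
    """Summarise whether a positive PTR answer can be trusted on this host."""
    ip = ipaddress.ip_address(server_ip)
    stub = uses_systemd_stub(resolv_conf)
    return {
        "stub_resolver": stub,
        "ptr_name": ip.reverse_pointer,
        "reverse_zone": reverse_zone(f"{ip}/{prefixlen}"),
        # a loopback stub answers from its own forwarders/cache, so a positive
        # answer says nothing about the zone this server is about to host
        "probe_trustworthy": not stub,
    }


# constructed sample: /etc/resolv.conf as the symlink to systemd's stub-resolv.conf
STUB_RESOLV_CONF = """\
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0
search example.com
"""

# constructed sample: a static resolv.conf pointing at the real site resolver
STATIC_RESOLV_CONF = "nameserver 192.0.2.53  # site resolver\nsearch example.com\n"

if __name__ == "__main__":
    print(preflight(STUB_RESOLV_CONF, "192.0.2.10"))
    print(preflight(STATIC_RESOLV_CONF, "192.0.2.10"))
```

Feed it the contents of the live /etc/resolv.conf before running the installer: a "stub_resolver" of True is the condition the reporter worked around with the four steps above, and "reverse_zone" is the zone to verify by hand afterwards.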
[Freeipa] [Bug 1784399] Re: package freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 failed to install/upgrade: installed freeipa-server package post-installation script subprocess returned error exit s
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1784399

Title:
  package freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 failed to install/upgrade: installed freeipa-server package post-installation script subprocess returned error exit status 1

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  I was trying to upgrade a freeipa server running ubuntu 16.04 to 18.04.

  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: freeipa-server 4.7.0~pre1+git20180411-2ubuntu2
  ProcVersionSignature: Ubuntu 4.15.0-29.31~16.04.1-generic 4.15.18
  Uname: Linux 4.15.0-29-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  Date: Mon Jul 30 14:32:34 2018
  ErrorMessage: installed freeipa-server package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2018-05-29 (62 days ago)
  InstallationMedia: Ubuntu-Server 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
  Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3ubuntu1
  PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
  RelatedPackageVersions:
   dpkg 1.19.0.5ubuntu2
   apt  1.6.3
  SourcePackage: freeipa
  Title: package freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 failed to install/upgrade: installed freeipa-server package post-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to bionic on 2018-07-30 (0 days ago)
  modified.conffile..etc.default.ipa-dnskeysyncd: [modified]
  mtime.conffile..etc.default.ipa-dnskeysyncd: 2018-06-19T16:17:32.099908

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1784399/+subscriptions
[Freeipa] [Bug 1785157] [NEW] external (letsencrypt) certs failing to parse due to pyasn1
You have been subscribed to a public bug by Timo Aaltonen (tjaalton):

attempting a clean installation of freeipa-server on bionic using letsencrypt certs passed as arguments fails with an error similar to:

  not in asn1Spec: encoding iso-8859-1>
  The ipa-server-certinstall command failed

I was able to bypass this by downgrading pyasn1 and pyasn1-modules:

  rm -rf /usr/lib/python2.7/dist-packages/pyasn1
  rm -rf /usr/lib/python2.7/dist-packages/pyasn1-0.4.2.egg-info/
  rm -rf /usr/lib/python2.7/dist-packages/pyasn1_modules
  rm -rf /usr/lib/python2.7/dist-packages/pyasn1_modules-0.2.1.egg-info
  apt install python-pip
  pip install pyasn1==0.2.3
  pip install pyasn1-modules==0.0.9

After that, installation is able to proceed with letsencrypt certificates passed in.

** Affects: pyasn1 (Ubuntu)
     Importance: Undecided
         Status: New

--
external (letsencrypt) certs failing to parse due to pyasn1
https://bugs.launchpad.net/bugs/1785157
You received this bug notification because you are a member of FreeIPA,
which is subscribed to the bug report.
[Freeipa] [Bug 1769485] Re: freeipa install server fails - cannot start apache server with SSL
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu Bionic)
       Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769485

Title:
  freeipa install server fails - cannot start apache server with SSL

Status in freeipa package in Ubuntu:
  In Progress
Status in freeipa source package in Bionic:
  Confirmed

Bug description:
  After having installed the new version of Tomcat 8, compatible with JDK 8 (see https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1765616), I am still stuck with freeipa-server on Ubuntu 18.04.

  The ipa-server-install script fails during step "[19/21]: starting httpd" of HTTP configuration.

  From my investigation, it seems that the problem is that the SSL private key in /var/lib/ipa/private/httpd.key has a passphrase, saved in /var/lib/ipa/-443-RSA. The passphrase is correct (I checked with openssl), but Apache does not find it.

  [Test Case]
  Add repository ppa:freeipa/ppa, install freeipa-server, run ipa-server-install.

  [What expected]
  ipa-server-install terminates without errors.

  [What happens]
  ipa-server-install fails.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769485/+subscriptions
[Freeipa] [Bug 1768865] Re: freeipa server installation fails on Bionic due to tomcat conflict
*** This bug is a duplicate of bug 1765616 ***
    https://bugs.launchpad.net/bugs/1765616

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1768865

Title:
  freeipa server installation fails on Bionic due to tomcat conflict

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Installing freeipa server fails at configuring certificate server (pki-tomcatd).

  ...
  Configuring kadmin
    [1/2]: starting kadmin
    [2/2]: configuring kadmin to start on boot
  Done configuring kadmin.
  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/28]: configuring certificate server instance
  ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpGu_KPq'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 300s\npkispawn: ERROR ... server failed to restart\n")
  ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
  ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
  ipapython.admintool: ERROR    CA configuration failed.
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  Looking more closely in /var/log/pki/pki-tomcat/catalina.out there are a bunch of java.io.FileNotFoundException

  root@usrv1:~# grep java.io.FileNotFoundException /var/log/pki/pki-tomcat/catalina.out
  java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/tomcat-annotations-api.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/el-api-2.1.jar (No such file or directory)
  java.io.FileNotFoundException: /usr/share/java/oscache.jar (No such file or directory)

  This has been discussed on the FreeIPA users list, and the conclusion was:

  "If Ubuntu 18.04 has Tomcat 8.5, you are not going to get it working with the current release of FreeIPA. We have been working on FreeIPA 4.7 for about a half a year now and only recently dogtag got support for tomcat 8.5. There are still bits and pieces which are being fixed in dogtag to support FreeIPA 4.7. I guess currently you aren't going to get any luck with Ubuntu/Debian builds."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1768865/+subscriptions
[Freeipa] [Bug 1730039] Re: 389-console fails to connect with TLSv1.2
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: jss (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to jss in Ubuntu.
https://bugs.launchpad.net/bugs/1730039

Title:
  389-console fails to connect with TLSv1.2

Status in 389-console package in Ubuntu:
  New
Status in jss package in Ubuntu:
  Confirmed

Bug description:
  389-console on Ubuntu 17.10 fails to connect to an instance of dirsrv-admin that has been configured to allow only TLSv1.2 connections (389-console on Ubuntu 17.04 works fine against the same instance).

  389-console -D 9 debug shows the following error:

  CREATE JSS SSLSocket
  Unable to create ssl socket
  org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error
          at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(Native Method)
          at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(SSLSocket.java:1398)
          at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
          at com.netscape.management.client.comm.CommManager.send(Unknown Source)
          at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
          at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
          at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
          at com.netscape.management.client.console.Console.(Unknown Source)
          at com.netscape.management.client.console.Console.main(Unknown Source)

  Downgrading the libjss-java package to version 4.3.1-7build1 from Ubuntu 17.04 fixes the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/389-console/+bug/1730039/+subscriptions
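Added example (my own code, not from the bug report, JSS or 389-console) that decodes the numbers in the SSL_VersionRangeSetDefault() error quoted in bug 1730039. NSS encodes protocol versions as major<<8 | minor: SSL 3.0 is 0x0300 (768), TLS 1.0 is 0x0301 (769), TLS 1.1 is 0x0302 (770), TLS 1.2 is 0x0303 (771) and TLS 1.3 is 0x0304 (772). Decoding both ranges in the message shows that the console asked for SSL 3.0..TLS 1.1 while the library only allows TLS 1.0..TLS 1.3, so the call is rejected outright, and that even an accepted request with that ceiling could never negotiate with a TLSv1.2-only server. The only input is the error line as it appears in the report.

```python
"""Decode NSS/JSS version-range figures from a SSL_VersionRangeSetDefault() error."""
import re
from typing import Dict

TLS_1_2 = 0x0303
_RANGE_RE = re.compile(r"min=(\d+)\s+max=(\d+)\s+out of range \((\d+):(\d+)\)")


def decode_version(code: int) -> str:
    """Map an NSS SSL_LIBRARY_VERSION_* value (major<<8 | minor) to a name."""
    major, minor = code >> 8, code & 0xFF
    if major == 3 and minor == 0:
        return "SSL 3.0"
    if major == 3 and 1 <= minor <= 4:
        return f"TLS 1.{minor - 1}"
    return f"unknown (0x{code:04x})"


def explain_range_error(message: str) -> Dict[str, object]:
    """Parse the requested and supported ranges from the error and decode both."""
    m = _RANGE_RE.search(message)
    if m is None:
        raise ValueError("no NSS version-range figures found in message")
    req_min, req_max, lib_min, lib_max = (int(x) for x in m.groups())
    return {
        "requested": (decode_version(req_min), decode_version(req_max)),
        "supported": (decode_version(lib_min), decode_version(lib_max)),
        # NSS refuses the call unless the requested range lies inside the
        # supported one; "out of range" is exactly that refusal
        "within_supported": lib_min <= req_min and req_max <= lib_max,
        # with this ceiling, TLS 1.2 could not be negotiated even on success
        "max_allows_tls12": req_max >= TLS_1_2,
    }


# the error line as quoted in the bug report
REPORTED_LINE = (
    "org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() "
    "for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error"
)

if __name__ == "__main__":
    for key, value in explain_range_error(REPORTED_LINE).items():
        print(f"{key}: {value}")
```

The same decoder reads any NSS range message of this shape, so it is a quick way to tell a client-side default problem (as here, fixed by the reporter via a libjss-java downgrade) from a genuine server-side protocol restriction.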
[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - Configuring the web interface, setting up ssl

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface", step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG   step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1769440/+subscriptions
[Freeipa] [Bug 1772205] [NEW] freeipa install does not correctly setup krb5-admin-server
You have been subscribed to a public bug:

In Ubuntu 18.04, ipa-server-install does not correctly configure krb5-admin-server. Therefore, the kadmin server does not start.

The problem is that the krb5-admin-server service needs the file /etc/krb5kdc/kadm5.acl. This file may be empty, but it should exist, otherwise the server does not start. However, the krb5-admin-server does not contain such a file, nor does the ipa-server-install command create it during its execution.

Note this was different in Ubuntu 16.04, where krb5-admin-server used to start even without the ACL file.

** Affects: freeipa (Ubuntu)
Importance: Undecided
Status: New

--
freeipa install does not correctly setup krb5-admin-server
https://bugs.launchpad.net/bugs/1772205
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
This bug was fixed in the package tomcat8 - 8.5.30-1ubuntu2

---
tomcat8 (8.5.30-1ubuntu2) cosmic; urgency=medium

  * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616)

 -- Timo Aaltonen  Tue, 24 Apr 2018 23:47:45 +0300

** Changed in: tomcat8 (Ubuntu)
Status: In Progress => Fix Released

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
freeipa server install fails - RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu: Invalid
Status in tomcat8 package in Ubuntu: Fix Released
Status in freeipa source package in Bionic: Invalid
Status in tomcat8 source package in Bionic: Confirmed
Status in tomcat8 package in Debian: New

Bug description:
[Impact]
The issue occurs while installing IPA server. More specifically whilst configuring pki-tomcatd. The following error is produced.

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpEHq9Ex'] returned non-zero exit status 1: u"pkispawn: ERROR ... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!\npkispawn : ERROR... server did not start after 60s\npkispawn: ERROR ... server failed to restart\n")
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The cause for this is that tomcat8 is built with JDK9 and is not compatible with instances that have to use JRE8 for other reasons.

[Test Case]
Install freeipa-server, run ipa-server-install.

[Regression Potential]
The fix is a fairly big patch for tomcat8 to modify the code so that it runs with JRE8. It passes the upstream test suite when run with JRE8, though tomcat itself was built with the default JDK.

[Other info]
Patch will be sent upstream too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: tomcat8 (Ubuntu Bionic)
Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
freeipa server install fails - RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu: Invalid
Status in tomcat8 package in Ubuntu: In Progress
Status in freeipa source package in Bionic: Invalid
Status in tomcat8 source package in Bionic: Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
[Freeipa] [Bug 1765616] Re: freeipa server install fails - RuntimeError: CA configuration failed.
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu Bionic)
Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1765616

Title:
freeipa server install fails - RuntimeError: CA configuration failed.

Status in freeipa package in Ubuntu: Invalid
Status in tomcat8 package in Ubuntu: In Progress
Status in freeipa source package in Bionic: Invalid
Status in tomcat8 source package in Bionic: Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/+subscriptions
[Freeipa] [Bug 1717998] Re: Please remove tomcat8.0 before 18.04 releases
This bug was fixed in the package tomcat8 - 8.5.30-1ubuntu1

---
tomcat8 (8.5.30-1ubuntu1) bionic; urgency=medium

  * control: Break/replace tomcat8.0 binaries. (LP: #1717998)

 -- Timo Aaltonen  Thu, 19 Apr 2018 14:53:19 +0300

** Changed in: tomcat8 (Ubuntu)
Status: New => Fix Released

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to tomcat8.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1717998

Title:
Please remove tomcat8.0 before 18.04 releases

Status in tomcat8 package in Ubuntu: Fix Released
Status in tomcat8.0 package in Ubuntu: Triaged

Bug description:
This package is meant to be temporary to allow tomcatjss, dogtag-pki (and thus freeipa) to work until upstream has ported the components for tomcat 8.5 and up.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1717998/+subscriptions
[Freeipa] [Bug 1733571] Re: unable to access kerberized nfs4 shares with keyring ccache
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: nfs-utils (Ubuntu)
Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1733571

Title:
unable to access kerberized nfs4 shares with keyring ccache

Status in freeipa package in Ubuntu: Confirmed
Status in nfs-utils package in Ubuntu: Confirmed

Bug description:
# Problem
With default `ipa-client-install` method, users authenticated to kerberos cannot access kerberized nfs shares from other ipa joined ubuntu hosts, even though permissions are correct.

# Steps to reproduce
1. Set up FreeIPA server on CentOS 7 per default docs
2. Set up two Ubuntu 16.04 hosts, one `server.domain.tld` one `client.domain.tld`, join both to FreeIPA
3. Create principals `nfs/server.domain.tld` and `nfs/client.domain.tld`
4. Create user in FreeIPA `testuser`
5. Install `nfs-kernel-server` on `server.domain.tld` and share `/srv/nfs4`: `/srv/nfs4 *(sec=krb5i,rw,fsid=root,crossmnt,no_subtree_check,root_squash)`, run `exportfs -rav`
6. Create some files and directories in `/srv/nfs4` owned by `testuser:testuser`
7. Install `nfs-common` on `client.domain.tld` and mount: `mount -t nfs4 server.domain.tld:/ /srv/nfs4`
8. Log in as `testuser` and `kinit testuser` if necessary
9. `cd /srv/nfs4; ls /srv/nfs4; touch /srv/nfs4/some_file`

# Expected result
Changing of working directory to `/srv/nfs4`, listing directory contents and creating new file

# Actual result
`Permission denied`

# Reason
After quite some time debugging I found that `gssd` in Ubuntu 16.04 cannot read kernel persistent keyrings for kerberos' ccache. Removing the line `default_ccache_name = KEYRING:persistent:%{uid}` from `/etc/krb5.conf` solved the issue. This config file is created by `ipa-client-install` in `configure_krb5_conf()` after `#configure KEYRING CCACHE if supported`.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: freeipa-client 4.3.1-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
Uname: Linux 4.4.0-101-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.12
Architecture: amd64
Date: Tue Nov 21 12:41:59 2017
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
 Users in the 'systemd-journal' group can see all messages. Pass -q to turn off this notice.
 No journal files were opened due to insufficient permissions.
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1733571/+subscriptions
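The reporter's diagnosis above comes down to one `[libdefaults]` setting: `ipa-client-install` selects a kernel-keyring credential cache, and the `rpc.gssd` shipped with that nfs-utils cannot read it, so every NFS request is made without Kerberos credentials and the server answers `Permission denied`. The Python below is an added example, not code from the bug report, ipa-client-install or nfs-utils: it parses a constructed krb5.conf (placeholder realm and host names), reports the cache type chosen by `default_ccache_name`, and applies the reporter's fix by dropping that line so MIT krb5's built-in `FILE:/tmp/krb5cc_%{uid}` default takes over. Whether the local gssd understands keyrings is an assumed input (`gssd_supports_keyring`), since that depends on the nfs-utils build.

```python
"""Spot a Kerberos credential-cache type that rpc.gssd cannot read."""
import re

# Constructed sample of the krb5.conf written by ipa-client-install on the
# reporter's Ubuntu 16.04 client; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = DOMAIN.TLD
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  #configure KEYRING CCACHE if supported
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  DOMAIN.TLD = {
    kdc = server.domain.tld:88
    admin_server = server.domain.tld:749
  }
"""

# MIT krb5's compiled-in default when default_ccache_name is not set.
MIT_DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"

_CCACHE_LINE = re.compile(r"^[ \t]*default_ccache_name[ \t]*=.*$", re.MULTILINE)


def parse_libdefaults(text):
    """Return the top-level key = value pairs of the [libdefaults] section."""
    values = {}
    section = None
    depth = 0  # brace depth; only depth-0 keys are section-level settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1].strip().lower(), 0
            continue
        if section != "libdefaults":
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def ccache_type(name):
    """'KEYRING:persistent:%{uid}' -> 'KEYRING'; a bare path means FILE."""
    head, sep, _ = name.partition(":")
    return head.upper() if sep else "FILE"


def check_gssd_compat(text, gssd_supports_keyring=False):
    """Flag a default_ccache_name that rpc.gssd on this host cannot read.

    gssd_supports_keyring is an assumed input: the reporter found that the
    Ubuntu 16.04 nfs-utils gssd cannot read kernel persistent keyrings;
    pass True for a build that can.
    """
    name = parse_libdefaults(text).get("default_ccache_name", MIT_DEFAULT_CCACHE)
    ctype = ccache_type(name)
    compatible = ctype != "KEYRING" or gssd_supports_keyring
    return {
        "default_ccache_name": name,
        "type": ctype,
        "compatible": compatible,
        "advice": None if compatible else (
            "rpc.gssd cannot read KEYRING caches on this host; remove the "
            "default_ccache_name line (falls back to %s)" % MIT_DEFAULT_CCACHE),
    }


def without_keyring_ccache(text):
    """Apply the reporter's fix: drop default_ccache_name when it is KEYRING."""
    if check_gssd_compat(text)["type"] != "KEYRING":
        return text
    return _CCACHE_LINE.sub("", text)


if __name__ == "__main__":
    print("before:", check_gssd_compat(SAMPLE_KRB5_CONF))
    print("after: ", check_gssd_compat(without_keyring_ccache(SAMPLE_KRB5_CONF)))
```

Run it against a copy of `/etc/krb5.conf` before and after enrolment; a `KEYRING` result on a host whose gssd predates keyring support is the configuration the report describes.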
[Freeipa] [Bug 1716842] Re: dogtag-pki needs porting work for tomcat 8.5
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1716842

Title:
dogtag-pki needs porting work for tomcat 8.5

Status in dogtag-pki package in Ubuntu: Incomplete
Status in freeipa package in Ubuntu: Confirmed
Status in dogtag-pki package in Debian: Fix Released

Bug description:
dogtag-pki needs porting work for tomcat8, demoting to proposed for now, plus the freeipa dependency.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1716842/+subscriptions
[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library
This bug was fixed in the package freeipa - 4.4.3-3ubuntu2.1

---
freeipa (4.4.3-3ubuntu2.1) zesty; urgency=medium

  * client.dirs: Ship /etc/krb5.conf.d, because not having that breaks the installer when krb5.conf tries to include it. (LP: #1693154)

 -- Timo Aaltonen  Wed, 14 Jun 2017 13:56:03 +0300

** Changed in: freeipa (Ubuntu Zesty)
Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu: Fix Released
Status in freeipa source package in Zesty: Fix Released
Status in kerberos-configs package in Debian: New

Bug description:
[Impact]
ipa-client-install fails because it modifies /etc/krb5.conf to include /etc/krb5.conf.d which doesn't exist, so kinit fails. The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-client.

[Test case]
Enroll an IPA client with ipa-client-install, it should pass.

[Regression potential]
None, this is a safe addition.

[original description]
Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. Running ipa-client-install manually shows why:

$ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
$ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf
$ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
Discovery was successful!
Client hostname: autopkgtest
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan

Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

Installation failed. Rolling back changes.
IPA client is not configured on this system.

stracing shows that it tries to access /etc/krb5.conf.d/ which does not exist. mkdir'ing this is sufficient to fix it. I'm not entirely sure if this is really in freeipa-client or krb5-user (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: freeipa-client 4.4.3-3ubuntu2
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
Date: Wed May 24 09:30:57 2017
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions
[Freeipa] [Bug 1691655] Re: pki-base postinst creates corrupt /etc/pki/pki.version
This bug was fixed in the package dogtag-pki - 10.3.5+12-4

---
dogtag-pki (10.3.5+12-4) unstable; urgency=medium

  * pki-tomcatd.init: If no instance is configured, the initscript machinery would return error value 5 or 6. This messes up systemd, so just use 'exit 1' on every non-zero return value. (LP: #1664453)
  * pki-server.postinst: Clarify pki-tomcatd initial start failure message a bit.
  * Depend libresteasy-java << 3.1.0, because the new one doesn't work even after fixing the build.
  * pki-tools.links: Fix the convenience links DRMTool -> KRATool. (Closes: #857209)
  * pki-base.postinst: Force recreating pki.version if upgrading from older than 10.3.5-1. (LP: #1691655)

 -- Timo Aaltonen  Thu, 18 May 2017 09:10:17 +0300

** Changed in: dogtag-pki (Ubuntu)
Status: New => Fix Released

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1691655

Title:
pki-base postinst creates corrupt /etc/pki/pki.version

Status in dogtag-pki package in Ubuntu: Fix Released
Status in dogtag-pki source package in Zesty: New

Bug description:
[Impact]
Upgrading pki-base from xenial to zesty fails, because /etc/pki/pki.version created on xenial looks like this:

Configuration-Version: 10.2.6+git20160317

while it should just have 10.2.6. To fix the upgrade, the file should be recreated if old pki-base is older than 10.3.5-1.

[Test case]
Install pki-base on a xenial chroot, sed -i 's/xenial/zesty/' /etc/apt/sources.list, apt dist-upgrade. It should not fail.

[Regression potential]
Can't think of any.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1691655/+subscriptions
[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert
[Expired for freeipa (Ubuntu) because there has been no activity for 60 days.]

** Changed in: freeipa (Ubuntu)
Status: Incomplete => Expired

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1635568

Title:
freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

Status in freeipa package in Ubuntu: Expired

Bug description:
Ubuntu version - Ubuntu 14.04.5 LTS
freeipa-client package version - 3.3.4-0ubuntu3.1

What is expected:

root@ip-10-5-0-73:/home/ubuntu# ipa-client-install --mkhomedir
Discovery was successful!
Client hostname: ip-10-5-0-73.eu-west-1.compute.internal
Realm: ID.DOMAIN.COM
DNS Domain: id.domain.com
IPA Server: directory.id.domain.com
BaseDN: dc=id,dc=domain,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: enroll.user
Password for enroll.u...@id.domain.com:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=ID.DOMAIN.COM
    Issuer: CN=Certificate Authority,O=ID.DOMAIN.COM
    Valid From: Wed Oct 19 14:54:08 2016 UTC
    Valid Until: Sun Oct 19 14:54:08 2036 UTC

    Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From: Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC

    Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From: Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC

    Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Valid From: Tue Jan 19 00:00:00 2010 UTC
    Valid Until: Mon Jan 18 23:59:59 2038 UTC

    Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Valid From: Wed Feb 12 00:00:00 2014 UTC
    Valid Until: Sun Feb 11 23:59:59 2029 UTC

    Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    Valid From: Tue May 30 10:48:38 2000 UTC
    Valid Until: Sat May 30 10:48:38 2020 UTC

    Subject: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Valid From: Wed Feb 12 00:00:00 2014 UTC
    Valid Until: Sun Feb 11 23:59:59 2029 UTC

    Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Valid From: Tue Jan 19 00:00:00 2010 UTC
    Valid Until: Mon Jan 18 23:59:59 2038 UTC

Enrolled in IPA realm ID.DOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ID.DOMAIN.COM
trying https://directory.id.domain.com/ipa/json
Forwarding 'ping' to json server 'https://directory.id.domain.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://directory.id.domain.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to json server 'https://directory.id.domain.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring id.domain.com as NIS domain.
Client configuration complete.

What happened instead:

root@ip-10-5-0-73:/home/ubuntu#
[Freeipa] [Bug 1677139] Re: pkcs11 setup needs fixes for SoftHSM 2.2
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu Aa-series)
Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1677139

Title:
pkcs11 setup needs fixes for SoftHSM 2.2

Status in freeipa package in Ubuntu: Confirmed
Status in freeipa source package in Zesty: Confirmed
Status in freeipa source package in aa-series: Confirmed

Bug description:
[Impact]
https://pagure.io/freeipa/issue/6692
SoftHSM 2.2 broke freeipa DNS integration.

[Test case]
Install ipa server with 'ipa-server-install --setup-dns'.

[Regression potential]
The patch touches only the pkcs11 helper, so shouldn't regress anything else.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1677139/+subscriptions
[Freeipa] [Bug 1677139] Re: pkcs11 setup needs fixes for SoftHSM 2.2
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1677139

Title:
pkcs11 setup needs fixes for SoftHSM 2.2

Status in freeipa package in Ubuntu: Confirmed
Status in freeipa source package in Zesty: Confirmed
Status in freeipa source package in aa-series: Confirmed

Bug description:
[Impact]
https://pagure.io/freeipa/issue/6692
SoftHSM 2.2 broke freeipa DNS integration.

[Test case]
Install ipa server with 'ipa-server-install --setup-dns'.

[Regression potential]
The patch touches only the pkcs11 helper, so shouldn't regress anything else.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1677139/+subscriptions
[Freeipa] [Bug 1635568] Re: freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: freeipa (Ubuntu)
Status: New => Confirmed

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1635568

Title:
freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert

Status in freeipa package in Ubuntu: Confirmed
[Freeipa] [Bug 1630911] Re: freeipa-client has a hard dependency on "ntp" which is not wanted in lxd environment
This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

---
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium

  * fix-is-running.diff: Add a third argument to is_running() in
    ipaplatform/debian/services.py.

 -- Timo Aaltonen  Fri, 17 Feb 2017 01:40:15 +0200

** Changed in: freeipa (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1630911

Title:
  freeipa-client has a hard dependency on "ntp" which is not wanted in
  lxd environment

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  [Note: the package is called "freeipa-client" but launchpad only lets
  me select "freeipa"]

  The "freeipa-client" package has a hard dependency on "ntp". However:
  when running Ubuntu inside an lxd container, ntpd cannot run: the host
  is responsible for setting the clock, not the container.

  Hence I want to "apt-get remove ntp" from inside the container. But if
  I do so, this forcibly removes the "freeipa-client" package as well,
  because of the dependency. This in turn leaves a whole heap of
  dangling packages - see below - which are vulnerable to being
  accidentally removed.

  Proposal: change to "Recommends: ntp" instead of "Depends: ntp"

  ---

  # apt-get remove ntp
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages were automatically installed and are no longer required:
    bind9utils certmonger cracklib-runtime freeipa-common ieee-data iproute
    libavahi-client3 libavahi-common-data libavahi-common3 libbasicobjects0
    libc-ares2 libcollection4 libcrack2 libcups2 libcurl3 libcurl3-nss
    libdhash1 libfreetype6 libini-config5 libipa-hbac0 libjbig0
    libjpeg-turbo8 libjpeg8 liblcms2-2 libldb1 libnfsidmap2 libnl-3-200
    libnl-route-3-200 libnspr4 libnss-sss libnss3 libnss3-nssdb
    libnss3-tools libopts25 libpam-pwquality libpam-sss libpath-utils1
    libpwquality-common libpwquality1 libref-array1 libsmbclient
    libsss-idmap0 libsss-nss-idmap0 libsss-sudo libtdb1 libtevent0 libtiff5
    libwebp5 libwebpmux1 libxmlrpc-core-c3 libxslt1.1 oddjob
    oddjob-mkhomedir python-bs4 python-cffi python-cffi-backend
    python-chardet python-cryptography python-dbus python-decorator
    python-dnspython python-enum34 python-gi python-gssapi python-html5lib
    python-idna python-imaging python-ipaclient python-ipaddress
    python-ipalib python-jwcrypto python-ldap python-libipa-hbac python-lxml
    python-memcache python-netaddr python-nss python-pil
    python-pkg-resources python-ply python-pyasn1 python-pycparser
    python-qrcode python-setuptools python-six python-sss python-talloc
    python-usb python-yubico samba-libs sssd sssd-ad sssd-ad-common
    sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy
  Use 'apt autoremove' to remove them.
  The following packages will be REMOVED:
    freeipa-client ntp
  0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 2002 kB disk space will be freed.
  Do you want to continue? [Y/n] n
  Abort.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: freeipa-client 4.3.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-34.53-generic 4.4.15
  Uname: Linux 4.4.0-34-generic x86_64
  NonfreeKernelModules: nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip6table_filter ip6_tables xt_conntrack ufs msdos xfs binfmt_misc veth ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack isofs xt_CHECKSUM iptable_mangle xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables zfs zunicode zcommon znvpair spl zavl ppdev xen_fbfront syscopyarea sysfillrect sysimgblt fb_sys_fops serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse floppy
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  Date: Thu Oct 6 09:05:52 2016
  Ec2AMI: ami-c06b1eb3
  Ec2AMIManifest: (unknown)
  Ec2AvailabilityZone: eu-west-1a
  Ec2InstanceType: t2.medium
  Ec2Kernel: unavailable
  Ec2Ramdisk: unavailable
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1630911/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
[Freeipa] [Bug 1640732] Re: krb5-otp package not being installed when ipa-server-install
This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

** Changed in: freeipa (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1640732

Title:
  krb5-otp package not being installed when ipa-server-install

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  While using Freeipa server with an external RADIUS server (which in
  turn is connected to an OTP authenticator), freeipa-server fails to
  load the required krb5-otp module. That's because the module is simply
  not there and every request sent by a user using FAST/OTP will fail.

  This is the message on /var/log/auth:

  NEEDED_PREAUTH: johndoe@REALM for krbtgt/REALM, Additional pre-authentication required

  The user gets (note that he is not prompted for OTP, the request
  simply dies):

  root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
  [2872] 1478769982.447733: Resolving unique ccache of type KEYRING
  [2872] 1478769982.449824: Getting initial credentials for johndoe@REALM
  [2872] 1478769982.453943: FAST armor ccache: KEYRING:persistent:0:0
  [2872] 1478769982.454171: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
  [2872] 1478769982.454284: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
  [2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
  [2872] 1478769982.454484: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
  [2872] 1478769982.454637: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
  [2872] 1478769982.454733: Armor ccache sesion key: aes256-cts/03D3
  [2872] 1478769982.454836: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/8CB1, session key aes256-cts/03D3
  [2872] 1478769982.455045: FAST armor key: aes256-cts/21EB
  [2872] 1478769982.455147: Encoding request body and padata into FAST request
  [2872] 1478769982.455272: Sending request (947 bytes) to REALM
  [2872] 1478769982.455437: Resolving hostname freeipa.realm.com
  [2872] 1478769982.455900: Initiating TCP connection to stream 10.80.40.243:88
  [2872] 1478769982.456147: Sending TCP request to stream 10.80.40.243:88
  [2872] 1478769982.464118: Received answer (488 bytes) from stream 10.80.40.243:88
  [2872] 1478769982.464126: Terminating TCP connection to stream 10.80.40.243:88
  [2872] 1478769982.464147: Response was from master KDC
  [2872] 1478769982.464161: Received error from KDC: -1765328359/Additional pre-authentication required
  [2872] 1478769982.464166: Decoding FAST response
  [2872] 1478769982.464438: Processing preauth types: 136, 133, 137
  [2872] 1478769982.464446: Received cookie: MIT
  kinit: Generic preauthentication failure while getting initial credentials

  Solution:

  $ sudo apt-get install krb5-otp
  $ sudo service krb5-kdc restart
  $ sudo service krb5-admin-server restart

  After that everything works as expected:

  root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
  [2924] 1478770020.592804: Resolving unique ccache of type KEYRING
  [2924] 1478770020.592994: Getting initial credentials for johndoe@REALM
  [2924] 1478770020.596893: FAST armor ccache: KEYRING:persistent:0:0
  [2924] 1478770020.597091: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
  [2924] 1478770020.597744: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
  [2924] 1478770020.597822: Using FAST due to armor ccache negotiation result
  [2924] 1478770020.597884: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
  [2924] 1478770020.598012: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
  [2924] 1478770020.598102: Armor ccache sesion key: aes256-cts/03D3
  [2924] 1478770020.598199: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/E28F, session key aes256-cts/03D3
  [2924] 1478770020.598381: FAST armor key: aes256-cts/8677
  [2924] 1478770020.598471: Encoding request body and padata into FAST request
  [2924] 1478770020.598585: Sending request (947 bytes) to REALM
  [2924] 1478770020.598669: Resolving hostname freeipa.realm.com
  [2924] 1478770020.599039: Initiating TCP connection to stream 10.80.40.243:88
  [2924] 1478770020.599366: Sending TCP request to stream
[Freeipa] [Bug 1664453] Re: autopkgtests failing with systemd-232
This bug was fixed in the package dogtag-pki - 10.3.5+12-3ubuntu1

---
dogtag-pki (10.3.5+12-3ubuntu1) zesty; urgency=medium

  * pki-tomcatd.init: If no instance is configured, the initscript
    machinery would return error value 5 or 6. This messes up systemd, so
    just use 'exit 1' on every non-zero return value. (LP: #1664453)

 -- Timo Aaltonen  Thu, 16 Feb 2017 16:43:49 +0200

** Changed in: dogtag-pki (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1664453

Title:
  autopkgtests failing with systemd-232

Status in dogtag-pki package in Ubuntu:
  Fix Released

Bug description:
  The autopkgtests for dogtag-pki are failing. It looks like this started
  with the upgrade of systemd to 232.

  Previously, pki-tomcatd was marked as failed on startup:

  Job for pki-tomcatd.service failed because the control process exited with error code.
  See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
  invoke-rc.d: initscript pki-tomcatd, action "start" failed.
  ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
     Loaded: loaded (/etc/init.d/pki-tomcatd; generated; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2016-11-07 20:51:19 UTC; 14ms ago
       Docs: man:systemd-sysv-generator(8)
    Process: 8100 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=5)

  Now, the service is marked as started and exited:

  ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
     Loaded: loaded (/etc/init.d/pki-tomcatd; generated; vendor preset: enabled)
     Active: active (exited) since Tue 2017-02-14 06:02:25 UTC; 31s ago
       Docs: man:systemd-sysv-generator(8)

  Since systemd-sysv-generator uses RemainAfterExit=true, subsequent
  "systemctl start pki-tomcatd" invocations do nothing.

  I believe the relevant systemd change is:
  https://github.com/systemd/systemd/commit/41e2036eb83204df95a1c3e829bcfd78ee17aaa3
  which fixed it to detect the special LSB exit codes as intended.

  I see that .../scriptlets/configuration.py issues start() when
  configuring the first tomcat instance and restart() for subsequent
  instances (line 364). Maybe one workaround would be to use restart()
  unconditionally for now? That looks like it does roughly the right
  thing.
[Freeipa] [Bug 1664457] Re: dogtag-pki ftbfs with libresteasy-java 3.1.0
This bug was fixed in the package dogtag-pki - 10.3.5+12-3ubuntu1

** Changed in: dogtag-pki (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1664457

Title:
  dogtag-pki ftbfs with libresteasy-java 3.1.0

Status in dogtag-pki package in Ubuntu:
  Fix Released

Bug description:
  https://launchpadlibrarian.net/302962949/buildlog_ubuntu-zesty-amd64.dogtag-pki_10.3.5-7_BUILDING.txt.gz

  com/netscape/certsrv/account/AccountResource.java:25: error: cannot find symbol
  import org.jboss.resteasy.annotations.ClientResponseType;
                                       ^
    symbol:   class ClientResponseType
    location: package org.jboss.resteasy.annotations

  I don't think there is a Debian bug yet for this specific issue. The
  current FTBFS there looks like it's related to tomcat 8.5.

  This class in particular seems to have moved to the resteasy-legacy jar:
  http://sources.debian.net/src/resteasy/3.1.0-1/resteasy-legacy/src/main/java/org/jboss/resteasy/annotations/legacy/ClientResponseType.java/
  which unfortunately doesn't seem to be packaged...
  http://sources.debian.net/src/resteasy/3.1.0-1/debian/libresteasy-java.poms/#L54
[Freeipa] [Bug 1600513] Re: Depend on libnss-sss and libpam-sss
This bug was fixed in the package freeipa - 4.3.2-5

---
freeipa (4.3.2-5) unstable; urgency=medium

  * fix-cve-2016-5404.diff: Fix permission check bypass (Closes: #835131)
    - CVE-2016-5404
  * ipa-kdb-support-dal-version-5-and-6.diff: Support mit-krb5 1.15.
    (Closes: #844114)

 -- Timo Aaltonen  Sat, 03 Dec 2016 01:02:40 +0200

** Changed in: freeipa (Ubuntu)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5404

https://bugs.launchpad.net/bugs/1600513

Title:
  Depend on libnss-sss and libpam-sss

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Currently libnss-sss and libpam-sss are marked as recommended on the
  sssd-common package. This however causes issues on systems that have
  installing recommended packages turned off (which I noticed was
  enabled on a VPS). The fact that those libraries are not installed
  means that the client install is not able to get a working setup
  running.

  It would probably be best if freeipa-client had a dependency on
  libnss-sss and libpam-nss as they're essentially necessary to get a
  working setup.
[Freeipa] [Bug 1628884] Re: ipa-otpd@1-32385-0.service: Failed at step EXEC spawning /usr/lib/ipa-otpd: No such file or directory
This bug was fixed in the package freeipa - 4.3.2-5

** Changed in: freeipa (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5404

https://bugs.launchpad.net/bugs/1628884

Title:
  ipa-otpd@1-32385-0.service: Failed at step EXEC spawning
  /usr/lib/ipa-otpd: No such file or directory

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  In the "/lib/systemd/system/ipa-otpd@.service" file the ipa-otpd path
  is wrong:

  ExecStart=/usr/lib/ipa-otpd $ldap_uri

  The /usr/lib/ipa-otpd file is not found in the package. The right path
  is /usr/lib/ipa/ipa-otpd.

  Please fix it.
[Freeipa] [Bug 1645201] Re: ipa-client-automount fails
This bug was fixed in the package freeipa - 4.3.2-5

** Changed in: freeipa (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5404

https://bugs.launchpad.net/bugs/1645201

Title:
  ipa-client-automount fails

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Host was successfully enrolled with the FreeIPA server using the
  'ipa-client-install' command.

  $ sudo ipa-client-automount
  Searching for IPA server...
  IPA server: DNS discovery
  Location: default
  Continue to configure the system with these values? [no]: y
  Configured /etc/default/nfs-common
  Configured /etc/idmapd.conf
  rpcidmapd failed to restart: Command '/bin/systemctl restart nfs-idmap.service' returned non-zero exit status 5
  rpcgssd failed to restart: Command '/bin/systemctl restart nfs-secure.service' returned non-zero exit status 5
  Restarting sssd, waiting for it to become available.
  Started autofs

  Distribution: Ubuntu 16.04
  Architecture: amd64
  Version: 4.3.1-0ubuntu1
[Freeipa] [Bug 1627371] Re: Timing problems with FreeIPA installation
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dogtag-pki (Ubuntu)
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/1627371

Title:
  Timing problems with FreeIPA installation

Status in dogtag-pki package in Ubuntu:
  Confirmed
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  While installing FreeIPA I came across two situations that turned out
  to be timing problems. In both cases, the installation procedure was
  attempting to access the certificate server immediately after a
  restart, and the server was not listening.

  The first one is at step 10 of "Configuring certificate server
  (pki_tomcatd)":

    [10/28]: importing CA chain to RA certificate database
      [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
  ipa.ipapython.install.cli.install_tool(Server): ERROR    Unable to retrieve CA chain: [Errno 111] Connection refused

  The second is at step 25:

    [25/28]: migrating certificate profiles to LDAP
      [error] NetworkError: cannot connect to 'https://server.name:8443/ca/rest/account/login': Could not connect to server.name using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.

  My solution was to add a delay at the top of the functions for those
  steps.

  def __import_ca_chain(self): + ##== + # Add wait time to allow certificate server to start up + # + time.sleep(10) chain = self.__get_ca_chain() ... def migrate_profiles_to_ldap(): """Migrate profiles from filesystem to LDAP. This must be run *after* switching to the LDAPProfileSubsystem and restarting the CA. The profile might already exist, e.g. if a replica was already upgraded, so this case is ignored. """ + ##== + # Add wait time to allow certificate server to start up + # + time.sleep(20) ensure_ldap_profiles_container()

  It might be necessary to adjust the sleep time.
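Review bot: the unconditional time.sleep(10) at the top of __import_ca_chain() and time.sleep(20) in migrate_profiles_to_ldap() replace one race with a guessed number: every install pays the full delay even when pki-tomcatd is already up, and on a slow host the server can still be down when the sleep ends, so the step fails with the same '[Errno 111] Connection refused' as before. Replace the sleep with a bounded readiness check that retries the connection to the CA (port 8443 in the second error) until it answers or a deadline passes, and raise a clear timeout error otherwise; the '##==' comment blocks should then say which restart the wait covers rather than only 'Add wait time'.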
  These bugs are intermittent and they may not appear at all. In my
  case, one KVM machine had no problems whatsoever while another had
  problems at the "migrate profiles ..." step. Both problems showed up
  on one Raspberry Pi. There were also time differences between runs.
  So, one needs to be _very_ patient.

  This is all on Ubuntu Xenial. freeipa-server 4.3.1-0ubuntu1. The
  RaspberryPi is a pi 2B.
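A bounded readiness check waits only as long as the certificate server actually takes to start listening after its restart and fails with a clear timeout if it never does, which a fixed sleep cannot do. The block below is an added example, not code from the bug report or from FreeIPA; CA_HOST, CA_PORT, wait_for_listener, import_ca_chain_step and the two fixture functions are names chosen here, the port follows the 8443 in the second error above, and the loopback listener is a constructed stand-in for the CA so the example runs offline.

```python
import socket
import time

# Assumed values for the example: the installer's second error names port
# 8443 on the CA host; a real installer would take both from its config.
CA_HOST = "127.0.0.1"
CA_PORT = 8443


def wait_for_listener(host, port, timeout=60.0, initial_delay=0.5, max_delay=5.0):
    """Retry a TCP connect to host:port until it succeeds or `timeout` elapses.

    Returns the seconds waited once the port accepts a connection, or None
    if the deadline passed.  A refused connection ('[Errno 111]' in the
    bug) just means "not yet"; any other OSError is treated the same way,
    since the only question is whether the CA is reachable before the next
    step.  The back-off doubles up to max_delay so a slow host is not
    hammered, and the last sleep is clipped so it never overshoots the
    deadline.
    """
    start = time.monotonic()
    deadline = start + timeout
    delay = initial_delay
    while True:
        try:
            with socket.create_connection((host, port), timeout=2.0):
                return time.monotonic() - start
        except OSError:
            pass
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        time.sleep(min(delay, remaining))
        delay = min(delay * 2, max_delay)


def import_ca_chain_step(host=CA_HOST, port=CA_PORT, timeout=60.0):
    """Hypothetical installer step: block until the CA answers, then proceed.

    Where the bug report's patch does time.sleep(10) and then talks to the
    CA, this returns as soon as the CA is up and raises if it is not up
    within `timeout`, so a failure names the real cause.
    """
    waited = wait_for_listener(host, port, timeout=timeout)
    if waited is None:
        raise RuntimeError("CA at %s:%d did not start listening within %.0f s"
                           % (host, port, timeout))
    return waited


# Constructed fixtures so the example can run without a real CA.
def open_local_listener():
    """Bind a listening socket on an ephemeral loopback port; returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserved_closed_port():
    """Return a loopback port that was just bound and released, so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = open_local_listener()
    try:
        print("CA up after %.3f s" % import_ca_chain_step(port=port, timeout=5.0))
    finally:
        srv.close()
    try:
        import_ca_chain_step(port=reserved_closed_port(), timeout=1.0)
    except RuntimeError as exc:
        print("timed out as expected:", exc)
```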
[Freeipa] [Bug 1628884] [NEW] ipa-otpd@1-32385-0.service: Failed at step EXEC spawning /usr/lib/ipa-otpd: No such file or directory
You have been subscribed to a public bug:

In the "/lib/systemd/system/ipa-otpd@.service" file the ipa-otpd path is
wrong:

ExecStart=/usr/lib/ipa-otpd $ldap_uri

The /usr/lib/ipa-otpd file is not found in the package. The right path is
/usr/lib/ipa/ipa-otpd.

Please fix it.

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New

-- 
ipa-otpd@1-32385-0.service: Failed at step EXEC spawning /usr/lib/ipa-otpd: No such file or directory
https://bugs.launchpad.net/bugs/1628884
[Freeipa] [Bug 1543230] Re: After installing freeipa-server-trust-ad ipa tries to start smb.service which doesn't exist
This bug was fixed in the package freeipa - 4.3.1-0ubuntu1

---
freeipa (4.3.1-0ubuntu1) xenial; urgency=medium

  * Sync from Debian.

freeipa (4.3.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #781607, #786411) (LP: #1449304)
    - drop no-test-lang.diff, obsolete
  * fix-match-hostname.diff, control: Drop the patch and python-openssl
    deps, not needed anymore
  * rules, platform, server.dirs, server.install: Add support for DNSSEC.
  * control, rules: Add support for kdcproxy.
  * control, server: Migrate to mod-auth-gssapi.
  * control, rules, fix-ipa-conf.diff: Add support for custodia.
  * control:
    - Add python-cryptography to build-deps and python-freeipa deps.
    - Add libp11-kit-dev to build-deps, p11-kit to server deps.
    - Depend on python-gssapi instead of python-kerberos/-krbV.
    - Add libini-config-dev and python-dbus to build-deps, replace wget
      with curl.
    - Bump libkrb5-dev build-dep.
    - Add pki-base to build-deps and pki-kra to server deps, bump pki-ca
      version.
    - Drop python-m2crypto from deps, obsolete.
    - Bump sssd deps to 1.13.1.
    - Add python-six to build-deps and python-freeipa deps.
    - Split python stuff from server, client, tests to
      python-ipa{server,client,tests}, rename python-freeipa to match and
      move translations to freeipa-common. Mark them Arch:all where
      possible, and add Breaks/Replaces.
    - Add oddjob to server and oddjob-mkhomedir to client deps.
    - Add python-setuptools to python-ipalib deps.
    - Bump 389-ds-base* deps.
    - Bump server and python-ipaserver dependency on python-ldap to 2.4.22
      to fix a bug on ipa-server-upgrade.
    - Add pki-tools to python-ipaserver deps.
    - Add zip to python-ipaserver depends.
    - Add python-systemd to server depends.
    - Add opendnssec to freeipa-server-dns depends.
    - Add python-cffi to python-ipalib depends.
    - Bump dep on bind9-dyndb-ldap.
    - Bump certmonger dependency to version that has helpers in the
      correct place.
  * patches:
    - prefix.patch: Fix ipalib install too.
    - Drop bits of platform.diff and other patches that are now upstream.
    - fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
    - fix-oddjobs.diff: Fix paths and uids in oddjob configs.
    - fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
    - fix-dnssec-services.diff: Debianize ipa-dnskeysyncd &
      ipa-ods-exporter units.
    - create-sysconfig-ods.diff: Create an empty file for opendnssec
      daemons, until opendnssec itself is fixed.
    - purge-firefox-extension.diff: Clean obsolete kerberosauth.xpi.
    - enable-mod-nss-during-setup.diff: Split from platform.diff, call
      a2enmod/a2dismod from httpinstance.py.
    - fix-memcached.diff: Split from platform.diff, debianize memcached
      conf & unit.
    - hack-libarch.diff: Don't use fedora libpaths.
  * add-debian-platform.diff:
    - Update paths.py to include all variables, comment out ones we don't
      modify.
    - Use systemwide certificate store; put ipa-ca.crt in
      /usr/local/share/ca-certificates, and run update-ca-certificates
    - Map smb service to smbd (LP: #1543230)
    - Don't ship /var/cache/bind/data, fix named.conf a bit.
    - Use DebianNoService() for dbus. (LP: #1564981)
    - Add more constants
  * Split freeipa-server-dns from freeipa-server, add -dns to -server
    Recommends.
  * server.postinst: Use ipa-server-upgrade.
  * admintools: Use the new location for bash completions.
  * rules: Remove obsolete configure.jar, preferences.html.
  * platform: Fix ipautil.run stdout handling, add support for systemd.
  * server.postinst, tmpfile: Create state directories for
    mod_auth_gssapi.
  * rules, server.install: Install scripts under /usr/lib instead of
    multiarch path to avoid hacking the code too much.
  * fix-ipa-otpd-install.diff, rules, server.install: Put ipa-otpd in
    /usr/lib/ipa instead of directly under multiarch lib path.
  * control, server*.install: Move dirsrv plugins from server-trust-ad to
    server, needed on upgrades even if trust-ad isn't set up.
  * server: Enable mod_proxy_ajp and mod_proxy_http on postinst, disable
    on postrm.
  * rules: Add SKIP_API_VERSION_CHECK, and adjust directories to clean.
  * rules: Don't enable systemd units on install.
  * client: Don't create /etc/pki/nssdb on postinst, it's not used
    anymore.
  * platform.diff, rules, server.install: Drop generate-rndc-key.sh, bind
    already generates the keyfile.

 -- Timo Aaltonen  Tue, 19 Apr 2016 00:15:05 +0300

** Changed in: freeipa (Ubuntu)
       Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1543230

Title:
  After installing freeipa-server-trust-ad ipa tries to start smb.service
  which doesn't exist

Status in freeipa package in Ubuntu:
[Freeipa] [Bug 1449304] Re: ipa-replica-prepare fails
This bug was fixed in the package freeipa - 4.3.1-0ubuntu1

** Changed in: freeipa (Ubuntu)
       Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1449304

Title:
  ipa-replica-prepare fails

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa package in Debian:
  New

Bug
[Freeipa] [Bug 1564981] Re: freeipa install errors out with certmonger 'dbus' 'start' ''' returned non-zero exit status 4
This bug was fixed in the package freeipa - 4.3.1-0ubuntu1 (changelog as in the notification for bug 1449304 above).

** Changed in: freeipa (Ubuntu)
       Status: New => Fix Released

--
https://bugs.launchpad.net/bugs/1564981

Title:
  freeipa install errors out with certmonger 'dbus' 'start' ''' returned non-zero exit status 4

Status in freeipa package in Ubuntu:
  Fix
[Freeipa] [Bug 1492229] Re: automount error due to syntax error in nsswitch.conf after ipa-client-install
[Expired for freeipa (Ubuntu) because there has been no activity for 60 days.]

** Changed in: freeipa (Ubuntu)
       Status: Incomplete => Expired

--
https://bugs.launchpad.net/bugs/1492229

Title:
  automount error due to syntax error in nsswitch.conf after ipa-client-install

Status in freeipa package in Ubuntu:
  Expired

Bug description:
  automount throws errors about a syntax error in /etc/nsswitch.conf after setting up automount using ipa-client-automount. It appears it's caused by the indentation used in the nsswitch.conf file. After aligning the automount part with the rest of the config the errors disappear and automount starts working.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: freeipa-client 3.3.4-0ubuntu3.1
  Uname: Linux 2.6.32-39-pve i686
  ApportVersion: 2.14.1-0ubuntu3.12
  Architecture: i386
  Date: Fri Sep 4 15:31:52 2015
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: Upgraded to trusty on 2015-09-04 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1492229/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
[Freeipa] [Bug 1492219] Re: ipa-client-install crashes when /usr/bin/nsupdate isn't installed
[Expired for freeipa (Ubuntu) because there has been no activity for 60 days.]

** Changed in: freeipa (Ubuntu)
       Status: Incomplete => Expired

--
https://bugs.launchpad.net/bugs/1492219

Title:
  ipa-client-install crashes when /usr/bin/nsupdate isn't installed

Status in freeipa package in Ubuntu:
  Expired

Bug description:
  The ipa-client-install crashes when /usr/bin/nsupdate is not available on the system. We're using OpenCZ containers which by default don't have dnsutils installed. I think it would be best to add dnsutils as dependency to freeipa-client.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: freeipa-client 3.3.4-0ubuntu3.1
  Uname: Linux 2.6.32-39-pve i686
  ApportVersion: 2.14.1-0ubuntu3.12
  Architecture: i386
  Date: Fri Sep 4 14:06:37 2015
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: Upgraded to trusty on 2015-05-15 (111 days ago)
[Freeipa] [Bug 1492184] Re: ipa-server-install fails when using --external-ca option because of missing gnupg-agent package
This bug was fixed in the package freeipa - 4.1.4-1

---
freeipa (4.1.4-1) experimental; urgency=medium

  * New upstream release. (LP: #1492226)
    - Refresh patches
    - platform-support.diff: Added NAMED_VAR_DIR.
    - fix-bind-conf.diff: Dropped, obsolete with above.
    - disable-dnssec-support.patch: Disable DNSSEC-support as we're missing the dependencies for now.
  * control: Add python-usb to build-depends and to python-freeipa depends.
  * control: Bump SSSD dependencies.
  * control: Add libsofthsm2-dev to build-depends and softhsm2 to server depends.
  * freeipa-{server,client}.install: Add new files.
  * control: Bump Depends on slapi-nis for CVE fixes.
  * control: Bump 389-ds-base, pki-ca depends.
  * control: Drop dogtag-pki-server-theme from server depends, it's not needed.
  * control: Server needs newer python-ldap, bump build-dep too.
  * control: Bump certmonger depends.
  * control: Bump python-nss depends.
  * freeipa-client: Add /etc/ipa/nssdb, rework /etc/pki/nssdb handling.
  * platform: Add DebianNamedService.
  * platform, disable-dnssec-support.patch: Fix named.conf template.
  * server.postinst: Run ipa-ldap-updater and ipa-upgradeconfig on postinst.
  * Revert DNSSEC changes to schema and ACI, makes upgrade tools fail.
  * server.postrm: Clean logs on purge and disable apache modules on remove/purge.

 -- Timo Aaltonen  Fri, 25 Sep 2015 14:07:40 +0300

** Changed in: freeipa (Ubuntu)
       Status: New => Fix Released

--
https://bugs.launchpad.net/bugs/1492184

Title:
  ipa-server-install fails when using --external-ca option because of missing gnupg-agent package

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  Using ipa-server-install fails when using the --external-ca option because the gnupg-agent package is not installed

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: freeipa-server 4.0.5-3 [modified: usr/share/ipa/html/ca.crt usr/share/ipa/html/configure.jar usr/share/ipa/html/kerberosauth.xpi usr/share/ipa/html/krb.con usr/share/ipa/html/krb.js usr/share/ipa/html/krb5.ini usr/share/ipa/html/krbrealm.con usr/share/ipa/html/preferences.html]
  ProcVersionSignature: Ubuntu 3.19.0-26.28-generic 3.19.8-ckt4
  Uname: Linux 3.19.0-26-generic x86_64
  ApportVersion: 2.17.2-0ubuntu1.3
  Architecture: amd64
  Date: Fri Sep 4 11:48:18 2015
  InstallationDate: Installed on 2015-09-02 (1 days ago)
  InstallationMedia: Ubuntu-Server 15.04 "Vivid Vervet" - Release amd64 (20150422)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)
[Freeipa] [Bug 1492226] Re: ipa-client-install doesn't setup sudo as service
This bug was fixed in the package freeipa - 4.1.4-1 (changelog as in the notification for bug 1492184 above).

** Changed in: freeipa (Ubuntu)
       Status: Confirmed => Fix Released

--
https://bugs.launchpad.net/bugs/1492226

Title:
  ipa-client-install doesn't setup sudo as service

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  After the installation using ipa-client-install is done it's not possible to use sudo as IPA user even though it has been allowed through the interface. Adding 'sudo' to the sssd services appears to solve this problem.
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: freeipa-client 3.3.4-0ubuntu3.1
  Uname: Linux 2.6.32-39-pve i686
  ApportVersion: 2.14.1-0ubuntu3.12
  Architecture: i386
  Date: Fri Sep 4 15:25:42 2015
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: Upgraded to trusty on 2015-09-04 (0 days ago)