------- Comment From [email protected] 2018-04-26 10:35 EDT-------
The package is still failing to configure

root@fipas1:~# ipa-server-install --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [fipas1.rgy.net]:

Warning: skipping DNS resolution of host fipas1.rgy.net
The domain name has been determined based on the host name.

Please confirm the domain name [rgy.net]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [RGY.NET]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain rgy.net., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: no

The IPA Master Server will be configured with:
Hostname: fipas1.rgy.net
IP address(es): 192.168.122.50
Domain name: rgy.net
Realm name: RGY.NET

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=RGY.NET
Subject base: O=RGY.NET
Chaining: self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): No reverse zone

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Synchronizing time
Using default chrony configuration.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [error] ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
ipapython.admintool: ERROR Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
root@fipas1:~#

I had run an apt update in advance of installing freeipa and after adding the canonical staging repository

root@fipas1:~# apt update
Hit:1 http://ppa.launchpad.net/canonical-x/x-staging/ubuntu bionic InRelease
Hit:2 http://ports.ubuntu.com/ubuntu-ports bionic InRelease
Hit:3 http://ports.ubuntu.com/ubuntu-ports bionic-updates InRelease
Hit:4 http://ports.ubuntu.com/ubuntu-ports bionic-backports InRelease
Hit:5 http://ports.ubuntu.com/ubuntu-ports bionic-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
root@fipas1:~#

End of the install log contains

2018-04-26T14:31:25Z DEBUG args=['/bin/systemctl', 'is-active', '[email protected]']
2018-04-26T14:31:25Z DEBUG Process finished, return code=0
2018-04-26T14:31:25Z DEBUG stdout=active
2018-04-26T14:31:25Z DEBUG stderr=
2018-04-26T14:31:25Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2018-04-26T14:31:25Z DEBUG waiting for port: 389
2018-04-26T14:31:25Z DEBUG SUCCESS: port: 389
2018-04-26T14:31:25Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 669, in __start_instance
    self.start(self.serverid)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 644, in start
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 179, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1153, in external_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1066, in error_handler
    raise errors.ACIError(info='%s (%s)' % (info,desc))
ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)

2018-04-26T14:31:25Z DEBUG [error] ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
2018-04-26T14:31:25Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 364, in run
    return self.execute()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 389, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 581, in main
    master_install(self)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 252, in decorated
    func(installer)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 800, in install
    setup_pkinit=not options.no_pkinit)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 345, in create_instance
    self.start_creation(runtime=30)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 669, in __start_instance
    self.start(self.serverid)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 644, in start
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 179, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1153, in external_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1066, in error_handler
    raise errors.ACIError(info='%s (%s)' % (info,desc))

2018-04-26T14:31:25Z DEBUG The ipa-server-install command failed, exception: ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
2018-04-26T14:31:25Z ERROR Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
2018-04-26T14:31:25Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
root@fipas1:~#

Suggestions?

--
You received this bug notification because you are a member of Ubuntu 389 Directory Server, which is subscribed to 389-ds-base in Ubuntu.
https://bugs.launchpad.net/bugs/1764744

Title: Support of freeipa-server for s390x

Status in Ubuntu on IBM z Systems: Fix Released
Status in 389-ds-base package in Ubuntu: Fix Released
Status in freeipa package in Ubuntu: Fix Released

Bug description:

freeipa fails to configure on s390x. (Configuration being handled by the freeipa-server-install script)

This script has two failure points. The first is below:

https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1600634 describes a known bug but it was only resolved for x86_64.
In the failing scenario the install log will have entries like the following:

2018-04-10T18:53:01Z DEBUG nsslapd-pluginenabled:
2018-04-10T18:53:01Z DEBUG on
2018-04-10T18:53:01Z DEBUG nsslapd-pluginpath:
2018-04-10T18:53:01Z DEBUG /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so
2018-04-10T18:53:01Z DEBUG nsslapd-pluginversion:
2018-04-10T18:53:01Z DEBUG 0.8

Obviously on s390x /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so will never be found.

Now if I create a symbolic link with the above name that is linked to the same location but with s390x where x86_64 is located, the install will proceed past this failing location.

The second failure point in the freeipa-server-install script is near the end, after the script has completed the freeipa-server-install and where it attempts to install the freeipa-client. The client install appears to fail because of a problem with certificates related to the server install.

2018-04-17T12:14:59Z ERROR Cannot connect to the server due to generic error: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)

The above appears to be related to an issue with the key database

# certutil -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

# ipa cert-show 1
ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

# ipa user-add
First name: Richard
>>> First name: Leading and trailing spaces are not allowed
First name: Richard
Last name: Young
User login [ryoung]: ryoung1
ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
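A check for the first failure point in the bug description above, as an added example that is not part of the original report or of FreeIPA's own code: it reads the name/value DEBUG pairs in the layout the report quotes and lists every nsslapd-pluginpath whose multiarch directory does not match the host. The function names and the sample log are constructed for illustration, and reading the host triplet from Python's MULTIARCH build variable is an assumption that holds on Debian/Ubuntu builds.

```python
import re
import sysconfig

# Constructed sample in the two-line name/value layout the report quotes.
SAMPLE_LOG = """\
2018-04-10T18:53:01Z DEBUG nsslapd-pluginenabled:
2018-04-10T18:53:01Z DEBUG on
2018-04-10T18:53:01Z DEBUG nsslapd-pluginpath:
2018-04-10T18:53:01Z DEBUG /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so
2018-04-10T18:53:01Z DEBUG nsslapd-pluginversion:
2018-04-10T18:53:01Z DEBUG 0.8
"""

# "<ISO timestamp>Z DEBUG " prefix carried by every quoted log line.
_PREFIX = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ\s+DEBUG\s*")
# Multiarch library directory, e.g. /usr/lib/x86_64-linux-gnu/...
_TRIPLET = re.compile(r"^/usr/lib/([^/]+-linux-gnu[^/]*)/")


def plugin_paths(log_text):
    """Return the value line that follows each 'nsslapd-pluginpath:' line."""
    paths, pending = [], False
    for raw in log_text.splitlines():
        body = _PREFIX.sub("", raw).strip()
        if pending:
            paths.append(body)
            pending = False
        elif body == "nsslapd-pluginpath:":
            pending = True
    return paths


def foreign_arch_paths(log_text, host_triplet=None):
    """List (path, triplet) for plugin paths built for another architecture."""
    # Assumption: MULTIARCH is set on Debian/Ubuntu Python builds; if it is
    # missing, every multiarch path is reported so nothing is silently passed.
    host = host_triplet or sysconfig.get_config_var("MULTIARCH")
    hits = []
    for path in plugin_paths(log_text):
        m = _TRIPLET.match(path)
        if m and m.group(1) != host:
            hits.append((path, m.group(1)))
    return hits


if __name__ == "__main__":
    for path, triplet in foreign_arch_paths(SAMPLE_LOG, "s390x-linux-gnu"):
        print("plugin path built for %s: %s" % (triplet, path))
```

Run against /var/log/ipaserver-install.log, a non-empty result points at a hard-coded architecture path rather than a missing package.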

