This is a recipe with all the work-arounds needed to get a freeipa
server with integrated DNS going on Ubuntu bionic/18.04 LTS or later.
Without these workarounds, you will hit so many bugs the system is
uninstallable as of 6/23/18.
I chose Lubuntu as a platform as I wanted an integrated browser as a way
to check for good operations without the complexity of most of the
networking stack in the chain.
I started with a ‘clean install’ of Lubuntu 18.04. I needed 4 CPU cores
and 4GB of memory to avoid most of the race conditions that kill the
installer. You can reduce these to 1 core and 2GB after installation
(that’s a ‘low demand minimum’).
Where you see 192.168.50.64 below, replace that with the IP address of your
freeipa machine.
Where you see ri.mamabosso.com below, replace that with the private IP address
range of the sub-domain you’ll use for the freeipa server. (If your public
domain is xyz.com, it’s best practice to add a subdomain for the private
addresses, so local.xyz.com to resolve them. Split-view and the like generate
more problems than they solve).
You should see no error messages at any point in this process. If you
do, stop to puzzle them out before moving on.
Get to a command prompt as root:
apt update
apt upgrade
apt install freeipa-server-dns python-psutil haveged
Cause /etc/hosts to look like:
127.0.0.1 localhost
192.168.50.64 directory1.ri.mamabosso.com directory1
127.0.1.1 directory1.ri.mamabosso.com directory1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Cause /etc/hostname to look like:
directory1.ri.mamabosso.com
Remove anything in /etc/netplan unless you're sure otherwise. In /etc/netplan
add the file /etc/netplan/01-networkd.yaml with the below (change addresses and
domains to yours):
network:
  version: 2
  renderer: networkd
  ethernets:
    ens3:
      addresses:
        - 192.168.50.64/24
      gateway4: 192.168.50.1
      nameservers:
        search: [ri.mamabosso.com, mamabosso.com]
        addresses: [127.0.0.1]
These commands are needed to avoid several bugs later on:
systemctl disable systemd-resolved
systemctl disable network-manager
systemctl disable NetworkManager
mv /lib/systemd/system/NetworkManager.service NetworkManager.service.res
usermod bind -aG softhsm
mkdir /var/lib/softhsm/tokens
chown root:softhsm /var/lib/softhsm/tokens
chmod 0770 /var/lib/softhsm/tokens
chmod g+s /var/lib/softhsm/tokens
mv /usr/sbin/named-pkcs11 /usr/sbin/named-pkcs11-dpkg-dist
cp /usr/sbin/named /usr/sbin/named-pkcs11
#The dependency on named-pkcs11 is a fedora legacy and is no longer necessary
#which is fortunate as named-pkcs11 crashes on startup leaving the system with
#no resolver.
Make /etc/resolv.conf:
nameserver 127.0.0.1
search <your local domain here, ri.mamabosso.com in my case>
Patch FreeIPA's installer to avoid race conditions that would otherwise
crash it:
Note: you should exactly match the indenting you find in the programs
to be edited below, using spaces and not tabs.
In /usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py, after
import tempfile
add
import psutil
In function "migrate_profiles_to_ldap"
before:
for profile_id in profile_ids:
change
time.sleep(80)
to
time.sleep(30)
then just after,
for profile_id in profile_ids:
add
while psutil.cpu_percent() > 9: time.sleep(2)
And, in /usr/lib/python2.7/dist-packages/ipaserver/install/bindinstance.py, add
after line 753 which should read ‘self.restart()’ in procedure __start:
while psutil.cpu_percent() > 9: time.sleep(2)
In the same file, at the top right after import time, add:
import psutil
This makes sure all the services restarted earlier can satisfy the coming
requests instead of timing out because service startup hasn't settled.
Reboot to see if all is well.
Make sure /etc/hosts and /etc/hostname are correct. Do an "apt update" to make
sure the internet is up.
Then give the command:
ipa-server-install --setup-dns --no-forwarders
accept defaults, enter passwords, answer ‘yes’ at the end of the
questions to accept.
Accept all defaults (except answer ‘yes’ to ‘continue..’). You should see the
correct domain and reverse ip in the list.
You should see no errors or complaints during the entire process. After
waiting for that to complete, do:
chgrp ipaapi /var/lib/krb5kdc #so freeipa admin log in can find key.
chmod g+rx /var/lib/krb5kdc
So that you can log in to the web interface (without access to that, the
login fails for no obvious reason).
Reboot (mostly to make sure all is well upon reboots)
Log in via the web GUI (https://system.domain.com etc.), look around
for normal operations. Surf to a website to make sure DNS is up.
This recipe worked perfectly as of 6/23/18.
Some day soon (I hope), the needless dependency on buggy named-pkcs11, which
crashes named and so integrated DNS with it (see
https://pagure.io/bind-dyndb-ldap/c/4fb51bac7f4f739975a2afb857b686869eff92b6?branch=master
), will be removed.
Hope the day I lost debugging this helps you!
Harry Coin
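The installer edits in the recipe above are the error-prone part, since the wait loop has to land at exactly the right indentation in two files. The script below, an added example that is not part of Harry Coin's post or of FreeIPA, applies the same three edits (the psutil import, sleep(80) to sleep(30), and the CPU-settle wait after the profile loop and after self.restart() in __start) as text transformations, with idempotence so it can be re-run safely. The SAMPLE_* strings are constructed stand-ins with the structure the edits rely on, not the real module contents; the real paths are the ones the recipe names. One deliberate deviation: the wait line uses cpu_percent(interval=2), because psutil's first call with no interval returns a meaningless 0.0 and the check would be skipped on the first pass.

```python
"""Apply the cainstance.py / bindinstance.py edits from the recipe as text
transformations so indentation is matched mechanically instead of by eye.

Added example, not code from the post above or from FreeIPA.  The SAMPLE_*
strings are constructed stand-ins; the real files live under
/usr/lib/python2.7/dist-packages/ipaserver/install/ (the recipe's paths).
"""
# interval=2 samples CPU over two seconds; with no interval psutil's first
# call returns 0.0 and the loop would fall through immediately.
WAIT_LINE = "while psutil.cpu_percent(interval=2) > 9: pass"
FOR_LOOP = "for profile_id in profile_ids:"


def add_import(src, after_module, module="psutil"):
    """Insert 'import <module>' right after 'import <after_module>'.  Idempotent."""
    lines = src.splitlines(keepends=True)
    if any(l.strip() == "import " + module for l in lines):
        return src
    for i, l in enumerate(lines):
        if l.strip() == "import " + after_module:
            lines.insert(i + 1, "import %s\n" % module)
            return "".join(lines)
    raise ValueError("no 'import %s' line to anchor on" % after_module)


def insert_after(src, anchor, code, extra_indent=0, within=None):
    """Insert `code` after the first line whose stripped text equals `anchor`,
    searching only below 'def <within>(' when `within` is given.  The new line
    takes the anchor's indentation plus extra_indent (4 if the anchor opens a
    block, 0 if it is a plain statement).  Idempotent."""
    lines = src.splitlines(keepends=True)
    start = 0
    if within is not None:
        start = next(i for i, l in enumerate(lines)
                     if l.strip().startswith("def %s(" % within))
    for i in range(start, len(lines)):
        if lines[i].strip() == anchor:
            indent = len(lines[i]) - len(lines[i].lstrip(" "))
            new = " " * (indent + extra_indent) + code + "\n"
            if i + 1 < len(lines) and lines[i + 1] == new:
                return src
            lines.insert(i + 1, new)
            return "".join(lines)
    raise ValueError("anchor line not found: %r" % anchor)


def replace_before(src, anchor, old, new):
    """Replace `old` with `new` on the nearest line above `anchor` containing it."""
    lines = src.splitlines(keepends=True)
    idx = next(i for i, l in enumerate(lines) if l.strip() == anchor)
    for j in range(idx - 1, -1, -1):
        if old in lines[j]:
            lines[j] = lines[j].replace(old, new)
            return "".join(lines)
    if any(new in l for l in lines[:idx]):
        return src  # already applied on an earlier run
    raise ValueError("no line containing %r above %r" % (old, anchor))


def patch_cainstance(src):
    src = add_import(src, "tempfile")
    src = replace_before(src, FOR_LOOP, "time.sleep(80)", "time.sleep(30)")
    return insert_after(src, FOR_LOOP, WAIT_LINE, extra_indent=4)


def patch_bindinstance(src):
    src = add_import(src, "time")
    return insert_after(src, "self.restart()", WAIT_LINE, within="__start")


def patch_file(path, patcher):
    """Patch a file in place, keeping a .orig copy.  Returns True if it changed."""
    with open(path) as f:
        src = f.read()
    out = patcher(src)
    if out != src:
        with open(path + ".orig", "w") as f:
            f.write(src)
        with open(path, "w") as f:
            f.write(out)
    return out != src


# Constructed stand-ins, not the real FreeIPA modules.
SAMPLE_CAINSTANCE = """\
import os
import tempfile
import time


def migrate_profiles_to_ldap():
    profile_ids = ["caIPAserviceCert"]
    time.sleep(80)
    for profile_id in profile_ids:
        migrate_profile(profile_id)
"""

SAMPLE_BINDINSTANCE = """\
import time


class BindInstance(object):
    def restart(self):
        pass

    def __start(self):
        self.restart()
"""

if __name__ == "__main__":
    base = "/usr/lib/python2.7/dist-packages/ipaserver/install/"
    for name, patcher in (("cainstance.py", patch_cainstance),
                          ("bindinstance.py", patch_bindinstance)):
        changed = patch_file(base + name, patcher)
        print("%s: %s" % (name, "patched" if changed else "already patched"))
```

Run it as root before `ipa-server-install`; a second run reports "already patched" for both files rather than inserting the wait line twice.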
--
https://bugs.launchpad.net/bugs/1769440
Title:
freeipa server install fails - named-pkcs11 fails to run
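The recipe above says to stop on any error and to re-check /etc/hosts and /etc/hostname before running the installer. The checker below, an added example that is not part of the original post or of FreeIPA, turns those preconditions into functions: the FQDN and short name must sit on a line with the server's real IP in /etc/hosts, /etc/hostname must be fully qualified, /etc/resolv.conf must point only at the local BIND and search the IPA domain, and the SoftHSM token directory must carry the 2770 mode and softhsm group the recipe sets. Function names are my own and the HOSTS_* samples are constructed; run as root it checks the real files, and the functions take file contents so they can be exercised on test input.

```python
"""Pre-flight checks for the state the recipe expects before ipa-server-install.
Added example, not part of the original post or of FreeIPA."""
import os
import shutil
import stat
import tempfile


def parse_hosts(text):
    """Map each name in /etc/hosts text to the addresses it is listed on."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name, []).append(fields[0])
    return names


def check_hosts(text, ip, fqdn):
    """Both the FQDN and the short name must be on a line with the real IP."""
    names = parse_hosts(text)
    return ["%s is not mapped to %s" % (n, ip)
            for n in (fqdn, fqdn.split(".")[0]) if ip not in names.get(n, [])]


def check_hostname(text, fqdn):
    """/etc/hostname must hold the fully qualified name (three or more labels)."""
    name = text.strip()
    problems = []
    if name != fqdn:
        problems.append("hostname is %r, expected %r" % (name, fqdn))
    if name.count(".") < 2:
        problems.append("%r is not fully qualified" % name)
    return problems


def check_resolv(text, domain):
    """Lookups must go only to the local BIND (127.0.0.1) and search the domain."""
    nameservers, search = [], []
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["nameserver"]:
            nameservers += fields[1:]
        elif fields[:1] == ["search"]:
            search += fields[1:]
    problems = []
    if nameservers != ["127.0.0.1"]:
        problems.append("nameservers %r, expected ['127.0.0.1']" % nameservers)
    if domain not in search:
        problems.append("search list %r lacks %s" % (search, domain))
    return problems


def make_token_dir(path):
    """The recipe's mkdir + chmod 0770 + chmod g+s (chown root:softhsm needs root)."""
    os.mkdir(path)
    os.chmod(path, 0o2770)
    return path


def check_token_dir(path, gid):
    """Token dir must be mode 2770 and owned by the softhsm group, or bind
    (added to that group by the recipe) cannot use the tokens."""
    st = os.stat(path)
    problems = []
    if stat.S_IMODE(st.st_mode) != 0o2770:
        problems.append("%s mode is %o, expected 2770" % (path, stat.S_IMODE(st.st_mode)))
    if st.st_gid != gid:
        problems.append("%s gid is %d, expected %d" % (path, st.st_gid, gid))
    return problems


def self_test_token_dir():
    """Create a throwaway token dir with the recipe's permissions and check it."""
    tmp = tempfile.mkdtemp()
    try:
        path = make_token_dir(os.path.join(tmp, "tokens"))
        return check_token_dir(path, os.stat(path).st_gid)
    finally:
        shutil.rmtree(tmp)


# Constructed samples: the recipe's /etc/hosts, and one with the FQDN only on 127.0.1.1.
HOSTS_OK = """127.0.0.1 localhost
192.168.50.64 directory1.ri.mamabosso.com directory1
127.0.1.1 directory1.ri.mamabosso.com directory1
::1 ip6-localhost ip6-loopback
"""
HOSTS_BAD = """127.0.0.1 localhost
127.0.1.1 directory1.ri.mamabosso.com directory1
"""

if __name__ == "__main__":
    import grp
    ip, fqdn, domain = "192.168.50.64", "directory1.ri.mamabosso.com", "ri.mamabosso.com"
    problems = (check_hosts(open("/etc/hosts").read(), ip, fqdn)
                + check_hostname(open("/etc/hostname").read(), fqdn)
                + check_resolv(open("/etc/resolv.conf").read(), domain)
                + check_token_dir("/var/lib/softhsm/tokens", grp.getgrnam("softhsm").gr_gid))
    print("\n".join(problems) or "all checks passed")
```

An empty problem list means the files match the recipe; anything printed is worth fixing before the installer is started, since the installer's own error messages for these conditions are far less direct.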