freeipa server install fails - named-pkcs11 fails to run
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bind9 (Ubuntu) | Fix Released | High | Karl Stenerud |
Bionic | Fix Released | High | Andreas Hasenack |
freeipa (Ubuntu) | Invalid | High | Unassigned |
Bug Description
[Impact]
Using RTLD_DEEPBIND in bind9 causes the FreeIPA server install to fail.
This patch, also applied in Fedora and Debian, disables the use of RTLD_DEEPBIND.
https:/
https:/
[Test Case]
# uvt-kvm create --memory 2048 cosmic-freeipa release=cosmic label=daily
# uvt-kvm wait cosmic-freeipa
# uvt-kvm ssh cosmic-freeipa
Inside the VM:
# sudo su
# apt purge -y cloud-init
# echo "cosmic-
# sed -i 's/127.
# echo "$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') cosmic-
# apt update
# apt dist-upgrade -y
# reboot
# apt install -y freeipa-server
* Default Kerberos realm: EXAMPLE.COM
* Kerberos servers: cosmic-
* Administrative server: cosmic-
Get the machine's IP address; you'll use the x.x.x.1 address for the DNS forwarder.
# ip addr
# ipa-server-install --allow-
* Do you want to configure integrated DNS (BIND): YES
* Server host name: cosmic-
* Please confirm the domain name: example.com
* Please provide a realm name: EXAMPLE.COM
* Directory Manager password: (anything)
* IPA admin password: (anything)
* Do you want to configure DNS forwarders: yes
* Do you want to configure these servers as DNS forwarders?: no
* Enter an IP address for a DNS forwarder, or press Enter to skip: (x.x.x.1 address from before)
* Do you want to search for missing reverse zones?: yes
Without the fix, the installation fails.
[Regression Potential]
In theory, if another library with the exact same symbol is loaded, bind9 may end up calling the wrong function. This is, however, a potential problem with any program that loads shared libraries.
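The symbol-interposition behaviour behind both the [Impact] and the [Regression Potential] sections, shown with a small added example that is not part of this bug report: a loader links against a library that defines `who()`, then dlopen()s a plugin that defines its own `who()`; with and without RTLD_DEEPBIND the plugin ends up calling different copies. The names (`libhost`, `libplugin`, `who`, `call_who`, `deepbind_demo`) are made up for the demonstration, and a C compiler is assumed to be available as `cc`.

```shell
#!/bin/sh
# Added example (not from the bug report): what RTLD_DEEPBIND changes when a
# dlopen()ed plugin defines a symbol the host program already has.
set -eu

# Builds a host library, a plugin and a loader in a temp dir; prints the dir.
deepbind_build() {
    dir=$(mktemp -d)
    # Library the loader links against: one copy of who().
    printf 'const char *who(void) { return "host"; }\n' > "$dir/host.c"
    # Plugin: its own who(), reached from outside through call_who().
    cat > "$dir/plugin.c" <<'EOF'
const char *who(void) { return "plugin"; }
const char *call_who(void) { return who(); }
EOF
    # Loader: dlopen()s the plugin ($1), with RTLD_DEEPBIND if $2 is "deepbind",
    # and prints who() as seen by the host and as seen from inside the plugin.
    cat > "$dir/main.c" <<'EOF'
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
const char *who(void);
int main(int argc, char **argv) {
    int flags = RTLD_NOW;
    if (argc > 2 && strcmp(argv[2], "deepbind") == 0) flags |= RTLD_DEEPBIND;
    void *h = dlopen(argv[1], flags);
    if (!h) { fprintf(stderr, "%s\n", dlerror()); return 1; }
    const char *(*call_who)(void) = (const char *(*)(void))dlsym(h, "call_who");
    printf("%s %s\n", who(), call_who());
    return 0;
}
EOF
    cc -shared -fPIC -o "$dir/libhost.so" "$dir/host.c"
    cc -shared -fPIC -o "$dir/libplugin.so" "$dir/plugin.c"
    cc -o "$dir/loader" "$dir/main.c" -L"$dir" -Wl,-rpath,"$dir" -lhost -ldl
    echo "$dir"
}

# Prints "<who() in host> <who() called inside plugin>" for mode "default"
# or "deepbind"; prints "skipped" when no C compiler is available.
deepbind_demo() {
    command -v cc >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(deepbind_build)
    "$dir/loader" "$dir/libplugin.so" "$1"
    rm -rf "$dir"
}

deepbind_demo default    # host host   : the host's who() interposes the plugin's
deepbind_demo deepbind   # host plugin : RTLD_DEEPBIND binds the plugin to its own copy
```

The second line is the bind9 situation: with RTLD_DEEPBIND the plugin resolves shared symbol names to its own copies instead of the ones the host process already loaded and initialised, and the first line is the interposition risk the [Regression Potential] section describes once the flag is dropped.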
[Original Description]
Setting up the FreeIPA server fails at "Configuring the web interface", step 12/21.
It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2.
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[error] RuntimeError: Certificate issuance failed (CA_REJECTED)
ipapython.
ipapython.
and in the log there is:
2018-05-
2018-05-
2018-05-
2018-05-
2018-05-
2018-05-
File "/usr/lib/
run_
File "/usr/lib/
method()
File "/usr/lib/
passwd_
File "/usr/lib/
raise RuntimeError(
RuntimeError: Certificate issuance failed (CA_REJECTED)
2018-05-
2018-05-
ute
...
Related branches
Merge proposal 1 (Christian Ehrhardt (community): Approve; Canonical Server: Pending requested; git-ubuntu developers: Pending requested)
Diff: 752 lines (+472/-83), 10 files modified:
- debian/bind9.install (+0/-2)
- debian/changelog (+400/-0)
- debian/control (+2/-5)
- debian/dnsutils.install (+0/-2)
- debian/libdns1104.symbols (+0/-66)
- debian/patches/enable-udp-in-host-command.diff (+26/-0)
- debian/patches/fix-shutdown-race.diff (+41/-0)
- debian/patches/series (+2/-0)
- debian/rules (+1/-4)
- debian/tests/simpletest (+0/-4)
Merge proposal 2 (Christian Ehrhardt (community): Approve; Canonical Server: Pending requested; Canonical Server Core Reviewers: Pending requested)
Diff: 60 lines (+38/-0), 3 files modified:
- debian/changelog (+8/-0)
- debian/patches/series (+1/-0)
- debian/patches/skip-rtld-deepbind-for-dyndb.diff (+29/-0)
Merge proposal 3 (Christian Ehrhardt (community): Approve; Canonical Server: Pending requested; Canonical Server Core Reviewers: Pending requested)
Diff: 53 lines (+31/-0), 3 files modified:
- debian/changelog (+7/-0)
- debian/patches/series (+1/-0)
- debian/patches/skip-rtld-deepbind-for-dyndb.diff (+23/-0)
Changed in freeipa (Ubuntu): importance: Undecided → High
Changed in bind9 (Ubuntu): importance: Undecided → High
Changed in bind9 (Ubuntu): assignee: nobody → Karl Stenerud (kstenerud)
description: updated
description: updated
no longer affects: freeipa (Ubuntu Bionic)
See also https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1765616/comments/9