pkcs11 setup needs fixes for SoftHSM 2.2

Bug #1677139 reported by Timo Aaltonen
This bug affects 6 people
Affects            Status         Importance   Assigned to     Milestone
freeipa (Ubuntu)   Fix Released   Undecided    Timo Aaltonen
  Zesty            Confirmed      Undecided    Unassigned
  Artful           Fix Released   Undecided    Timo Aaltonen

Bug Description

[Impact]

https://pagure.io/freeipa/issue/6692

SoftHSM 2.2 broke freeipa DNS integration.

[Test case]

Install ipa server with 'ipa-server-install --setup-dns'.

[Regression potential]

The patch touches only the pkcs11 helper, so shouldn't regress anything else.

Timo Aaltonen (tjaalton) wrote :

looks like there will be a patch to freeipa instead

Timo Aaltonen (tjaalton) wrote :

the patch for freeipa works

affects: softhsm2 (Ubuntu) → freeipa (Ubuntu)
Timo Aaltonen (tjaalton)
description: updated
summary: - softhsm 2.2.0 is broken
+ pkcs11 setup needs fixes for SoftHSM 2.2
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in freeipa (Ubuntu):
status: New → Confirmed
4tro (finke-lamein) wrote :

looks like this will allow you to finish the installation, but with bind9-pkcs11 in failed status:

root@cw-ipa0:~# journalctl -xe
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net named-pkcs11[21389]: ----------------------------------------------------
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net named-pkcs11[21389]: adjusted limit on open files from 4096 to 1048576
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net named-pkcs11[21389]: found 2 CPUs, using 2 worker threads
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net named-pkcs11[21389]: using 2 UDP listeners per interface
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net named-pkcs11[21389]: using up to 4096 sockets
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net named-pkcs11[21389]: initializing DST: no PKCS#11 provider
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net named-pkcs11[21389]: exiting (due to fatal error)
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net rndc[21395]: rndc: connect failed: 127.0.0.1#953: connection refused
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=bind9-pk
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net audispd[488]: type=SERVICE_STOP msg=audit(1492761164.380:1635): pid=1 uid=0 auid=429
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net systemd[1]: bind9-pkcs11.service: Control process exited, code=exited status=1
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net systemd[1]: bind9-pkcs11.service: Unit entered failed state.
Apr 21 09:52:44 cw-ipa0.ipa.catawiki.net systemd[1]: bind9-pkcs11.service: Failed with result 'exit-code'.

4tro (finke-lamein) wrote :

Found the reason for this failure, installer uses a library on the following path: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so

This path is not present on a default installation of Ubuntu with softhsm2.

This is becoming a theme with IPA packaging it seems.
So either make sure there's a symlink for it in the package, or start patching the installer to account for all the differences in paths between RHEL and Ubuntu.
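
A read-only check for the failure described in the comment above, added here as an example (it is not part of FreeIPA, SoftHSM or the Ubuntu packaging): it tests whether the provider exists at the path the installer uses, looks for a copy elsewhere under usr/lib, and counts the fatal named-pkcs11 message in a saved log. The function names, the ROOT argument, the `--live` switch and the search under usr/lib are assumptions.

```shell
#!/bin/sh
# Added diagnostic example; not FreeIPA, SoftHSM or Ubuntu packaging code.
# EXPECTED_REL is the path quoted in the comment above, relative to a root.
EXPECTED_REL="usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"

# check_provider ROOT   (ROOT="" means the live filesystem; assumption)
# Returns 0 if the provider exists at the expected path, 1 if a copy exists
# elsewhere under ROOT/usr/lib, 2 if none is found. Prints one status line.
check_provider() {
    root=${1%/}
    expected="$root/$EXPECTED_REL"
    # -e follows symlinks, so a dangling symlink counts as absent.
    if [ -e "$expected" ]; then
        echo "ok: $expected"
        return 0
    fi
    found=$(find "$root/usr/lib" -type f -name 'libsofthsm2.so' 2>/dev/null | head -n 1)
    if [ -n "$found" ]; then
        echo "mismatch: expected $expected, found $found"
        return 1
    fi
    echo "missing: no libsofthsm2.so under $root/usr/lib"
    return 2
}

# provider_error_count LOGFILE
# Counts named-pkcs11 lines carrying the fatal message from the journal above.
provider_error_count() {
    grep -c 'named-pkcs11\[[0-9]*\]: initializing DST: no PKCS#11 provider' "$1" || true
}

# Check the live system only when asked: sh check-softhsm.sh --live
if [ "${1:-}" = "--live" ]; then
    check_provider ""
fi
```

A return value of 1 is the situation reported in this bug: the module is installed, but not where the installer points named-pkcs11.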

Timo Aaltonen (tjaalton) wrote :
Changed in freeipa (Ubuntu Artful):
assignee: nobody → Dimitri John Ledkov (xnox)
Timo Aaltonen (tjaalton) wrote :

I'll deal with this

Changed in freeipa (Ubuntu Artful):
assignee: Dimitri John Ledkov (xnox) → Timo Aaltonen (tjaalton)
dh (dcharvey) wrote :

I see 4.4.4-1 in artful proposed, and "looked" like that has the necessary fixes on the changelog?
Is there any update on this on Zesty, or likelihood that the proposed package will make it to stable for Artful?

Timo Aaltonen (tjaalton) wrote :

yes, artful is fixed, perhaps won't fix it in zesty but we'll see

Changed in freeipa (Ubuntu Artful):
status: Confirmed → Fix Released