Support of freeipa-server for s390x

Bug #1764744 reported by bugproxy
Affects                  Status        Importance  Assigned to            Milestone
Ubuntu on IBM z Systems  Fix Released  High        Unassigned
389-ds-base (Ubuntu)     Fix Released  Undecided   Unassigned
freeipa (Ubuntu)         Fix Released  Undecided   Skipper Bug Screeners

Bug Description

freeipa fails to configure on s390x. (Configuration being handled by the freeipa-server-install script) This script has two failure points. The first is below:

https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1600634 describes a known bug but it was only resolved for x86_64.

In the failing scenario the install log will have entries like the following:

2018-04-10T18:53:01Z DEBUG nsslapd-pluginenabled:
2018-04-10T18:53:01Z DEBUG on
2018-04-10T18:53:01Z DEBUG nsslapd-pluginpath:
2018-04-10T18:53:01Z DEBUG /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so
2018-04-10T18:53:01Z DEBUG nsslapd-pluginversion:
2018-04-10T18:53:01Z DEBUG 0.8

Obviously on s390x /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so will never be found.

Now if I create a symbolic link with the above name that is linked to the same location but with s390x where x86_64 is located, the install will proceed past this failing location.

The second failure point in the freeipa-server-install script is near the end, after the script has completed the freeipa-server-install and where it attempts to install the freeipa-client. The client install appears to fail because of a problem with certificates related to the server install.

2018-04-17T12:14:59Z ERROR Cannot connect to the server due to generic error: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)

The above appears to be related to an issue with the key database.

# certutil -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

# ipa cert-show 1
ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

# ipa user-add
First name: Richard
>>> First name: Leading and trailing spaces are not allowed
First name: Richard
Last name: Young
User login [ryoung]: ryoung1
ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

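As an added example (not code from the bug report, freeipa or 389-ds), a POSIX shell audit for the architecture-hardcoded plugin path shown in the description: it reads the nsslapd-pluginpath values from a dse.ldif and flags any that name a different Debian multiarch triplet than the host's. The LDIF sample is constructed, and the ppc64le-to-powerpc64le-linux-gnu mapping is assumed from Debian's multiarch layout.

```shell
# Added example (not from the bug report, freeipa or 389-ds): audit the
# nsslapd-pluginpath values in a 389-ds dse.ldif against the host's multiarch
# triplet, catching a plugin path baked for another architecture (the x86_64
# path the s390x install log above shows) before ipa-server-install runs.

# host_triplet prints the Debian multiarch triplet: dpkg-architecture when
# present, otherwise a uname(1) mapping (ppc64le is the odd one out).
host_triplet() {
    dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null && return
    case "$(uname -m)" in
        ppc64le) echo powerpc64le-linux-gnu ;;
        *)       echo "$(uname -m)-linux-gnu" ;;
    esac
}

# check_plugin_paths reads LDIF on stdin and prints, per nsslapd-pluginpath,
# "OK <path>" when the path is under /usr/lib/<triplet>/ for the triplet in $1
# (or is not multiarch-specific) and "MISMATCH <path>" when it names another
# triplet. The exit status is the number of mismatches found.
check_plugin_paths() {
    want=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in nsslapd-pluginpath:*) ;; *) continue ;; esac
        path=${line#nsslapd-pluginpath:}
        path=${path# }
        case "$path" in
            /usr/lib/"$want"/*)      echo "OK       $path" ;;
            /usr/lib/*-linux-gnu*/*) echo "MISMATCH $path"; bad=$((bad + 1)) ;;
            *)                       echo "OK       $path" ;;
        esac
    done
    return "$bad"
}

# Constructed sample mirroring the failing entry from the bug: one plugin path
# hardcoded for x86_64 next to one built for the s390x host.
SAMPLE_LDIF='dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginenabled: on
nsslapd-pluginpath: /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so
nsslapd-pluginpath: /usr/lib/s390x-linux-gnu/dirsrv/plugins/libroles-plugin.so
nsslapd-pluginversion: 0.8'

# Audit the sample as if this host were s390x; on a real server run instead:
#   check_plugin_paths "$(host_triplet)" < /etc/dirsrv/slapd-*/dse.ldif
printf '%s\n' "$SAMPLE_LDIF" | check_plugin_paths s390x-linux-gnu || true
```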
bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-166796 severity-high targetmilestone-inin1604
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → freeipa (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

which version is this? bionic-proposed has a newer version that should not trip on the certdb issues

Frank Heimes (fheimes)
tags: added: universe
Revision history for this message
Frank Heimes (fheimes) wrote :

Because of the "targetmilestone-inin1604" tag (that's synch-ed over by 'bugproxy') this problem seems to occur on Xenial.

Steve Langasek (vorlon)
Changed in freeipa (Ubuntu):
status: New → Incomplete
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2018-04-17 10:55 EDT-------
Changed target milestone to 18.04

------- Comment From <email address hidden> 2018-04-17 10:59 EDT-------
I had tried first, freeipa with bionic beta2/final, however new s390x freeipa server binary was found

root@lbskvm3:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04
Codename: bionic

root@lbskvm3:~# uname -a
Linux lbskvm3 4.15.0-13-generic #14-Ubuntu SMP Sat Mar 17 13:42:52 UTC 2018 s390x s390x s390x GNU/Linux

root@lbskvm3:~# apt-cache search freeipa
libipa-hbac-dev - FreeIPA HBAC Evaluator library -- development files
libipa-hbac0 - FreeIPA HBAC Evaluator library
libnss-sss - Nss library for the System Security Services Daemon
libpam-sss - Pam module for the System Security Services Daemon
python3-sss - Python3 module for the System Security Services Daemon
sssd - System Security Services Daemon -- metapackage
sssd-common - System Security Services Daemon -- common files
sssd-tools - System Security Services Daemon -- tools
python-libipa-hbac - Python bindings for the FreeIPA HBAC Evaluator library
python-sss - Python module for the System Security Services Daemon
python3-libipa-hbac - Python3 bindings for the FreeIPA HBAC Evaluator library
root@lbskvm3:~#

tags: added: targetmilestone-inin1804
removed: targetmilestone-inin1604
Steve Langasek (vorlon)
Changed in freeipa (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Yeah, need to enable bionic-proposed for that.

Revision history for this message
Steve Langasek (vorlon) wrote :

Currently, there is no version of freeipa in the bionic release pocket because it was previously unreleasable. The version in bionic-proposed may make it into release, in which case it appears this is fixed for all architectures; or it may not, in which case there are no further bugs to be fixed.

Changed in freeipa (Ubuntu):
status: Triaged → Fix Committed
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → Fix Released
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

actually, that SASL issue is likely due to 389-ds-base hardcoding the saslpath for x86 and arm.. Here's a version of it for bionic which adds support for s390x (and ppc64el), if you're able to test:

https://launchpad.net/~canonical-x/+archive/ubuntu/x-staging

yes, it's a silly ppa but one that has builders for all archs :)

grepping for sasl2 gives the right path in libslapd.so.0.1.0 at least..

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package 389-ds-base - 1.3.7.10-1ubuntu1

---------------
389-ds-base (1.3.7.10-1ubuntu1) bionic; urgency=medium

  * fix-saslpath.diff: Updated to support ppc64el and s390x. (LP:
    #1764744)

 -- Timo Aaltonen <email address hidden> Tue, 17 Apr 2018 20:45:32 +0300

Changed in 389-ds-base (Ubuntu):
status: New → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-04-26 10:35 EDT-------
The package is still failing to configure

root@fipas1:~# ipa-server-install --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [fipas1.rgy.net]:

Warning: skipping DNS resolution of host fipas1.rgy.net
The domain name has been determined based on the host name.

Please confirm the domain name [rgy.net]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [RGY.NET]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain rgy.net., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: no

The IPA Master Server will be configured with:
Hostname: fipas1.rgy.net
IP address(es): 192.168.122.50
Domain name: rgy.net
Realm name: RGY.NET

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=RGY.NET
Subject base: O=RGY.NET
Chaining: self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): No reverse zone

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Synchronizing time
Using default chrony configuration.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/44]: creating directory server instance
[2/44]: enabling ldapi
[3/44]: configure autobind for root
[4/44]: stopping directory server
[5/44]: updating configuration in dse.ldif
[6/44]: starting directory server
[error] ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs...

Revision history for this message
Frank Heimes (fheimes) wrote :

Please could you attach the logs like the /var/log/syslog as well as the ipa install log:
/var/log/ipaserver-install.log
and in case available any other ipa related logs, too - means: /var/log/ipa*

And also share the content of the folder: ls -la /etc/ipa/

Thx

Revision history for this message
bugproxy (bugproxy) wrote : free IPA install failure logs

------- Comment on attachment From <email address hidden> 2018-05-02 09:49 EDT-------

Requested logs attached in TAR

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2018-05-07 07:35 EDT-------
IBM bugzilla status closed; Fix Released, Follow-on problem tracked via https://bugzilla.linux.ibm.com/show_bug.cgi?id=167506
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1764744
