freeipa-server installation/configuration problem on s390x

Bug #1769631 reported by bugproxy
This bug affects 1 person
Affects: Ubuntu on IBM z Systems | Status: Expired | Importance: Medium | Assigned to: Unassigned
Affects: 389-ds-base (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Skipper Bug Screeners

Bug Description

Problem description for the following already Fix Released bug:
https://bugzilla.linux.ibm.com/show_bug.cgi?id=166796
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1764744

The package is still failing to configure

root@fipas1:~# ipa-server-install --allow-zone-overlap

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: yes

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [fipas1.rgy.net]:

Warning: skipping DNS resolution of host fipas1.rgy.net
The domain name has been determined based on the host name.

Please confirm the domain name [rgy.net]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [RGY.NET]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

Checking DNS domain rgy.net., please wait ...
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
Do you want to search for missing reverse zones? [yes]: no

The IPA Master Server will be configured with:
Hostname: fipas1.rgy.net
IP address(es): 192.168.122.50
Domain name: rgy.net
Realm name: RGY.NET

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=RGY.NET
Subject base: O=RGY.NET
Chaining: self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): No reverse zone

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Synchronizing time
Using default chrony configuration.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [error] ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
ipapython.admintool: ERROR Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
root@fipas1:~#

I had run an apt update in advance of installing freeipa and after adding the Canonical staging repository.

root@fipas1:~# apt update
Hit:1 http://ppa.launchpad.net/canonical-x/x-staging/ubuntu bionic InRelease
Hit:2 http://ports.ubuntu.com/ubuntu-ports bionic InRelease
Hit:3 http://ports.ubuntu.com/ubuntu-ports bionic-updates InRelease
Hit:4 http://ports.ubuntu.com/ubuntu-ports bionic-backports InRelease
Hit:5 http://ports.ubuntu.com/ubuntu-ports bionic-security InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
root@fipas1:~#

End of the install log contains

2018-04-26T14:31:25Z DEBUG args=['/bin/systemctl', 'is-active', '<email address hidden>']
2018-04-26T14:31:25Z DEBUG Process finished, return code=0
2018-04-26T14:31:25Z DEBUG stdout=active

2018-04-26T14:31:25Z DEBUG stderr=
2018-04-26T14:31:25Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2018-04-26T14:31:25Z DEBUG waiting for port: 389
2018-04-26T14:31:25Z DEBUG SUCCESS: port: 389
2018-04-26T14:31:25Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 669, in __start_instance
    self.start(self.serverid)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 644, in start
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 179, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1153, in external_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1066, in error_handler
    raise errors.ACIError(info='%s (%s)' % (info,desc))
ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)

2018-04-26T14:31:25Z DEBUG [error] ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
2018-04-26T14:31:25Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 319, in run
    return cfgr.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 364, in run
    return self.execute()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 389, in execute
    for rval in self._executor():
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 658, in _configure
    next(executor)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 434, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 463, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 521, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 453, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 424, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 421, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 581, in main
    master_install(self)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 252, in decorated
    func(installer)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/install.py", line 800, in install
    setup_pkinit=not options.no_pkinit)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 345, in create_instance
    self.start_creation(runtime=30)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 669, in __start_instance
    self.start(self.serverid)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/dsinstance.py", line 644, in start
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/dist-packages/ipalib/backend.py", line 69, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/ldap2.py", line 179, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1153, in external_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/dist-packages/ipapython/ipaldap.py", line 1066, in error_handler
    raise errors.ACIError(info='%s (%s)' % (info,desc))

2018-04-26T14:31:25Z DEBUG The ipa-server-install command failed, exception: ACIError: Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
2018-04-26T14:31:25Z ERROR Insufficient access: SASL(-4): no mechanism available: No worthy mechs found (Unknown authentication method)
2018-04-26T14:31:25Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
root@fipas1:~#

Suggestions?

Comment 19 bugproxy bugproxy 2018-05-02 03:18:57 CDT

### External Comment ###

------- Comment From frank-heimes 2018-05-02 13:25:26 UTC-------
Could you please attach the logs, such as /var/log/syslog, as well as the ipa install log:
/var/log/ipaserver-install.log
and, if available, any other ipa-related logs too, meaning: /var/log/ipa*

And also share the content of the folder: ls -la /etc/ipa/

Thx

Comment 20 Richard G. Young 2018-05-02 08:49:59 CDT

free IPA install failure logs

Requested logs attached in TAR

bugproxy (bugproxy) wrote : free-ipa install failure log

Default Comment by Bridge

tags: added: architecture-s39064 bugnameltc-167506 severity-high targetmilestone-inin1804
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → freeipa (Ubuntu)
tags: added: s390x universe
summary: - freeipa-server installatio/configuration problem for s390x
+ freeipa-server installation/configuration problem on s390x
Changed in ubuntu-z-systems:
importance: Undecided → Medium
Timo Aaltonen (tjaalton) wrote :

what do you have in /usr/lib/s390x-linux-gnu/sasl2 ?

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2018-05-07 18:43 EDT-------
root@fipas1:/usr/lib/s390x-linux-gnu/sasl2# ls -la
total 340
drwxr-xr-x 2 root root 4096 Apr 26 10:01 .
drwxr-xr-x 39 root root 20480 Apr 26 10:23 ..
lrwxrwxrwx 1 root root 22 Feb 5 11:48 libanonymous.so -> libanonymous.so.2.0.25
lrwxrwxrwx 1 root root 22 Feb 5 11:48 libanonymous.so.2 -> libanonymous.so.2.0.25
-rw-r--r-- 1 root root 18400 Feb 5 11:48 libanonymous.so.2.0.25
lrwxrwxrwx 1 root root 20 Feb 5 11:48 libcrammd5.so -> libcrammd5.so.2.0.25
lrwxrwxrwx 1 root root 20 Feb 5 11:48 libcrammd5.so.2 -> libcrammd5.so.2.0.25
-rw-r--r-- 1 root root 22520 Feb 5 11:48 libcrammd5.so.2.0.25
lrwxrwxrwx 1 root root 22 Feb 5 11:48 libdigestmd5.so -> libdigestmd5.so.2.0.25
lrwxrwxrwx 1 root root 22 Feb 5 11:48 libdigestmd5.so.2 -> libdigestmd5.so.2.0.25
-rw-r--r-- 1 root root 55656 Feb 5 11:48 libdigestmd5.so.2.0.25
lrwxrwxrwx 1 root root 16 Feb 5 11:48 libgs2.so -> libgs2.so.2.0.25
lrwxrwxrwx 1 root root 16 Feb 5 11:48 libgs2.so.2 -> libgs2.so.2.0.25
-rw-r--r-- 1 root root 34584 Feb 5 11:48 libgs2.so.2.0.25
lrwxrwxrwx 1 root root 21 Feb 5 11:48 libgssapiv2.so -> libgssapiv2.so.2.0.25
lrwxrwxrwx 1 root root 21 Feb 5 11:48 libgssapiv2.so.2 -> libgssapiv2.so.2.0.25
-rw-r--r-- 1 root root 35000 Feb 5 11:48 libgssapiv2.so.2.0.25
lrwxrwxrwx 1 root root 18 Feb 5 11:48 liblogin.so -> liblogin.so.2.0.25
lrwxrwxrwx 1 root root 18 Feb 5 11:48 liblogin.so.2 -> liblogin.so.2.0.25
-rw-r--r-- 1 root root 18400 Feb 5 11:48 liblogin.so.2.0.25
lrwxrwxrwx 1 root root 17 Feb 5 11:48 libntlm.so -> libntlm.so.2.0.25
lrwxrwxrwx 1 root root 17 Feb 5 11:48 libntlm.so.2 -> libntlm.so.2.0.25
-rw-r--r-- 1 root root 34792 Feb 5 11:48 libntlm.so.2.0.25
lrwxrwxrwx 1 root root 18 Feb 5 11:48 libplain.so -> libplain.so.2.0.25
lrwxrwxrwx 1 root root 18 Feb 5 11:48 libplain.so.2 -> libplain.so.2.0.25
-rw-r--r-- 1 root root 18400 Feb 5 11:48 libplain.so.2.0.25
lrwxrwxrwx 1 root root 19 Feb 5 11:48 libsasldb.so -> libsasldb.so.2.0.25
lrwxrwxrwx 1 root root 19 Feb 5 11:48 libsasldb.so.2 -> libsasldb.so.2.0.25
-rw-r--r-- 1 root root 26440 Feb 5 11:48 libsasldb.so.2.0.25
lrwxrwxrwx 1 root root 18 Feb 5 11:48 libscram.so -> libscram.so.2.0.25
lrwxrwxrwx 1 root root 18 Feb 5 11:48 libscram.so.2 -> libscram.so.2.0.25
-rw-r--r-- 1 root root 38904 Feb 5 11:48 libscram.so.2.0.25
root@fipas1:/usr/lib/s390x-linux-gnu/sasl2#

Timo Aaltonen (tjaalton) wrote :

ok that looks normal, and 389 should do the right thing now but something is still missing and I don't know what.. but the bug isn't in freeipa itself so moving it over to 389 for now

if you have a way to test SASL/GSSAPI on the architecture that'd be good

affects: freeipa (Ubuntu) → 389-ds-base (Ubuntu)
Timo Aaltonen (tjaalton) wrote :

paste the output of

 ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms

Changed in 389-ds-base (Ubuntu):
status: New → Incomplete
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-05-08 20:12 EDT-------
Currently there is nothing listening on 389

root@fipas1:~# ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
root@fipas1:~# netstat -ltpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.122.50:53 0.0.0.0:* LISTEN 720/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 720/named
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 626/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1141/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 720/named
tcp6 0 0 :::80 :::* LISTEN 1199/apache2
tcp6 0 0 :::53 :::* LISTEN 720/named
tcp6 0 0 :::22 :::* LISTEN 1141/sshd
tcp6 0 0 ::1:953 :::* LISTEN 720/named
tcp6 0 0 :::443 :::* LISTEN 1199/apache2
root@fipas1:~#

NOTE:

root@fipas1:~# apt list --installed | grep 389

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

389-ds-base/bionic,now 1.3.7.10-1ubuntu1 s390x [installed,automatic]
389-ds-base-libs/bionic,now 1.3.7.10-1ubuntu1 s390x [installed,automatic]
root@fipas1:~#

NOTE:

root@fipas1:~# systemctl status dirsrv.service
● dirsrv.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
root@fipas1:~# ls -la /lib/systemd/system/dirsrv.service
lrwxrwxrwx 1 root root 9 Apr 17 13:45 /lib/systemd/system/dirsrv.service -> /dev/null
root@fipas1:~#
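
The check requested above, as an added example that is not part of the bug thread: a Python helper that reads the output of the `ldapsearch ... supportedSASLMechanisms` query and separates the case seen here (no server answering on port 389) from a server that answers but does not advertise a needed mechanism. The required-mechanism list and the two sample LDIF outputs are assumptions constructed for illustration.

```python
import base64
import re

# Assumption for this example: EXTERNAL is what the failing external_bind call
# in the traceback uses, GSSAPI is the mechanism the maintainer asks about.
REQUIRED_MECHS = ("EXTERNAL", "GSSAPI")

# Error line as it appears in the thread; the two LDIF outputs are constructed.
UNREACHABLE = "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)\n"
HEALTHY = ("dn:\nsupportedSASLMechanisms: EXTERNAL\n"
           "supportedSASLMechanisms: GSSAPI\nsupportedSASLMechanisms: GSS-SPNEGO\n")
# Folded value ("EXT" + continuation line " ERNAL") and no GSSAPI entry.
NO_GSSAPI = "dn:\nsupportedSASLMechanisms: EXT\n ERNAL\nsupportedSASLMechanisms: PLAIN\n"


def unfold_ldif(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def advertised_mechs(ldapsearch_output):
    """Return the advertised mechanisms as a set, or None when the output
    shows that no LDAP server answered at all."""
    if re.search(r"^ldap_\w+\(.*\): Can't contact LDAP server",
                 ldapsearch_output, re.M):
        return None
    mechs = set()
    for line in unfold_ldif(ldapsearch_output):
        m = re.match(r"(?i)supportedSASLMechanisms(::?)\s*(.*)$", line)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":  # LDIF marks base64-encoded values with "::"
            value = base64.b64decode(value).decode("utf-8")
        mechs.add(value.strip().upper())
    return mechs


def triage(ldapsearch_output, required=REQUIRED_MECHS):
    """Classify the query result and list the required mechanisms not seen."""
    mechs = advertised_mechs(ldapsearch_output)
    if mechs is None:
        return "server-unreachable", list(required)
    missing = [m for m in required if m not in mechs]
    return ("mechanism-missing" if missing else "ok"), missing


if __name__ == "__main__":
    for name, sample in (("unreachable", UNREACHABLE), ("healthy", HEALTHY),
                         ("no-gssapi", NO_GSSAPI)):
        print(name, triage(sample))
```
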

Timo Aaltonen (tjaalton) wrote :

forget about ipa-server-install for now, use setup-ds to get an instance up

Timo Aaltonen (tjaalton) wrote :

Just to clarify, the error is from 389-ds-base not getting set up, so take freeipa out of the picture by testing if you can run setup-ds successfully..

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for Ubuntu on IBM z Systems because there has been no activity for 60 days.]

Changed in ubuntu-z-systems:
status: Incomplete → Expired
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-11-14 21:40 EDT-------
Sorry, I have not had time to get back to this one yet.

The suggestion was to set up 389 manually. However, there is no documentation that I found on how to set up 389 manually to be used by FreeIPA.

The "setup" is part of the freeipa provided scripts. The instructions I find all say to run the freeipa scripts that set everything up for you automatically.

Dimitri John Ledkov (xnox) wrote :

If you still have questions about freeipa / 389-ds-base on s390x please work with upstream projects to gain s390x support for them.

Closing this issue due to inactivity.

Changed in 389-ds-base (Ubuntu):
status: Incomplete → Invalid