This is a recipe with all the work-arounds needed to get a freeipa server with integrated DNS going on Ubuntu bionic/18.04 LTS or later. Without these work-arounds you will hit so many bugs that the system is uninstallable as of 6/23/18.

I chose Lubuntu as a platform as I wanted an integrated browser as a way to check for good operation without the complexity of most of the networking stack in the chain. I started with a 'clean install' of Lubuntu 18.04. I needed 4 CPU cores and 4GB of memory to avoid most of the race conditions that kill the installer. You can reduce these to 1 core and 2GB after installation (that's a 'low demand minimum').

Where you see 192.168.50.64 below, replace it with the IP address of your freeipa machine. Where you see ri.mamabosso.com below, replace it with the sub-domain you'll use for the private IP address range the freeipa server lives in. (If your public domain is xyz.com, it's best practice to add a subdomain for the private addresses, e.g. local.xyz.com, to resolve them. Split-view DNS and the like generate more problems than they solve.)

You should see no error messages at any point in this process. If you do, stop to puzzle them out before moving on.

Get to a command prompt as root:

    apt update
    apt upgrade
    apt install freeipa-server-dns python-psutil haveged

Cause /etc/hosts to look like:

    127.0.0.1 localhost
    192.168.50.64 directory1.ri.mamabosso.com directory1
    127.0.1.1 directory1.ri.mamabosso.com directory1

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

Cause /etc/hostname to look like:

    directory1.ri.mamabosso.com

Remove anything in /etc/netplan unless you're sure otherwise.
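A check worth running before the install, once /etc/resolv.conf has also been written (it is set up a few steps further on): the script below is an added example, not part of this recipe and not FreeIPA code. It parses /etc/hostname, /etc/hosts and /etc/resolv.conf the way the resolver does and reports the mismatches that the installer otherwise turns into opaque failures later. The host name, address and domain are the recipe's own sample values; the loopback-first check reflects that the resolver takes the first /etc/hosts line for a name, so the real address must sit above the 127.0.1.1 line.

```python
#!/usr/bin/env python3
"""Pre-flight check for the files the recipe has you hand-edit.

Added example, not part of the original recipe. Parses /etc/hostname,
/etc/hosts and /etc/resolv.conf and reports disagreements between them
before ipa-server-install is run.
"""
import sys

LOOPBACK_PREFIXES = ("127.", "::1")


def parse_hosts(text):
    """Map each name in /etc/hosts-style text to the IP on its first line.

    The resolver uses the first matching line, so that is the one that counts.
    """
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and blanks
        if len(fields) < 2:
            continue
        ip, aliases = fields[0], fields[1:]
        for name in aliases:
            names.setdefault(name.lower(), ip)
    return names


def parse_resolv(text):
    """Return (nameservers, search_domains) from resolv.conf-style text."""
    nameservers, search = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        if fields[0] == "nameserver":
            nameservers.append(fields[1])
        elif fields[0] in ("search", "domain"):
            search.extend(fields[1:])
    return nameservers, search


def check_config(hostname_text, hosts_text, resolv_text, expected_ip):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    fqdn = hostname_text.strip().lower()
    if fqdn.count(".") < 2:
        problems.append("/etc/hostname %r is not a fully qualified name" % fqdn)
    ip = parse_hosts(hosts_text).get(fqdn)
    if ip is None:
        problems.append("/etc/hosts has no line for %s" % fqdn)
    elif ip.startswith(LOOPBACK_PREFIXES):
        problems.append("first /etc/hosts line for %s is loopback %s; "
                        "put the real address first" % (fqdn, ip))
    elif ip != expected_ip:
        problems.append("/etc/hosts maps %s to %s, expected %s"
                        % (fqdn, ip, expected_ip))
    nameservers, _search = parse_resolv(resolv_text)
    if nameservers != ["127.0.0.1"]:
        problems.append("/etc/resolv.conf nameservers are %s; the recipe wants "
                        "only 127.0.0.1 so the IPA DNS answers" % nameservers)
    return problems


# Constructed sample input, matching the files the recipe describes.
SAMPLE_HOSTNAME = "directory1.ri.mamabosso.com\n"
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.50.64 directory1.ri.mamabosso.com directory1
127.0.1.1 directory1.ri.mamabosso.com directory1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
"""
SAMPLE_RESOLV = "nameserver 127.0.0.1\nsearch ri.mamabosso.com\n"


def main(argv):
    """Usage: preflight.py EXPECTED_IP   (reads the live files under /etc)."""
    if len(argv) != 2:
        print("usage: preflight.py EXPECTED_IP", file=sys.stderr)
        return 2
    texts = [open(p).read() for p in ("/etc/hostname", "/etc/hosts", "/etc/resolv.conf")]
    problems = check_config(*texts, expected_ip=argv[1])
    for problem in problems:
        print("PROBLEM:", problem)
    print("ok" if not problems else "%d problem(s) found" % len(problems))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 preflight.py 192.168.50.64` (your server's address) after the reboot that follows the network setup; a non-zero exit means there is something to fix before ipa-server-install.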
In /etc/netplan add the file /etc/netplan/01-networkd.yaml with the content below (change addresses and domains to yours):

    network:
      version: 2
      renderer: networkd
      ethernets:
        ens3:
          addresses:
            - 192.168.50.64/24
          gateway4: 192.168.50.1
          nameservers:
            search: [ri.mamabosso.com, mamabosso.com]
            addresses: [127.0.0.1]

These commands are needed to avoid several bugs later on:

    systemctl disable systemd-resolved
    systemctl disable network-manager
    systemctl disable NetworkManager
    mv /lib/systemd/system/NetworkManager.service /lib/systemd/system/NetworkManager.service.res
    usermod -aG softhsm bind
    mkdir /var/lib/softhsm/tokens
    chown root:softhsm /var/lib/softhsm/tokens
    chmod 0770 /var/lib/softhsm/tokens
    chmod g+s /var/lib/softhsm/tokens
    mv /usr/sbin/named-pkcs11 /usr/sbin/named-pkcs11-dpkg-dist
    cp /usr/sbin/named /usr/sbin/named-pkcs11
    # The dependency on named-pkcs11 is a Fedora legacy and is no longer necessary,
    # which is fortunate as named-pkcs11 crashes on startup, leaving the system with
    # no resolver.

Make /etc/resolv.conf:

    nameserver 127.0.0.1
    search

Patch freeipa's installer to avoid race conditions that otherwise would crash it. Note: you should exactly match the indenting you find in the programs to be edited below, using spaces and not tabs.

In /usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py, after

    import tempfile

add

    import psutil

In the function migrate_profiles_to_ldap, before

    for profile_id in profile_ids:

change

    time.sleep(80)

to

    time.sleep(30)

and then, just after

    for profile_id in profile_ids:

add (inside the loop body)

    while psutil.cpu_percent() > 9:
        time.sleep(2)

In /usr/lib/python2.7/dist-packages/ipaserver/install/bindinstance.py, add after line 753, which should read 'self.restart()' in the procedure __start:

    while psutil.cpu_percent() > 9:
        time.sleep(2)

In the same file, at the top right after 'import time', add:

    import psutil

This makes sure the services restarted earlier have settled enough to satisfy the coming requests without timing out. Reboot to see if all is well.
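The two `while psutil.cpu_percent() > 9` loops in the patches above share a caveat worth knowing: psutil.cpu_percent() called with no interval compares against the previous call and returns 0.0 the first time it is called, so such a loop can fall straight through before anything has settled. The helper below is an added example, not the recipe's patch and not FreeIPA code. It samples over a real interval and also gives up after a timeout instead of hanging if something keeps the CPU busy. The 9 percent threshold and the 2-second poll are the recipe's values; the 300-second timeout is an assumption. The `sample` and `clock` parameters exist so the wait logic can be exercised without psutil installed.

```python
#!/usr/bin/env python3
"""Wait until the box has settled before the next request is issued.

Added example, not the recipe's patch and not FreeIPA code. Runs on the
python2.7 the recipe patches as well as on python3.
"""
import time

try:
    import psutil
except ImportError:          # lets the wait logic be exercised without psutil
    psutil = None

# Monotonic clock where available (python3); wall clock on python2.7.
_now = getattr(time, "monotonic", time.time)


def psutil_sample(interval=2.0):
    """Blocking sampler: system-wide CPU use averaged over `interval` seconds.

    Passing an interval avoids the 0.0 that psutil.cpu_percent() returns on
    its first no-interval call, which would let a bare `while ... > 9` loop
    exit before anything has settled.
    """
    if psutil is None:
        raise RuntimeError("psutil is not installed; apt install python-psutil")
    return psutil.cpu_percent(interval=interval)


def wait_for_cpu_idle(threshold=9.0, timeout=300.0, sample=psutil_sample, clock=_now):
    """Block until one sample is at or below `threshold` percent.

    Returns True once the machine has settled, False if `timeout` seconds
    (an assumed value) pass first; the caller then decides whether to press
    on or abort. `sample` blocks for its own measurement window, so the
    recipe's time.sleep(2) is folded into psutil_sample's 2-second interval.
    """
    deadline = clock() + timeout
    while True:
        if sample() <= threshold:
            return True
        if clock() >= deadline:
            return False


if __name__ == "__main__":
    settled = wait_for_cpu_idle()
    print("settled" if settled else "timed out, CPU still busy")
```

Dropped into the two places the recipe patches, the call would be `wait_for_cpu_idle()` in place of the bare while loop; a False return is the signal to log the condition rather than silently continue.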
Make sure /etc/hosts and /etc/hostname are correct. Do an "apt update" to make sure the internet is up. Then give the command:

    ipa-server-install --setup-dns --no-forwarders

Accept all defaults, enter passwords, and answer 'yes' at the end of the questions to accept (the one non-default answer is 'yes' to 'continue..'). You should see the correct domain and reverse IP in the list. You should see no errors or complaints during the entire process.

After waiting for that to complete, do:

    chgrp ipaapi /var/lib/krb5kdc   # so the freeipa admin log-in can find the key
    chmod g+rx /var/lib/krb5kdc

so that you can log in to the web interface (without this, the login fails for no obvious reason).

Reboot (mostly to make sure all is well upon reboots). Log in via the web GUI (https://system.domain.com etc.) and look around for normal operation. Surf to a website to make sure DNS is up.

This recipe worked perfectly as of 6/23/18. Some day soon (I hope), the needless dependency on buggy named-pkcs11, which crashes named and so integrated DNS with it (see https://pagure.io/bind-dyndb-ldap/c/4fb51bac7f4f739975a2afb857b686869eff92b6?branch=master ), will be removed.

Hope the day I lost debugging this helps you!

Harry Coin