freeipa install errors out with certmonger 'dbus' 'start' ''' returned non-zero exit status 4

Bug #1564981 reported by Bryan Quigley on 2016-04-01
This bug affects 1 person
Affects Status Importance Assigned to Milestone
freeipa (Ubuntu)

Bug Description

When running sudo ipa-server-install --no-ntp
it fails with certmonger error:
  [21/27]: issuing RA agent certificate
  [22/27]: adding RA agent as a trusted user
  [23/27]: configure certmonger for renewals
  [error] CalledProcessError: Command ''/usr/sbin/service' 'dbus' 'start' ''' returned non-zero exit status 4
Unexpected error - see /var/log/ipaserver-install.log for details:

Seems like this might be a known issue given -, but didn't see it in the tracker.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: freeipa-server 4.1.4-1
ProcVersionSignature: Ubuntu 4.4.0-16.32-generic 4.4.6
Uname: Linux 4.4.0-16-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
Date: Fri Apr 1 16:01:20 2016
Ec2AMI: ami-00001042
Ec2AMIManifest: FIXME
Ec2AvailabilityZone: nova
Ec2InstanceType: m1.medium
Ec2Kernel: aki-0000022a
Ec2Ramdisk: ari-0000022a
 PATH=(custom, no user)
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install)

Bryan Quigley (bryanquigley) wrote :
Timo Aaltonen (tjaalton) wrote :

Right, I think the server will be removed from xenial and instead point folks to use a ppa with freeipa 4.3.1 plus other bits that are needed and which are too late to get in before release (bind9 with native pkcs11, apache with systemd integration)

You can try it out now, client promotion to a replica works as well which is the big thing compared to the old version:

Timo Aaltonen (tjaalton) wrote :

actually, another plan would be to disable just freeipa-server-dns from the new version.. that would avoid needing pkcs11 in bind9 but still being able to upgrade current servers, though I'm not sure what happens if someone has enabled dns before :/

Bryan Quigley (bryanquigley) wrote :

Maybe alert the bind users they need to use a PPA? It is set to "no" by default.

Is it too late to get a FFe for the bind change?

I absolutely love how easy it was to get it to work with the PPA. That was awesome! Thank you!

Timo Aaltonen (tjaalton) wrote :

yeah alert would be one way, at least --dnssec-master should yell something

I'm discussing the bind change with lamont, he'll have a look tomorrow. And thanks for trying it out :) Apache systemd integration now has a bug too

and a new apache is now on the ppa which merges 2.4.18-2 and adds untested support for instances

Launchpad Janitor (janitor) wrote :
Download full text (4.5 KiB)

This bug was fixed in the package freeipa - 4.3.1-0ubuntu1

freeipa (4.3.1-0ubuntu1) xenial; urgency=medium

  * Sync from Debian.

freeipa (4.3.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #781607, #786411) (LP: #1449304)
    - drop no-test-lang.diff, obsolete
  * fix-match-hostname.diff, control: Drop the patch and python-openssl
    deps, not needed anymore
  * rules, platform, server.dirs, server.install:
    Add support for DNSSEC.
  * control, rules: Add support for kdcproxy.
  * control, server: Migrate to mod-auth-gssapi.
  * control, rules, fix-ipa-conf.diff: Add support for custodia.
  * control:
    - Add python-cryptography to build-deps and python-freeipa deps.
    - Add libp11-kit-dev to build-deps, p11-kit to server deps.
    - Depend on python-gssapi instead of python-kerberos/-krbV.
    - Add libini-config-dev and python-dbus to build-deps, replace wget
      with curl.
    - Bump libkrb5-dev build-dep.
    - Add pki-base to build-deps and pki-kra to server deps, bump pki-ca
    - Drop python-m2crypto from deps, obsolete.
    - Bump sssd deps to 1.13.1.
    - Add python-six to build-deps and python-freeipa deps.
    - Split python stuff from server, client, tests to python-
      ipa{server,client,tests}, rename python-freeipa to match and move
      translations to freeipa-common. Mark them Arch:all where possible,
      and add Breaks/Replaces.
    - Add oddjob to server and oddjob-mkhomedir to client deps.
    - Add python-setuptools to python-ipalib deps.
    - Bump 389-ds-base* deps.
    - Bump server and python-ipaserver dependency on python-ldap to 2.4.22
      to fix a bug on ipa-server-upgrade.
    - Add pki-tools to python-ipaserver deps.
    - Add zip to python-ipaserver depends.
    - Add python-systemd to server depends.
    - Add opendnssec to freeipa-server-dns depends.
    - Add python-cffi to python-ipalib depends.
    - Bump dep on bind9-dyndb-ldap.
    - Bump certmonger dependency to version that has helpers in the correct
  * patches:
    - prefix.patch: Fix ipalib install too.
    - Drop bits of platform.diff and other patches that are now upstream.
    - fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
    - fix-oddjobs.diff: Fix paths and uids in oddjob configs.
    - fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
    - fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
      exporter units.
    - create-sysconfig-ods.diff: Create an empty file for opendnssec
      daemons, until opendnssec itself is fixed.
    - purge-firefox-extension.diff: Clean obsolete kerberosauth.xpi.
    - enable-mod-nss-during-setup.diff: Split from platform.diff, call
      a2enmod/a2dismod from
    - fix-memcached.diff: Split from platform.diff, debianize memcached
      conf & unit.
    - hack-libarch.diff: Don't use fedora libpaths.
  * add-debian-platform.diff:
    - Update to include all variables, comment out ones we don't
    - Use systemwide certificate store; put ipa-ca.crt in
      /usr/local/share/ca-certificates, and run update-ca-certificates
    - Map smb service to smbd (...


Changed in freeipa (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers