| 2017-05-24 09:36:23 |
Martin Pitt |
bug |
|
|
added bug |
| 2017-05-24 10:05:03 |
Timo Aaltonen |
freeipa (Ubuntu): status |
New |
Fix Released |
|
| 2017-05-24 10:05:16 |
Timo Aaltonen |
nominated for series |
|
Ubuntu Zesty |
|
| 2017-05-24 10:05:16 |
Timo Aaltonen |
bug task added |
|
freeipa (Ubuntu Zesty) |
|
| 2017-05-24 10:08:14 |
Timo Aaltonen |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858970 |
|
| 2017-05-24 10:08:14 |
Timo Aaltonen |
bug task added |
|
kerberos-configs (Debian) |
|
| 2017-05-24 11:14:34 |
Bug Watch Updater |
kerberos-configs (Debian): status |
Unknown |
New |
|
| 2017-06-14 11:01:18 |
Timo Aaltonen |
description |
Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. Running ipa-client-install manually shows why:
$ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
$ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf
$ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
Discovery was successful!
Client hostname: autopkgtest
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Installation failed. Rolling back changes.
IPA client is not configured on this system.
stracing shows that it tries to access /etc/krb5.conf.d/ which does not exist. mkdir'ing this is sufficient to fix it.
I'm not entirely sure if this is really in freeipa-client or krb5-user (kinit), but running "kinit -f admin@COCKPIT.LAN" directly succeeds.
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: freeipa-client 4.4.3-3ubuntu2
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
Date: Wed May 24 09:30:57 2017
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
ipa-client-install fails because it modifies /etc/krb5.conf to include /etc/krb5.conf.d which doesn't exist, so kinit fails.
The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-client.
[Test case]
Enroll an IPA client with ipa-client-install, it should pass.
[Regression potential]
None, this is a safe addition.
[original description]
Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with a COCKPIT.LAN domain (from the "ipa-*" image on https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. Running ipa-client-install manually shows why:
$ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd sssd-tools packagekit
$ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf
$ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd -w foobarfoo
Discovery was successful!
Client hostname: autopkgtest
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library
Installation failed. Rolling back changes.
IPA client is not configured on this system.
stracing shows that it tries to access /etc/krb5.conf.d/ which does not exist. mkdir'ing this is sufficient to fix it.
I'm not entirely sure if this is really in freeipa-client or krb5-user (kinit), but running "kinit -f admin@COCKPIT.LAN" directly succeeds.
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: freeipa-client 4.4.3-3ubuntu2
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.1
Architecture: amd64
Date: Wed May 24 09:30:57 2017
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: freeipa
UpgradeStatus: No upgrade log present (probably fresh install) |
|
| 2017-06-14 11:01:47 |
Timo Aaltonen |
freeipa (Ubuntu Zesty): status |
New |
In Progress |
|
| 2017-06-14 11:01:47 |
Timo Aaltonen |
freeipa (Ubuntu Zesty): assignee |
|
Timo Aaltonen (tjaalton) |
|
| 2017-07-04 14:08:30 |
Łukasz Zemczak |
freeipa (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
| 2017-07-04 14:08:32 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2017-07-04 14:08:35 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2017-07-04 14:08:37 |
Łukasz Zemczak |
tags |
amd64 apport-bug zesty |
amd64 apport-bug verification-needed verification-needed-zesty zesty |
|
| 2017-09-14 10:24:32 |
Martin Pitt |
tags |
amd64 apport-bug verification-needed verification-needed-zesty zesty |
amd64 apport-bug verification-done-zesty verification-needed zesty |
|
| 2017-09-14 10:24:41 |
Martin Pitt |
tags |
amd64 apport-bug verification-done-zesty verification-needed zesty |
amd64 apport-bug verification-done-zesty zesty |
|
| 2017-09-14 17:31:58 |
Launchpad Janitor |
freeipa (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
| 2017-09-14 17:32:09 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
