6:29 a.m.
Hi Team,
During the FreeIPA installation on Linux, particularly on Linux and Ubuntu, I've faced
numerous hurdles and made significant observations. Despite configuring the URL for
FreeIPA LDAP setup, we've encountered difficulties accessing it. Even after multiple
attempts to reset the admin and user accounts, we continue to encounter authentication
failures when trying to access the portal. Notably, both Apache and Kerberos services are
operational. We've observed Kerberos Authentication Issues repeatedly. Please find the
attached document for more details.
URLs:
https://ipa-1.devices.devops.tcpwave.com/ipa/ui/
https://ipa-2.devices.devops.tcpwave.com/ipa/ui/
Additionally, we've encountered challenges related to installation and package
availability, particularly on Ubuntu machines. The occurrence of errors related to GSSAPI
authentication, errors 'gss_accept_sec_context() failed' message. Furthermore,
we've faced issues with Kerberos ticket handling, including problems obtaining and
verifying tickets, which may indicate potential concerns with the Key Distribution Center
(KDC).
7:37 a.m.
Veera K via FreeIPA-devel wrote:
Hi Team,
During the FreeIPA installation on Linux, particularly on Linux and Ubuntu, I've
faced numerous hurdles and made significant observations. Despite configuring the URL for
FreeIPA LDAP setup, we've encountered difficulties accessing it. Even after multiple
attempts to reset the admin and user accounts, we continue to encounter authentication
failures when trying to access the portal. Notably, both Apache and Kerberos services are
operational. We've observed Kerberos Authentication Issues repeatedly. Please find the
attached document for more details.
URLs:
https://ipa-1.devices.devops.tcpwave.com/ipa/ui/
https://ipa-2.devices.devops.tcpwave.com/ipa/ui/
Additionally, we've encountered challenges related to installation and package
availability, particularly on Ubuntu machines. The occurrence of errors related to GSSAPI
authentication, errors 'gss_accept_sec_context() failed' message. Furthermore,
we've faced issues with Kerberos ticket handling, including problems obtaining and
verifying tickets, which may indicate potential concerns with the Key Distribution Center
(KDC).
You didn't include an attachment.
I don't know the current status of Ubuntu as an IPA server but in the
past it has not worked well. There are a lot of moving parts in IPA and
there is basically one maintainer in Debian trying to herd all the cats.
rob
9:16 a.m.
Veera K via FreeIPA-devel wrote:
You didn't include an attachment.
I don't know the current status of Ubuntu as an IPA server but in the
past it has not worked well. There are a lot of moving parts in IPA and
there is basically one maintainer in Debian trying to herd all the cats.
rob
Given that I also use Debian (and Ubuntu at times), how can I help?
9:29 a.m.
Mauricio Tavares via FreeIPA-devel wrote:
> Veera K via FreeIPA-devel wrote:
>
>
> You didn't include an attachment.
>
> I don't know the current status of Ubuntu as an IPA server but in the
> past it has not worked well. There are a lot of moving parts in IPA and
> there is basically one maintainer in Debian trying to herd all the cats.
>
> rob
Given that I also use Debian (and Ubuntu at times), how can I help?
Oh cool, thanks. I've cc'd Timo. He is the Debian/Ubuntu maintainer.
rob
11:34 a.m.
Rob Crittenden kirjoitti 8.5.2024 klo 17.29:
Mauricio Tavares via FreeIPA-devel wrote:
>> Veera K via FreeIPA-devel wrote:
>>
>>
>> You didn't include an attachment.
>>
>> I don't know the current status of Ubuntu as an IPA server but in the
>> past it has not worked well. There are a lot of moving parts in IPA and
>> there is basically one maintainer in Debian trying to herd all the cats.
>>
>> rob
>
> Given that I also use Debian (and Ubuntu at times), how can I help?
Oh cool, thanks. I've cc'd Timo. He is the Debian/Ubuntu maintainer.
rob
Ah, sadly my favourite topic :)
The blockers right now are:
* bind-dyndb-ldap doesn't support bind9 9.19.x [1]
* bind-dyndb-ldap also needs to be rebuilt for every bind9 upload, and
it might also break when bind9 is updated, which makes it unreleaseable
on Debian. The solution to this would be to release it with a license
which is compatible with upstream, which should allow merging it
upstream (and fix the first issue) [2]
* tomcat9 is basically gone from Debian/Ubuntu, but jss (which merged
tomcatjss) or dogtag itself don't support 10.x yet [3]. I was told 10.1
should be in rawhide by now-ish, but it's still not there, so porting is
blocked AIUI.
In the past I've run the azure test suite on an older Debian/Ubuntu
release with select backports (bypassing the above issues), and the pass
rate of all the tests was > 90%, so it's not perfect. To get to full
100% there are still things to skip or rework to pass on a .deb distro.
But it's rather pointless to work on a frankendistro, I don't have time
for that. So it's client only for now, and 389 and others are available
waiting for a brighter (unrealistic?) future to arrive...
HTH
[1] https://pagure.io/bind-dyndb-ldap/issue/222
[2] https://pagure.io/bind-dyndb-ldap/issue/225
[3] https://github.com/dogtagpki/pki/issues/4551
--
t
11:01 a.m.
On May 8, 2024 12:34:01 PM EDT, Timo Aaltonen <tjaalton(a)ubuntu.com> wrote:
Rob Crittenden kirjoitti 8.5.2024 klo 17.29:
> Mauricio Tavares via FreeIPA-devel wrote:
>>> Veera K via FreeIPA-devel wrote:
>>>
>>>
>>> You didn't include an attachment.
>>>
>>> I don't know the current status of Ubuntu as an IPA server but in the
>>> past it has not worked well. There are a lot of moving parts in IPA and
>>> there is basically one maintainer in Debian trying to herd all the cats.
>>>
>>> rob
>>
>> Given that I also use Debian (and Ubuntu at times), how can I help?
>
>
> Oh cool, thanks. I've cc'd Timo. He is the Debian/Ubuntu maintainer.
>
> rob
Ah, sadly my favourite topic :)
The blockers right now are:
* bind-dyndb-ldap doesn't support bind9 9.19.x [1]
* bind-dyndb-ldap also needs to be rebuilt for every bind9 upload, and it might also break
when bind9 is updated, which makes it unreleaseable on Debian. The solution to this would
be to release it with a license which is compatible with upstream, which should allow
merging it upstream (and fix the first issue) [2]
* tomcat9 is basically gone from Debian/Ubuntu, but jss (which merged tomcatjss) or dogtag
itself don't support 10.x yet [3]. I was told 10.1 should be in rawhide by now-ish,
but it's still not there, so porting is blocked AIUI.
In the past I've run the azure test suite on an older Debian/Ubuntu release with
select backports (bypassing the above issues), and the pass rate of all the tests was >
90%, so it's not perfect. To get to full 100% there are still things to skip or rework
to pass on a .deb distro. But it's rather pointless to work on a frankendistro, I
don't have time for that. So it's client only for now, and 389 and others are
available waiting for a brighter (unrealistic?) future to arrive...
HTH
[1] https://pagure.io/bind-dyndb-ldap/issue/222
[2] https://pagure.io/bind-dyndb-ldap/issue/225
[3] https://github.com/dogtagpki/pki/issues/4551
What have I got involved into?! Well, I am here for the entertainment (even
if I learn something(!) in the process); let me build a test environment so I can
understand it better; it does seem this will require helping other stuff to work the way
we need before actually building it.
11:45 a.m.
Mauricio Tavares kirjoitti 10.5.2024 klo 19.01:
On May 8, 2024 12:34:01 PM EDT, Timo Aaltonen
<tjaalton(a)ubuntu.com> wrote:
> Rob Crittenden kirjoitti 8.5.2024 klo 17.29:
>> Mauricio Tavares via FreeIPA-devel wrote:
>>>> Veera K via FreeIPA-devel wrote:
>>>>
>>>>
>>>> You didn't include an attachment.
>>>>
>>>> I don't know the current status of Ubuntu as an IPA server but in
the
>>>> past it has not worked well. There are a lot of moving parts in IPA and
>>>> there is basically one maintainer in Debian trying to herd all the cats.
>>>>
>>>> rob
>>>
>>> Given that I also use Debian (and Ubuntu at times), how can I help?
>>
>>
>> Oh cool, thanks. I've cc'd Timo. He is the Debian/Ubuntu maintainer.
>>
>> rob
>
> Ah, sadly my favourite topic :)
>
> The blockers right now are:
>
> * bind-dyndb-ldap doesn't support bind9 9.19.x [1]
>
> * bind-dyndb-ldap also needs to be rebuilt for every bind9 upload, and it might also
break when bind9 is updated, which makes it unreleaseable on Debian. The solution to this
would be to release it with a license which is compatible with upstream, which should
allow merging it upstream (and fix the first issue) [2]
>
> * tomcat9 is basically gone from Debian/Ubuntu, but jss (which merged tomcatjss) or
dogtag itself don't support 10.x yet [3]. I was told 10.1 should be in rawhide by
now-ish, but it's still not there, so porting is blocked AIUI.
>
>
> In the past I've run the azure test suite on an older Debian/Ubuntu release with
select backports (bypassing the above issues), and the pass rate of all the tests was >
90%, so it's not perfect. To get to full 100% there are still things to skip or rework
to pass on a .deb distro. But it's rather pointless to work on a frankendistro, I
don't have time for that. So it's client only for now, and 389 and others are
available waiting for a brighter (unrealistic?) future to arrive...
>
> HTH
>
> [1] https://pagure.io/bind-dyndb-ldap/issue/222
> [2] https://pagure.io/bind-dyndb-ldap/issue/225
> [3] https://github.com/dogtagpki/pki/issues/4551
>
What have I got involved into?! Well, I am here for the entertainment (even if I
learn something(!) in the process); let me build a test environment so I can understand
it better; it does seem this will require helping other stuff to work the way we need
before actually building it.
Yeah, I realized that I didn't actually answer your question. It could
be useful to have an environment where dogtag & bind-dyndb-ldap are able
to work, and then sort out any integration issues there might still be.
--
t
7
days inactive
21
days old
freeipa-devel@lists.fedorahosted.org
6 comments
4 participants
participants (4)
-
Mauricio Tavares -
Rob Crittenden -
Timo Aaltonen -
Veera K