Hi Team,
During the FreeIPA installation on Linux, particularly on Linux and Ubuntu, I've faced numerous hurdles and made significant observations. Despite configuring the URL for FreeIPA LDAP setup, we've encountered difficulties accessing it. Even after multiple attempts to reset the admin and user accounts, we continue to encounter authentication failures when trying to access the portal. Notably, both Apache and Kerberos services are operational. We've observed Kerberos Authentication Issues repeatedly. Please find the attached document for more details.
URLs: https://ipa-1.devices.devops.tcpwave.com/ipa/ui/ https://ipa-2.devices.devops.tcpwave.com/ipa/ui/
Additionally, we've encountered challenges related to installation and package availability, particularly on Ubuntu machines. We have seen errors related to GSSAPI authentication, including the 'gss_accept_sec_context() failed' message. Furthermore, we've faced issues with Kerberos ticket handling, including problems obtaining and verifying tickets, which may indicate potential concerns with the Key Distribution Center (KDC).
Veera K via FreeIPA-devel wrote:
You didn't include an attachment.
I don't know the current status of Ubuntu as an IPA server but in the past it has not worked well. There are a lot of moving parts in IPA and there is basically one maintainer in Debian trying to herd all the cats.
rob
Veera K via FreeIPA-devel wrote:
Given that I also use Debian (and Ubuntu at times), how can I help?
Mauricio Tavares via FreeIPA-devel wrote:
Oh cool, thanks. I've cc'd Timo. He is the Debian/Ubuntu maintainer.
rob
Rob Crittenden wrote on 8.5.2024 at 17.29:
Ah, sadly my favourite topic :)
The blockers right now are:
* bind-dyndb-ldap doesn't support bind9 9.19.x [1]
* bind-dyndb-ldap also needs to be rebuilt for every bind9 upload, and it might also break when bind9 is updated, which makes it unreleasable on Debian. The solution to this would be to release it with a license which is compatible with upstream, which should allow merging it upstream (and fix the first issue) [2]
* tomcat9 is basically gone from Debian/Ubuntu, but jss (which merged tomcatjss) or dogtag itself don't support 10.x yet [3]. I was told 10.1 should be in rawhide by now-ish, but it's still not there, so porting is blocked AIUI.
In the past I've run the azure test suite on an older Debian/Ubuntu release with select backports (bypassing the above issues), and the pass rate of all the tests was > 90%, so it's not perfect. To get to full 100% there are still things to skip or rework to pass on a .deb distro. But it's rather pointless to work on a frankendistro, I don't have time for that. So it's client only for now, and 389 and others are available waiting for a brighter (unrealistic?) future to arrive...
HTH
[1] https://pagure.io/bind-dyndb-ldap/issue/222
[2] https://pagure.io/bind-dyndb-ldap/issue/225
[3] https://github.com/dogtagpki/pki/issues/4551
On May 8, 2024 12:34:01 PM EDT, Timo Aaltonen tjaalton@ubuntu.com wrote:
What have I got involved in?! Well, I am here for the entertainment (even if I learn something(!) in the process); let me build a test environment so I can understand it better; it does seem this will require helping other stuff to work the way we need before actually building it.
Mauricio Tavares wrote on 10.5.2024 at 19.01:
Yeah, I realized that I didn't actually answer your question. It could be useful to have an environment where dogtag & bind-dyndb-ldap are able to work, and then sort out any integration issues there might still be.
freeipa-devel@lists.fedorahosted.org