
freeipa team mailing list archive

[Bug 1769440] Re: freeipa server install fails - named-pkcs11 fails to run


This is a recipe with all the work-arounds needed to get a freeipa
server with integrated DNS going on Ubuntu bionic/18.04 LTS or later.

Without these workarounds, you will hit so many bugs the system is
uninstallable as of 6/23/18.

I chose Lubuntu as a platform as I wanted an integrated browser as a way
to check for good operations without the complexity of most of the
networking stack in the chain.

I started with a ‘clean install’ of Lubuntu 18.04.  I needed 4 CPU cores
and 4GB of memory to avoid most of the race conditions that kill the
installer.  You can reduce these to 1 core and 2GB after installation
(that’s a ‘low demand minimum’).

Where you see 192.168.50.64 below, replace that with the IP address of your freeipa machine.
Where you see ri.mamabosso.com below, replace that with the private IP address range of the sub-domain you’ll use for the freeipa server.  (If your public domain is xyz.com, it’s best practice to add a subdomain for the private addresses, so local.xyz.com to resolve them.  Split-view and the like generate more problems than they solve).

You should see no error messages at any point in this process.  If you
do, stop to puzzle them out before moving on.

Get to a command prompt as root:

apt update
apt upgrade

apt install freeipa-server-dns python-psutil haveged

Cause /etc/hosts to look like:

127.0.0.1	localhost
192.168.50.64	directory1.ri.mamabosso.com directory1
127.0.1.1	directory1.ri.mamabosso.com directory1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Cause /etc/hostname to look like:
directory1.ri.mamabosso.com


Remove anything in /etc/netplan unless you're sure otherwise.  In /etc/netplan add file:
/etc/netplan/01-networkd.yaml  with the below (change addresses and domains to yours):

network:
  version: 2
  renderer: networkd
  ethernets:
    ens3:
      addresses:
        - 192.168.50.64/24
      gateway4: 192.168.50.1
      nameservers:
          search: [ri.mamabosso.com, mamabosso.com]
          addresses: [127.0.0.1]

These commands are needed to avoid several bugs later on:


systemctl disable systemd-resolved
systemctl disable network-manager
systemctl disable NetworkManager
mv /lib/systemd/system/NetworkManager.service NetworkManager.service.res
usermod bind -aG softhsm
mkdir /var/lib/softhsm/tokens
chown root:softhsm /var/lib/softhsm/tokens
chmod 0770 /var/lib/softhsm/tokens
chmod g+s /var/lib/softhsm/tokens
mv /usr/sbin/named-pkcs11 /usr/sbin/named-pkcs11-dpkg-dist
cp /usr/sbin/named /usr/sbin/named-pkcs11 
#The dependency on named-pkcs11 is a fedora legacy and is no longer necessary
#which is fortunate as named-pkcs11 crashes on startup leaving the system with
#no resolver.

Make  /etc/resolv.conf:

nameserver 127.0.0.1
search <your local domain here, ri.mamabosso.com in my case>

Patch freeipa’s installer to avoid race conditions that otherwise would
crash it:

Note:  you should exactly match the indenting you find in the programs
to be edited below, using spaces and not tabs.

in /usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py after 
import tempfile
add
import psutil

In function "migrate_profiles_to_ldap"

before:
for profile_id in profile_ids:
change
time.sleep(80)
to 
time.sleep(30)

then just after, 
for profile_id in profile_ids:
add
while psutil.cpu_percent() > 9: time.sleep(2)

And, in /usr/lib/python2.7/dist-packages/ipaserver/install/bindinstance.py, add after line 753 which should read ‘self.restart()’ in procedure __start:
while psutil.cpu_percent() > 9: time.sleep(2)
In the same file, at the top right after import time, add:
import psutil

This will make sure all the services restarted prior can satisfy the coming
requests without timing out as the service startup hasn’t settled.

Reboot to see if all is well.  
Make sure /etc/hosts and /etc/hostname are correct.  Do an “apt update” to make sure the internet is up.

Then give the command:

ipa-server-install --setup-dns --no-forwarders

Accept defaults, enter passwords, answer ‘yes’ at the end of the
questions to accept.

Accept all defaults (except answer ‘yes’ to ‘continue..’).  You should see the correct domain and reverse ip in the list.

You should see no errors or complaints during the entire process.  After
waiting for that to complete, do:

chgrp ipaapi /var/lib/krb5kdc  #so freeipa admin log in can find key.
chmod g+rx /var/lib/krb5kdc

So that you can log in to the web interface (without access to that, the
login fails for no obvious reason).

Reboot (mostly to make sure all is well upon reboots)

Log in via the web gui (https://system.domain.com etc.), look around
for normal operations.  Surf to a website to make sure dns is up.

This recipe worked perfectly as of 6/23/18.

Some day soon (I hope), the needless dependency on buggy named-pkcs11, which crashes named and so integrated DNS with it (see
https://pagure.io/bind-dyndb-ldap/c/4fb51bac7f4f739975a2afb857b686869eff92b6?branch=master
), will be removed.

Hope the day I lost debugging this helps you!

Harry Coin
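
The post stresses twice that /etc/hosts, /etc/hostname and /etc/resolv.conf must agree before ipa-server-install runs, and that a mismatch fails in non-obvious ways. The following is an added example, not code from the post or from FreeIPA: a small preflight check that parses /etc/hosts-style text, the hostname and resolv.conf and reports the mismatches the recipe warns about (short hostname, FQDN only on loopback, a resolver other than the box's own named). The sample inputs are constructed, reusing the post's example address and names; the check reads strings rather than the live files so it can be run anywhere.

```python
"""Preflight check for the name-resolution state the recipe above requires.

Added example (not code from the post or from FreeIPA). It parses
/etc/hosts-style text, a hostname and resolv.conf text and reports the
mismatches the post says make the installer fail. All sample inputs below
are constructed, reusing the post's example address and names.
"""
import ipaddress
import re

# Constructed sample inputs mirroring what the post asks the files to contain.
GOOD_HOSTS = """\
127.0.0.1\tlocalhost
192.168.50.64\tdirectory1.ri.mamabosso.com directory1
127.0.1.1\tdirectory1.ri.mamabosso.com directory1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
"""
GOOD_HOSTNAME = "directory1.ri.mamabosso.com\n"
GOOD_RESOLV = "nameserver 127.0.0.1\nsearch ri.mamabosso.com\n"
EXPECTED_IP = "192.168.50.64"

# A constructed broken state: short hostname, FQDN only on loopback,
# resolv.conf still pointing at the systemd-resolved stub.
BAD_HOSTS = "127.0.0.1\tlocalhost\n127.0.1.1\tdirectory1.ri.mamabosso.com directory1\n"
BAD_HOSTNAME = "directory1\n"
BAD_RESOLV = "nameserver 127.0.0.53\n"


def parse_hosts(text):
    """Return [(ip, [names...])] from /etc/hosts text; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip rather than guess
        entries.append((fields[0], fields[1:]))
    return entries


def check_name_setup(hosts_text, hostname_text, resolv_text, expected_ip):
    """Return a list of problems; an empty list means the files agree with the recipe."""
    problems = []
    hostname = hostname_text.strip()
    if "." not in hostname:
        problems.append("/etc/hostname %r is not a fully qualified name" % hostname)

    ips_for_host = [ip for ip, names in parse_hosts(hosts_text) if hostname in names]
    if expected_ip not in ips_for_host:
        problems.append("/etc/hosts does not map %s to %s" % (hostname, expected_ip))
    if ips_for_host and all(ipaddress.ip_address(ip).is_loopback for ip in ips_for_host):
        problems.append("%s resolves only to loopback addresses" % hostname)

    # Integrated DNS means the host must query its own named, so resolv.conf
    # should list exactly one nameserver: 127.0.0.1.
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.MULTILINE)
    if nameservers != ["127.0.0.1"]:
        problems.append("resolv.conf nameservers are %r, expected ['127.0.0.1']" % (nameservers,))
    return problems


if __name__ == "__main__":
    for label, args in (("good", (GOOD_HOSTS, GOOD_HOSTNAME, GOOD_RESOLV, EXPECTED_IP)),
                        ("bad", (BAD_HOSTS, BAD_HOSTNAME, BAD_RESOLV, EXPECTED_IP))):
        print(label, check_name_setup(*args) or "OK")
```

On a real host the three strings would come from reading the files; keeping the checks pure makes them easy to run before the reboot the post recommends, when the cost of a wrong /etc/hosts is a failed install rather than a quick error.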

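
The installer patch in the post inserts `while psutil.cpu_percent() > 9: time.sleep(2)` so that later requests are not issued while freshly restarted services are still settling. That loop has no upper bound, so any unrelated busy process would leave ipa-server-install hanging silently. The following is an added example, not code from the post or from FreeIPA: the same wait, with a timeout and a return value saying whether the system actually settled. The threshold and polling interval default to the post's values; the 300 s timeout and the injectable sampler, clock and sleep are assumptions made so the logic can be exercised without psutil or real waiting.

```python
"""Bounded version of the CPU-settle wait the post patches into the installer.

Added example, not part of the post or of FreeIPA. Same idea as the post's
`while psutil.cpu_percent() > 9: time.sleep(2)`, but it gives up after a
timeout and reports which outcome occurred. threshold/interval defaults are
the post's values; the timeout and the injectable sampler, clock and sleep
are assumptions for this example.
"""
import time


def psutil_sampler(interval=1.0):
    """Read system-wide CPU use via psutil (third-party; python-psutil in the post).

    Imported lazily so this module still loads where psutil is not installed.
    """
    import psutil
    return psutil.cpu_percent(interval=interval)


def wait_for_idle(sample, threshold=9.0, interval=2.0, timeout=300.0,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll sample() until it returns at most threshold percent CPU.

    Returns True once the system has settled, False if timeout seconds pass
    first. sample, clock and sleep are callables so callers (and tests) can
    substitute fakes.
    """
    deadline = clock() + timeout
    while True:
        load = sample()
        if load <= threshold:
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


if __name__ == "__main__":
    # Stand-alone run: use real readings when psutil is installed.
    try:
        settled = wait_for_idle(psutil_sampler, timeout=30.0)
    except ImportError:
        settled = None
    print("system settled:", settled)
```

The sampler passes an explicit interval to psutil.cpu_percent on purpose: psutil documents that the first call with interval None returns a meaningless 0.0, which would make the post's one-liner pass immediately on its first evaluation rather than waiting.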

Title:
  freeipa server install fails - named-pkcs11 fails to run

Status in bind9 package in Ubuntu:
  Triaged
Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface",
  step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The
  ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG   [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG   [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG   File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...
