← Back to team overview

ubuntu-389-directory-server team mailing list archive

[Bug 1764744] Re: Support of freeipa-server for s390x


------- Comment From heinz-werner_seeck@xxxxxxxxxx 2018-05-07 07:35 EDT-------
IBM bugzilla status closed; Fix Released, Follow-on problem tracked via https://bugzilla.linux.ibm.com/show_bug.cgi?id=167506

** Bug watch added: bugzilla.linux.ibm.com/ #167506

You received this bug notification because you are a member of Ubuntu
389 Directory Server, which is subscribed to 389-ds-base in Ubuntu.

  Support of freeipa-server for s390x

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in 389-ds-base package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  freeipa fails to configure on s390x.   (Configuration being handled by
  the freeipa-server-install script)    This script has two failure
  points.   The first is below:

  describes a known bug but it was only resolved for x86_64.

  In the falling scenario the install log will have entries like the

  2018-04-10T18:53:01Z DEBUG nsslapd-pluginenabled:
  2018-04-10T18:53:01Z DEBUG      on
  2018-04-10T18:53:01Z DEBUG nsslapd-pluginpath:
  2018-04-10T18:53:01Z DEBUG      /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so
  2018-04-10T18:53:01Z DEBUG nsslapd-pluginversion:
  2018-04-10T18:53:01Z DEBUG      0.8

  Obviously on s390x /usr/lib/x86_64-linux-gnu/dirsrv/plugins/schemacompat-plugin.so will never be found.

  Now if I create a symbolic link with the above name that is linked to
  the same location but with s390x where x86_64 is located, the install
  will proceed past this failing location.

  The second failure point in the freeipa-server-install script is near
  the end, after the script has completed the freeipa-server-install and
  where it attempts to install the freeipa-client.  The client install
  appears to fail because of a problem with certificates related to the
  server install.

  2018-04-17T12:14:59Z ERROR Cannot connect to the server due to generic
  error: Insufficient access: SASL(-4): no mechanism available: No
  worthy mechs found (Unknown authentication method)

  The above appears to be related to an issue with the key database

  # certutil -L
  certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

  # ipa cert-show 1
  ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

  # ipa user-add 
  First name: Richard 
  >>> First name: Leading and trailing spaces are not allowed
  First name: Richard
  Last name: Young
  User login [ryoung]: ryoung1
  ipa: ERROR: cannot connect to 'https://fipas1.pdl.pok.ibm.com/ipa/json': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

To manage notifications about this bug go to: