Comments

27 Comments

I have run some FreeIPA integration tests with the new build and they all passed.

What FreeIPA version did you install? FreeIPA 4.4 and earlier added the required system users dynamically during server/replica install. Commit https://github.com/freeipa/freeipa/commit/e8a429d9e170955919f2e53e66b580be95e908d9 removed this behavior and we now rely on system users provided by RPM installation. That's why FreeIPA 4.4 will work but 4.5 development version would not.

So basically older IPA covered the packaging errors/bugs of its dependencies, newer versions will not.

This update breaks development versions of FreeIPA since it now relies on RPM installs to create system users like dirsrv. The new update no longer adds this user, however:

[root@replica1 ~]# getent passwd dirsrv
[root@replica1 ~]# rpm -q 389-ds-base
389-ds-base-1.3.5.17-2.fc25.x86_64

Subsequent installation of 4.5 FreeIPA server/replica from git fails on missing user:

Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/40]: creating directory server instance
  [error] KeyError: 'getpwnam(): name not found: dirsrv'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    'getpwnam(): name not found: dirsrv'
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

After downgrading to latest stable version I can see the dirsrv user appearing again:

[root@replica1 ~]# getent passwd dirsrv 
dirsrv:x:389:389:389-ds-base:/usr/share/dirsrv:/sbin/nologin
[root@replica1 ~]# rpm -q 389-ds-base
389-ds-base-1.3.5.16-1.fc25.x86_64
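The failure above is Python's pwd.getpwnam raising KeyError because the 389-ds-base package no longer created the dirsrv account. The following preflight check is an added example, not FreeIPA or 389-ds code: it resolves the accounts an installer depends on before anything is written to disk, and, given a getent-style passwd dump, also flags service accounts that have an interactive shell. The passwd line and the list of required users are constructed from the output quoted in the comment; the function names are hypothetical.

```python
import pwd

# Constructed from the `getent passwd dirsrv` line in the comment above.
PASSWD_SAMPLE = "dirsrv:x:389:389:389-ds-base:/usr/share/dirsrv:/sbin/nologin\n"

# Assumption: the system accounts this installer expects packages to have created.
REQUIRED_USERS = ("dirsrv",)

# Shells that mark an account as non-interactive (assumption: common nologin paths).
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_passwd(text):
    """Parse passwd(5)-style lines into {name: {"uid", "gid", "home", "shell"}}."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, _gecos, home, shell = fields
        table[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return table


def lookup_from_table(table):
    """Build a getpwnam-like callable over a parsed table, raising KeyError like pwd does."""
    def lookup(name):
        if name not in table:
            raise KeyError("getpwnam(): name not found: %s" % name)
        return table[name]
    return lookup


def missing_users(names, lookup=pwd.getpwnam):
    """Return the names that `lookup` cannot resolve (default: the live system via pwd)."""
    missing = []
    for name in names:
        try:
            lookup(name)
        except KeyError:
            missing.append(name)
    return missing


def interactive_service_accounts(table, names):
    """Return service accounts from `names` whose shell is not a nologin shell."""
    return [n for n in names if n in table and table[n]["shell"] not in NOLOGIN_SHELLS]


def preflight_report(names, lookup=pwd.getpwnam):
    """Human-readable summary an installer could print before touching the system."""
    missing = missing_users(names, lookup)
    if missing:
        return "missing system users: %s (is the providing RPM installed?)" % ", ".join(missing)
    return "all required system users present"


if __name__ == "__main__":
    # Check the live system first, then the constructed sample.
    print(preflight_report(REQUIRED_USERS))
    sample = parse_passwd(PASSWD_SAMPLE)
    print(preflight_report(REQUIRED_USERS, lookup_from_table(sample)))
    print("interactive service accounts:", interactive_service_accounts(sample, REQUIRED_USERS))
```

Running the check against the parsed sample reports dirsrv as present with uid/gid 389 and a nologin shell; against an empty table it reports the same "name not found" condition the installer hit, but before any partial configuration has happened.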

Update breaks CA clone deployment on FreeIPA replica, see: https://paste.fedoraproject.org/paste/Qofu9fa06OBjA4P5opaAZV5M1UNdIGYhyRLivL9gydE=/

Package versions:

$ rpm -q pki-ca
pki-ca-10.4.0-1.fc25.noarch
[root@replica1 ~]# rpm -q tomcatjss
tomcatjss-7.2.1-1.fc25.noarch
[root@replica1 ~]# rpm -q jss
jss-4.4.0-2.fc25.x86_64

I have also seen some vault plugin tests crashing but I do not have enough info to blame this update.


The rebase broke Dogtag CA configuration on ipa-server-install

Mar 15 08:22:35 master1.ipa.test server[8656]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead: [false]
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'enableOCSP' to 'false' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderURL' to 'http://master1.ipa.test:9080/ca/ocsp' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspResponderCertNickname' to 'ocspSigningCert cert-pki-ca' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspCacheSize' to '1000' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMinCacheEntryDuration' to '60' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ocspTimeout' to '10' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'strictCiphers' to 'true' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_C
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeStream' to 'tls1_0:tls1_2' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslVersionRangeDatagram' to 'tls1_1:tls1_2' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslRangeCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Valve} Setting property 'resolveHosts' to 'false' did not find a matching property.
Mar 15 08:22:36 master1.ipa.test server[8656]: PKIListener: org.apache.catalina.core.StandardServer[before_init]
Mar 15 08:22:36 master1.ipa.test server[8656]: JSSSocketFactory init - exception thrown:java.lang.IllegalArgumentException: JSS SSLSocket SSLVersionRange: arguments out of range
BZ#1431937 Rebase jss to 4.4.0 in Fedora 25+

Fixes selinux issues reported during testing of FreeIPA server in container.

Works with FreeIPA/openldap-clients

Works with FreeIPA and openldap-clients.

BZ#1404718 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod [fedora-all]
BZ#1404690 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy [fedora-all]

Works as expected.

BZ#1395311 CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
BZ#1404718 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod [fedora-all]
BZ#1370493 CVE-2016-7030 ipa: DoS attack against kerberized services by abusing password policy
BZ#1404690 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy [fedora-all]

This update broke Dogtag PKI setup during FreeIPA server installation:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f    /tmp/tmp9kNE80' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
 Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

See also the following cornucopia of stack traces in the pki-tomcat service journal log: https://paste.fedoraproject.org/460589/77394029

Giving negative karma until the issue is fixed either on the tomcat or dogtag side.

FreeIPA 4.4.2 works

I was not able to reproduce it anymore either. I guess it was caused by something fishy in my development environment so go ahead and push it. Sorry for false alarm.

This build breaks DNS record manipulation and checks in FreeIPA, see https://paste.fedoraproject.org/447568/76088066/


This update results in the following exceptions being thrown when using the FreeIPA client API:

# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
    channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security    library: invalid arguments.
--------------------------------------------
IPA server version 4.4.90. API version 2.215
--------------------------------------------

Downgrading to python-nss.x86_64 1.0.0-beta1.2.fc24.1 fixed the problem.

This build breaks the total update during FreeIPA replica installation. The regression is probably caused by the fix for https://fedorahosted.org/389/ticket/48755

See the logs from the failed replica install:

https://paste.fedoraproject.org/378950/06087146 https://paste.fedoraproject.org/378949/46590602

This build breaks KRA clone installation on FreeIPA 4.3.1 replica, see https://fedorahosted.org/pki/ticket/2247