freeipa installation - directory /var/lib/krb5kdc is not accessible by Apache

Bug #1772447 reported by gianluca
This bug affects 5 people
Affects           Status         Importance   Assigned to   Milestone
freeipa (Ubuntu)  Fix Released   High         Unassigned
Bionic            New            Undecided    Unassigned

Bug Description

After having installed FreeIPA on Ubuntu 18.04, I cannot log in by the web interface. I think the problem is that Apache uses the certificate in /var/lib/krb5kdc/kdc.crt to get Kerberos credentials. Although this file is readable by everyone, the directory /var/lib/krb5kdc is only accessible by root. After a 'chmod 0755 /var/lib/krb5kdc' it is possible to log in through the web interface.
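
The condition described in this report (a world-readable file inside a directory that only root can enter) can be found from the mode bits alone. The script below is an added example, not part of the bug report or of FreeIPA; its function names are hypothetical, it assumes GNU stat, ignores ACLs, and treats the service account as "other" (neither owner nor group member), and its demo runs on a constructed scratch tree.

```shell
#!/bin/sh
# Added example (not FreeIPA code). Assumes GNU stat (Linux) and that the
# service account is neither owner nor group member of the directories, so
# only the "other" permission bits matter. POSIX ACLs are ignored.

# other_bits PATH -> last octal digit of the mode, i.e. the "other" bits
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# blocked_dirs FILE -> prints every ancestor directory (nearest first) that
# "other" cannot traverse (missing x bit); prints nothing if the chain is open.
blocked_dirs() {
    case $1 in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    dir=$(dirname -- "$1")
    while :; do
        bits=$(other_bits "$dir") || bits=0      # unreadable/missing = blocked
        [ $(( bits & 1 )) -ne 0 ] || printf '%s\n' "$dir"
        [ "$dir" = "/" ] && break
        dir=$(dirname -- "$dir")
    done
}

# other_can_read FILE -> exit 0 only if the file has o+r AND no ancestor blocks
other_can_read() {
    bits=$(other_bits "$1") || return 2
    [ $(( bits & 4 )) -ne 0 ] && [ -z "$(blocked_dirs "$1")" ]
}

# make_demo_tree DIR -> constructed stand-in for the layout in the report:
# a 0644 certificate inside a 0700 directory. DIR must be an empty scratch dir.
make_demo_tree() {
    chmod 0755 "$1" && mkdir -m 0700 "$1/krb5kdc" &&
    : > "$1/krb5kdc/kdc.crt" && chmod 0644 "$1/krb5kdc/kdc.crt"
}

# Demo on the constructed tree (never touches the real /var/lib/krb5kdc).
demo=$(mktemp -d) && make_demo_tree "$demo"
crt=$demo/krb5kdc/kdc.crt
other_can_read "$crt" || echo "not readable by 'other'; blocked at:"
blocked_dirs "$crt"
rm -rf -- "$demo"
```

On a real host, `blocked_dirs /var/lib/krb5kdc/kdc.crt` lists the directories that stop a non-root service from reaching the file.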

Timo Aaltonen (tjaalton) wrote :

that's not referenced in any apache config at least, so not sure why it wouldn't work

Timo Aaltonen (tjaalton) wrote :

ok, it's rpcserver.py.. probably need to put these in /var/lib/ipa/certs

Timo Aaltonen (tjaalton) wrote :

fixed in git

Changed in freeipa (Ubuntu):
importance: Undecided → High
status: New → In Progress
gianluca (amato) wrote :

Confirming that it works!

Kees Bakker (keestux) wrote :

Sorry for the duplicate in https://bugs.launchpad.net/bugs/1791325. I should have paid more attention.

Anyway, there is a fix, what's holding it up? Right now FreeIPA server is useless in 18.04

Kees Bakker (keestux) wrote :

Side note for Timo. There is no tag in the git repo for debian/4.7.0~pre1+git20180411-2 (commit fb666595)

Kees Bakker (keestux) wrote :

Since not everyone knows about the staging PPA (I just found it),
the PPA can be found here:
  https://launchpad.net/~freeipa/+archive/ubuntu/staging

With the PPA (4.7.0~pre2-0~ppa3) the installation completes
without a problem.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---------------
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov <email address hidden> Tue, 02 Oct 2018 23:32:01 +0100

Changed in freeipa (Ubuntu):
status: In Progress → Fix Released
Kees Bakker (keestux) wrote :

@tjaalton What happened to 4.7.0~pre2-0~ppa3 in the staging PPA?

Today I wanted to repeat the installation of freeipa-server on 18.04 (now that
the bind9 update is available in -proposed). I wanted to use the staging PPA,
because the current package in bionic is unusable.

Notice that the fix went into cosmic, but again that's useless for
me. I only want to use LTS.

Timo Aaltonen (tjaalton) wrote :

Sorry about that, I uploaded a backport which doesn't work, but I fixed that now with another backport which should be SRU'able to bionic, I hope. It's the same version as in cosmic, should be built soon.

Giovanni Vecchi (g.vecchi) wrote :

Hi everybody,

I can confirm the bug is still present: any ETA for cosmic backports?
