There's a point during the ipa-server-install process where it tries to use `/usr/bin/signtool` to sign a Firefox extension. According to rcrit, this extension isn't even used any more. In Fedora 27+, signtool is no longer supported: https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation and the binary has been moved to `%{_libdir}/nss/unsupported-tools/` instead of `/usr/bin/`, so the script will blow up as soon as it reaches this point. It sounds like the 'correct' fix here is just to get rid of all the stuff dealing with this extension, if it's really no longer used, rather than find a different way to sign it. Nominating as an F27 Beta blocker, as this breaks FreeIPA server deployment: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - https://fedoraproject.org/wiki/Fedora_27_Alpha_Release_Criteria#Role_definition_requirements . Domain controller is a release-blocking role. Note this change was also mistakenly sent to Fedora 26 in a candidate update, but openQA caught the breakage of FreeIPA and we were able to avoid the update going stable: https://bodhi.fedoraproject.org/updates/FEDORA-2017-3f11b3237a#comment-648102 . The update has now been revised so signtool is not moved (the change will happen only in F27+).
Created attachment 1315406: ipaserver-install.log from an affected deployment attempt (with the bad F26 update)
Discussed during blocker review [1]: AcceptedBlocker (Beta) - breaks deployment of FreeIPA servers, clear violation of Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started..." for the domain controller role [1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-08-21/
*** Bug 1486383 has been marked as a duplicate of this bug. ***
Upstream ticket: https://pagure.io/freeipa/issue/7135
FreeIPA 4.6, which will land in F27, removes the extension. But there is also some cleanup required, so upstream ticket 7135 was opened. https://github.com/freeipa/freeipa/pull/1034
389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a79e85e4d3
It looks like the 4.6.0 changes fix things sufficiently that deployment succeeds, which is all this bug is really about. So I've set the 4.6.0 update as fixing it. I guess you're OK tracking the cleanups in upstream tickets?
Yes, since https://bugzilla.redhat.com/show_bug.cgi?id=1488640 already has a beta blocker status, it is sufficient for us to unblock base functionality in the web UI.
389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-2.fc27, python-pyldap-2.4.37-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a79e85e4d3
389-ds-base-1.3.7.3-1.fc27, freeipa-4.6.0-2.fc27, python-pyldap-2.4.37-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.