In current Fedora Rawhide (and, I expect, F28, as soon as we have a compose with bind-dyndb-ldap-11.1-10.fc28 in it), FreeIPA server deployment fails with an error from ipapython/ipaldap.py : "This entry already exists" I'm not sure yet what 'entry' it means or why it already exists, but this looks like a clear Beta blocker, per Basic criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried", as domain controller is one of the release-blocking roles. Will attach all logs soon.
Created attachment 1404408 [details] Complete /var/log archive (will also attach specific log files)
Created attachment 1404409 [details] ipaserver-install.log
Created attachment 1404410 [details] /var/log/messages
Discussed at blocker bug meeting [1]: AcceptedBlocker (Beta) - clear violation of "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" for the domain controller role [1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2018-03-05/
Upstream ticket: https://pagure.io/freeipa/issue/7434
An upstream ticket already exists for this issue: https://pagure.io/freeipa/issue/7393 And the ticket has been fixed in ipa-4-6 and master branches Fixed upstream: master https://pagure.io/freeipa/c/939db89cacdd9450400093be33af891d17545c10 ipa-4-6 https://pagure.io/freeipa/c/1f942efab7ca47382209cb6b83d82051d73220bf
so, Beta go/no-go is in 10 days (2018-03-22) and we still do not have a working FreeIPA. Could we please get an update of the overall plan to get a working FreeIPA into F28, preferably with specific dates of when stuff is going to show up? Thanks. As a reminder, *any* package which is necessary to make FreeIPA in F28 work needs to be part of an update that is marked as fixing this bug, https://bugzilla.redhat.com/show_bug.cgi?id=1496562 , https://bugzilla.redhat.com/show_bug.cgi?id=1552318 , or another appropriate blocker/FE bug. Thanks!
I have a candidate build that I've tested with updated dogtag, tomcat and tomcatjss bits (and perhaps a few other things). To date I've only tested new installs and it seems to function as expected. Endi from the dogtag team has confirmed that the build is installable. I will coordinate the release with the dogtag team.
The duplicate error is fixed in: master: 939db89 Update existing 389-DS cn=RSA,cn=encryption config ipa-4-6: 1f942ef Update existing 389-DS cn=RSA,cn=encryption config
freeipa-4.6.90.pre1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9
dogtag-pki-10.6.0-0.2.fc28, dogtag-pki-theme-10.6.0-0.2.fc28, freeipa-4.6.90.pre1-1.fc28, pki-console-10.6.0-0.2.fc28, pki-core-10.6.0-0.2.fc28, tomcat-8.5.29-1.fc28, tomcatjss-7.3.0-0.2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2fd7295cb9
dogtag-pki-10.6.0-0.2.fc28, dogtag-pki-theme-10.6.0-0.2.fc28, freeipa-4.6.90.pre1-1.fc28, pki-console-10.6.0-0.2.fc28, pki-core-10.6.0-0.2.fc28, tomcat-8.5.29-1.fc28, tomcatjss-7.3.0-0.2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.