[CentOS-devel] new krb5 packages break freeIPA

Fri Jul 3 00:36:05 UTC 2020
Nico Kadel-Garcia <nkadel at gmail.com>

On Thu, Jul 2, 2020 at 3:38 AM Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
> On ke, 01 heinä 2020, Brian Stinson wrote:
> >On Wed, Jul 1, 2020, at 14:33, Alexander Bokovoy wrote:
> >> On ke, 01 heinä 2020, lejeczek via CentOS-devel wrote:
> >> >hi guys
> >> >
> >> >latest in the repo krb5 packages - 1.18.2-2.el8 - break
> >> >freeIPA if already installed and conflict if want to install.
> >> >
> >> ># dnf install -y ipa-server-dns
> >> >Last metadata expiration check: 1:21:31 ago on Wed 01 Jul
> >> >2020 11:00:25 BST.
> >> >Error:
> >> > Problem: package
> >> >ipa-server-dns-4.8.4-7.module_el8.2.0+374+0d2d74a1.noarch
> >> >requires ipa-server = 4.8.4-7.module_el8.2.0+374+0d2d74a1,
> >> >but none of the providers can be installed
> >> >  - conflicting requests
> >> >  - nothing provides krb5-kdb-version = 7.0 needed by
> >> >ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
> >>
> >> Going back to the actual issue, the only solution right now is not to
> >> use CentOS 8 Stream, at least until all the required rebuilds are in
> >> place.
> >>
> >> Right now CentOS 8 Stream contains exactly same IPA version as CentOS
> >> 8.2.2004. So you are not gaining anything by using the stream right now.
> >
> >In CentOS Stream we're working on staying caught up to RHEL 8.3
> >development to jumpstart the automation that will handle this going
> >forward. During this process we're finding that modules are a little
> >bit unwieldy.
>
> There are several rebases in RHEL 8.3 that require rebuild of idm module
> streams: krb5, samba, libldb are the requirements that need to be
> rebuilt before idm modules streams can be built. And changes in those
> packages also require rebuilding SSSD.

I'm going to restrain my commentary on the decisions for Samba to use
Heimdal kerberos, Red Hat to use MIT kerberos, and the theory that
those would someday be resolved. They're not, and support for Samba to
use MIT kerberos remains listed in samba-4.12.5 released a few days
ago as "experimental". I'm also miffed at Red Hat's continuing
packaging of a "samba-dc" package that doesn't actually contain a
domain controller.

samba-4.12.5 came out very recently, I've not tested that yet. I might
be able to test the latest krb5 experimental integration with that,
but no promises.

> I don't think there is a support for a combined non-modular + modular
> sidetag rebuild in CentOS (it does not exist anywhere else too), so I
> would suggest taking care of the rebuilds together before pushing them
> into a publicly accessible tree. Otherwise there will be breakages like
> this -- which apparently is there for more than 3 weeks already.

Modularity is not my friend, I'm hoping it is deprecated if not
discarded entirely for future RHEL releases. Fedora has backed off
profoundly from the original enthusiasm for it.