[CentOS-devel] new krb5 packages brake freeIPA

Wed Jul 1 18:13:10 UTC 2020
lejeczek <peljasz at yahoo.co.uk>


On 01/07/2020 17:55, Alexander Bokovoy wrote:
> On ke, 01 heinä 2020, lejeczek via CentOS-devel wrote:
>> hi guys
>>
>> latest in the repo krb5 packages - 1.18.2-2.el8 - brake
>> freeIPA if already installed and conflict if want to
>> install.
>>
>> # dnf install -y ipa-server-dns
>> Last metadata expiration check: 1:21:31 ago on Wed 01 Jul
>> 2020 11:00:25 BST.
>> Error:
>>  Problem: package
>> ipa-server-dns-4.8.4-7.module_el8.2.0+374+0d2d74a1.noarch
>> requires ipa-server = 4.8.4-7.module_el8.2.0+374+0d2d74a1,
>> but none of the providers can be installed
>>   - conflicting requests
>>   - nothing provides krb5-kdb-version = 7.0 needed by
>> ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
>
> There should be no 1.18 in RHEL 8.2 at all, therefore
> CentOS 8.2 should
> not have krb5 1.18.
>
> If you are using CentOS Stream, please make it clear in
> describing your
> configuration.
>
> I can see krb5-1.18.2 in c8s branch here:
> https://git.centos.org/rpms/krb5/c/10fa7093df15784c58e82f89ba3e2a5ee0245991?branch=c8s
>
> There is no corresponding update for idm module, though.
>
> There is no c8s-version of c8-stream-DL1 branch and
> therefore there is
> no idm:DL1 module rebuild.
>
> Until that part is fixed, CentOS Stream is unusable for
> IdM deployments.
>
> Please note that none of RHEL developers responsible for
> IdM have any
> say or control how things get merged into CentOS. If there
> are problems
> like this one nobody but CentOS maintainers could help. In
> case of
> CentOS 8 stream, it seems the whole process is done by a
> robot and I
> have no idea how this robot handles modular builds (and
> when).
>
>
And that seems to be a great shame, quite frankly I felt
this way for a long months, probably since C8 release.

Maybe you guys @redhat could(should ?) take over "idm"
module in Centos, or Centos' owners could ask for help and
delegate "idm" over to you.

FreeIPA is way!!! to import to afford such cock-ups and it's
been quite a wobbly ride on C8 since the beginning.
Centos is a poor man choice but still seriously taken &
deployed to critical environments and if my opinion is not
an isolated one, then everybody will agree freeIPA must be
taken care of properly.

many thanks, L.