freeipa install errors out with certmonger 'dbus' 'start' ''' returned non-zero exit status 4

Right, I think the server will be removed from xenial and instead point folks to use a ppa with freeipa 4.3.1 plus other bits that are needed and which are too late to get in before release (bind9 with native pkcs11, apache with systemd integration)

You can try it out now, client promotion to a replica works as well which is the big thing compared to the old version:

https://launchpad.net/~freeipa/+archive/ubuntu/ppa

actually, another plan would be to disable just freeipa-server-dns from the new version.. that would avoid needing pkcs11 in bind9 but still being able to upgrade current servers, though I'm not sure what happens if someone has enabled dns before :/

Maybe alert the bind users they need to use a PPA? It is set to "no" by default.

Is it too late to get a FFe for the bind change?

I absolutely love how easy it was to get it to work with the PPA. That was awesome! Thank you!

yeah alert would be one way, at least --dnssec-master should yell something

I'm discussing the bind change with lamont, he'll have a look tomorrow. And thanks for trying it out :) Apache systemd integration now has a bug too https://bugs.launchpad.net/debian/+source/apache2/+bug/1566519

and a new apache is now on the ppa which merges 2.4.18-2 and adds untested support for instances

This bug was fixed in the package freeipa - 4.3.1-0ubuntu1

---------------
freeipa (4.3.1-0ubuntu1) xenial; urgency=medium

  * Sync from Debian.

freeipa (4.3.1-1) unstable; urgency=medium

  * New upstream release. (Closes: #781607, #786411) (LP: #1449304)
    - drop no-test-lang.diff, obsolete
  * fix-match-hostname.diff, control: Drop the patch and python-openssl
    deps, not needed anymore
  * rules, platform, server.dirs, server.install:
    Add support for DNSSEC.
  * control, rules: Add support for kdcproxy.
  * control, server: Migrate to mod-auth-gssapi.
  * control, rules, fix-ipa-conf.diff: Add support for custodia.
  * control:
    - Add python-cryptography to build-deps and python-freeipa deps.
    - Add libp11-kit-dev to build-deps, p11-kit to server deps.
    - Depend on python-gssapi instead of python-kerberos/-krbV.
    - Add libini-config-dev and python-dbus to build-deps, replace wget
      with curl.
    - Bump libkrb5-dev build-dep.
    - Add pki-base to build-deps and pki-kra to server deps, bump pki-ca
      version.
    - Drop python-m2crypto from deps, obsolete.
    - Bump sssd deps to 1.13.1.
    - Add python-six to build-deps and python-freeipa deps.
    - Split python stuff from server, client, tests to python-
      ipa{server,client,tests}, rename python-freeipa to match and move
      translations to freeipa-common. Mark them Arch:all where possible,
      and add Breaks/Replaces.
    - Add oddjob to server and oddjob-mkhomedir to client deps.
    - Add python-setuptools to python-ipalib deps.
    - Bump 389-ds-base* deps.
    - Bump server and python-ipaserver dependency on python-ldap to 2.4.22
      to fix a bug on ipa-server-upgrade.
    - Add pki-tools to python-ipaserver deps.
    - Add zip to python-ipaserver depends.
    - Add python-systemd to server depends.
    - Add opendnssec to freeipa-server-dns depends.
    - Add python-cffi to python-ipalib depends.
    - Bump dep on bind9-dyndb-ldap.
    - Bump certmonger dependency to version that has helpers in the correct
      place.
  * patches:
    - prefix.patch: Fix ipalib install too.
    - Drop bits of platform.diff and other patches that are now upstream.
    - fix-kdcproxy-paths.diff: Fix paths in kdcproxy configs.
    - fix-oddjobs.diff: Fix paths and uids in oddjob configs.
    - fix-replicainstall.diff: Use ldap instead of ldaps for conncheck.
    - fix-dnssec-services.diff: Debianize ipa-dnskeysyncd & ipa-ods-
      exporter units.
    - create-sysconfig-ods.diff: Create an empty file for opendnssec
      daemons, until opendnssec itself is fixed.
    - purge-firefox-extension.diff: Clean obsolete kerberosauth.xpi.
    - enable-mod-nss-during-setup.diff: Split from platform.diff, call
      a2enmod/a2dismod from httpinstance.py.
    - fix-memcached.diff: Split from platform.diff, debianize memcached
      conf & unit.
    - hack-libarch.diff: Don't use fedora libpaths.
  * add-debian-platform.diff:
    - Update paths.py to include all variables, comment out ones we don't
      modify.
    - Use systemwide certificate store; put ipa-ca.crt in
      /usr/local/share/ca-certificates, and run update-ca-certificates
    - Map smb service to smbd (...