Make ipa-client-join work and fulfil my requirements
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| freeipa (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
From a fresh install of Ubuntu 13.10, I'd like the following to happen:
- ipa-client-install actually works
- options to configure sudo and public key auth
I'll go through this in detail. Hostnames and domain names changed to protect the innocent.
# apt-get install freeipa-client
Item #1 (bug): IPA client already configured. Package installer shouldn't do that.
# ipa-client-install
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
Workaround: rm /etc/ipa/
Item #2 (bug/feature request): ipa-client-install should configure chronyd
# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Item #3 (bug): ipa-client-install --no-ntp still complains about NTP
# ipa-client-install --no-ntp
Discovery was successful!
Hostname: myhostname.
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: myipaserver.
BaseDN: dc=mydomain,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Item #4 (bug): Client install fails and also fails to rollback.
# ipa-client-install --no-ntp
Discovery was successful!
Hostname: myhostname.
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: myipaserver.
BaseDN: dc=mydomain,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for <email address hidden>:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,
Issuer: CN=Certificate Authority,
Valid From: Sun Jan 12 11:57:44 2014 UTC
Valid Until: Thu Jan 12 11:57:44 2034 UTC
Enrolled in IPA realm MYDOMAIN.COM
Created /etc/ipa/
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:
Workaround:
# rm /etc/ipa/
# mkdir -p /etc/pki/nssdb
# certutil -N --empty-password -d /etc/pki/nssdb
remove host entry on server or use --force-join
Item #5 (bug): auth doesn't work until after reboot
It would be nice if the installer told me to reboot.
Item #6 (bug): --mkhomedir flag doesn't work
Workaround: after install:
echo 'session required pam_mkhomedir.so' >> /etc/pam.
Item #7 (bug): uninstall doesn't work
# ipa-client-install --no-ntp --force-join --no-dns-sshfp
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
# ipa-client-install --uninstall
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:
At this point I usually give up and revert my client VM to a snapshot.
Putting the workarounds together, I end up with this script:
apt-get update &&
apt-get install -y freeipa-client &&
mkdir -p /etc/pki/nssdb &&
certutil -N --empty-password -d /etc/pki/nssdb &&
mkdir -p /var/run/ipa &&
rm -f /etc/ipa/
ipa-client-install --no-ntp --no-dns-sshfp --mkhomedir --force-join &&
echo 'session required pam_mkhomedir.so' >> /etc/pam.
reboot
And after that I can login with my domain user. Hooray!
But, not all is quite hunky-dory.
Firstly.
Item #8 (feature request): Option to enable sudo.
Something like --sudo-
Manual process:
Edit /etc/sssd.conf
Add this to the [domain/
sudo_provider = ldap
ldap_uri = ldap://
ldap_sudo_
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myhostname
ldap_sasl_realm = MYDOMAIN.COM
krb5_server = myipaserver.
Change the services line to include sudo. e.g.
services = nss, pam, ssh, sudo
See, an automated process would be great here, because most of those values are already detected by the script during the dns autodetection.
Item #9 (feature request): ability to configure sudo with ipa provider
I believe this would be a feature request for sssd.
Item #10 (feature request): Option to enable public key auth
Something like --enable-
The freeipa server has the ability to store public keys for user accounts.
The sss_ssh_
Just need to wire them together.
Manual process:
Add to /etc/ssh/
AuthorizedKeysC
GSSAPIAuthentic
AuthorizedKeysC
Also, the ssh manual says that you should create a dedicated user for the AuthorizedKeysC
Support info:
$ lsb_release -rd
Description: Ubuntu 13.10
Release: 13.10
$ apt-cache policy freeipa-client
freeipa-client:
Installed: 3.2.1-0ubuntu1
Candidate: 3.2.1-0ubuntu1
Version table:
*** 3.2.1-0ubuntu1 0
500 http://
100 /var/lib/
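The values that Item #8 and Item #10 want ipa-client-install to wire up for sudo and public-key auth can be read back from /etc/ipa/default.conf once enrollment succeeds. The following is an added example (mine, not FreeIPA's or the reporter's code) that does so; it assumes the realm/domain/server/host/basedn keys in default.conf, an ou=sudoers search base under the base DN, the /usr/bin/sss_ssh_authorizedkeys helper path, and a placeholder key-lookup user named sss_keys.

```python
# Added example, not FreeIPA code: derive sssd sudo and sshd key settings
# from the values ipa-client-install already wrote to /etc/ipa/default.conf.
import configparser

# Constructed sample of /etc/ipa/default.conf; every value is a placeholder.
SAMPLE_DEFAULT_CONF = """\
[global]
basedn = dc=mydomain,dc=com
realm = MYDOMAIN.COM
domain = mydomain.com
server = myipaserver.mydomain.com
host = myhostname.mydomain.com
"""

def parse_ipa_conf(text):
    """Return the [global] section of an ipa default.conf as a dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["global"])

def sssd_sudo_settings(ipa):
    """Keys for [domain/<domain>] in sssd.conf: LDAP sudo provider, binding
    to the IPA directory with the host keytab over GSSAPI."""
    return {
        "sudo_provider": "ldap",
        "ldap_uri": "ldap://" + ipa["server"],
        # Assumed location of the sudo rules; verify against your server.
        "ldap_sudo_search_base": "ou=sudoers," + ipa["basedn"],
        "ldap_sasl_mech": "GSSAPI",
        "ldap_sasl_authid": "host/" + ipa["host"],
        "ldap_sasl_realm": ipa["realm"],
        "krb5_server": ipa["server"],
    }

def add_sudo_service(services_line):
    """Add 'sudo' to the sssd 'services = ...' value once, keeping order."""
    svcs = [s.strip() for s in services_line.split(",") if s.strip()]
    if "sudo" not in svcs:
        svcs.append("sudo")
    return ", ".join(svcs)

def sshd_key_settings(keys_user="sss_keys"):
    """sshd_config lines that pull user public keys from IPA through sssd;
    keys_user is a placeholder for the dedicated unprivileged account that
    sshd_config(5) recommends for AuthorizedKeysCommandUser."""
    return [
        "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys",
        "AuthorizedKeysCommandUser " + keys_user,
        "GSSAPIAuthentication yes",
    ]
```

Run the three functions against the real default.conf and append their output to the [domain/...] section of /etc/sssd/sssd.conf and to /etc/ssh/sshd_config, then restart sssd and sshd.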

you won't get those with 13.10, try trusty instead