freeipa client missing

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I am going to assume you are running Ubuntu bionic, since there seems to be a newer version pending in bionic-proposed, but none in the regular archives (https://bugs.launchpad.net/ubuntu/+source/freeipa/4.6.3-1ubuntu1). If this is not correct, please remove the "bionic" tag again.

Confirming. And of course I find out after my upgrade is complete but I can no longer login to my system. It never, ever occurred to me that Ubuntu might drop a package that was in the previous 2 LTS releases.

Not cool! (To put it mildly.)

It had to be dropped temporarily to unblock other things from migrating to bionic.

But I'm sure this has nothing to do with login issues, since freeipa-client is mostly just a wrapper to configure sssd and so on. Or are you saying it got removed from the system?

Bionic beta is already here but freeipa is still in proposed repo. I suppose it is not gone be included in release. And it is bad cause automatically provision will not work. And easy enrollment too.

Status changed to 'Confirmed' because the bug affects multiple users.

@Timo at what point can we expect that the freeipa packages are back in bionic? I'm not being impatient, just curious when I can start doing some experiments with freeipa (+samba) on bionic.

I don't know yet, might be after Easter though. Maybe I should push it to a ppa in the meantime.

..maybe not, since it's available in bionic-proposed anyway

I'm taking a look

So far my investigation is revolving around a java9 incompatibility, which is the default jre/jdk in bionic.

I'm down to this issue now:
root@freeipa:~# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180328210952':
 status: CA_UNREACHABLE
 ca-error: Error 77 connecting to https://freeipa.lxd:8443/ca/agent/ca//profileReview: Problem with the SSL CA cert (path? access rights?).
 stuck: no
 key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
 certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
 CA: dogtag-ipa-ca-renew-agent
 issuer:
 subject:
 expires: unknown
 pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
 post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
 track: yes
 auto-renew: yes

The autopkgtests fail (or used to fail) because of missing libnsspem.so, but if we don't get that in bionic to unblock the server, I'll make freeipa client-only. Could be that there are other things broken now, I'll have a look soon..

Freeipa client is very important thing the only needed. Server can be installed in centos or docker.

I don't know if others are getting this, but when I try to enroll a host after a fresh install of 18.04 using freeipa-client I get this when running ipa-client-install.

A host that was enrolled on 17.10 and then upgraded seems to work fine though.

2018-03-29T21:19:10Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/cli.py", line 319, in run
    cfgr.run()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 364, in run
    self.execute()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 388, in execute
    for _nothing in self._executor():
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 430, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 420, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 417, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 654, in _configure
    next(executor)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 430, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 459, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 517, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 514, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 449, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 420, in __runner
    step()
  File "/usr/lib/python2.7/dist-packages/ipapython/install/core.py", line 417, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/dist-packages/ipapython/install/common.py", line 66, in _install
    for unused in self._installer(sel...

I've pushed a newer version to https://launchpad.net/~freeipa/+archive/ubuntu/ppa

should fix at least the error in #14. It also supports client-only builds, if bionic needs that.

I tried to install freeipa client from PPA
but i have no success
maybe I must create bug in PPA bugs instead of writing here?
here is listing of apt
apt-get install freeipa-client -o Dpkg::Options::="--debug=40"
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  freeipa-common python-ipaclient python-ipalib
Suggested packages:
  libpam-krb5
The following NEW packages will be installed:
  freeipa-client freeipa-common python-ipaclient python-ipalib
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/878 kB of archives.
After this operation, 8 617 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Selecting previously unselected package freeipa-common.
(Reading database ... 153864 files and directories currently installed.)
Preparing to unpack .../freeipa-common_4.6.3-2~ppa1_all.deb ...
Unpacking freeipa-common (4.6.3-2~ppa1) ...
Selecting previously unselected package python-ipalib.
Preparing to unpack .../python-ipalib_4.6.3-2~ppa1_all.deb ...
Unpacking python-ipalib (4.6.3-2~ppa1) ...
Selecting previously unselected package python-ipaclient.
Preparing to unpack .../python-ipaclient_4.6.3-2~ppa1_all.deb ...
Unpacking python-ipaclient (4.6.3-2~ppa1) ...
Selecting previously unselected package freeipa-client.
Preparing to unpack .../freeipa-client_4.6.3-2~ppa1_amd64.deb ...
Unpacking freeipa-client (4.6.3-2~ppa1) ...
D000040: checking dependencies of freeipa-client:amd64 (- <none>)
D000040: ok 1 msgs >><<
D000040: checking dependencies of freeipa-common:all (- <none>)
D000040: ok 2 msgs >><<
D000040: checking Breaks
Setting up freeipa-common (4.6.3-2~ppa1) ...
D000040: checking dependencies of python-ipaclient:all (- <none>)
D000040: ok 1 msgs >><<
D000040: checking dependencies of man-db:amd64 (- <none>)
D000040: ok 2 msgs >><<
Processing triggers for man-db (2.8.2-1) ...
D000040: checking dependencies of python-ipalib:all (- <none>)
D000040: ok 2 msgs >><<
D000040: checking Breaks
Setting up python-ipalib (4.6.3-2~ppa1) ...
Sorry: IndentationError: unexpected unindent (tasks.py, line 22)
dpkg: error processing package python-ipalib (--configure):
 installed python-ipalib package post-installation script subprocess returned error exit status 101
D000040: checking dependencies of freeipa-client:amd64 (- <none>)
D000040: ok 1 msgs >><<
D000040: checking dependencies of python-ipaclient:all (- <none>)
D000040: ok 0 msgs >> python-ipaclient depends on python-ipalib (>= 4.6.3-2~ppa1); however:
  Package python-ipalib is not configured yet.
<<
D000040: checking Breaks
dpkg: dependency problems prevent configuration of python-ipaclient:
 python-ipaclient depends on python-ipalib (>= 4.6.3-2~ppa1); however:
  Package python-ipalib is not configured yet.

dpkg: error processing package python-ipaclient (--configure):
 dependency problems - leaving unconfigured
D000040: checking dependencies of freeipa-client:amd64 (- <none>)
D000040: ok 0 msgs >> freeipa-client depends on python-ipaclient (= 4.6.3-2~ppa1); however:
  Package python-ipaclient is not configured yet.
<<
D000040: checking ...

no that's fine, there was a typo in a new patch, should be fixed now after ~ppa2 is built

There is another bug in freeipa-client package.
there is need some fixes in file to continue installation

Setting up python-ipalib (4.6.3-2~ppa2) ...
  File "/usr/lib/python2.7/dist-packages/ipaplatform/debian/tasks.py", line 21
    else:
       ^
SyntaxError: invalid syntax

dpkg: error processing package python-ipalib (--configure):
 installed python-ipalib package post-installation script subprocess returned error exit status 101
dpkg: dependency problems prevent configuration of python-ipaclient:
 python-ipaclient depends on python-ipalib (>= 4.6.3-2~ppa2); however:
  Package python-ipalib is not configured yet.

dpkg: error processing package python-ipaclient (--configure):
 dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of freeipa-client:
 freeipa-client depends on python-ipaclient (= 4.6.3-2~ppa2); however:
  Package python-ipaclient is not configured yet.

dpkg: error processing package freeipa-client (--configure):
No apport report written because the error message indicates its a followup error from a previous failure.
                 No apport report written because the error message indicates its a followup error from a previous failure.
                                   dependency problems - leaving unconfigured
Errors were encountered while processing:
 python-ipalib
 python-ipaclient
 freeipa-client
E: Sub-process /usr/bin/dpkg returned an error code (1)

haha, ~ppa3 uploaded, though again untested..

The problem seems the python-ipalib.
Error message is:

python-ipalib (4.6.3-2~ppa3) wird eingerichtet ...
Sorry: IndentationError: unexpected unindent (tasks.py, line 37)
dpkg: Fehler beim Bearbeiten des Paketes python-ipalib (--configure):
 Unterprozess installed python-ipalib package post-installation script gab den Fehler-Ausgangsstatus 101 zurück
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von python-ipaclient:
 python-ipaclient hängt ab von python-ipalib (>= 4.6.3-2~ppa3); aber:
  Paket python-ipalib ist noch nicht konfiguriert.

You can comment "try" blocks around mkhomedir. Anyways pam-auth-update have unresolved bugs. It no enales mkhomedir anyway even from command line.

I guess freeipa-client not included in officially bionic repository.
Very sad cause we use it in our company. Now we and we can`t upgrade to 18.04.

not yet

I have the same issue with "ubuntu-18.04-beta2-desktop-amd64.iso". BUT I could find a workaround which seems working currently ... at least I can log in :-)

I downloaded the necessary packages:
https://launchpad.net/ubuntu/bionic/amd64/freeipa-common/4.6.3-1ubuntu1
https://launchpad.net/ubuntu/bionic/amd64/python-ipalib/4.6.3-1ubuntu1
https://launchpad.net/ubuntu/bionic/amd64/python-ipaclient/4.6.3-1ubuntu1
https://launchpad.net/ubuntu/bionic/amd64/freeipa-client/4.6.3-1ubuntu1

And did the installation in the following order:
sudo apt-get install ntp
sudo apt-get install certmonger curl
sudo apt-get install ./freeipa-common_4.6.3-1ubuntu1_all.deb
sudo apt-get install ./python-ipalib_4.6.3-1ubuntu1_all.deb
sudo apt-get install ./python-ipaclient_4.6.3-1ubuntu1_all.deb
sudo apt-get install certmonger
sudo apt-get install libxmlrpc-core-c3
sudo apt-get install ./freeipa-client_4.6.3-1ubuntu1_amd64.deb

Then I configured NTP to synch with the NTP running on my server.
AND LAST BUT NOT LEAST TO LOG IN I DID THE FOLLOWING:
sudo vi /etc/pam.d/common-session
...
session required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/
...
The first line "session required pam_permit.so" already exists, important is here to add just below the following entry: "session required pam_mkhomedir.so skel=/etc/skel/"

Just for completeness I ran the following (unattended) ipa-client installation command:
sudo ipa-client-install --mkhomedir --no-ntp --enable-dns-updates --principal=admin --password=... --unattended

I've uploaded a new package to ppa:freeipa/ppa which matches what will be synced to bionic once it's made it through to Debian experimental

freeipa (4.7.0~pre1+git20180411-2ubuntu1) bionic; urgency=medium

  * tests/server-install: Fix the fake domain, single label domains are not
    supported anymore.
  * tests: If the server install fails, just dump the log and exit
    successfully.

 -- Timo Aaltonen <email address hidden> Wed, 18 Apr 2018 17:50:11 +0300

freeipa (4.7.0~pre1+git20180411-2) experimental; urgency=medium

  * fix-bind-ldap-so-path.diff: Dropped, the plugin uses non-MA path
    now, fix depends to match.
  * control: Add python-augeas to python-ipaclient depends. (LP: #1764615)
  * ldap-multiarch.diff: Replace hack-libarch.diff with a new patch to
    support more than x86. (LP: #1600634)

 -- Timo Aaltonen <email address hidden> Tue, 17 Apr 2018 23:47:32 +0300

freeipa (4.7.0~pre1+git20180411-1) experimental; urgency=medium

  * New upstream prerelease + git snapshot.
  * tests: Fix whitespace.
  * client.dirs: Add /var/lib/ipa-client/pki.
  * server.post*: Enable session, session_cookie apache modules.
  * control: Add sssd-dbus to server Depends.
  * fix-httpd-group.diff: Fix apache group for Debian.
  * control: Bump dependency on certmonger.
  * support-pam-mkhomedir.diff: Add support for enabling pam_mkhomedir.
    (LP: #1336869)
  * control: Add libsss-certmap-dev to build-depends.
  * control: Drop hardcoded libcurl3 dependency from client.
  * control*, rules: Add support for client-only build.
  * Fold admintools into the client package.
  * fix-bind-ldap-so-path.diff: Use multiarch path to bind/ldap.so.
  * fix-ipa-conf.diff: Dropped, upstream.
  * rules: Force building with python2.
  * server.install: Updated.
  * debian/.gitignore: Ignore d/control.
  * rules: If git is installed, revert po/ on clean.
  * server.dirs: Add missing directories, fix some permissions in
    postinst.
  * control.server: Bump dogtag dependencies to 10.6.0~.
  * control.server: Drop mod-nss from Depends, mod_ssl is used instead.
  * enable-mod-nss-during-setup.diff: Dropped, not needed anymore.
  * server.postinst/postrm: Enable/disable mod_ssl.
  * control: Bump 389-ds-base dependency.
  * rules: Modify python scripts to use python2.
  * fix-paths.diff: Add some paths to platform data.
  * hack-tomcat-race.diff: Restarting pki-tomcatd takes time, and renew_ca_cert
    does that several times in a row, so wait for 80s before starting migrating
    profiles to ldap to make sure the instance is up.
  * fix-apache-ssl-setup.diff: Fix mod_ssl setup.
  * hack-duplicate-cert-directive.diff: Delete a duplicate
    SSLCertificateFile directive until upstream is fixed.
  * server.postinst: Enable default-ssl site.
  * control: Depend on chrony instead of ntp.
  * fix-paths.diff: Add CHRONY_CONF.
  * python-ipaserver.install: Updated after dropping NTP.
  * fix-version.diff: Append +git to prerelease tag, don't require git.
  * pydist_overrides: Added.
  * rules: Update clean target.
  * control: Bump depends on bind9.

 -- Timo Aaltonen <email address hidden> Thu, 12 Apr 2018 14:01:56 +0300

Curious as to the rationale behind using the v4.7 prerelease, as opposed to the current v4.6.3 release. Is there something broken for Ubuntu/Debian in v4.6.3 that v4.7 fixes?

Somewhat related, is there any reason the version packaged for Ubuntu/Debian doesn't track with that packaged from Red Hat/CentOS (v4.5.4 as of RHEL 7.5)? Doing so would help avert any possible conflicts/incompatibilities in heterogenous environments.

4.7 migrated off mod_nss, and to using openssl more, same as the rest of the stack (dogtag mostly)

There's no way to track RHEL, because they have the rest of the stack frozen unlike on Debian/Ubuntu, where updates to tomcat and alike broke things for a long time. Besides, RHEL8 will get ipa 4.7.

Seems reasonable. I hadn't seen anything in the changelog that made clear why a prerelease was being used. Thanks for the update.