Make ipa-client-join work and fulfil my requirements

Bug #1280215 reported by dylan@techtangents.com on 2014-02-14
Affects: freeipa (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

From a fresh install of Ubuntu 13.10, I'd like the following to happen:

- ipa-client-install actually works
- options to configure sudo and public key auth

I'll go through this in detail. Hostnames and domain names changed to protect the innocent.

# apt-get install freeipa-client

Item #1 (bug): IPA client already configured. Package installer shouldn't do that.

# ipa-client-install
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.

Workaround: rm /etc/ipa/default.conf

Item #2 (bug/feature request): ipa-client-install should configure chronyd

# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Item #3 (bug): ipa-client-install --no-ntp still complains about NTP

# ipa-client-install --no-ntp
Discovery was successful!
Hostname: myhostname.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: myipaserver.mydomain.com
BaseDN: dc=mydomain,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.

Item #4 (bug): Client install fails and also fails to rollback.

# ipa-client-install --no-ntp
Discovery was successful!
Hostname: myhostname.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: myipaserver.mydomain.com
BaseDN: dc=mydomain,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for <email address hidden>:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=MYDOMAIN.COM
    Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
    Valid From: Sun Jan 12 11:57:44 2014 UTC
    Valid Until: Thu Jan 12 11:57:44 2034 UTC

Enrolled in IPA realm MYDOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

Workaround:
# rm /etc/ipa/default.conf
# mkdir -p /etc/pki/nssdb
# certutil -N --empty-password -d /etc/pki/nssdb
remove host entry on server or use --force-join

Item #5 (bug): auth doesn't work until after reboot

It would be nice if the installer told me to reboot.

Item #6 (bug): --mkhomedir flag doesn't work

Workaround: after install:
echo 'session required pam_mkhomedir.so' >> /etc/pam.d/common-session

Item #7 (bug): uninstall doesn't work

# ipa-client-install --no-ntp --force-join --no-dns-sshfp
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
# ipa-client-install --uninstall
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

At this point I usually give up and revert my client VM to a snapshot.

Putting the workarounds together, I end up with this script:

apt-get update &&
apt-get install -y freeipa-client &&
mkdir -p /etc/pki/nssdb &&
certutil -N --empty-password -d /etc/pki/nssdb &&
mkdir -p /var/run/ipa &&
rm -f /etc/ipa/default.conf &&
ipa-client-install --no-ntp --no-dns-sshfp --mkhomedir --force-join &&
echo 'session required pam_mkhomedir.so' >> /etc/pam.d/common-session &&
reboot

And after that I can login with my domain user. Hooray!

But, not all is quite hunky-dory.

Firstly.

Item #8 (feature request): Option to enable sudo.

Something like --sudo-group=sudoers

Manual process:

Edit /etc/sssd.conf

Add this to the [domain/mydomain.com] section:
sudo_provider = ldap
ldap_uri = ldap://myipaserver.mydomain.com
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myhostname.mydomain.com
ldap_sasl_realm = MYDOMAIN.COM
krb5_server = myipaserver.mydomain.com

Change the services line to include sudo. e.g.
services = nss, pam, ssh, sudo

See, an automated process would be great here, because most of those values are already detected by the script during the dns autodetection.

Item #9 (feature request): ability to configure sudo with ipa provider

I believe this would be a feature request for sssd.

Item #10 (feature request): Option to enable public key auth

Something like --enable-public-key-auth

The freeipa server has the ability to store public keys for user accounts.
The sss_ssh_authorizedkeys can list these public keys for a user.
Just need to wire them together.

Manual process:

Add to /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
AuthorizedKeysCommandUser nobody

Also, the ssh manual says that you should create a dedicated user for the AuthorizedKeysCommand. Would be nice if this was done automatically. Note: the freeipa server uses the above config.

Support info:

$ lsb_release -rd
Description: Ubuntu 13.10
Release: 13.10

$ apt-cache policy freeipa-client
freeipa-client:
  Installed: 3.2.1-0ubuntu1
  Candidate: 3.2.1-0ubuntu1
  Version table:
 *** 3.2.1-0ubuntu1 0
        500 http://mirror.internode.on.net/pub/ubuntu/ubuntu/ saucy/universe amd64 Packages
        100 /var/lib/dpkg/status
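As an added example (not code from the bug report, FreeIPA or SSSD), here is a POSIX shell script that automates the manual sudo setup from Item #8: every sssd.conf value is derived from the domain, server and host names that ipa-client-install already discovers, and re-running it is harmless. The names used in the sample config are the report's placeholders and are assumptions.

```shell
#!/bin/sh
# enable_sssd_sudo CONF DOMAIN SERVER HOST: rewrite CONF in place, adding
# "sudo" to the [sssd] services line and the LDAP sudo provider keys to the
# [domain/DOMAIN] section. Realm and base DN are derived from DOMAIN.
enable_sssd_sudo() {
  conf=$1; domain=$2; server=$3; host=$4
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
  basedn="dc=$(printf '%s' "$domain" | sed 's/\./,dc=/g')"
  awk -v domain="$domain" -v server="$server" -v host="$host" \
      -v realm="$realm" -v basedn="$basedn" '
    # keys this script owns: stale copies in the domain section are dropped
    BEGIN { owned = "^(sudo_provider|ldap_uri|ldap_sudo_search_base|ldap_sasl_mech|ldap_sasl_authid|ldap_sasl_realm|krb5_server) *=" }
    function emit_sudo() {
      print "sudo_provider = ldap"
      print "ldap_uri = ldap://" server
      print "ldap_sudo_search_base = ou=sudoers," basedn
      print "ldap_sasl_mech = GSSAPI"
      print "ldap_sasl_authid = host/" host
      print "ldap_sasl_realm = " realm
      print "krb5_server = " server
      done = 1
    }
    /^\[/ { if (in_dom && !done) emit_sudo()      # leaving the domain section
            in_dom = ($0 == ("[domain/" domain "]")) }
    in_dom && $0 ~ owned { next }
    /^services *=/ && $0 !~ /sudo/ { $0 = $0 ", sudo" }
    { print }
    END { if (in_dom && !done) emit_sudo() }   # domain section was last
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# make_sample_conf PATH: write a constructed minimal sssd.conf of the shape
# ipa-client-install produces (no sudo yet), for offline testing.
make_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = mydomain.com

[domain/mydomain.com]
id_provider = ipa
ipa_server = myipaserver.mydomain.com
ipa_hostname = myhostname.mydomain.com
EOF
}
```

On a real client the three name arguments would be read from /etc/ipa/default.conf after enrollment, and sssd restarted afterwards.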

Timo Aaltonen (tjaalton) wrote :

you won't get those with 13.10, try trusty instead

Changed in freeipa (Ubuntu):
status: New → Won't Fix

13.10 is the most recent supported release.

Are you saying all of my issues are fixed in Trusty?

Timo Aaltonen (tjaalton) wrote :

at least some are, and a bug should only be about one issue at a time, not seven

sabin ranjit (sabinranjit) wrote :

hi,
I'm using the freeipa server 3.0.0 on CentOS 6.4 and Ubuntu 13.10 with the freeipa-client 3.2. I followed Dylan's script, because I faced the same exact problems as Dylan has mentioned, with the fresh installation of Ubuntu 13.10, but the server threw me this error.

" Enrolled in IPA realm MY-DOMAIN.COM
Created /etc/ipa/default.conf
Domain my-domain.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm MY-DOMAIN.COM
trying https://ipa.my-domain.com/ipa/xml
Forwarding 'env' to server 'https://ipa.my-domain.com/ipa/xml'
certmonger request for host certificate failed
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server 'https://ipa.my-domain.com/ipa/xml'
host_mod: 2.58 client incompatible with 2.49 server at u'https://ipa.my-domain.com/ipa/xml'
Failed to upload host SSH public keys. "

What does this mean? Is this a bug in freeipa or did I misconfigure something? Please help.
Thanks.

Fink Nottle (finknottle) wrote :

A lot of these issues still persist on precise in spite of using the ipa and sssd ppas. Is there a way to reopen/refactor this bug report so that it reaches some resolution ?
