14.04 freeipa ipa-client-install fails

please attach logs next time..

ok I've reproduced this.. fixed a couple of smaller issues but the xml-rpc error remains

Hello,

I've run into this issue too, on Ubuntu 14.04. I managed to figure out that this is caused by a different version of the python-kerberos package. The authGSSClientInit method signature has changed.

I checked out the "release-3-3-4" tag in git, and made the following change to fix it:

    diff --git a/ipalib/rpc.py b/ipalib/rpc.py
    index 81e7aa3..ce5f2a0 100644
    --- a/ipalib/rpc.py
    +++ b/ipalib/rpc.py
    @@ -380,7 +380,7 @@ class KerbTransport(SSLTransport):
             service = "HTTP@" + host.split(':')[0]

             try:
    - (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
    + (rc, vc) = kerberos.authGSSClientInit(service, gssflags=self.flags)
             except kerberos.GSSError, e:
                 self._handle_exception(e)

I'm still getting the following error after this fix, and will post another comment if I manage to fix that one too.

    Traceback (most recent call last):
      File "/usr/sbin/ipa-client-install", line 2605, in <module>
        sys.exit(main())
      File "/usr/sbin/ipa-client-install", line 2586, in main
        rval = install(options, env, fstore, statestore)
      File "/usr/sbin/ipa-client-install", line 2463, in install
        auth_config.execute()
      File "/usr/lib/python2.7/dist-packages/ipapython/platform/debian/auth.py", line 41, in execute
        ipautil.run(["/usr/sbin/pam-auth-update"]+args,env)
    NameError: global name 'ipautil' is not defined

Thank you!!! Yeah I was convinced this used to work with my local branch on 13.10 but broke when I pushed it to trusty... I'll fix that in the distro soon.

The other error is already fixed in git, disabled the auth-module since it doesn't really make sense to fiddle with pam-auth-update after all.

Here's the fix for the final error in "ipapython/platform/debian/auth.py". After applying this patch, the whole installation process works like a charm.

Changes:

* Need to import ipautil
* Use continue to remove extra '--package ' args from empty strings
* Need to return args at the end of the function. args was always 'None' before this change
* The correct env var is DEBIAN_FRONTEND, the debian docs were incorrect for a while
* ipautil.run call was incorrect, the second function argument is "stdin", not "env".

diff --git a/ipapython/platform/debian/auth.py b/ipapython/platform/debian/auth.py
index 020a949..ac168f1 100644
--- a/auth-orig.py
+++ b/auth.py
@@ -1,4 +1,5 @@
 from ipapython.platform import base
+from ipapython import ipautil

 class DebianAuthConfig(base.AuthConfig):
     """
@@ -21,7 +22,7 @@ class DebianAuthConfig(base.AuthConfig):
                 option = "sss"
             # only sssd supported, filter the dupe
             elif option in ["sssd", "krb5", "ldap", "update"]:
- option = ""
+ continue
             if type(value) is bool:
                 if value:
                     if not "package" in args:
@@ -33,10 +34,11 @@ class DebianAuthConfig(base.AuthConfig):
                         args.append("--remove %s" % (option))
                     else:
                         args.append("%s" % (option))
+ return args

     def execute(self):
- env = "DEBCONF_FRONTEND=noninteractive"
+ env = {"DEBIAN_FRONTEND": "noninteractive"}
         args = self.__build_args()
- ipautil.run(["/usr/sbin/pam-auth-update"]+args,env)
+ ipautil.run(["/usr/sbin/pam-auth-update"] + args, env = env)

Sorry, I just saw your comment now. I believe the pam-auth-update code is necessary if we want to use the 'mkhomedir' option, right? Otherwise that line won't be added to the PAM config

nah that's fine, I'll fix that too!

and yes I think mkhomedir was the motivation to keep it but disabled, can't remember anymore

could you try what happens on --uninstall? It's asking what pam modules to enable, weirdness by pam-auth-update..

--uninstall is working fine for me, on my patched 3.3.4 client. Not sure about the latest version.

log output:

root@trusty:/usr/lib/python2.7/dist-packages/ipapython/platform/debian# ipa-client-install --uninstall
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: n
root@trusty:/usr/lib/python2.7/dist-packages/ipapython/platform/debian#

ok that's reassuring to hear, maybe something wrong on my side then..

Sorry, it wasn't actually working for me, it was doing nothing, because I forgot to install the mkhomedir file for pam. I've attached a patch that fixes it properly this time. Either pam-auth-update has really changed, or the original author didn't read the man page. "pam-auth-update" doesn't take any packages as arguments, unless you are removing them. Specifying the '--package' argument just means that it won't prompt for user input. It will override the common- files with whatever the defaults are in /usr/share/pam-configs/. You can also specify the '--remove' flag if you want to remove some of those default packages from the overridden config.

P.S. This doesn't work unless you create a file at "/usr/share/pam-configs/mkhomedir", containing the following:

Name: Create home directory during login
Default: yes
Priority: 0
Session-Type: Additional
Session-Final:
    required pam_mkhomedir.so skel=/etc/skel umask=0022 silent

The attachment "debian-auth.py.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Well I'm the original author of auth.py, but it has changed many times in search for a working solution :)

I need to test your patch later to see if it works for me too.. thanks!

also, there are a few bugs against pam that are related

https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1192719
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/557013

having the mkhomedir config shipped by libpam-modules makes sense, since that's where the module is..

The patch doesn't work for me, it's asking again what profiles to enable..

bah, it was a typo in my attempt to 'patch' auth.py.. works fine now

also, mkhomedir can't be Default like on your example config, so https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1192719 needs to be fixed before --mkhomedir option works

This bug was fixed in the package freeipa - 3.3.4-0ubuntu3

---------------
freeipa (3.3.4-0ubuntu3) trusty; urgency=medium

  * Merge from unreleased debian git:
    Fix ipa-client-install issues (LP: #1282818)
    - fix auth platform module
    - use new pykerberos api
    - don't install a default conf
    - use sqlite-based nssdb's instead of old
 -- Timo Aaltonen <email address hidden> Thu, 10 Apr 2014 11:57:53 +0300