freeipa team mailing list archive
Message #00194
[Bug 1280215] [NEW] Make ipa-client-join work and fulfil my requirements
Public bug reported:
From a fresh install of Ubuntu 13.10, I'd like the following to happen:
- ipa-client-install actually works
- options to configure sudo and public key auth
I'll go through this in detail. Hostnames and domain names changed to protect the innocent.
# apt-get install freeipa-client
Item #1 (bug): IPA client already configured. Package installer shouldn't do that.
# ipa-client-install
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
Workaround: rm /etc/ipa/default.conf
Item #2 (bug/feature request): ipa-client-install should configure chronyd
# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Item #3 (bug): ipa-client-install --no-ntp still complains about NTP
# ipa-client-install --no-ntp
Discovery was successful!
Hostname: myhostname.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: myipaserver.mydomain.com
BaseDN: dc=mydomain,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Item #4 (bug): Client install fails and also fails to rollback.
# ipa-client-install --no-ntp
Discovery was successful!
Hostname: myhostname.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: myipaserver.mydomain.com
BaseDN: dc=mydomain,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin@xxxxxxxxxxxx:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=MYDOMAIN.COM
Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
Valid From: Sun Jan 12 11:57:44 2014 UTC
Valid Until: Thu Jan 12 11:57:44 2034 UTC
Enrolled in IPA realm MYDOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:
Workaround:
# rm /etc/ipa/default.conf
# mkdir -p /etc/pki/nssdb
# certutil -N --empty-password -d /etc/pki/nssdb
remove host entry on server or use --force-join
Item #5 (bug): auth doesn't work until after reboot
It would be nice if the installer told me to reboot.
Item #6 (bug): --mkhomedir flag doesn't work
Workaround: after install:
echo 'session required pam_mkhomedir.so' >> /etc/pam.d/common-session
Item #7 (bug): uninstall doesn't work
# ipa-client-install --no-ntp --force-join --no-dns-sshfp
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
# ipa-client-install --uninstall
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:
At this point I usually give up and revert my client VM to a snapshot.
Putting the workarounds together, I end up with this script:
apt-get update &&
apt-get install -y freeipa-client &&
# Item #4: create the NSS database the installer failed to add the CA to
mkdir -p /etc/pki/nssdb &&
certutil -N --empty-password -d /etc/pki/nssdb &&
# Item #4: directory for /var/run/ipa/services.list, missing during rollback
mkdir -p /var/run/ipa &&
# Item #1: drop the default.conf the package shipped so the install can proceed
rm -f /etc/ipa/default.conf &&
ipa-client-install --no-ntp --no-dns-sshfp --mkhomedir --force-join &&
# Item #6: --mkhomedir has no effect, add the PAM line by hand
echo 'session required pam_mkhomedir.so' >> /etc/pam.d/common-session &&
# Item #5: auth only works after a reboot
reboot
And after that I can login with my domain user. Hooray!
But, not all is quite hunky-dory.
Firstly.
Item #8 (feature request): Option to enable sudo.
Something like --sudo-group=sudoers
Manual process:
Edit /etc/sssd.conf
Add this to the [domain/mydomain.com] section:
sudo_provider = ldap
ldap_uri = ldap://myipaserver.mydomain.com
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myhostname.mydomain.com
ldap_sasl_realm = MYDOMAIN.COM
krb5_server = myipaserver.mydomain.com
Change the services line to include sudo. e.g.
services = nss, pam, ssh, sudo
See, an automated process would be great here, because most of those values are already detected by the script during the dns autodetection.
Item #9 (feature request): ability to configure sudo with ipa provider
I believe this would be a feature request for sssd.
Item #10 (feature request): Option to enable public key auth
Something like --enable-public-key-auth
The freeipa server has the ability to store public keys for user accounts.
The sss_ssh_authorizedkeys can list these public keys for a user.
Just need to wire them together.
Manual process:
Add to /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
AuthorizedKeysCommandUser nobody
Also, the ssh manual says that you should create a dedicated user for
the AuthorizedKeysCommand. Would be nice if this was done automatically.
Note: the freeipa server uses the above config.
Support info:
$ lsb_release -rd
Description: Ubuntu 13.10
Release: 13.10
$ apt-cache policy freeipa-client
freeipa-client:
Installed: 3.2.1-0ubuntu1
Candidate: 3.2.1-0ubuntu1
Version table:
*** 3.2.1-0ubuntu1 0
500 http://mirror.internode.on.net/pub/ubuntu/ubuntu/ saucy/universe amd64 Packages
100 /var/lib/dpkg/status
** Affects: freeipa (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1280215
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1280215/+subscriptions
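Added example (editor's, not part of the bug report or of the freeipa project): a POSIX shell script that does by hand what Items #8 and #10 ask the installer to do. It reads server, host, realm, basedn and domain from the [global] section of /etc/ipa/default.conf (the layout ipa-client-install 3.x writes; an assumption, check your own file), writes the Item #8 sudo settings into the [domain/...] section of /etc/sssd/sssd.conf (the path the installer output above names) and adds sudo to the services line, then sets the three Item #10 sshd_config directives with a dedicated key-lookup account. The account name sss_keys is made up for the example. Every path is a parameter, so the functions can be exercised on copies of the files before the live ones.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the freeipa project.
# Item #8: fill in the sssd sudo settings from the values ipa-client-install
# already wrote to /etc/ipa/default.conf and switch them on in sssd.conf.
# Item #10: point sshd at sss_ssh_authorizedkeys under a dedicated account.
# Assumptions: default.conf has [global] keys server/host/realm/basedn/domain
# (the ipa-client-install 3.x layout); "sss_keys" is a made-up account name;
# the sssd file is /etc/sssd/sssd.conf. Paths are parameters so the functions
# can be tried on copies before the live files.

# Print one key from the [global] section of an ipa default.conf.
ipa_conf_get() {   # ipa_conf_get <default.conf> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Emit the [domain/...] lines from Item #8 with the detected values filled in.
ipa_sudo_snippet() {   # ipa_sudo_snippet <default.conf>
    server=$(ipa_conf_get "$1" server); host=$(ipa_conf_get "$1" host)
    realm=$(ipa_conf_get "$1" realm);   basedn=$(ipa_conf_get "$1" basedn)
    [ -n "$server" ] && [ -n "$host" ] && [ -n "$realm" ] && [ -n "$basedn" ] || return 1
    cat <<EOF
sudo_provider = ldap
ldap_uri = ldap://$server
ldap_sudo_search_base = ou=sudoers,$basedn
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/$host
ldap_sasl_realm = $realm
krb5_server = $server
EOF
}

# Put the snippet directly under [domain/<domain>] and add sudo to the
# services line. A second run is a no-op, so it is safe in provisioning.
sssd_enable_sudo() {   # sssd_enable_sudo <sssd.conf> <default.conf>
    grep -q '^[[:space:]]*sudo_provider' "$1" && return 0
    snip=$(ipa_sudo_snippet "$2") || return 1
    hdr="[domain/$(ipa_conf_get "$2" domain)]"
    tmp=$(mktemp)
    awk -v hdr="$hdr" -v snip="$snip" '
        /^[ \t]*services[ \t]*=/ && $0 !~ /[ ,=]sudo($|[ ,])/ { $0 = $0 ", sudo" }
        { print }
        $0 == hdr { print snip }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"   # keeps owner of "$1"
    chmod 0600 "$1"   # sssd refuses to start on a world-readable config
    grep -q '^sudo_provider' "$1" || { echo "no $hdr section in $1" >&2; return 1; }
}

# Set one sshd_config keyword (keywords are case-insensitive): replace the
# first active line, else add it before any Match block so it stays global.
# sshd honours the first occurrence of a keyword, so commented lines are left.
sshd_set() {   # sshd_set <sshd_config> <Keyword> <value>
    tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        !done && tolower($1) == tolower(k) { print k, v; done = 1; next }
        !done && tolower($1) == "match"    { print k, v; done = 1 }
        { print }
        END { if (!done) print k, v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Item #10: the three directives from the report, with the lookup command
# running as a dedicated unprivileged account rather than nobody or root.
sshd_enable_sss_keys() {   # sshd_enable_sss_keys <sshd_config> <lookup user>
    sshd_set "$1" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    sshd_set "$1" AuthorizedKeysCommandUser "$2"
    sshd_set "$1" GSSAPIAuthentication yes
}

# Check: the lookup command must be configured and must not run as root.
sshd_check_keys_user() {   # sshd_check_keys_user <sshd_config>
    u=$(awk 'tolower($1) == "authorizedkeyscommanduser" { print $2; exit }' "$1")
    awk 'tolower($1) == "authorizedkeyscommand" { found = 1 } END { exit !found }' "$1" \
        && [ -n "$u" ] && [ "$u" != root ]
}

# Usage on a real client, as root, once ipa-client-install has succeeded:
#   sh ipa-client-extras.sh apply
case "${1:-}" in
apply)
    id sss_keys >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin -d /nonexistent sss_keys
    sssd_enable_sudo /etc/sssd/sssd.conf /etc/ipa/default.conf
    sshd_enable_sss_keys /etc/ssh/sshd_config sss_keys
    sshd -t && sshd_check_keys_user /etc/ssh/sshd_config \
        && service sssd restart && service ssh restart
    ;;
esac
```

Run it as root with the apply argument after a successful enrollment; it validates the result with sshd -t before restarting anything. Two caveats a practitioner would want: the Item #8 snippet uses a plain ldap:// URI with a GSSAPI bind, so the SASL security layer rather than TLS is what protects the sudo rule lookup (see ldap_sasl_minssf in sssd-ldap(5) if you need confidentiality on that connection); and ou=sudoers,<basedn> is the compat tree the IPA server exposes for sudo, so the lookup returns nothing if that is disabled on the server.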