
freeipa team mailing list archive

[Bug 1280215] Re: Make ipa-client-join work and fulfil my requirements


You won't get those with 13.10; try trusty instead.

** Changed in: freeipa (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1280215

Title:
  Make ipa-client-join work and fulfil my requirements

Status in “freeipa” package in Ubuntu:
  Won't Fix

Bug description:
  
  From a fresh install of Ubuntu 13.10, I'd like the following to happen:

  - ipa-client-install actually works
  - options to configure sudo and public key auth

  
  I'll go through this in detail. Hostnames and domain names changed to protect the innocent.

  
  # apt-get install freeipa-client

  
  Item #1 (bug): IPA client already configured. Package installer shouldn't do that.

  # ipa-client-install
  IPA client is already configured on this system.
  If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.

  Workaround: rm /etc/ipa/default.conf

  
  Item #2 (bug/feature request): ipa-client-install should configure chronyd

  # ipa-client-install
  WARNING: ntpd time&date synchronization service will not be configured as
  conflicting service (chronyd) is enabled
  Use --force-ntpd option to disable it and force configuration of ntpd

  
  Item #3 (bug): ipa-client-install --no-ntp still complains about NTP

  # ipa-client-install --no-ntp
  Discovery was successful!
  Hostname: myhostname.mydomain.com
  Realm: MYDOMAIN.COM
  DNS Domain: mydomain.com
  IPA Server: myipaserver.mydomain.com
  BaseDN: dc=mydomain,dc=com

  Continue to configure the system with these values? [no]: yes
  User authorized to enroll computers: admin
  Synchronizing time with KDC...
  Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.

  
  Item #4 (bug): Client install fails and also fails to rollback.

  # ipa-client-install --no-ntp
  Discovery was successful!
  Hostname: myhostname.mydomain.com
  Realm: MYDOMAIN.COM
  DNS Domain: mydomain.com
  IPA Server: myipaserver.mydomain.com
  BaseDN: dc=mydomain,dc=com

  Continue to configure the system with these values? [no]: yes
  User authorized to enroll computers: admin
  Synchronizing time with KDC...
  Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
  Password for admin@xxxxxxxxxxxx:
  Successfully retrieved CA cert
      Subject:     CN=Certificate Authority,O=MYDOMAIN.COM
      Issuer:      CN=Certificate Authority,O=MYDOMAIN.COM
      Valid From:  Sun Jan 12 11:57:44 2014 UTC
      Valid Until: Thu Jan 12 11:57:44 2034 UTC

  Enrolled in IPA realm MYDOMAIN.COM
  Created /etc/ipa/default.conf
  New SSSD config will be created
  Configured /etc/sssd/sssd.conf
  Failed to add CA to the default NSS database.
  Installation failed. Rolling back changes.
  Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
  certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
  certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
  Unenrolling client from IPA server
  Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

  Removing Kerberos service principals from /etc/krb5.keytab
  Disabling client Kerberos and LDAP configurations
  Failed to remove krb5/LDAP configuration:

  
  Workaround:
  # rm /etc/ipa/default.conf
  # mkdir -p /etc/pki/nssdb
  # certutil -N --empty-password -d /etc/pki/nssdb
  remove host entry on server or use --force-join

  Item #5 (bug): auth doesn't work until after reboot

  It would be nice if the installer told me to reboot.

  Item #6 (bug): --mkhomedir flag doesn't work

  Workaround: after install:
  echo 'session    required   pam_mkhomedir.so' >> /etc/pam.d/common-session

  Item #7 (bug): uninstall doesn't work

  # ipa-client-install --no-ntp --force-join --no-dns-sshfp
  IPA client is already configured on this system.
  If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
  # ipa-client-install --uninstall
  certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
  Disabling client Kerberos and LDAP configurations
  Failed to remove krb5/LDAP configuration:



  At this point I usually give up and revert my client VM to a snapshot.

  
  Putting the workarounds together, I end up with this script:

  apt-get update &&
  apt-get install -y freeipa-client &&
  mkdir -p /etc/pki/nssdb &&                       # Item #4: NSS database the installer expects
  certutil -N --empty-password -d /etc/pki/nssdb &&
  mkdir -p /var/run/ipa &&                         # Item #4: directory for services.list
  rm -f /etc/ipa/default.conf &&                   # Item #1: stale config left by the package install
  ipa-client-install --no-ntp --no-dns-sshfp --mkhomedir --force-join &&
  echo 'session    required   pam_mkhomedir.so' >> /etc/pam.d/common-session &&   # Item #6: --mkhomedir does nothing
  reboot                                           # Item #5: auth only works after a reboot

  
  And after that I can login with my domain user. Hooray!

  But, not all is quite hunky-dory.

  Firstly.

  Item #8 (feature request): Option to enable sudo.

  Something like --sudo-group=sudoers

  Manual process:

  Edit /etc/sssd/sssd.conf

  Add this to the [domain/mydomain.com] section:
  sudo_provider = ldap
  ldap_uri = ldap://myipaserver.mydomain.com
  ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
  ldap_sasl_mech = GSSAPI
  ldap_sasl_authid = host/myhostname.mydomain.com
  ldap_sasl_realm = MYDOMAIN.COM
  krb5_server = myipaserver.mydomain.com

  Change the services line to include sudo. e.g.
  services = nss, pam, ssh, sudo

  
  See, an automated process would be great here, because most of those values are already detected by the script during the DNS autodetection.

  
  Item #9 (feature request): ability to configure sudo with ipa provider

  I believe this would be a feature request for sssd.

  
  Item #10 (feature request): Option to enable public key auth

  Something like --enable-public-key-auth

  The freeipa server has the ability to store public keys for user accounts.
  The sss_ssh_authorizedkeys can list these public keys for a user.
  Just need to wire them together.

  Manual process:

  Add to /etc/ssh/sshd_config:

  AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
  GSSAPIAuthentication yes
  AuthorizedKeysCommandUser nobody

  Also, the ssh manual says that you should create a dedicated user for
  the AuthorizedKeysCommand. Would be nice if this was done
  automatically. Note: the freeipa server uses the above config.


  Support info:

  $ lsb_release -rd
  Description:  Ubuntu 13.10
  Release:  13.10

  
  $ apt-cache policy freeipa-client
  freeipa-client:
    Installed: 3.2.1-0ubuntu1
    Candidate: 3.2.1-0ubuntu1
    Version table:
   *** 3.2.1-0ubuntu1 0
          500 http://mirror.internode.on.net/pub/ubuntu/ubuntu/ saucy/universe amd64 Packages
          100 /var/lib/dpkg/status

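The two manual procedures in the report (Item #8, the sssd sudo provider keys and the services line; Item #10, the sshd directives for sss_ssh_authorizedkeys) can be applied with the script below. It is an added example, not code from the bug report or from the freeipa or sssd projects. It assumes (nothing in the report says so) that the IPA domain section is named [domain/<DNS domain>], that the AuthorizedKeysCommandUser is a dedicated unprivileged account named sss_ssh_keys rather than nobody, and that the BaseDN is derived from the DNS domain the way the installer prints it. The functions take the config file paths as arguments, so they can be run against copies first; the live system is only touched with --apply.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the freeipa/sssd projects.
# Applies Item #8 (sudo via sssd's LDAP sudo provider) and Item #10 (ssh public
# keys via sss_ssh_authorizedkeys) to a given sssd.conf and sshd_config,
# idempotently. Assumptions not stated in the report: the domain section is
# [domain/<DNS domain>], and the key lookup runs as a dedicated account
# "sss_ssh_keys" instead of "nobody".
set -eu

# enable_sssd_sudo SSSD_CONF DNS_DOMAIN IPA_SERVER REALM CLIENT_HOSTNAME
# Adds "sudo" to the services line and writes the sudo provider keys at the top
# of the domain section; a re-run replaces the keys instead of duplicating them.
# Fails (non-zero) if the domain section is missing.
enable_sssd_sudo() {
  conf=$1; domain=$2; server=$3; realm=$4; host=$5
  tmp=$(mktemp)
  awk -v domain="$domain" -v server="$server" -v realm="$realm" -v host="$host" '
    function emit_sudo() {
      print "sudo_provider = ldap"
      print "ldap_uri = ldap://" server
      print "ldap_sudo_search_base = ou=sudoers," basedn
      print "ldap_sasl_mech = GSSAPI"
      print "ldap_sasl_authid = host/" host
      print "ldap_sasl_realm = " realm
      print "krb5_server = " server
    }
    BEGIN { basedn = "dc=" domain; gsub(/\./, ",dc=", basedn); insec = 0; seen = 0 }
    /^\[/ {                       # section header: entering the IPA domain section?
      insec = ($0 == ("[domain/" domain "]"))
      print
      if (insec) { seen = 1; emit_sudo() }
      next
    }
    /^services[ \t]*=/ {          # [sssd] services line: add the sudo responder once
      if (index($0, "sudo") == 0) $0 = $0 ", sudo"
      print; next
    }
    insec && /^(sudo_provider|ldap_uri|ldap_sudo_search_base|ldap_sasl_mech|ldap_sasl_authid|ldap_sasl_realm|krb5_server)[ \t]*=/ { next }
    { print }
    END { if (!seen) { print ("no [domain/" domain "] section in " FILENAME) > "/dev/stderr"; exit 1 } }
  ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$conf"; rm -f "$tmp"   # cat, not mv: keeps sssd.conf owner/mode (root, 0600)
}

# set_sshd_directive SSHD_CONF KEY VALUE
# Replaces an existing (possibly commented-out) directive in place or, if it is
# absent, inserts it before the first "Match" block so that it stays global.
set_sshd_directive() {
  conf=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { done = 0 }
    {
      line = $0; sub(/^[# \t]*/, "", line)
      if (line ~ ("^" key "[ \t]")) {             # existing or commented-out directive
        if (!done) { print key " " value; done = 1 }
        next
      }
      if (!done && $0 ~ /^[ \t]*Match[ \t]/) {     # keep the directive out of Match blocks
        print key " " value; done = 1
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$conf" > "$tmp"
  cat "$tmp" > "$conf"; rm -f "$tmp"
}

# enable_sss_pubkey SSHD_CONF KEYS_USER: the three directives from Item #10.
enable_sss_pubkey() {
  set_sshd_directive "$1" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
  set_sshd_directive "$1" AuthorizedKeysCommandUser "$2"
  set_sshd_directive "$1" GSSAPIAuthentication yes
}

# Touch the live system only when asked explicitly (run as root):
#   sh enable_ipa_extras.sh --apply mydomain.com myipaserver.mydomain.com MYDOMAIN.COM myhostname.mydomain.com
if [ "${1-}" = "--apply" ]; then
  id sss_ssh_keys >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin sss_ssh_keys
  enable_sssd_sudo /etc/sssd/sssd.conf "${2:?dns domain}" "${3:?ipa server}" "${4:?realm}" "${5:?client hostname}"
  enable_sss_pubkey /etc/ssh/sshd_config sss_ssh_keys
  service sssd restart
  service ssh restart
fi
```

Placement before the first Match block matters: sshd treats everything after a Match line as conditional, so a directive blindly appended to the end of sshd_config may never apply globally. After applying, check the wiring with `sss_ssh_authorizedkeys <user>` as the key-lookup account and `sudo -l` as a domain user.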

