Yeah, Ubuntu's ipa-client doesn't work for 12.04.  I wish it had been easier to 
find this out, but you can benefit from my weeks of hard work!  :-)

Install the IPA client from the FreeIPA PPA:

apt-add-repository ppa:freeipa/ppa

You'll also need the sssd updates PPA:

apt-add-repository ppa:sssd/updates

Run apt-get update, then

apt-get -y install openssh-server freeipa-client sssd

That may work.  If it doesn't install those packages, run apt-get dist-upgrade.

Next run ipa-client-install.  You need to add a -N so that it doesn't check for 
ntp.  That's broken on Ubuntu for some reason.  If the install doesn't work, 
and it tells you to uninstall first, check for /etc/ipa/default.conf and remove 
it.  If it still doesn't work, remove the files under 
/var/lib/ipa-client/sysrestore/ and run ipa-client-install again.  You'll 
get many warning & error messages, even with a successful install.  After 
install you can do an "ipa host-find host.domain" on your IPA server and you 
should see "Keytab: True".

Restart sssd to get ssh authentication to work.

The Ubuntu client install does not seem to do anything with the --mkhomedir 
switch, so you need to do that yourself.  Create the file 
/usr/share/pam-configs/mkhomedir with the contents:

Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required               pam_mkhomedir.so umask=0022

and run pam-auth-update.

That should do it.

MANY thanks to tjaalton of ubuntu-freeipa for helping me out with most of this!!

On 06/13/2013 06:47 PM, Marcelo Carvalho wrote:
My first question is answered.

It took an "ipa-client-install --uninstall"  to clean up all the mess done up 
to now and a new


It is working on the CentOS 6.4 but this did not clean the mess at the Ubuntu 

On Thu, Jun 13, 2013 at 3:24 PM, Marcelo Carvalho wrote:
Sorry I do not use Ubuntu as my main desktop, and got confused by it.  All 
files are in /home/root-local.

I can log in as root-local from the console using the local password.   From the 
GUI it shows <user> name and does not allow me to log in with either the local 
passwd or the IPA one.

On Thu, Jun 13, 2013 at 2:48 PM, Marcelo Carvalho wrote:
"It shows on the Login GUI" I meant.

On Thu, Jun 13, 2013 at 2:47 PM, Marcelo Carvalho wrote:
Ubuntu 12.04.2

This is a box I use very often for testing and now after the ipa-client-install 
and a reboot, I completely lost my local user.  I show on the Login GUI but does 
not allow me to authenticate any password, not the IPA one nor the local user 
one.  In fact I just logged in as root and the local user is not even listed in 
the passwd file and there are NO files left in the /home/user directory.  
/home/user is empty, but exists.

On Thu, Jun 13, 2013 at 2:21 PM, Guy Matz wrote:
Which version of ubuntu are you using?

On 06/13/2013 04:12 PM, Marcelo Carvalho wrote:
> Hi Folks.
> I have installed an ipa server and a replica on linux CentOS release
> 6.4 (Final).  It is using outside DNS.  I have https console access
> authenticating admin user through kerberos, and have migrated
> information on 80+ users and groups to it from a LDAP server.
> Packages related to ipa installed at main server are:
> [root ~]# rpm -qa | grep ipa
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-1.9.2-82.el6.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> ipa-client-3.0.0-26.el6_4.2.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.9.2-82.el6.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> [root ~]#
> I am now in the process of installing a CentOS 6.4 as IPA client, and
> switch my Ubuntu desktop to use IPA as well.
> 1- On the CentOS 6.4 as IPA client:
> Packages installed are:
>  $ rpm -qa | grep ipa
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.9.2-82.el6.x86_64
> libipa_hbac-1.9.2-82.el6.x86_64
> I run installation line as follows and
>     ipa-client-install
> --realm=XXXXXX.XXX
> It did go well and I see output line:
>     Client configuration complete.
> Although all of the above I still cannot login into this new node
> using IPA.  It still checks the local users.
> 2- On the Ubuntu desktop
>    I am locked out.  It now does not accept my IPA user-passwd nor my
> local-user-passwd.
> Please advise on both.
> Many thanks,
> Marcelo
> _______________________________________________
> Freeipa-users mailing list
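
An added example, not part of the original thread: a pre-flight check for the /usr/share/pam-configs/mkhomedir profile described in the first message, to run before pam-auth-update, plus a check that the generated session stack picked the module up. The function names are hypothetical, the parser assumes a one-word control field such as "required", and /etc/pam.d/common-session is assumed as the stack file pam-auth-update writes on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the thread). A malformed profile line such as
# "required umask=0022" makes PAM treat "umask=0022" as the module name,
# and a failing "required" session module can block every login.

# check_mkhomedir_profile FILE
# Returns 0 only if FILE has the profile headers and every entry in its
# "Session:" block loads pam_mkhomedir.so; otherwise 1 with a reason on stderr.
check_mkhomedir_profile() {
    profile=$1
    [ -r "$profile" ] || { echo "cannot read $profile" >&2; return 1; }
    for field in Name Default Priority Session-Type; do
        grep -q "^$field:" "$profile" ||
            { echo "missing header: $field" >&2; return 1; }
    done
    # Indented lines after "Session:" have the form: <control> <module> [args]
    awk '
        /^Session:/      { in_session = 1; next }
        /^[^ \t]/        { in_session = 0 }
        in_session && NF { if ($2 == "pam_mkhomedir.so") ok = 1; else bad = 1 }
        END              { exit (ok && !bad) ? 0 : 1 }
    ' "$profile" ||
        { echo "Session block does not load pam_mkhomedir.so" >&2; return 1; }
}

# stack_has_mkhomedir FILE
# Returns 0 if FILE (e.g. /etc/pam.d/common-session, assumed path) has an
# active, uncommented session line that loads pam_mkhomedir.so.
stack_has_mkhomedir() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Usage, with the path from the message above:
#   check_mkhomedir_profile /usr/share/pam-configs/mkhomedir && pam-auth-update
#   stack_has_mkhomedir /etc/pam.d/common-session || echo "mkhomedir not active"
```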
