Public bug reported:
From a fresh install of Ubuntu 13.10, I'd like the following to happen:
- ipa-client-install actually works
- options to configure sudo and public key auth

I'll go through this in detail. Hostnames and domain names changed to protect the innocent.

# apt-get install freeipa-client

Item #1 (bug): IPA client already configured. Package installer shouldn't do that.

# ipa-client-install
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.

Workaround: rm /etc/ipa/default.conf

Item #2 (bug/feature request): ipa-client-install should configure chronyd

# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Item #3 (bug): ipa-client-install --no-ntp still complains about NTP

# ipa-client-install --no-ntp
Discovery was successful!
Hostname: myhostname.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: myipaserver.mydomain.com
BaseDN: dc=mydomain,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.

Item #4 (bug): Client install fails and also fails to rollback.

# ipa-client-install --no-ntp
Discovery was successful!
Hostname: myhostname.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: myipaserver.mydomain.com
BaseDN: dc=mydomain,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Password for ad...@mydomain.com:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=MYDOMAIN.COM
    Issuer:      CN=Certificate Authority,O=MYDOMAIN.COM
    Valid From:  Sun Jan 12 11:57:44 2014 UTC
    Valid Until: Thu Jan 12 11:57:44 2034 UTC

Enrolled in IPA realm MYDOMAIN.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

Workaround:
# rm /etc/ipa/default.conf
# mkdir -p /etc/pki/nssdb
# certutil -N --empty-password -d /etc/pki/nssdb
remove host entry on server or use --force-join

Item #5 (bug): auth doesn't work until after reboot

It would be nice if the installer told me to reboot.

Item #6 (bug): --mkhomedir flag doesn't work

Workaround: after install:
echo 'session required pam_mkhomedir.so' >> /etc/pam.d/common-session

Item #7 (bug): uninstall doesn't work

# ipa-client-install --no-ntp --force-join --no-dns-sshfp
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
# ipa-client-install --uninstall
certmonger failed to start: Command '/usr/sbin/service certmonger start ' returned non-zero exit status 1
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

At this point I usually give up and revert my client VM to a snapshot.

Putting the workarounds together, I end up with this script:

apt-get update &&
apt-get install -y freeipa-client &&
mkdir -p /etc/pki/nssdb &&
certutil -N --empty-password -d /etc/pki/nssdb &&
mkdir -p /var/run/ipa &&
rm -f /etc/ipa/default.conf &&
ipa-client-install --no-ntp --no-dns-sshfp --mkhomedir --force-join &&
echo 'session required pam_mkhomedir.so' >> /etc/pam.d/common-session &&
reboot

And after that I can login with my domain user. Hooray!

But, not all is quite hunky-dory. Firstly.

Item #8 (feature request): Option to enable sudo.

Something like --sudo-group=sudoers

Manual process:

Edit /etc/sssd.conf

Add this to the [domain/mydomain.com] section:

sudo_provider = ldap
ldap_uri = ldap://myipaserver.mydomain.com
ldap_sudo_search_base = ou=sudoers,dc=mydomain,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myhostname.mydomain.com
ldap_sasl_realm = MYDOMAIN.COM
krb5_server = myipaserver.mydomain.com

Change the services line to include sudo. e.g.

services = nss, pam, ssh, sudo

See, an automated process would be great here, because most of those values are already detected by the script during the dns autodetection.

Item #9 (feature request): ability to configure sudo with ipa provider

I believe this would be a feature request for sssd.

Item #10 (feature request): Option to enable public key auth

Something like --enable-public-key-auth

The freeipa server has the ability to store public keys for user accounts. The sss_ssh_authorizedkeys can list these public keys for a user. Just need to wire them together.
Manual process: Add to /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
AuthorizedKeysCommandUser nobody

Also, the ssh manual says that you should create a dedicated user for the AuthorizedKeysCommand. Would be nice if this was done automatically.

Note: the freeipa server uses the above config.

Support info:

$ lsb_release -rd
Description:    Ubuntu 13.10
Release:        13.10

$ apt-cache policy freeipa-client
freeipa-client:
  Installed: 3.2.1-0ubuntu1
  Candidate: 3.2.1-0ubuntu1
  Version table:
 *** 3.2.1-0ubuntu1 0
        500 http://mirror.internode.on.net/pub/ubuntu/ubuntu/ saucy/universe amd64 Packages
        100 /var/lib/dpkg/status

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1280215
Title: Make ipa-client-join work and fulfil my requirements
Status in “freeipa” package in Ubuntu: New
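Item #8 asks for the sudo stanza to be generated from the values ipa-client-install already discovers. The following is an added example, not part of the bug report or of FreeIPA's own tooling: it derives the report's settings from the discovery output (hostname, domain, realm, server, BaseDN) and writes them into a constructed sample sssd.conf, adding the sudo responder exactly once so a re-run is harmless; enable_sudo is a hypothetical helper name.

```python
import configparser
import io

# Constructed sample of the sssd.conf that ipa-client-install writes; the
# host, domain and server names are the bug report's placeholders.
SAMPLE_SSSD_CONF = """[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = mydomain.com

[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
ipa_hostname = myhostname.mydomain.com
ipa_domain = mydomain.com
ipa_server = _srv_, myipaserver.mydomain.com
"""

def enable_sudo(conf_text, hostname, domain, realm, server, basedn):
    """Return conf_text with the sudo responder enabled and the LDAP sudo
    provider settings from Item #8 added to the [domain/<domain>] section.
    Hypothetical helper: this is not part of ipa-client-install."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)

    # Add 'sudo' to the responder list exactly once, so a re-run is a no-op.
    services = [s.strip() for s in cp["sssd"].get("services", "").split(",")]
    services = [s for s in services if s]
    if "sudo" not in services:
        services.append("sudo")
    cp["sssd"]["services"] = ", ".join(services)

    section = "domain/" + domain
    if not cp.has_section(section):
        raise ValueError("sssd.conf has no [%s] section" % section)
    # Same settings the report adds by hand, derived from discovery output.
    cp[section].update({
        "sudo_provider": "ldap",
        "ldap_uri": "ldap://" + server,
        "ldap_sudo_search_base": "ou=sudoers," + basedn,
        "ldap_sasl_mech": "GSSAPI",
        "ldap_sasl_authid": "host/" + hostname,
        "ldap_sasl_realm": realm,
        "krb5_server": server,
    })
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```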