Hi, I've been testing FreeIPA client on Ubuntu Oneiric during the past few days and with some patching and tweaking ipa-client-install now works and configures Kerberos and SSSD correctly.
Below are steps to reproduce. Note that quite a few tickets were filed during this exercise so it might well be that after a few weeks not all the steps are necessary as fixes land in FreeIPA upstream and/or Ubuntu. Also some of the currently required tweaks should make it very clear this is not quite yet ready for production environments but paves the way for further work on this front.

With the above remarks in mind, here are the steps to make your Ubuntu Oneiric work as an IPA client.

1) Install Ubuntu Oneiric

No need to add any specific packages during installation, the following steps will cover installation of all the needed packages for IPA client.

2) SSSD in Oneiric repositories doesn't work properly due to

  https://bugs.launchpad.net/bugs/746981
  https://bugs.launchpad.net/bugs/859602
  https://bugs.launchpad.net/bugs/859611

And for ipa-client-install also a newer version is required:

  https://bugs.launchpad.net/bugs/860297

Until those issues have been fixed use the build with all the needed fixes from this PPA (thanks to Timo for fixing the above issues quickly):

  https://launchpad.net/~tjaalton/+archive/ppa

But do note that due to

  https://fedorahosted.org/sssd/ticket/1011
  https://bugs.launchpad.net/bugs/860488

local users are unable to login when SSSD is not running even with the latest SSSD build in use once enabled in PAM configuration (so you might want to at least set a password for root).

Once you have sssd installed, stop it and wipe old logs/DBs:

  # rm -rf /var/lib/sss/db/* /var/log/sss/*

ipa-client-install will start SSSD later with proper configuration.

To enable SSSD in NSS/PAM configuration make sure you have:

  # apt-get install libnss-sss libpam-sss

3) Install the packages needed to build and run IPA client:

  # apt-get install autoconf automake build-essential git libtool \
      python-dev python-kerberos python-ldap python-netaddr python-openssl \
      python-setuptools gettext libnss3-dev libnspr4-dev libkrb5-dev \
      libldap2-dev libpopt-dev libsasl2-dev libcurl4-nss-dev \
      libxmlrpc-c3-dev krb5-user libnss3-tools chkconfig \
      libsasl2-modules-gssapi-mit bind9utils openntpd wget

4) Install python-nss

python-nss is currently not packaged for Ubuntu so grab the tarball (at least version 0.12.0) from:

  http://ftp.mozilla.org/pub/mozilla.org/security/python-nss/releases/

Then build and install:

  # python setup.py build
  # python setup.py install

5) Install python-krbV

python-krbV is currently not packaged for Ubuntu so grab the latest tarball from:

  https://fedorahosted.org/python-krbV/wiki/Releases

Then build and install (make install puts the module under site-packages from where it isn't found so copy it manually):

  # ./configure --prefix=/usr/local/lib
  # cp -p .libs/krbVmodule.so /usr/local/lib/python2.7/dist-packages/

6) Clone freeipa.git

  # git clone git://git.fedorahosted.org/freeipa.git freeipa.git
  # cd freeipa.git

7) Due to https://fedorahosted.org/freeipa/ticket/1837 in ipapython/dnsclient.py comment "import acutil" out and change:

  -    answer = acutil.res_send(data)
  +    answer = None

8) Due to CVE-2011-2192 there have been API changes in libcurl/xmlrpc-c which have not yet all propagated to Ubuntu. So for the time being uncomment the two lines in ipa-client/ipa-join.c containing references to "gssapi_delegation" to allow ipa-join.c to compile. (We will deal with the consequences later.)

9) From https://fedorahosted.org/freeipa/ticket/1887 copy the ubuntu.py platform specific code as ipapython/platform/ubuntu.py. See the next step for the explanation for apache2.

10) Since certmonger is not yet available for Ubuntu, see https://fedorahosted.org/freeipa/ticket/1852, we'll fool the installer and map the certmonger service to apache2 - this keeps the installer happy and affects only certificate-related parts of IPA:

  # apt-get install apache2
  # mkdir -p /var/lib/certmonger/cas
  # mkdir -p /var/lib/certmonger/requests

11) Compile and install the client

  # make SUPPORTED_PLATFORM=ubuntu client
  # make SUPPORTED_PLATFORM=ubuntu client-install

12) Due to https://fedorahosted.org/freeipa/ticket/1844 and https://fedorahosted.org/freeipa/ticket/1849 create a few needed runtime directories:

  # mkdir -p /etc/ipa
  # mkdir -p /var/lib/ipa-client/sysrestore

13) Due to https://fedorahosted.org/freeipa/ticket/1844 create a dummy NSS db with an empty password to keep certutil happy:

  # mkdir -p /etc/pki/nssdb
  # certutil -N -d /etc/pki/nssdb

And install the master CA certificate manually:

  # wget http://master.ipa.example.com/ipa/config/ca.crt -O /usr/share/ca-certificates/ipa-ca.crt
  # echo ipa-ca.crt >> /etc/ca-certificates.conf
  # update-ca-certificates

14) The fix for https://bugzilla.redhat.com/show_bug.cgi?id=714823 is not yet available for Ubuntu so just in case add both the client and the IPA master to /etc/hosts.

15) Due to https://fedorahosted.org/freeipa/ticket/1850

  # mkdir -p /etc/sysconfig

16) Due to 8) above grab libcurl3_7.21.6-1_amd64.deb from snapshot.debian.org, extract it, and use it:

  # ar xv libcurl3_7.21.6-1_amd64.deb
  # tar zxf data.tar.gz
  # cp -p /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0.orig
  # cp -p usr/lib/libcurl.so.4.2.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0.test
  # cp -p usr/lib/libcurl.so.4.2.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0
  # apt-get install libssh2-1

Note! This downgrades libcurl.so which is affected by CVE-2011-2192.

17) Run ipa-client-install

  # ipa-client-install --domain=ipa.example.com --server=master.ipa.example.com \
      --hostname=ubuntu1.ipa.example.com --mkhomedir --enable-dns-updates

18) While the script prompts for NSS/PAM changes for the first time, start SSSD and make sure "getent passwd admin" works.

19) When the script prompts for NSS/PAM changes for the second time, just hit enter, see https://bugzilla.redhat.com/show_bug.cgi?id=737048

20) Due to https://fedorahosted.org/freeipa/ticket/1851 there might be dbus service related errors, those can be ignored.

21) Verify from the IPA master that the Ubuntu client has been successfully enrolled and login as a user managed in IPA!

So, with those "few" "simple" steps Ubuntu Oneiric can be enrolled to an IPA domain. As mentioned, all this is far from being ready for production but hopefully this shows what needs to be done next to make FreeIPA client usable on Ubuntu.

Cheers,

-- 
Marko Myllynen

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
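A post-enrollment sanity check, added here as an example and not part of the post above: it verifies the NSS/PAM state that steps 2 and 18 expect, checks the root-password caveat from step 2 (local logins fail while SSSD is down), and replaces step 13's blind append to /etc/ca-certificates.conf with an idempotent one. The function names and the sample files it writes are constructed for illustration; point the checks at the real /etc files to use them on a client.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for an Ubuntu
# IPA client. Every check takes file paths as arguments so it can be pointed
# at the real /etc files or at the constructed samples from make_samples.

# 0 if passwd, group and shadow lookups in an nsswitch.conf all consult sss.
nss_uses_sss() {
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]sss([[:space:]]|$)" "$1" || return 1
    done
}

# 0 if a PAM common-* file loads pam_sss.so on an uncommented line.
pam_uses_sss() {
    grep -Eq '^[^#]*pam_sss\.so' "$1"
}

# 0 if user $2 has a real password hash in shadow-format file $1. The post
# warns that local logins fail while SSSD is down, so root needs one.
has_password() {
    pw=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
    case "$pw" in
        ''|'*'|'!'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Idempotent form of step 13's "echo ipa-ca.crt >> /etc/ca-certificates.conf":
# a blind append would list the CA twice if the step is re-run.
add_ca_entry() {
    grep -qx "$2" "$1" || echo "$2" >> "$1"
}

# Write constructed sample files (not real system state) to a temp dir.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd: compat sss\ngroup: compat sss\nshadow: compat sss\n' > "$d/nsswitch.conf"
    printf 'passwd: compat\ngroup: compat\nshadow: compat\n' > "$d/nsswitch.nosss"
    printf '# auth [success=1 default=ignore] pam_sss.so\nauth pam_unix.so nullok_secure\n' > "$d/common-auth.nosss"
    printf 'auth [success=1 default=ignore] pam_unix.so\nauth [success=1 default=ignore] pam_sss.so use_first_pass\n' > "$d/common-auth"
    printf 'root:$6$constructed$hash:15600:0:99999:7:::\nnobody:*:15600:0:99999:7:::\n' > "$d/shadow"
    printf 'mozilla/Some_CA.crt\n' > "$d/ca-certificates.conf"
    echo "$d"
}
```

On a real client run e.g. `nss_uses_sss /etc/nsswitch.conf && pam_uses_sss /etc/pam.d/common-auth && has_password /etc/shadow root` after step 18 and before trusting the enrollment.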