[Freeipa-devel] FreeIPA Client on Ubuntu Oneiric
Marko Myllynen
myllynen at redhat.com
Tue Sep 27 17:49:02 UTC 2011
Hi,
I've been testing FreeIPA client on Ubuntu Oneiric during the past few
days and with some patching and tweaking ipa-client-install now works
and configures Kerberos and SSSD correctly.
Below are steps to reproduce. Note that quite a few tickets were filed
during this exercise so it might well be that after a few weeks not all
the steps are necessary as fixes land on FreeIPA upstream and/or Ubuntu.
Also some of the currently required tweaks should make it very clear
this is not quite yet ready for production environments but paves the
way for further work on this front.
With the above remarks in mind, here are the steps to make your Ubuntu
Oneiric work as an IPA client.
1) Install Ubuntu Oneiric
No need to add any specific packages during installation, the following
steps will cover installation of all the needed packages for IPA client.
2) SSSD in Oneiric repositories doesn't work properly due to
https://bugs.launchpad.net/bugs/746981
https://bugs.launchpad.net/bugs/859602
https://bugs.launchpad.net/bugs/859611
And for ipa-client-install also a newer version is required:
https://bugs.launchpad.net/bugs/860297
Until those issues have been fixed, use the build with all the needed fixes
from this PPA (thanks to Timo for fixing the above issues quickly):
https://launchpad.net/~tjaalton/+archive/ppa
But do note that due to
https://fedorahosted.org/sssd/ticket/1011
https://bugs.launchpad.net/bugs/860488
local users are unable to log in when SSSD is not running, even with the
latest SSSD build in use, once it is enabled in the PAM configuration (so you
might want to at least set a password for root).
Once you have sssd installed, stop it and wipe old logs/DBs:
# rm -rf /var/lib/sss/db/* /var/log/sss/*
ipa-client-install will start SSSD later with proper configuration.
To enable SSSD in NSS/PAM configuration make sure you have:
# apt-get install libnss-sss libpam-sss
3) Install the packages needed to build and run IPA client:
# apt-get install autoconf automake build-essential git libtool \
    python-dev python-kerberos python-ldap python-netaddr python-openssl \
    python-setuptools gettext libnss3-dev libnspr4-dev libkrb5-dev \
    libldap2-dev libpopt-dev libsasl2-dev libcurl4-nss-dev libxmlrpc-c3-dev \
    krb5-user libnss3-tools chkconfig libsasl2-modules-gssapi-mit bind9utils \
    openntpd wget
4) Install python-nss
python-nss is currently not packaged for Ubuntu so grab the tar ball (at
least version 0.12.0) from:
http://ftp.mozilla.org/pub/mozilla.org/security/python-nss/releases/
Then build and install:
# python setup.py build
# python setup.py install
5) Install python-krbV
python-krbV is currently not packaged for Ubuntu so grab the latest tar
ball from:
https://fedorahosted.org/python-krbV/wiki/Releases
Then build and install (make install puts the module under site-packages
from where it isn't found, so copy it manually):
# ./configure --prefix=/usr/local/lib
# make
# cp -p .libs/krbVmodule.so /usr/local/lib/python2.7/dist-packages/
6) Clone freeipa.git
# git clone git://git.fedorahosted.org/freeipa.git freeipa.git
# cd freeipa.git
7) Due to
https://fedorahosted.org/freeipa/ticket/1837
in ipapython/dnsclient.py comment "import acutil" out and change:
- answer = acutil.res_send(data)
+ answer = None
8) Due to CVE-2011-2192 there have been API changes in libcurl/xmlrpc-c
which have not yet all propagated to Ubuntu. So for the time being
uncomment the two lines in ipa-client/ipa-join.c containing references
to "gssapi_delegation" to allow ipa-join.c to compile. (We will deal
with the consequences later.)
9) From
https://fedorahosted.org/freeipa/ticket/1887
copy the ubuntu.py platform specific code as
ipapython/platform/ubuntu.py. See the next step for explanation for apache2.
10) Since certmonger is not yet available for Ubuntu, see
https://fedorahosted.org/freeipa/ticket/1852
We'll fool the installer and map the certmonger service to apache2 -
this keeps the installer happy and affects only the certificate-related
parts of IPA:
# apt-get install apache2
# mkdir -p /var/lib/certmonger/cas
# mkdir -p /var/lib/certmonger/requests
11) Compile and install the client
# make SUPPORTED_PLATFORM=ubuntu client
# make SUPPORTED_PLATFORM=ubuntu client-install
12) Due to
https://fedorahosted.org/freeipa/ticket/1844
https://fedorahosted.org/freeipa/ticket/1849
create a few needed runtime directories:
# mkdir -p /etc/ipa
# mkdir -p /var/lib/ipa-client/sysrestore
13) Due to
https://fedorahosted.org/freeipa/ticket/1844
create a dummy NSS db with empty password to keep certutil happy:
# mkdir -p /etc/pki/nssdb
# certutil -N -d /etc/pki/nssdb
And install the master CA certificate manually:
# wget http://master.ipa.example.com/ipa/config/ca.crt -O /usr/share/ca-certificates/ipa-ca.crt
# echo ipa-ca.crt >> /etc/ca-certificates.conf
# update-ca-certificates
14) Fix for
https://bugzilla.redhat.com/show_bug.cgi?id=714823
is not yet available for Ubuntu so just in case add both the client and
the IPA master to /etc/hosts.
15) Due to
https://fedorahosted.org/freeipa/ticket/1850
# mkdir -p /etc/sysconfig
16) Due to 8) above, grab libcurl3_7.21.6-1_amd64.deb from
snapshot.debian.org, extract it, and use it:
# ar xv libcurl3_7.21.6-1_amd64.deb
# tar zxf data.tar.gz
# cp -p /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0.orig
# cp -p usr/lib/libcurl.so.4.2.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0.test
# cp -p usr/lib/libcurl.so.4.2.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0
# apt-get install libssh2-1
Note! This downgrades libcurl.so which is affected by CVE-2011-2192.
17) Run ipa-client-install
# ipa-client-install --domain=ipa.example.com --server=master.ipa.example.com \
    --hostname=ubuntu1.ipa.example.com --mkhomedir --enable-dns-updates
18) When the script prompts for NSS/PAM changes for the first time,
start SSSD and make sure "getent passwd admin" works.
19) When the script prompts for NSS/PAM changes for the second time,
just hit enter, see
https://bugzilla.redhat.com/show_bug.cgi?id=737048
20) Due to
https://fedorahosted.org/freeipa/ticket/1851
there might be dbus service related errors, those can be ignored.
21) Verify from the IPA master that the Ubuntu client has been
successfully enrolled and login as a user managed in IPA!
So, with those "few" "simple" steps Ubuntu Oneiric can be enrolled to an
IPA domain. As mentioned, all this is far from being ready for
production but hopefully this shows what needs to be done next to
make FreeIPA client usable on Ubuntu.
Cheers,
--
Marko Myllynen
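An added post-enrollment check script, written here as an illustration and not part of Marko's post or of FreeIPA itself. Two of the steps above leave the client in a state a practitioner would want to verify before trusting it: step 13 fetches the master CA certificate over plain HTTP, so its digest should be compared with one read on the master itself (assumed here to be passed as the script's first argument, obtained out-of-band), and step 16 installs a libcurl in the CVE-2011-2192 range (fixed in 7.21.7), which should be flagged until a patched build is back in place. The script also re-checks the /etc/hosts entries from step 14 and the "getent passwd admin" test from step 18. Hostnames and paths are the ones used in the post; using "curl-config --version" to read the libcurl version is an assumption of this example.

```shell
#!/bin/sh
# Added example (not part of the original post): post-enrollment checks for
# the Ubuntu client built above. Assumptions (not in the original): the CA
# certificate's sha256 is obtained out-of-band on the master and passed as
# the first argument; "curl-config --version" reports the libcurl version;
# hostnames and paths are the ones used in the post.

# version_lt A B: succeed (exit 0) when dotted version A sorts before B.
# Debian revisions such as "7.21.6-1" are stripped before comparing.
version_lt() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# curl_version_vulnerable VER: succeed when VER is older than 7.21.7, the
# first libcurl release carrying the CVE-2011-2192 fix (GSSAPI credential
# delegation). Step 16 above deliberately installs 7.21.6, which this flags.
curl_version_vulnerable() {
    version_lt "$1" 7.21.7
}

# file_sha256_matches FILE HEX: succeed when sha256(FILE) equals HEX
# (case-insensitive). Use it on the CA certificate fetched over plain HTTP,
# comparing against a digest read on the master itself.
file_sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] || actual=$(shasum -a 256 "$1" 2>/dev/null | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# hosts_has_entry HOSTS_FILE NAME: succeed when NAME appears as a hostname
# or alias on a non-comment line of HOSTS_FILE.
hosts_has_entry() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -qE "^[^#]*[[:space:]]${pat}([[:space:]]|\$)" "$1"
}

# main EXPECTED_SHA256: run all checks on this host; returns 1 if any fails.
main() {
    rc=0
    ca=/usr/share/ca-certificates/ipa-ca.crt
    if file_sha256_matches "$ca" "$1"; then
        echo "ok:   $ca matches the digest taken on the master"
    else
        echo "FAIL: $ca does not match the expected sha256 (it was fetched over plain HTTP)"
        rc=1
    fi
    ver=$(curl-config --version 2>/dev/null | awk '{print $2}')
    if [ -n "$ver" ] && curl_version_vulnerable "$ver"; then
        echo "FAIL: libcurl $ver predates the CVE-2011-2192 fix (7.21.7); the step 16 downgrade is still in place"
        rc=1
    fi
    for h in master.ipa.example.com ubuntu1.ipa.example.com; do
        hosts_has_entry /etc/hosts "$h" || { echo "FAIL: $h missing from /etc/hosts (step 14)"; rc=1; }
    done
    if getent passwd admin >/dev/null 2>&1; then
        echo "ok:   SSSD resolves the IPA admin user"
    else
        echo "FAIL: getent passwd admin returned nothing; is sssd running with the installer's config?"
        rc=1
    fi
    return $rc
}

# Usage: sh verify-ipa-client.sh <sha256 of ca.crt as read on the master>
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it on the client after step 21 with the digest printed by "sha256sum" on the master's copy of ca.crt; a non-zero exit means the client should not be handed to users yet. The libcurl check is the reminder that the downgrade in step 16 is a temporary workaround and not something to carry into production.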