[Freeipa-devel] FreeIPA Client on Ubuntu Oneiric

Marko Myllynen myllynen at redhat.com
Tue Sep 27 17:49:02 UTC 2011


Hi,

I've been testing FreeIPA client on Ubuntu Oneiric during the past few
days and with some patching and tweaking ipa-client-install now works
and configures Kerberos and SSSD correctly.

Below are steps to reproduce. Note that quite a few tickets were filed
during this exercise so it might well be that after a few weeks not all
the steps are necessary as fixes land in FreeIPA upstream and/or Ubuntu.

Also some of the currently required tweaks should make it very clear
this is not quite yet ready for production environments but paves the
way for further work on this front.

With the above remarks in mind, here are the steps to make your Ubuntu
Oneiric work as an IPA client.


1) Install Ubuntu Oneiric

No need to add any specific packages during installation; the following
steps cover installation of all the packages needed for the IPA client.

2) SSSD in Oneiric repositories doesn't work properly due to

https://bugs.launchpad.net/bugs/746981
https://bugs.launchpad.net/bugs/859602
https://bugs.launchpad.net/bugs/859611

And for ipa-client-install a newer version is also required:

https://bugs.launchpad.net/bugs/860297

Until those issues have been fixed, use the build with all the needed
fixes from this PPA (thanks to Timo for fixing the above issues quickly):

https://launchpad.net/~tjaalton/+archive/ppa

But do note that due to

https://fedorahosted.org/sssd/ticket/1011
https://bugs.launchpad.net/bugs/860488

local users are unable to log in when SSSD is not running, even with the
latest SSSD build in use, once it is enabled in the PAM configuration (so
you might want to at least set a password for root).

Once you have sssd installed, stop it and wipe old logs/DBs:

# rm -rf /var/lib/sss/db/* /var/log/sss/*

ipa-client-install will start SSSD later with proper configuration.

To enable SSSD in the NSS/PAM configuration make sure you have:

# apt-get install libnss-sss libpam-sss

3) Install the packages needed to build and run IPA client:

# apt-get install autoconf automake build-essential git libtool
python-dev python-kerberos python-ldap python-netaddr python-openssl
python-setuptools gettext libnss3-dev libnspr4-dev libkrb5-dev
libldap2-dev libpopt-dev libsasl2-dev libcurl4-nss-dev libxmlrpc-c3-dev
krb5-user libnss3-tools chkconfig libsasl2-modules-gssapi-mit bind9utils
openntpd wget

4) Install python-nss

python-nss is currently not packaged for Ubuntu so grab the tar ball (at
least version 0.12.0) from:

http://ftp.mozilla.org/pub/mozilla.org/security/python-nss/releases/

Then build and install:

# python setup.py build
# python setup.py install

5) Install python-krbV

python-krbV is currently not packaged for Ubuntu so grab the latest tar
ball from:

https://fedorahosted.org/python-krbV/wiki/Releases

Then build and install (make install puts the module under site-packages
from where it isn't found so copy it manually):

# ./configure --prefix=/usr/local/lib
# make
# cp -p .libs/krbVmodule.so /usr/local/lib/python2.7/dist-packages/

6) Clone freeipa.git

# git clone git://git.fedorahosted.org/freeipa.git freeipa.git
# cd freeipa.git

7) Due to

https://fedorahosted.org/freeipa/ticket/1837

in ipapython/dnsclient.py comment out "import acutil" and change:

- answer = acutil.res_send(data)
+ answer = None

8) Due to CVE-2011-2192 there have been API changes in libcurl/xmlrpc-c
which have not yet all propagated to Ubuntu. So for the time being
uncomment the two lines in ipa-client/ipa-join.c containing references
to "gssapi_delegation" to allow ipa-join.c to compile. (We will deal
with the consequences later.)

9) From

https://fedorahosted.org/freeipa/ticket/1887

copy the ubuntu.py platform-specific code to
ipapython/platform/ubuntu.py. See the next step for the explanation of apache2.

10) Since certmonger is not yet available for Ubuntu, see

https://fedorahosted.org/freeipa/ticket/1852

we'll fool the installer and map the certmonger service to apache2. This
keeps the installer happy and affects only the certificate-related parts
of IPA:

# apt-get install apache2
# mkdir -p /var/lib/certmonger/cas
# mkdir -p /var/lib/certmonger/requests

11) Compile and install the client

# make SUPPORTED_PLATFORM=ubuntu client
# make SUPPORTED_PLATFORM=ubuntu client-install

12) Due to

https://fedorahosted.org/freeipa/ticket/1844
https://fedorahosted.org/freeipa/ticket/1849

create a few needed runtime directories:

# mkdir -p /etc/ipa
# mkdir -p /var/lib/ipa-client/sysrestore

13) Due to

https://fedorahosted.org/freeipa/ticket/1844

create a dummy NSS db with an empty password to keep certutil happy:

# mkdir -p /etc/pki/nssdb
# certutil -N -d /etc/pki/nssdb

And install the master CA certificate manually:

# wget http://master.ipa.example.com/ipa/config/ca.crt \
    -O /usr/share/ca-certificates/ipa-ca.crt
# echo ipa-ca.crt >> /etc/ca-certificates.conf
# update-ca-certificates

14) Fix for

https://bugzilla.redhat.com/show_bug.cgi?id=714823

is not yet available for Ubuntu so just in case add both the client and
the IPA master to /etc/hosts.

15) Due to

https://fedorahosted.org/freeipa/ticket/1850

# mkdir -p /etc/sysconfig

16) Due to 8) above, grab libcurl3_7.21.6-1_amd64.deb from
snapshot.debian.org, extract it, and use it:

# ar xv libcurl3_7.21.6-1_amd64.deb
# tar zxf data.tar.gz
# cp -p /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0 \
    /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0.orig
# cp -p usr/lib/libcurl.so.4.2.0 \
    /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0.test
# cp -p usr/lib/libcurl.so.4.2.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.2.0
# apt-get install libssh2-1

Note! This downgrades libcurl.so which is affected by CVE-2011-2192.

17) Run ipa-client-install

# ipa-client-install --domain=ipa.example.com \
    --server=master.ipa.example.com --hostname=ubuntu1.ipa.example.com \
    --mkhomedir --enable-dns-updates

18) While the script prompts for NSS/PAM changes for the first time,
start SSSD and make sure "getent passwd admin" works.

19) When the script prompts for NSS/PAM changes for the second time,
just hit enter; see

https://bugzilla.redhat.com/show_bug.cgi?id=737048

20) Due to

https://fedorahosted.org/freeipa/ticket/1851

there might be dbus service related errors; those can be ignored.

21) Verify from the IPA master that the Ubuntu client has been
successfully enrolled and log in as a user managed in IPA!


So, with those "few" "simple" steps Ubuntu Oneiric can be enrolled in an
IPA domain. As mentioned, all this is far from being ready for
production, but hopefully this shows what needs to be done next to
make the FreeIPA client usable on Ubuntu.

Cheers,

-- 
Marko Myllynen
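The manual steps above (2, 13, 14 and the libcurl downgrade in 16) are easy to get half-done and leave the client in a state where enrollment fails or a vulnerable library stays in use. The following added example script, not part of the original post or of FreeIPA, checks each of them; the paths default to the ones used in the steps, the hostnames and the "--live" flag are assumptions.

```shell
#!/bin/sh
# Post-enrollment sanity checks for the Oneiric IPA client steps above.
# Added example, not part of the original post. Each check takes the file
# or directory to inspect as a parameter so it can run against copies of
# the configuration; run_checks with an empty root prefix inspects the live system.

# Step 14: client and master must both resolve via /etc/hosts.
# $1 = hosts file, $2 = FQDN. Inline comments are stripped before matching.
hosts_has_entry() {
    awk -v h="$2" '{ sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                   END { exit !found }' "$1"
}

# Step 13: update-ca-certificates only installs certificates listed in
# /etc/ca-certificates.conf. $1 = conf file, $2 = certificate file name.
ca_cert_registered() {
    grep -qxF "$2" "$1"
}

# Step 2: libnss-sss only takes effect with "sss" on both the passwd and
# group lines of nsswitch.conf. $1 = nsswitch.conf.
nss_uses_sss() {
    awk '$1 == "passwd:" || $1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "sss") seen[$1] = 1 }
         END { exit !(("passwd:" in seen) && ("group:" in seen)) }' "$1"
}

# Step 16: the downgraded libcurl is affected by CVE-2011-2192. True (0)
# while the live library is still byte-identical to the saved ".test" copy.
# $1 = directory holding libcurl.so.4.2.0 and libcurl.so.4.2.0.test.
libcurl_downgraded() {
    [ -f "$1/libcurl.so.4.2.0.test" ] &&
        cmp -s "$1/libcurl.so.4.2.0" "$1/libcurl.so.4.2.0.test"
}

# $1 = root prefix ("" for the live system), $2 = client FQDN, $3 = IPA
# master FQDN. Prints one line per problem; returns the number of failures.
run_checks() {
    root=$1; client=$2; master=$3; fails=0
    hosts_has_entry "$root/etc/hosts" "$client" || { echo "FAIL: $client not in /etc/hosts"; fails=$((fails + 1)); }
    hosts_has_entry "$root/etc/hosts" "$master" || { echo "FAIL: $master not in /etc/hosts"; fails=$((fails + 1)); }
    ca_cert_registered "$root/etc/ca-certificates.conf" ipa-ca.crt || { echo "FAIL: ipa-ca.crt not in ca-certificates.conf"; fails=$((fails + 1)); }
    nss_uses_sss "$root/etc/nsswitch.conf" || { echo "FAIL: sss missing from nsswitch.conf"; fails=$((fails + 1)); }
    libcurl_downgraded "$root/usr/lib/x86_64-linux-gnu" && echo "WARN: downgraded libcurl (CVE-2011-2192) still in use"
    return "$fails"
}

# Inspect the live system only when asked (assumed flag): sh ipa-client-checks.sh --live
if [ "${1:-}" = "--live" ]; then
    run_checks "" "$(hostname -f)" master.ipa.example.com
fi
```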
