Dropping maintainer since I’ve had zero time to fix this lately.
Search Criteria
Package Details: freeipa-client 4.12.2-1
Package Actions
Git Clone URL: | https://aur.archlinux.org/freeipa.git (read-only, click to copy) |
---|---|
Package Base: | freeipa |
Description: | IPA authentication for use on clients |
Upstream URL: | http://www.freeipa.org/ |
Keywords: | freeipa identity management policy trusts |
Licenses: | GPL3 |
Submitter: | chenxiaolong |
Maintainer: | patlefort |
Last Packager: | patlefort |
Votes: | 24 |
Popularity: | 0.41 |
First Submitted: | 2012-11-15 23:50 (UTC) |
Last Updated: | 2024-09-02 18:01 (UTC) |
Dependencies (37)
- authselectAUR
- autofsAUR
- bind-tools (bind-gitAUR, bind)
- certmongerAUR
- chrony
- curl (curl-quiche-gitAUR, curl-http3-ngtcp2AUR, curl-gitAUR, curl-c-aresAUR)
- cyrus-sasl-gssapi
- freeipa-client-commonAUR
- freeipa-commonAUR
- krb5 (krb5-gitAUR)
- libxmlrpc
- nfs-utils
- nfsidmap
- nss (nss-hgAUR)
- ntp (ntpsec-gitAUR, ntpsecAUR)
- oddjob-selinuxAUR
- python-augeas
- python-gssapi
- python-ipaclientAUR
- sssd (sssd-gitAUR, sssd-nosmbAUR)
- Show 17 more dependencies...
Required by (0)
Sources (4)
backerman commented on 2021-03-21 04:06 (UTC)
patlefort commented on 2021-03-21 03:51 (UTC) (edited on 2021-03-21 03:54 (UTC) by patlefort)
I've created a package for authselect. I tested it on my machine and so far it's working, but before using you should backup your /etc/pam.d
and /etc/nsswitch.conf
.
As for certificates, I made /etc/pki/ca-trust/source
a link to /etc/ca-certificates/trust-source/anchors
.
I solved my problem on Fedora: it seems that pam_sss doesn't like when you authenticate with a user when it's also a local user, I could login but not get a kerberos ticket, but on my arch it's not a problem.
I think a comment with extra information on things that the package can't do should be pinned.
patlefort commented on 2021-03-20 09:10 (UTC) (edited on 2021-03-20 09:14 (UTC) by patlefort)
I managed to make it work. In addition to steps mentioned below, I had to remove the python-nss
dependency from PKGBUILD which btw is currently broken, create a /etc/sysconfig
and a /etc/pki
directory, create a dummy nis-domainname.service with the following content:
[Unit]
Description=Dummy service
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=true
[Install]
WantedBy=multi-user.target
Then I had to copy /usr/share/ipa
into my Arch machine from another Fedora installation with freeipa-client installed. Funnily, it works on my Arch machine but not on Fedora which is getting a strange problem I can't explain. The only thing not working is the certificate, which is imported into /etc/pki
and not read by arch.
fishbone222 commented on 2020-12-11 12:45 (UTC) (edited on 2020-12-11 12:49 (UTC) by fishbone222)
ipa-client-install fails after the update:
$ /usr/bin/ipa-client-install
Traceback (most recent call last):
File /usr/bin/ipa-client-install, line 22, in <module>
from ipaclient.install import ipa_client_install
ModuleNotFoundError: No module named 'ipaclient.install'
asbhad2c commented on 2020-09-15 09:53 (UTC)
to get past the issues reported by yougotborked, I had to:
1) install unlisted build dependencies:
ding-libs, openldap, python-jinja, python-pyasn1-modules, xmlrpc-c
2) install unlisted dependencies from AUR:
python-gssapi, python-nss, python-yubico, yp-tool, certmonger, oddjob, python-ipaclient, python-ipalib
3) fix around things arch does not have (but Fedora/CentOS do)
$ mkdir /etc/krb5.conf.d
$ ln -sf /usr/bin/true /usr/bin/authselect
$ mkdir /etc/authselect
$ cp /etc/nsswitch.conf /etc/authselect/user-nsswitch.conf
$ cat /etc/krb5.conf.d/freeipa
[libdefaults]
spake_preauth_groups = edwards25519
Its about the presence of these files and dirs.
After that freeipa-client did build and a join using ipa-client-install
... succeeded.
To get users visible (ie with id
) I then had to:
4) manually setup nsswitch.conf
by adding to the top:
passwd: sss files systemd
shadow: files sss
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
sudoers: files sss
To get users authenticated I had to:
5) manually setup PAM as described here https://wiki.archlinux.org/index.php/LDAP_authentication#PAM_Configuration_2
the last two are apparently necessary cause arch has no authconfig.
crazzyfool commented on 2020-08-24 18:01 (UTC)
Same issue as yougotborked :-(
yougotborked commented on 2020-07-23 03:56 (UTC) (edited on 2020-07-23 03:59 (UTC) by yougotborked)
the package is missing a chrony dependancy, ipa-client-install fails setting up ntp without it
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
CalledProcessError(Command ['/bin/systemctl', 'restart', 'chronyd.service'] returned non-zero exit status 5: 'Failed to restart chronyd.service: Unit chronyd.service not found.\n')
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
next ipa-client-install is missing access to some template files
Could not remove /tmp/tmpp8azpdku.ipabkp
[Errno 2] No such file or directory: '/usr/share/ipa/client/freeipa.template'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Next, when trying to uninstall with ipa-client-install --uninstall we get another missing dependency "authselect"
[awing /]# ipa-client-install --uninstall
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration: [Errno 2] No such file or directory: '/usr/bin/authselect'
The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information
hadogenes commented on 2020-06-22 09:52 (UTC) (edited on 2020-06-22 10:57 (UTC) by hadogenes)
Could you add --with-ipaplatform=arch to ./configure to allow building on manjaro
Pinned Comments
patlefort commented on 2024-07-23 11:37 (UTC)
Keys are in
keys/pgp
of this package.