Package Details: freeipa-client 4.12.2-1

Git Clone URL: https://aur.archlinux.org/freeipa.git (read-only, click to copy)
Package Base: freeipa
Description: IPA authentication for use on clients
Upstream URL: http://www.freeipa.org/
Keywords: freeipa identity management policy trusts
Licenses: GPL3
Submitter: chenxiaolong
Maintainer: patlefort
Last Packager: patlefort
Votes: 24
Popularity: 0.41
First Submitted: 2012-11-15 23:50 (UTC)
Last Updated: 2024-09-02 18:01 (UTC)

Pinned Comments

patlefort commented on 2024-07-23 11:37 (UTC)

Keys are in keys/pgp of this package.

Latest Comments

« First ‹ Previous 1 2 3 4 5 6 7 8 9 Next › Last »

backerman commented on 2021-03-21 04:06 (UTC)

Dropping maintainer since I’ve had zero time to fix this lately.

patlefort commented on 2021-03-21 03:51 (UTC) (edited on 2021-03-21 03:54 (UTC) by patlefort)

I've created a package for authselect. I tested it on my machine and so far it's working, but before using you should backup your /etc/pam.d and /etc/nsswitch.conf.

As for certificates, I made /etc/pki/ca-trust/source a link to /etc/ca-certificates/trust-source/anchors.

I solved my problem on Fedora: it seems that pam_sss doesn't like when you authenticate with a user when it's also a local user, I could login but not get a kerberos ticket, but on my arch it's not a problem.

I think a comment with extra information on things that the package can't do should be pinned.

patlefort commented on 2021-03-20 09:10 (UTC) (edited on 2021-03-20 09:14 (UTC) by patlefort)

I managed to make it work. In addition to steps mentioned below, I had to remove the python-nss dependency from PKGBUILD which btw is currently broken, create a /etc/sysconfig and a /etc/pki directory, create a dummy nis-domainname.service with the following content:

[Unit]
Description=Dummy service

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=true

[Install]
WantedBy=multi-user.target

Then I had to copy /usr/share/ipa into my Arch machine from another Fedora installation with freeipa-client installed. Funnily, it works on my Arch machine but not on Fedora which is getting a strange problem I can't explain. The only thing not working is the certificate, which is imported into /etc/pki and not read by arch.

fishbone222 commented on 2020-12-11 12:45 (UTC) (edited on 2020-12-11 12:49 (UTC) by fishbone222)

ipa-client-install fails after the update:

$ /usr/bin/ipa-client-install 
    Traceback (most recent call last):
    File /usr/bin/ipa-client-install, line 22, in <module>
    from ipaclient.install import ipa_client_install
    ModuleNotFoundError: No module named 'ipaclient.install'

asbhad2c commented on 2020-09-15 09:53 (UTC)

to get past the issues reported by yougotborked, I had to:

1) install unlisted build dependencies:

ding-libs, openldap, python-jinja, python-pyasn1-modules, xmlrpc-c

2) install unlisted dependencies from AUR:

python-gssapi, python-nss, python-yubico, yp-tool, certmonger, oddjob, python-ipaclient, python-ipalib

3) fix around things arch does not have (but Fedora/CentOS do)

$ mkdir /etc/krb5.conf.d
$ ln -sf /usr/bin/true  /usr/bin/authselect
$ mkdir /etc/authselect
$ cp /etc/nsswitch.conf /etc/authselect/user-nsswitch.conf

$ cat /etc/krb5.conf.d/freeipa
[libdefaults]
    spake_preauth_groups = edwards25519

Its about the presence of these files and dirs.

After that freeipa-client did build and a join using ipa-client-install ... succeeded.

To get users visible (ie with id) I then had to:

4) manually setup nsswitch.conf by adding to the top:

passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss

To get users authenticated I had to:

5) manually setup PAM as described here https://wiki.archlinux.org/index.php/LDAP_authentication#PAM_Configuration_2

the last two are apparently necessary cause arch has no authconfig.

crazzyfool commented on 2020-08-24 18:01 (UTC)

Same issue as yougotborked :-(

yougotborked commented on 2020-07-23 03:56 (UTC) (edited on 2020-07-23 03:59 (UTC) by yougotborked)

the package is missing a chrony dependancy, ipa-client-install fails setting up ntp without it

Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
CalledProcessError(Command ['/bin/systemctl', 'restart', 'chronyd.service'] returned non-zero exit status 5: 'Failed to restart chronyd.service: Unit chronyd.service not found.\n')
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

next ipa-client-install is missing access to some template files

Could not remove /tmp/tmpp8azpdku.ipabkp
[Errno 2] No such file or directory: '/usr/share/ipa/client/freeipa.template'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

Next, when trying to uninstall with ipa-client-install --uninstall we get another missing dependency "authselect"

[awing /]# ipa-client-install --uninstall
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration: [Errno 2] No such file or directory: '/usr/bin/authselect'
The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information

hadogenes commented on 2020-06-22 09:52 (UTC) (edited on 2020-06-22 10:57 (UTC) by hadogenes)

Could you add --with-ipaplatform=arch to ./configure to allow building on manjaro