Package Base Details: freeipa

Git Clone URL: (read-only)
Keywords: freeipa identity management policy trusts
Submitter: chenxiaolong
Maintainer: None
Last Packager: lonaowna
Votes: 11
Popularity: 0.007768
First Submitted: 2012-11-15 23:50
Last Updated: 2018-05-01 12:27

Latest Comments

beermann commented on 2018-01-03 23:24

When trying to install on Antergos I get the following error. Is there any way to fix this?

checking supported IPA platform... configure: error: IPA platform antergos is not supported

thanos commented on 2017-03-10 19:57

Rebuilding python2-gssapi fixed the problem.

grubber commented on 2017-03-10 17:54

@thanos, it is indeed odd. What happens when you run "python2 -c 'import gssapi'"?

thanos commented on 2017-03-10 15:22

Package refuses to build and it fails on make. Can't find gssapi module, which is odd, as it's installed and satisfied by the dependencies.

seberm commented on 2016-12-19 11:50

Please add missing build dependency - dbus-glib package must be installed.


Lompik commented on 2016-09-03 13:38

I tested version 4.4. Overall it seems to work. Thanks for bundling this.

There is still an issue with the domainname service, which doesn't exist on Arch. The error is "Command '/bin/systemctl restart domainname.service' returned non-zero exit status 5". That will fail the ipa-client-install script, but most things seem functional after that.

Also, the python-ipalib and python-ipaclient dependencies aren't discovered automatically by yaourt when building, but I guess this is not your problem.

grubber commented on 2016-06-28 05:24

Lompik, thanks for the report. My plan is to update the package to 4.4 once it's released (should be this week), as there are multiple portability improvements.

Lompik commented on 2016-06-07 14:13

I had two fatal errors testing the WIP ipa-client-install(4.2.3):

- Arch does not have a systemd domainname service (see for Fedora's one):
> subprocess.CalledProcessError: Command ''/bin/systemctl' 'restart' 'domainname.service'' returned non-zero exit status

- issue with sshd service definition (get_config_dir() returns none instead of '/etc/sshd'):

> File "/usr/bin/ipa-client-install", line 1202, in configure_sssd_conf
> ssh_dir = services.knownservices.sshd.get_config_dir()

My fix was to replace archlinux_service_class_factory:

#def archlinux_service_class_factory(name):
#    return ArchLinuxService(name)
from ipaplatform.redhat import services as redhat_services

# Delegate to the Red Hat service factory instead of ArchLinuxService
def archlinux_service_class_factory(name):
    return redhat_services.redhat_service_class_factory(name)

revellion commented on 2016-05-26 13:40

I'll give it a test and see if it works and report back.

grubber commented on 2016-05-19 17:39

I was waiting on some more reviews of the WIP package below before pushing it, but there weren't any. Does the WIP package work for you?

revellion commented on 2016-05-16 14:25

Any update on this package? Or is it orphaned?

grubber commented on 2016-01-06 19:38

Hi qrkourier, thanks for testing, could you please upload /var/log/ipaclient-install.log for me somewhere?

Anyway, I have updated the source package at:

qrkourier commented on 2016-01-05 23:44

After installing package groups "base" and "base-devel" and packages "openssh" and "subversion" I was able to satisfy the dependencies of AUR package "freeipa" by building and installing additional AUR packages "python2-kerberos", "python2-krbv", "python2-nss", "certmonger", "oddjob", and "pam-krb5" in Antergos Linux release 2015.12 (ISO-Rolling).

Still, while executing "$ ipa-client-install" I encountered an error that resulted in automatic rollback of the client's changes:

$ sudo ipa-client-install
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
messagebus failed to start: Command '/usr/bin/systemctl start messagebus.service' returned non-zero exit status 6
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

# I rebooted at this point in case changing the local hostname to an FQDN matching the realm name had somehow hosed the system

$ sudo ipa-client-install --uninstall
messagebus failed to start: Command '/usr/bin/systemctl start messagebus.service' returned non-zero exit status 6
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Key table entry not found.

Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM' returned non-zero exit status 5
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

# It's not clear how to unfuzz this situation.

grubber commented on 2015-12-22 09:16

Hi Dimitrije, thanks for testing!

Yes, there are indeed some AUR-only dependencies. The only dependency that is not available in the required minimal version in AUR is certmonger though. I have already notified the maintainer to update the package some time ago.

dimitrije commented on 2015-12-16 00:17

Hi all,

I tried Grubber's WIP and managed to install it. There were 5 dependencies that had to be installed via yaourt, as pacman didn't find them in the repos.
Also, the dependencies that needed to be installed via yaourt required changes to BUILD files due to newer versions being needed; download URLs needed to be fixed and hashes changed accordingly, and they had dependencies of their own to tackle. In the end, all dependencies installed, and the latest version of FreeIPA installed.

Sorry for not giving more details, it's 2AM, and I didn't keep track of what packages needed changes, but the install process takes you through and is clear about what packages/BUILD files need to be installed/reconfigured.

When I get the time to configure IPA and test, will send more comments.


grubber commented on 2015-12-11 23:08

Here's a WIP to try:

fjim commented on 2015-12-02 08:23

@grubber 4.2 has been out for a while, is there any ETA? I was planning on having FreeIPA on Arch, but if there's no PKGBUILD in sight I'd have a look on creating one, or otherwise host a VM instead.

grubber commented on 2015-06-17 19:13

Well, I didn't do much maintaining so far, I was rather busy working on upstream. Once 4.2 is out (should be in a few days), I will look into porting it to Arch.

gehzumteufel commented on 2015-06-16 04:08

@grubber any idea if you're going to continue maintaining it?

senorsmile commented on 2015-01-30 00:33

@grubber: Great. Looking forward to some freeipa action in arch!

chenxiaolong commented on 2015-01-29 21:18

grubber: Absolutely! Feel free to use whatever you think might help.

grubber commented on 2015-01-29 21:03

I'm adopting the package. I'm upstream FreeIPA developer (

chenxiaolong, can I use your work as a base for upstream Arch support?

chenxiaolong commented on 2015-01-02 06:14

I've disowned this package. I'm finding I don't quite have the experience to package this and keep it working well.

I won't upload it to the AUR (because it needs python-yubico, which isn't packaged yet), but anyone is free to use my FreeIPA 4.1.2 packaging as a base:

fjim commented on 2014-10-09 09:56

FreeIPA is already 4.0.3, might be better supported now?

chenxiaolong commented on 2014-03-06 00:59

@t.ask: I spent a bit of time working to port FreeIPA to Arch and the IPA client mostly works (although I haven't had the time to properly test the past few versions). The FreeIPA server is not supported at the moment.

You can set up the client just as you would in Fedora: Arch doesn't have any nice tools to manage the /etc/pam.d/* and /etc/nsswitch.conf configuration files though, so you'll need to run this command to make the necessary changes:

$ sudo sss-auth-setup --enable-nss --enable-pam

t-ask commented on 2014-03-05 20:29

I'm a bit confused that we have an AUR package for FreeIPA, even though Arch isn't officially supported by FreeIPA. Can I just install it and it guides me through all the setup instructions to configure all FreeIPA services locally without installing the corresponding Arch packages manually?

chenxiaolong commented on 2013-05-13 05:15

New release:

**IMPORTANT**: Run "sudo sss-auth-setup --disable-nss --disable-pam" before updating!

This new release contains a rewritten sss-auth-setup. It is now safe to run it with "--enable-pam" or "--disable-pam" multiple times.

Whenever a new package that uses PAM is installed or updated (anything that requires a login), just run "sudo sss-auth-setup --enable-pam". No need to disable first :)

chenxiaolong commented on 2013-05-12 21:15

More important information:

It's a *good* idea to run "sss-auth-setup --disable-pam" before "pacman -Syu" just in case something in /etc/pam.d/ is added or updated. After the updates, run "sss-auth-setup --enable-pam" again.

I hope to have this fixed for the next release.

chenxiaolong commented on 2013-05-12 21:09

Updated to version 3.2.0. There are a huge amount of changes for this release:

Installation is still the same as before:

1. Install freeipa
2. sudo sss-auth-setup --enable-nss --enable-pam
3. sudo ipa-client-install ...

Note: freeipa on Arch Linux is still untested :P

chenxiaolong commented on 2013-05-12 15:50

Hi Gwmngilfen:

My finals for school just finished two days ago, so I should have a lot more time to work on FreeIPA now. I'm guessing the dependencies are really outdated since I last updated the package. I'll fix all of those first :P

Gwmngilfen commented on 2013-05-12 12:53

Hi chenxiaolong,

Just a heads-up - FreeIPA 3.2 is out, and presently your 3.1 package doesn't build. Some of the dependencies are now "python2-pylint" and "samba" but even then the patches don't seem to apply to the source properly. Log here:

I might see if I can fix it if I get time, but I'm not familiar with the IPA codebase (only just installed freeipa server on a spare fedora box :P)

psi.neamf commented on 2013-01-09 14:29

Hi chenxiaolong,

I've found that for GSSAPI for SSH you need to change these to 'yes':

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

in either /etc/ssh/ssh_config or ~/.ssh/config
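
Added example, not part of the comment above or of the package: GSSAPIDelegateCredentials forwards the Kerberos credentials to the server, and ssh_config applies the first value it obtains, so this check reports which value reaches hosts that no specific Host block matches. The sample config and the host pattern *.ipa.example.com are constructed; Include files and negated patterns are not handled.

```shell
#!/bin/sh
# Print the value ssh would apply to hosts that no specific Host block
# matches: the first occurrence of OPTION in a global scope (before any Host
# line, under a Host line listing a bare "*", or under "Match all").
# Assumptions: no Include handling, negated patterns ignored, other Match
# blocks are treated as non-global.
first_global_value() {   # usage: first_global_value OPTION FILE
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        BEGIN { global = 1 }                    # top of file applies to all
        /^[ \t]*#/ { next }                     # comment
        NF == 0    { next }                     # blank line
        { gsub(/=/, " "); key = tolower($1) }   # accept "Key=value" too
        key == "host" {
            global = 0
            for (i = 2; i <= NF; i++) if ($i == "*") global = 1
            next
        }
        key == "match" { global = (tolower($2) == "all"); next }
        global && key == want { print tolower($2); exit }
    ' "$2"
}

# Constructed sample: delegation limited to one hypothetical realm.
sample_scoped() {
    cat <<'EOF'
Host *.ipa.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIDelegateCredentials no
EOF
}

tmp=$(mktemp)
sample_scoped > "$tmp"
for opt in GSSAPIAuthentication GSSAPIDelegateCredentials; do
    val=$(first_global_value "$opt" "$tmp")
    printf '%s for all other hosts: %s\n' "$opt" "${val:-unset}"
done
rm -f "$tmp"
```

Run it against /etc/ssh/ssh_config and ~/.ssh/config separately; ssh reads the user file first.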

chenxiaolong commented on 2012-12-28 17:05

@demaio (who flagged this package out of date): It may take me a little while (probably after New Year) to update this package. I have yet to upgrade my server to 3.1.0 and I still need to work out a few issues, such as making pam_mkhomedir or oddjob-mkhomedir work :)

chenxiaolong commented on 2012-12-01 21:04

@senorsmile: FreeIPA (the client) is partially working now. I would say it's usable :) Right now, I'm working on the PAM configuration files. There are some issues with the way it works. For example, if you press Control+C when you type the password to sudo, it will say that you typed the password incorrectly 3 times.

Other than that, the only issue I know of is that GSSAPI (single sign on) does not work with ssh. I think that it's a problem with Arch's packages.

I haven't written anything about using FreeIPA with Arch, so here's a basic rundown:

Basically, you'll need to install this freeipa package and run "sudo sss-auth-setup --enable-nss --enable-pam". That will modify /etc/nsswitch.conf and /etc/pam.d/* for freeipa. If pacman ever does anything in /etc/pam.d/, such as updating something or installing a new login manager, you'll need to run:

sudo sss-auth-setup --disable-pam
sudo sss-auth-setup --enable-pam

That's all for the Arch-specific FreeIPA changes. Afterwards, just run the usual "ipa-client-install" commands.

I hope that answered your questions :)

senorsmile commented on 2012-12-01 19:07

How is the freeipa package running on Arch? Is it very stable? At least usable?