Devuan join freeipa domain
FreeIPA is a great identity management domain for GNU/Linux systems. This post explains how to join a Devuan installation to a FreeIPA domain as a client, so that you can use centralized users, sudo policies, certificates, and everything else that FreeIPA manages.
Prerequisites
Running Devuan Ceres
You must be running Devuan ceres (unstable) to make the freeipa packages available. To get there, you need these exact apt sources:
deb http://packages.devuan.org/merged ceres main contrib non-free
deb-src http://packages.devuan.org/merged ceres main contrib non-free
To use the packages from these repos, you should do the normal update, upgrade, and dist-upgrade. Here is my full command for an unattended upgrade.
mkdir -p ~/log ; sudo apt-get update ;
_myact() {
sudo DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" upgrade ;
sudo DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" dist-upgrade ;
} ;
time _myact 2>&1 | tee -a ~/log/apt-get.upgrade.$( date "+%F" ).log
After a reboot, you are ready for the next steps.
Building custom oddjob-mkhomedir
You need a custom package, because the oddjob package is banned in Devuan (it depends on systemd). I built a dummy package, which you can install from my OBS account. I will briefly describe the build process so you can do this in your environment. My build resources are in version control on my gitlab in two directories.
- Build a dummy source tarball
mkdir -p ~/deb/oddjob-mkhomedir-0.0.1/ ; cd ~/deb/oddjob-mkhomedir-0.0.1 ; echo "Dummy package" >> README-oddjob-mkhomedir.md
- Build a debian/ directory
debmake
I modified the debian control files to make it an all-architecture deb so I didn't have to recompile for i686 and x86_64, but for a one-off package for yourself, don't bother.
- Compile the package
debuild -us -uc
In the parent directory, which in my example is ~/deb, there should be the oddjob-mkhomedir_0.0.1-1_amd64.deb. Loading it into an apt repository is beyond the scope of this conversation.
- Install the package
sudo apt-get install ~/deb/oddjob-mkhomedir_0.0.1-1_amd64.deb
Because of this fake mkhomedir package, we will have to take extra steps to enable the mkhomedir behavior further on.
Building custom python3-ipalib
Devuan bans python-ipalib because it depends on systemd. You can get around this by trimming the Depends: field in the package's control file. Download the released .deb from http://ftp.us.debian.org/debian/pool/main/f/freeipa/python-ipalib_4.7.1-3_all.deb or whichever the latest is.
cd ~/Downloads
wget http://ftp.us.debian.org/debian/pool/main/f/freeipa/python-ipalib_4.7.1-3_all.deb
mkdir temp
dpkg-deb -R python-ipalib_4.7.1-3_all.deb temp
Manually fix the DEBIAN/control file as needed. I used:
#Depends: freeipa-common (= 4.7.1-3), gnupg2, gnupg-agent, keyutils, python-cffi, python-cryptography (>= 1.6), python-dbus, python-dnspython, python-gssapi, python-jwcrypto, python-ldap, python-libipa-hbac, python-lxml, python-netaddr, python-netifaces (>= 0.10.4), python-nss (>= 0.16.0), python-pyasn1, python-qrcode (>= 5.0.0), python-requests, python-setuptools, python-six, python-usb (>= 1.0.0~b2), python-yubico, python-pyasn1-modules, python:any (<< 2.8), python:any (>= 2.7~)
Depends: python-netaddr, python-netifaces (>= 0.10.4), python-dbus
I also customized the release number. Reassemble the dpkg.
dpkg-deb -b temp python-ipalib_4.7.1-3+stackrpms_all.deb
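The same control-file edit scripted, as an added example that is not part of the original post: parse a DEBIAN/control stanza (including continuation lines), keep only the Depends: entries whose package name is in a chosen set, and tag the Version: with a suffix the way the post does with +stackrpms. The control text below is constructed, not the real file from the package.

```python
from typing import List, Set

# Constructed DEBIAN/control stanza, trimmed to a few fields; not the real
# file extracted from python-ipalib_4.7.1-3_all.deb.
SAMPLE_CONTROL = """Package: python-ipalib
Version: 4.7.1-3
Architecture: all
Depends: freeipa-common (= 4.7.1-3), gnupg2, python-dbus,
 python-netaddr, python-netifaces (>= 0.10.4), python:any (>= 2.7~)
Description: FreeIPA centralized identity framework -- shared Python modules
 This package contains Python modules.
"""


def parse_control(text: str) -> List[List[str]]:
    """Split a deb822 stanza into [name, value] pairs; continuation lines
    (leading whitespace) are folded into the previous field's value."""
    fields: List[List[str]] = []
    for line in text.splitlines():
        if line[:1].isspace() and fields:
            fields[-1][1] += "\n" + line
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append([name, value.strip()])
    return fields


def trim_depends(text: str, keep: Set[str], version_suffix: str) -> str:
    """Rewrite the stanza so Depends: lists only packages named in `keep`
    (version constraints kept, order preserved) and Version: gets a suffix,
    so the rebuilt deb is distinguishable from the distro's own revision."""
    out: List[str] = []
    for name, value in parse_control(text):
        if name == "Depends":
            entries = [e.strip() for e in value.replace("\n", " ").split(",") if e.strip()]
            # package name is the first token, minus any ":any"/":arch" qualifier
            kept = [e for e in entries if e.split()[0].split(":")[0] in keep]
            if kept:
                out.append("Depends: " + ", ".join(kept))
        elif name == "Version":
            out.append(f"Version: {value}{version_suffix}")
        else:
            out.append(f"{name}: {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(trim_depends(SAMPLE_CONTROL,
                       {"python-netaddr", "python-netifaces", "python-dbus"},
                       "+stackrpms"))
```

Write the result back over temp/DEBIAN/control before running dpkg-deb -b.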
Install packages and files
Install the client software.
sudo apt-get -y install freeipa-client
You will need dummy files for systemctl and for hostnamectl, because some components of freeipa are hardcoded to call them. Note that these stubs always exit 0, so any freeipa code that checks the exit status of systemctl will see success even though nothing was actually started or enabled; keep that in mind if a service does not seem to come up. Maybe we should recompile the freeipa package for Devuan instead of just using the debian one. But that sounds way beyond my capacity. So let's just keep hacking.
tf=/bin/systemctl
sudo touch "${tf}" ; sudo chmod 0755 "${tf}"
sudo tee "${tf}" >/dev/null <<EOF
#!/bin/sh
true
EOF
tf=/usr/bin/hostnamectl
sudo touch "${tf}" ; sudo chmod 0755 "${tf}"
sudo tee "${tf}" >/dev/null <<EOF
#!/bin/sh
true
EOF
Configure freeipa client
Now we are ready to do the main work! I found that I had to disable ntp so the script could do its thing, which recently has been installing chronyd. I guess I don't care; I just don't want drift. I picked my battles, and NTP clients are not the battle I will fight today.
sudo service ntp stop
The script does not make a few important directories, so just make these yourself, and then run the install script.
sudo mkdir -p /etc/ipa /var/lib/ipa-client/pki
sudo ipa-client-install --hostname="$( hostname --fqdn )" --mkhomedir --configure-firefox
Of course if you don't want those options, remove them. I think the configure-firefox step is broken anyway. I forget what it's supposed to do; maybe load the ipa CA cert into the nss database. I found that I always have to restart sssd after my initial client configuration. It's a small price to pay for domain user resolution, so just do it. In this case, actually stop it and then start it.
sudo service sssd stop ; sudo service sssd start
That should be the bare minimum to get freeipa domain user auth working.
Followup and extra goodies
For the quality-of-life improvements, you need a few extra steps.
Add mkhomedir
Now is the time to add pam_mkhomedir to the pam stack.
# add pam_mkhomedir
tf=/etc/pam.d/common-session
if ! grep -q 'mkhomedir' "${tf}" ; then
   # line number of the first "session optional" entry
   thisline="$( grep -nE 'session\s+optional' "${tf}" | head -n1 | awk -F':' '{print $1}' )"
   # print the new entry just before that line, then the rest of the file unchanged
   awk -v thisline="$thisline" 'NR == thisline {print "session optional pam_mkhomedir.so"} {print}' "${tf}" > "${tf}.2"
   test -f "${tf}.2" && mv "${tf}.2" "${tf}"
fi
This snippet checks for the existence of the string "mkhomedir" in the common-session file and then adds the pam_mkhomedir.so lib to the pam session stack if it was absent. It sticks it at the beginning of the "session optional" section, because the order of pam statements is important. So if you have heavily customized your pam configuration, you need to be careful: if there is no "session optional" line at all, nothing is inserted, and it writes into /etc/pam.d, so it must run as root. This works with a bog-standard pam config straight from the ISO. If you want to stick it in there yourself, you need this line:
session optional pam_mkhomedir.so
Kerberos trust dns
If you want to just use short hostnames to access other systems, you need to tell kerberos to trust dns. If you have the bgscripts package installed, you can use the updateval command in a one-liner.
sudo updateval -a /etc/krb5.conf -s '[libdefaults]' '^(\s*dns_canonicalize_hostname\s*=\s*).*' ' dns_canonicalize_hostname = true'
Basically, in /etc/krb5.conf change dns_canonicalize_hostname to true.
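For systems without bgscripts, here is the same edit as an added example of my own, not the post's updateval command: a Python function that sets dns_canonicalize_hostname = true in [libdefaults] of a krb5.conf, replacing an existing value in place, appending the key if the section lacks it, or creating the section if it is missing, without touching a same-named key in another section. The sample config is constructed.

```python
import re

# Constructed sample krb5.conf; not a file from the original post.
SAMPLE_KRB5_CONF = """# constructed sample
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true
  dns_canonicalize_hostname = false

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com
  }
"""

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")


def set_krb5_option(conf: str, key: str, value: str, section: str = "libdefaults") -> str:
    """Return conf with `key = value` set in [section], idempotently: rewrite an
    existing key in place, else append to the section, else create the section.
    Same-named keys in other sections are never touched."""
    lines = conf.splitlines()
    key_re = re.compile(r"^(\s*)" + re.escape(key) + r"\s*=")
    current = None
    start = end = None          # index of the target header / of the next header
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line)
        if m:
            if current == section and end is None:
                end = i
            current = m.group(1)
            if current == section:
                start = i
            continue
        k = key_re.match(line) if current == section else None
        if k:                   # replace the value, keep the indentation
            lines[i] = f"{k.group(1)}{key} = {value}"
            return "\n".join(lines) + "\n"
    if start is None:           # no [section] at all: create it at the end
        lines += ["", f"[{section}]", f"    {key} = {value}"]
        return "\n".join(lines) + "\n"
    at = end if end is not None else len(lines)
    while at > start + 1 and not lines[at - 1].strip():   # step back over blank separators
        at -= 1
    indent = re.match(r"\s*", lines[at - 1]).group(0) if at > start + 1 else "    "
    lines.insert(at, f"{indent}{key} = {value}")
    return "\n".join(lines) + "\n"
```

Read /etc/krb5.conf, pass it through set_krb5_option(text, "dns_canonicalize_hostname", "true"), and write the result back as root.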
Troubleshooting
If the install fails for any reason, before you reinstall it, you have to run ipa-client-install --uninstall. And in order for that second command to succeed, you probably have to run "certmonger" first. I don't really know why running that allows it to uninstall, but just take it under advisement.
References
Original research