Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Devuan join freeipa domain

FreeIPA is a great identity management domain for GNU/Linux systems. This post explains how to join a Devuan installation to a FreeIPA domain as a client, so that you can use centralized users, sudo policies, certificates, and everything else that FreeIPA manages.

Prerequisites

Running Devuan Ceres

You must be running Devuan ceres (unstable) for the freeipa packages to be available. To get there, you need these exact apt sources:

deb http://packages.devuan.org/merged ceres main contrib non-free
deb-src http://packages.devuan.org/merged ceres main contrib non-free

To use the packages from these repos, do the normal update, upgrade, and dist-upgrade. Here is my full command for an unattended upgrade.

mkdir -p ~/log ; sudo apt-get update ;
_myact() {
   sudo DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" upgrade ;
   sudo DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" dist-upgrade ;
} ;
time _myact 2>&1 | tee -a ~/log/apt-get.upgrade.$( date "+%F" ).log

After a reboot, you are ready for the next steps.

Building custom oddjob-mkhomedir

You need a custom package, because the oddjob package is banned in Devuan (because of its systemd dependencies). I built a dummy package, which you can install from my OBS account. I will briefly describe the build process so you can do this in your environment. My build resources are in version control on my gitlab in two directories.

  1. Build a dummy source tarball

    mkdir -p ~/deb/oddjob-mkhomedir-0.0.1/ ; cd ~/deb/oddjob-mkhomedir-0.0.1 ; echo "Dummy package" >> README-oddjob-mkhomedir.md
    
  2. Build a debian/ directory

    debmake
    

I modified the debian control files to make it an all-architecture deb so I didn't have to recompile for i686 and x86_64, but for a one-off package for yourself, don't bother.

  3. Compile the package

    debuild -us -uc
    

In the parent directory, which in my example is ~/deb, there should now be an oddjob-mkhomedir_0.0.1-1_amd64.deb. Loading it into an apt repository is beyond the scope of this conversation.

  4. Install the package

    sudo apt-get install ~/deb/oddjob-mkhomedir_0.0.1-1_amd64.deb
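As an added example (not the post's own build resources), the same dummy package can be staged and built directly with dpkg-deb, skipping the debmake/debuild round trip. The package name and version follow the steps above; the maintainer string and the staging directory under ~/deb are assumptions. It writes an Architecture: all control file, which is what the post's all-architecture build achieves.

```shell
#!/bin/sh
# Added example, not from the original post: stage and build the dummy
# oddjob-mkhomedir package directly with dpkg-deb, so no debmake/debuild
# round trip is needed. Maintainer and paths are assumptions.
set -eu

# Create the staging tree and a minimal DEBIAN/control for an
# architecture-independent (Architecture: all) dummy package.
# $1 = staging directory, $2 = package name, $3 = version
# Prints the path of the control file it wrote.
write_dummy_control() {
    stage="$1"; pkg="$2"; ver="$3"
    mkdir -p "${stage}/DEBIAN" "${stage}/usr/share/doc/${pkg}"
    cat > "${stage}/DEBIAN/control" <<EOF
Package: ${pkg}
Version: ${ver}
Section: misc
Priority: optional
Architecture: all
Maintainer: Local Admin <root@localhost>
Description: dummy ${pkg} to satisfy the freeipa-client dependency
 Placeholder with no files of its own; pam_mkhomedir is enabled by hand.
EOF
    echo "Dummy package" > "${stage}/usr/share/doc/${pkg}/README-${pkg}.md"
    echo "${stage}/DEBIAN/control"
}

# Print the value of one field from a control file. $1 = file, $2 = field name
control_field() {
    sed -n "s/^$2: //p" "$1"
}

# Build the .deb if dpkg-deb is available. $1 = staging dir, $2 = output path.
# --root-owner-group records root ownership without needing fakeroot.
build_dummy_deb() {
    if command -v dpkg-deb >/dev/null 2>&1; then
        dpkg-deb --root-owner-group -b "$1" "$2"
    else
        echo "dpkg-deb not found; staging tree left in $1" >&2
    fi
}

# Usage: BUILD_DUMMY=1 sh build-dummy-deb.sh
# (writes ~/deb/oddjob-mkhomedir_0.0.1-1_all.deb)
if [ "${BUILD_DUMMY:-0}" = 1 ]; then
    stage="${HOME}/deb/oddjob-mkhomedir-0.0.1"
    write_dummy_control "${stage}" oddjob-mkhomedir 0.0.1-1 >/dev/null
    build_dummy_deb "${stage}" "${HOME}/deb/oddjob-mkhomedir_0.0.1-1_all.deb"
fi
```

Because the control file is generated from parameters, the same function serves for any other banned dependency you need to satisfy with an empty package; check `control_field` output before installing so a typo in the package name does not leave the real dependency unsatisfied.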
    

Because this mkhomedir package is a fake, we will have to take extra steps further on to enable the mkhomedir behavior.

Building custom python3-ipalib

Devuan bans python-ipalib because it depends on systemd. You can get around this by changing the Depends: line in the package's DEBIAN/control file. Download the released .deb from http://ftp.us.debian.org/debian/pool/main/f/freeipa/python-ipalib_4.7.1-3_all.deb or whichever the latest is.

cd ~/Downloads
wget http://ftp.us.debian.org/debian/pool/main/f/freeipa/python-ipalib_4.7.1-3_all.deb
mkdir temp
dpkg-deb -R python-ipalib_4.7.1-3_all.deb temp

Manually fix the temp/DEBIAN/control file as needed. I used

#Depends: freeipa-common (= 4.7.1-3), gnupg2, gnupg-agent, keyutils, python-cffi, python-cryptography (>= 1.6), python-dbus, python-dnspython, python-gssapi, python-jwcrypto, python-ldap, python-libipa-hbac, python-lxml, python-netaddr, python-netifaces (>= 0.10.4), python-nss (>= 0.16.0), python-pyasn1, python-qrcode (>= 5.0.0), python-requests, python-setuptools, python-six, python-usb (>= 1.0.0~b2), python-yubico, python-pyasn1-modules, python:any (<< 2.8), python:any (>= 2.7~)
Depends: python-netaddr, python-netifaces (>= 0.10.4), python-dbus

I also customized the release number. Reassemble the dpkg.

dpkg-deb -b temp python-ipalib_4.7.1-3+stackrpms_all.deb
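The unpack, edit and repack sequence above, written as an added example (not the post's own commands) with the control-file edits done by two small functions instead of by hand. The download URL, the reduced Depends: list and the +stackrpms suffix are the ones quoted in the post; the work directory under ~/Downloads is an assumption. Instead of keeping the old Depends: line as a comment in the control file, the example prints it so it can be saved alongside the package.

```shell
#!/bin/sh
# Added example, not from the original post: unpack the Debian python-ipalib
# .deb, replace its Depends: field, add a local version suffix and repack.
# The field-editing helpers work on any DEBIAN/control file.
set -eu

# Replace the Depends: field of control file $1 with $2.
# Prints the previous Depends: value so it can be kept for reference.
# $2 must not contain '|', '&' or '\' (sed replacement metacharacters).
set_depends() {
    ctl="$1"; deps="$2"
    sed -n 's/^Depends: //p' "${ctl}"
    sed "s|^Depends: .*|Depends: ${deps}|" "${ctl}" > "${ctl}.tmp"
    mv "${ctl}.tmp" "${ctl}"
}

# Append suffix $2 to the Version: field of control file $1; prints the result.
bump_version() {
    ctl="$1"; suffix="$2"
    sed "s|^\(Version: [^ ]*\)$|\1${suffix}|" "${ctl}" > "${ctl}.tmp"
    mv "${ctl}.tmp" "${ctl}"
    sed -n 's/^Version: //p' "${ctl}"
}

# Full round trip for python-ipalib: download, unpack, edit, rebuild.
# $1 = work directory. The .deb version is the one from the post and will
# need updating when Debian publishes a newer release.
repack_ipalib() {
    work="$1"; deb="python-ipalib_4.7.1-3_all.deb"
    mkdir -p "${work}" && cd "${work}"
    wget -q "http://ftp.us.debian.org/debian/pool/main/f/freeipa/${deb}"
    rm -rf temp && dpkg-deb -R "${deb}" temp
    old="$(set_depends temp/DEBIAN/control \
        'python-netaddr, python-netifaces (>= 0.10.4), python-dbus')"
    echo "original Depends: ${old}" > "${deb}.orig-depends.txt"
    newver="$(bump_version temp/DEBIAN/control '+stackrpms')"
    # --root-owner-group restores root ownership lost by unpacking as a user
    dpkg-deb --root-owner-group -b temp "python-ipalib_${newver}_all.deb"
}

# Usage: REPACK_IPALIB=1 sh repack-ipalib.sh
if [ "${REPACK_IPALIB:-0}" = 1 ]; then
    repack_ipalib "${HOME}/Downloads"
fi
```

Dropping dependencies this way means apt no longer enforces them, so the modules the stripped packages provided (python-ldap, python-gssapi and the rest of the original list) have to be present on the client by other means before ipa-client-install will run.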

Install packages and files

Install the client software.

sudo apt-get -y install freeipa-client

You will need a dummy file for systemctl and for hostnamectl, because some components of freeipa are hardcoded to call them. Maybe we should recompile the freeipa package for Devuan instead of just using the debian one. But that sounds way beyond my capacity. So let's just keep hacking.

tf=/bin/systemctl
sudo touch "${tf}" ; sudo chmod 0755 "${tf}"
sudo tee "${tf}" <<EOF /dev/null
#!/bin/sh
true
EOF

tf=/usr/bin/hostnamectl
sudo touch "${tf}" ; sudo chmod 0755 "${tf}"
sudo tee "${tf}" <<EOF /dev/null
#!/bin/sh
true
EOF

Configure freeipa client

Now we are ready to do the main work! I found that I had to stop ntp so the script could do its thing, which recently has been installing chronyd. I guess I don't care; I just don't want drift. I picked my battles, and ntp clients are not the battle I will fight today.

sudo service ntp stop

The script does not create a few important directories, so create these yourself, and then run the install script.

sudo mkdir -p /etc/ipa /var/lib/ipa-client/pki
sudo ipa-client-install --hostname="$( hostname --fqdn )" --mkhomedir --configure-firefox

Of course, if you don't want those options, remove them. I think the configure-firefox step is broken anyway. I forget what it's supposed to do; maybe load the ipa CA cert into the nss database. I found that I always have to restart sssd after my initial client configuration. It's a small price to pay for domain user resolution, so just do it. In this case, actually stop it and then start it.

sudo service sssd stop ; sudo service sssd start

That should be the bare minimum to get freeipa domain user auth working.

Followup and extra goodies

For the quality-of-life improvements, you need a few extra steps.

Add mkhomedir

Now is the time to add pam_mkhomedir to the pam stack.

# add pam_mkhomedir
tf=/etc/pam.d/common-session ; ! grep -q 'mkhomedir' "${tf}" && { thisline="$(( $( grep -nE 'session\s+optional' "${tf}" | head -n1 | awk -F':' '{print $1}' ) - 0 ))" ; awk -v thisline="$thisline" 'NR == (thisline) {print "session optional        pam_mkhomedir.so"; } {print;}' "${tf}" > "${tf}.2" ; test -f "${tf}.2" && mv "${tf}.2" "${tf}" ; }

This one-liner checks whether the string "mkhomedir" already appears in the common-session file and, if it is absent, adds the pam_mkhomedir.so module to the pam session stack. It sticks it right before the first "session optional" line, because the order of pam statements matters. So if you have heavily customized your pam configuration, you need to be careful. This line works with a bog-standard pam config straight from the ISO. If you want to put it in there yourself, you need this line:

session optional        pam_mkhomedir.so
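An idempotent version of the one-liner above, written as an added example rather than the post's own code. It does the same insertion before the first "session optional" entry, but also handles the case the one-liner misses: when the file has no "session optional" line at all, the one-liner computes line number 0 and silently adds nothing, whereas this appends the module at the end. The file path is a parameter so the change can be rehearsed on a copy before touching /etc/pam.d/common-session; the function names and the PAM_FILE variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent insertion of
# pam_mkhomedir.so into a pam session file. Run as root for /etc/pam.d files;
# the rewritten file is created with the running user's umask, so check its
# mode afterwards.
set -eu

MKHOMEDIR_LINE='session optional        pam_mkhomedir.so'

# $1 = path of the pam session file. Prints "added" or "present".
add_pam_mkhomedir() {
    pamfile="$1"
    if grep -q 'pam_mkhomedir' "${pamfile}"; then
        echo present
        return 0
    fi
    awk -v line="${MKHOMEDIR_LINE}" '
        # insert before the first "session optional" entry (order matters)
        !done && $1 == "session" && $2 == "optional" { print line; done = 1 }
        { print }
        # no such entry anywhere: append at the end instead of doing nothing
        END { if (!done) print line }
    ' "${pamfile}" > "${pamfile}.tmp"
    mv "${pamfile}.tmp" "${pamfile}"
    echo added
}

# Line number at which pam_mkhomedir appears in $1 (prints nothing if absent).
mkhomedir_line_number() {
    grep -n 'pam_mkhomedir' "$1" | head -n1 | cut -d: -f1
}

# Usage: PAM_FILE=/etc/pam.d/common-session sh add-mkhomedir.sh
if [ -n "${PAM_FILE:-}" ]; then
    add_pam_mkhomedir "${PAM_FILE}"
    echo "pam_mkhomedir is at line $(mkhomedir_line_number "${PAM_FILE}")"
fi
```

Keeping the insertion point at the first "session optional" entry reproduces the one-liner's placement; on a default Debian-style common-session that is ahead of the pam_systemd/pam_unix session entries, so the home directory exists before anything that runs in it.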

Kerberos trust dns

If you want to just use short hostnames to access other systems, you need to tell kerberos to trust dns. If you have the bgscripts package installed, you can use the updateval command in a one-liner.

sudo updateval -a /etc/krb5.conf -s '[libdefaults]' '^(\s*dns_canonicalize_hostname\s*=\s*).*' '  dns_canonicalize_hostname = true'

Basically, in /etc/krb5.conf change dns_canonicalize_hostname to true.
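For systems without bgscripts, here is an added example (not the updateval code and not from the post) that makes the same edit with awk: set one key inside one section of an INI-style file such as /etc/krb5.conf. If the key already exists in the section it is rewritten in place; if the section exists without the key, the key is added at the end of that section; if the section is missing, both are appended. It generalizes past the single dns_canonicalize_hostname case, so it can set other [libdefaults] or [domain_realm] entries too. Function names and the KRB5_FILE variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post and not the bgscripts updateval
# code: set key $3 to value $4 inside section [$2] of INI-style file $1.
# Run as root for /etc/krb5.conf; the file is rewritten via a temp copy.
set -eu

# $1 = file, $2 = section name without brackets, $3 = key, $4 = value
set_ini_value() {
    file="$1"; section="$2"; key="$3"; value="$4"
    awk -v s="[${section}]" -v k="${key}" -v v="${value}" '
        function emit_key() { print "  " k " = " v; done = 1 }
        BEGIN { re = "^[[:space:]]*" k "[[:space:]]*=" }
        # section header: leaving the target section without having seen
        # the key means it must be added before the next header
        /^[[:space:]]*\[/ { if (in_s && !done) emit_key(); in_s = ($1 == s) }
        # existing "key = value" line in the target section: rewrite it
        in_s && !done && $0 ~ re { emit_key(); next }
        { print }
        # end of file: section still open, or section absent altogether
        END { if (!done) { if (!in_s) print s; emit_key() } }
    ' "${file}" > "${file}.tmp"
    mv "${file}.tmp" "${file}"
}

# Print the value of key $3 in section [$2] of file $1 (nothing if unset).
get_ini_value() {
    awk -v s="[$2]" -v k="$3" '
        BEGIN { re = "^[[:space:]]*" k "[[:space:]]*=" }
        /^[[:space:]]*\[/ { in_s = ($1 == s) }
        in_s && $0 ~ re { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# Usage: KRB5_FILE=/etc/krb5.conf sh krb5-trust-dns.sh
if [ -n "${KRB5_FILE:-}" ]; then
    set_ini_value "${KRB5_FILE}" libdefaults dns_canonicalize_hostname true
    echo "dns_canonicalize_hostname = $(get_ini_value "${KRB5_FILE}" libdefaults dns_canonicalize_hostname)"
fi
```

The key is matched as a regular expression anchored at the start of the line, so keys containing regex metacharacters (a leading dot in a [domain_realm] entry, for instance) match slightly more loosely than a literal comparison would; that is harmless for krb5.conf's usual contents but worth knowing before reusing the function elsewhere.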

Troubleshooting

If the install fails for any reason, you have to run ipa-client-install --uninstall before you reinstall. And in order for that second command to succeed, you probably have to run "certmonger" first. I don't really know why running that allows it to uninstall, but just take it under advisement.

References

Original research

Weblinks

  1. package management - Easily unpack DEB, edit postinst, and repack DEB - Unix & Linux Stack Exchange
  2. http://ftp.us.debian.org/debian/pool/main/f/freeipa/
