Package Details: python-ipaclient 4.9.4-1

Git Clone URL: https://aur.archlinux.org/freeipa.git (read-only, click to copy)
Package Base: freeipa
Description: Python libraries used by IPA client
Upstream URL: http://www.freeipa.org/
Keywords: freeipa identity management policy trusts
Licenses: GPL3
Submitter: chenxiaolong
Maintainer: patlefort
Last Packager: patlefort
Votes: 20
Popularity: 0.22
First Submitted: 2012-11-15 23:50
Last Updated: 2021-06-08 20:20

Latest Comments

1 2 3 4 5 6 Next › Last »

patlefort commented on 2021-04-06 23:28

I've bumped the version to 4.9.2. 4.9.3 is missing the asc file atm. I've fixed most of the issues mentioned below.

yaleman commented on 2021-03-27 23:00

You'll need to import the GPG key of the FreeIPA Signer, from here: https://www.freeipa.org/page/Verify_Release_Signature

$ gpg --keyserver pool.sks-keyservers.net --recv-keys 0xF40800B6298EB963 0xA1FBA5F7EF8C4869
gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
gpg: key A1FBA5F7EF8C4869: public key "Tomas Krizek <tomas.krizek@nic.cz>" imported
gpg: key F40800B6298EB963: public key "FreeIPA Master Signing Key" imported
gpg: Total number processed: 2
gpg:               imported: 2

backerman commented on 2021-03-21 04:06

Dropping maintainer since I’ve had zero time to fix this lately.

patlefort commented on 2021-03-21 03:51

I've created a package for authselect. I tested it on my machine and so far it's working, but before using you should backup your /etc/pam.d and /etc/nsswitch.conf.

As for certificates, I made /etc/pki/ca-trust/source a link to /etc/ca-certificates/trust-source/anchors.

I solved my problem on Fedora: it seems that pam_sss doesn't like when you authenticate with a user when it's also a local user, I could login but not get a kerberos ticket, but on my arch it's not a problem.

I think a comment with extra information on things that the package can't do should be pinned.

patlefort commented on 2021-03-20 09:10

I managed to make it work. In addition to steps mentioned below, I had to remove the python-nss dependency from PKGBUILD which btw is currently broken, create a /etc/sysconfig and a /etc/pki directory, create a dummy nis-domainname.service with the following content:

[Unit]
Description=Dummy service

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=true

[Install]
WantedBy=multi-user.target

Then I had to copy /usr/share/ipa into my Arch machine from another Fedora installation with freeipa-client installed. Funnily, it works on my Arch machine but not on Fedora which is getting a strange problem I can't explain. The only thing not working is the certificate, which is imported into /etc/pki and not read by arch.

fishbone222 commented on 2020-12-11 12:45

ipa-client-install fails after the update:

$ /usr/bin/ipa-client-install 
    Traceback (most recent call last):
    File /usr/bin/ipa-client-install, line 22, in <module>
    from ipaclient.install import ipa_client_install
    ModuleNotFoundError: No module named 'ipaclient.install'

asbhad2c commented on 2020-09-15 09:53

to get past the issues reported by yougotborked, I had to:

1) install unlisted build dependencies:

ding-libs, openldap, python-jinja, python-pyasn1-modules, xmlrpc-c

2) install unlisted dependencies from AUR:

python-gssapi, python-nss, python-yubico, yp-tool, certmonger, oddjob, python-ipaclient, python-ipalib

3) fix around things arch does not have (but Fedora/CentOS do)

$ mkdir /etc/krb5.conf.d
$ ln -sf /usr/bin/true  /usr/bin/authselect
$ mkdir /etc/authselect
$ cp /etc/nsswitch.conf /etc/authselect/user-nsswitch.conf

$ cat /etc/krb5.conf.d/freeipa
[libdefaults]
    spake_preauth_groups = edwards25519

Its about the presence of these files and dirs.

After that freeipa-client did build and a join using ipa-client-install ... succeeded.

To get users visible (ie with id) I then had to:

4) manually setup nsswitch.conf by adding to the top:

passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss

To get users authenticated I had to:

5) manually setup PAM as described here https://wiki.archlinux.org/index.php/LDAP_authentication#PAM_Configuration_2

the last two are apparently necessary cause arch has no authconfig.

crazzyfool commented on 2020-08-24 18:01

Same issue as yougotborked :-(

yougotborked commented on 2020-07-23 03:56

the package is missing a chrony dependancy, ipa-client-install fails setting up ntp without it

Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
CalledProcessError(Command ['/bin/systemctl', 'restart', 'chronyd.service'] returned non-zero exit status 5: 'Failed to restart chronyd.service: Unit chronyd.service not found.\n')
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

next ipa-client-install is missing access to some template files

Could not remove /tmp/tmpp8azpdku.ipabkp
[Errno 2] No such file or directory: '/usr/share/ipa/client/freeipa.template'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

Next, when trying to uninstall with ipa-client-install --uninstall we get another missing dependency "authselect"

[awing /]# ipa-client-install --uninstall
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration: [Errno 2] No such file or directory: '/usr/bin/authselect'
The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information

TheGoliath commented on 2020-06-24 11:51

Updated :)