
freeipa: init at 4.10.1 #207115

Merged
merged 6 commits into from
Mar 30, 2023

Conversation

s1341 (Contributor) commented Dec 21, 2022

Description of changes

This PR allows nixos to be a fully-fledged freeipa (https://www.freeipa.org/page/Main_Page) client, by adding an ipa configuration module, and all required tools.

This PR is a replacement for #22789, which updates all components and has been tested to work. I.e. I have tested that it is possible to login using credentials stored in the freeipa server. All credit goes to @outergod who did all the heavy lifting.

The configuration blob can be taken as is from the PR above.

Things still to do:

  • Fix a quirk with the sssd pam configuration, which makes it impossible to change passwords. (I have a fix for this, but am unsure whether to include it in this PR).
  • Fix sudo-ing using sssd and freeipa sudo-rules. Need help from freeipa developers to debug and resolve.
  • Allow configuration of a FAST binding principal in the ipa configuration module.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: python 8.has: module (update) This PR changes an existing module in `nixos/` labels Dec 21, 2022
@ofborg ofborg bot added 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild 8.has: package (new) This PR adds a new package labels Dec 21, 2022
Resolved review threads (outdated) on: pkgs/top-level/all-packages.nix, pkgs/os-specific/linux/freeipa/ipa-client-install, pkgs/os-specific/linux/freeipa/default.nix, pkgs/development/python-modules/pki-core/default.nix
s1341 (Contributor, Author) commented Dec 22, 2022

Wow @SuperSandro2000, thanks for the amazingly in-depth review. I will address everything later today.

@RaitoBezarius RaitoBezarius marked this pull request as draft December 22, 2022 15:39
s1341 (Contributor, Author) commented Dec 26, 2022

I believe I have addressed all review comments at this point.

@s1341 s1341 marked this pull request as ready for review December 26, 2022 07:15
benley (Member) commented Dec 26, 2022

This looks awesome! I'll try setting up some nodes with the new module after I get back to work (next week)

s1341 (Contributor, Author) commented Dec 26, 2022

Feel free to ping me on irc or matrix if you need help getting things working. It should just work but I’m available to help.

Resolved review threads (outdated) on: pkgs/os-specific/linux/freeipa/default.nix, pkgs/development/python-modules/yubico/default.nix, nixos/modules/security/ipa.nix
s1341 (Contributor, Author) commented Mar 16, 2023

@bjornfor I cleaned up all the commits. Please take another look.

s1341 (Contributor, Author) commented Mar 19, 2023

Can we merge this?

SuperSandro2000 (Member) left a review comment:

please fix the build failure ofborg discovered

s1341 (Contributor, Author) commented Mar 20, 2023

@SuperSandro2000 what build failure?

benley (Member) commented Mar 29, 2023

I don't know what build failure @SuperSandro2000 is referring to either. If we can't find it and there are no specific objections, perhaps we can actually merge this PR soon?

s1341 (Contributor, Author) commented Mar 29, 2023

I’d like that.

@benley benley merged commit ff296a7 into NixOS:staging Mar 30, 2023
s1341 (Contributor, Author) commented Mar 30, 2023

Yay! Thanks!

benley (Member) commented Mar 30, 2023

Oh hm, it's going into the staging branch - does that get merged to master automatically at some point?

s1341 (Contributor, Author) commented Mar 30, 2023

Yes... it just takes a few weeks I think

SuperSandro2000 (Member) commented:

Those build failures:

[image: screenshot of the failed ofborg checks]

You should know about them, if you have commit rights.

Not sure where it exactly fails because ofborg interlaces the logs into one.

benley (Member) commented Mar 30, 2023

Oh, I mistakenly assumed that the checks would display a red X for a failure. The grey square was too easy to overlook, sorry.

SuperSandro2000 (Member) commented:

Yeah, that is a known problem.

I think freeipa is not building, so when this PR reaches master it will likely also not build.

benley (Member) commented Mar 30, 2023

I'm taking a look to see if these are easy fixes. If not I suppose we'll want to temporarily revert.

benley (Member) commented Mar 30, 2023

FWIW, it appears that freeipa builds cleanly if you cherry-pick the commits from this PR onto the master branch. It's going to take a while for me to build staging to see the failure.

benley (Member) commented Mar 30, 2023

The build failures I'm now seeing on the staging branch are things that I don't think could be caused by this PR:

collect2: error: ld returned 1 exit status
make[3]: *** [../../gcc-12.2.0/gcc/lto/Make-lang.in:96: lto1] Error 1
make[3]: *** Waiting for unfinished jobs....
collect2: error: ld returned 1 exit status
make[3]: *** [../../gcc-12.2.0/gcc/cp/Make-lang.in:136: cc1plus] Error 1
make[3]: *** Waiting for unfinished jobs....
collect2: error: ld returned 1 exit status
make[3]: *** [../../gcc-12.2.0/gcc/lto/Make-lang.in:96: lto1] Error 1
collect2: error: ld returned 1 exit status
make[3]: *** [../../gcc-12.2.0/gcc/lto/Make-lang.in:102: lto-dump] Error 1
collect2: error: ld returned 1 exit status
make[3]: *** [../../gcc-12.2.0/gcc/c/Make-lang.in:87: cc1] Error 1
rm gcc.pod
make[3]: Leaving directory '/build/build/gcc'
make[2]: *** [Makefile:4961: all-stage1-gcc] Error 2
make[2]: Leaving directory '/build/build'
make[1]: *** [Makefile:25612: stage1-bubble] Error 2
make[1]: Leaving directory '/build/build'
make: *** [Makefile:25949: bootstrap] Error 2
error: builder for '/nix/store/sm9v2r9qsnidajynb21xc73ggl2w23j9-gfortran-12.2.0.drv' failed with exit code 2;
       last 10 log lines:
       > make[3]: *** [../../gcc-12.2.0/gcc/lto/Make-lang.in:102: lto-dump] Error 1
       > collect2: error: ld returned 1 exit status
       > make[3]: *** [../../gcc-12.2.0/gcc/c/Make-lang.in:87: cc1] Error 1
       > rm gcc.pod
       > make[3]: Leaving directory '/build/build/gcc'
       > make[2]: *** [Makefile:4961: all-stage1-gcc] Error 2
       > make[2]: Leaving directory '/build/build'
       > make[1]: *** [Makefile:25612: stage1-bubble] Error 2
       > make[1]: Leaving directory '/build/build'
       > make: *** [Makefile:25949: bootstrap] Error 2
       For full logs, run 'nix log /nix/store/sm9v2r9qsnidajynb21xc73ggl2w23j9-gfortran-12.2.0.drv'.
error: 1 dependencies of derivation '/nix/store/9ilxr4qw168x8gxhn5pna3fvp6dkw5nw-gfortran-wrapper-12.2.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/c64c4jb4iplgh6ffks9gk2wwjfm46ls3-python3.10-numpy-1.24.2.drv' failed to build
error: 1 dependencies of derivation '/nix/store/7w1bcry5fmdxlxbp96r2rqlkrcscx4gs-python3.10-scipy-1.10.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/9qnsyw74vpd8w2pwjmqx163px1gc5zv3-python3.10-fonttools-4.38.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/k3yinhpm0364llmqk514z24y7blacvq7-python3.10-pillow-9.4.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/0ymza05gqcanw14r0fb8127vdzngwl52-liberation-fonts-2.1.0.drv' failed to build
error: 1 dependencies of derivation '/nix/store/zvq7hb7p5lc8aqapl0fqiymgp59qj3rb-python3.10-qrcode-7.4.2.drv' failed to build
error: 1 dependencies of derivation '/nix/store/jv2chndjkvbks3hiij1419xnqq7x8dpd-freeipa-4.10.1.drv' failed to build

benley (Member) commented Mar 30, 2023

I suspect this is going to be fine when it hits master. @SuperSandro2000 am I missing something glaringly obvious?

SuperSandro2000 (Member) commented:

Yes, gfortran will be certainly fixed before hitting master.

trofi (Contributor) commented Mar 30, 2023

Fails to eval in staging as:

$ nix-env -qa --json --arg config 'import <nixpkgs/pkgs/top-level/packages-config.nix>' --option build-users-group  '""' -I nixpkgs=. -f .
error:
       … while calling the 'abort' builtin

         at /home/slyfox/dev/git/nixpkgs-staging/lib/customisation.nix:179:65:

          178|
          179|     in if missingArgs == [] then makeOverridable f allArgs else abort error;
             |                                                                 ^
          180|

       error: evaluation aborted with the following error message: 'Function called without required argument "pkgconfig" at /home/slyfox/dev/git/nixpkgs-staging/pkgs/os-specific/linux/freeipa/default.nix:4, did you mean "pkg-config" or "pkgconf"?'

Looks related?

trofi (Contributor) commented Mar 31, 2023

Ah, it's the result of alias use. Attempting to fix as #224026
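Why an alias argument breaks the staging evaluation, as an added illustration (constructed; not code from this PR or from #224026): callPackage fills a package function's arguments by attribute name, and `pkgconfig` exists only as an alias of `pkg-config`, which nixpkgs drops when aliases are disabled, as packages-config.nix does for the channel evaluation. It assumes `<nixpkgs>` is on NIX_PATH; the names `brokenHeader` and `fixedHeader` are hypothetical stand-ins for the header of freeipa/default.nix.

```nix
# Added example, not the PR's own default.nix. With config.allowAliases =
# false the alias attribute is absent, so lib/customisation.nix cannot
# supply the `pkgconfig` argument and aborts with the message quoted in this
# thread: Function called without required argument "pkgconfig".
let
  pkgs = import <nixpkgs> { config.allowAliases = false; };

  # Header shape that triggers the abort under the setting above.
  brokenHeader = { stdenv, pkgconfig }: { nativeBuildInputs = [ pkgconfig ]; };

  # Corrected header: name the real attribute, not the alias.
  fixedHeader = { stdenv, pkg-config }: { nativeBuildInputs = [ pkg-config ]; };
in {
  # The alias is gone from the set while the real attribute is still there.
  aliasPresent = pkgs ? pkgconfig;   # false
  realPresent  = pkgs ? pkg-config;  # true

  # Every argument of fixedHeader can be supplied, so this evaluates.
  fixedOk = (pkgs.callPackage fixedHeader { }).nativeBuildInputs != [ ];

  # Uncomment to reproduce the abort. It is not part of the result set
  # because `abort` cannot be caught with builtins.tryEval.
  # broken = pkgs.callPackage brokenHeader { };
}
```

Evaluate with `nix-instantiate --eval --strict` on the file to see `aliasPresent = false`; the same check with `allowAliases = true` (the default) hides the problem, which is why the PR built locally but failed the channel evaluation.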

Silver-Golden (Member) commented:

o/
I am testing this out on unstable.
By any chance does anyone have a config of this working?
And looking at the code it seems like computers cannot automatically enroll themselves, are there any plans for auto enroll?

s1341 (Contributor, Author) commented May 22, 2023

@Silver-Golden I have it working. You need to have a freeipa server set up. This PR only adds the client and a module for client configuration. You need to enroll once. The reason there isn't auto-enroll is because you need a password for an ipa account which is allowed to enroll users.

If you want, I can share my freeipa-server and auto-enroll nix scripts.

benley (Member) commented May 22, 2023

> If you want, I can share my freeipa-server and auto-enroll nix scripts.

Please do, I would find an auto-enroll script useful too.

You don't have freeipa-server running on nixos, do you? Because that would be very cool.

s1341 (Contributor, Author) commented May 23, 2023

I have freeipa-server running in docker on nixos, with a declarative docker container. I will try to clean things up and post in the next couple of days.

s1341 (Contributor, Author) commented May 29, 2023

@benley: I've posted my configs for a freeipa-server (docker) and an ipa-tuura (https://github.com/freeipa/ipa-tuura) instance. The ipa-tuura instance is an ipa client (using the module in this PR), and also has an auto-enroll service (see systemd.services.init-sssd). Let me know what you think.

https://gist.github.com/s1341/125b95ddc2edb4f7e174eca1ab217ca6
