a bunch of changes

* update platform code
* refresh patches
* bump dependencies
* create /run/ipa, /run/ipa_memcached on postinst so installer
  works OOTB
* split tmpfiles.d conf for client and server
* clean up cruft on purge
* add new files to install
* rename ipa-memcached to ipa_memcached to match upstream
* link customizable web files to /etc/ipa/html
* fix apache module enabling and disabling in postinst/prerm
* fix apache ipa.conf paths
* don't bother installing any apache configs, installer creates and
  removes them

debian/control

@@ -4,7 +4,7 @@ Priority: extra
 Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
 Uploaders: Timo Aaltonen <tjaalton@ubuntu.com>
 Build-Depends:
- 389-ds-base-dev (>= 1.1.3),
+ 389-ds-base-dev (>= 1.3.3.2),
  check,
  debhelper (>= 9),
  dh-autoreconf,
@@ -32,7 +32,7 @@ Build-Depends:
  libverto-dev,
  libxmlrpc-core-c3-dev (>= 1.33.14),
  python-all-dev,
- python-dnspython,
+ python-dnspython (>= 1.11.1),
  python-kerberos,
  python-krbv,
  python-ldap,
@@ -46,7 +46,7 @@ Build-Depends:
  python-openssl,
  python-polib,
  python-pyasn1,
- python-qrcode,
+ python-qrcode (>= 5.0.0),
  python-setuptools,
  python-sss (>= 1.8.0),
  python-yubico,
@@ -62,11 +62,12 @@ Homepage: http://www.freeipa.org
 Package: freeipa-server
 Architecture: any
 Depends:
- 389-ds-base,
+ 389-ds-base (>= 1.3.3.2),
  acl,
  apache2,
  bind9,
  bind9-dyndb-ldap,
+ certmonger (>= 0.75.14),
  dogtag-pki-server-theme,
  freeipa-admintools (= ${binary:Version}),
  freeipa-client (= ${binary:Version}),
@@ -89,7 +90,7 @@ Depends:
  python-krbv,
  python-ldap,
  python-pyasn1,
- slapi-nis,
+ slapi-nis (>= 0.54),
  ${misc:Depends},
  ${python:Depends},
  ${shlibs:Depends}
@@ -139,7 +140,7 @@ Depends:
  python-freeipa (= ${binary:Version}),
  python-krbv,
  python-ldap,
- sssd (>= 1.9.2),
+ sssd (>= 1.11.1),
  wget,
  ${misc:Depends},
  ${python:Depends},

debian/freeipa-client.install

@@ -1,4 +1,5 @@
 usr/lib/python*/dist-packages/ipaclient/*.py
+usr/lib/tmpfiles.d/freeipa-client.conf
 usr/sbin/ipa-client-automount
 usr/sbin/ipa-client-install
 usr/sbin/ipa-getkeytab

debian/freeipa-client.postinst

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ ! -e /run/ipa ]; then
+    mkdir -m 0700 /run/ipa
+fi
+
+#DEBHELPER#

debian/freeipa-client.postrm

@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = purge ]; then
+    rm -rf /var/lib/ipa-client
+    rm -f /etc/ipa/default.conf
+fi
+
+#DEBHELPER#
+

debian/freeipa-server.install

@@ -1,5 +1,4 @@
-etc/apache2/conf-available/*
-etc/default/ipa-memcached
+etc/default/ipa_memcached
 etc/ipa/html/*
 lib/systemd/system/*
 usr/lib/*/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -40,7 +39,7 @@ usr/lib/python*/dist-packages/ipaserver/install/sysupgrade.py
 usr/lib/python*/dist-packages/ipaserver/install/upgradeinstance.py
 usr/lib/python*/dist-packages/ipaserver/plugins/*
 usr/lib/python*/dist-packages/ipaserver/rpcserver*
-usr/lib/tmpfiles.d/freeipa.conf
+usr/lib/tmpfiles.d/freeipa-server.conf
 usr/sbin/ipa-advise
 usr/sbin/ipa-backup
 usr/sbin/ipa-ca-install

debian/freeipa-server.ipa_memcached.init

@@ -11,8 +11,8 @@ MAXCONN=1024
 CACHESIZE=64
 OPTIONS=""
 
-if [ -f /etc/default/ipa-memcached ];then
-    . /etc/default/ipa-memcached
+if [ -f /etc/default/ipa_memcached ];then
+    . /etc/default/ipa_memcached
 fi
 
 prog="ipa_memcached"
@@ -40,7 +40,7 @@ do_stop () {
 # See how we were called.
 case "$1" in
     start)
-        log_daemon_msg "Starting ipa-memcached"
+        log_daemon_msg "Starting ipa_memcached"
         do_start
         case "$?" in
                 0) log_end_msg 0 ;;
@@ -50,7 +50,7 @@ case "$1" in
         esac
         ;;
     stop)
-        log_daemon_msg "Stopping ipa-memcached"
+        log_daemon_msg "Stopping ipa_memcached"
         do_stop
         case "$?" in
                 0) log_end_msg 0 ;;

debian/freeipa-server.links

@@ -1,3 +1,8 @@
+/etc/ipa/html/ffconfig.js		usr/share/ipa/html/ffconfig.js
+/etc/ipa/html/ffconfig_page.js		usr/share/ipa/html/ffconfig_page.js
+/etc/ipa/html/ssbrowser.html		usr/share/ipa/html/ssbrowser.html
+/etc/ipa/html/unauthorized.html		usr/share/ipa/html/unauthorized.html
+/etc/ipa/html/browserconfig.html	usr/share/ipa/html/browserconfig.html
 /usr/share/javascript/prototype/prototype.js       	/usr/share/ipa/ipagui/static/javascript/prototype.js
 /usr/share/javascript/scriptaculous/scriptaculous.js	/usr/share/ipa/ipagui/static/javascript/scriptaculous.js
 /usr/share/javascript/scriptaculous/effects.js		/usr/share/ipa/ipagui/static/javascript/effects.js

debian/freeipa-server.lintian-overrides

@@ -1,2 +1,4 @@
 # lintian is lying
 python-script-but-no-python-dep
+# we really need apache2
+web-application-should-not-depend-unconditionally-on-apache2

debian/freeipa-server.postinst

@@ -2,10 +2,29 @@
 set -e
 
 if [ "$1" = configure ]; then
-    if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then
+    if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
         . /usr/share/apache2/apache2-maintscript-helper
-        apache2_invoke enmod auth_kerb expires headers proxy rewrite || exit $?
+	if [ ! -e /etc/apache2/mods-enabled/auth_kerb.load ]; then
+            apache2_invoke enmod auth_kerb || exit $?
+        fi
+	if [ ! -e /etc/apache2/mods-enabled/expires.load ]; then
+            apache2_invoke enmod expires || exit $?
+        fi
+	if [ ! -e /etc/apache2/mods-enabled/headers.load ]; then
+            apache2_invoke enmod headers || exit $?
+        fi
+	if [ ! -e /etc/apache2/mods-enabled/proxy.load ]; then
+            apache2_invoke enmod proxy || exit $?
+        fi
+	if [ ! -e /etc/apache2/mods-enabled/rewrite.load ]; then
+            apache2_invoke enmod rewrite || exit $?
+        fi
     fi
 fi
 
+if [ ! -e /run/ipa_memcached ]; then
+    mkdir -m 0700 /run/ipa_memcached
+    chown www-data:www-data /run/ipa_memcached
+fi
+
 #DEBHELPER#

debian/freeipa-server.prerm

@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+    . /usr/share/apache2/apache2-maintscript-helper
+    if [ -e /etc/apache2/mods-enabled/auth_kerb ]; then
+        apache2_invoke dismod auth_kerb || exit $?
+    fi
+    if [ -e /etc/apache2/mods-enabled/expires  ]; then
+        apache2_invoke dismod expires || exit $?
+    fi
+    if [ -e /etc/apache2/mods-enabled/headers  ]; then
+        apache2_invoke dismod headers || exit $?
+    fi
+    if [ -e /etc/apache2/mods-enabled/proxy  ]; then
+        apache2_invoke dismod proxy || exit $?
+    fi
+    if [ -e /etc/apache2/mods-enabled/rewrite  ]; then
+        apache2_invoke dismod rewrite || exit $?
+    fi
+fi
+
+#DEBHELPER#

debian/patches/add-debian-platform.diff

@@ -31,7 +31,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +"""
 --- /dev/null
 +++ b/ipaplatform/debian/paths.py
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,66 @@
 +# Authors:
 +#   Timo Aaltonen <tjaalton@ubuntu.com>
 +#
@@ -68,14 +68,15 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +    HTTPD_ALIAS_DIR = "/etc/apache2/nssdb"
 +    ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc"
 +    ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt"
-+    HTTPD_CONF_D_DIR = "/etc/apache2/conf-available/"
-+    HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-available/ipa-pki-proxy.conf"
-+    HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
-+    HTTPD_IPA_CONF = "/etc/apache2/conf-available/ipa.conf"
++    HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/"
++    HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf"
++    HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-enabled/ipa-rewrite.conf"
++    HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
 +    HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
-+    HTTPD_SSL_CONF = "/etc/apache2/conf-available/ssl.conf"
++    HTTPD_SSL_CONF = "/etc/apache2/conf-enabled/ssl.conf"
 +    IPA_KEYTAB = "/etc/apache2/ipa.keytab"
 +    HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
++    ETC_SYSCONFIG_DIR = "/etc/default"
 +    SYSCONFIG_PKI = "/etc/dogtag/"
 +    SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat"
 +    SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat"
@@ -99,7 +100,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +paths = DebianPathNamespace()
 --- /dev/null
 +++ b/ipaplatform/debian/services.py
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,174 @@
 +# Authors:
 +#   Timo Aaltonen <tjaalton@ubuntu.com>
 +#
@@ -127,15 +128,26 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +
 +from ipaplatform.tasks import tasks
 +from ipaplatform.base import services as base_services
-+
++from ipaplatform.redhat import services as redhat_services
 +from ipapython import ipautil
 +from ipapython.ipa_log_manager import root_logger
 +from ipalib import api
 +from ipaplatform.paths import paths
 +
++# Mappings from service names as FreeIPA code references to these services
++# to their actual systemd service names
++debian_system_units = redhat_services.redhat_system_units
++
++debian_system_units['pki-tomcatd'] = 'pki-tomcatd.service'
++debian_system_units['pki_tomcatd'] = debian_system_units['pki-tomcatd']
++
 +# Service classes that implement Debian-specific behaviour
 +
-+class DebianService(base_services.PlatformService):
++class DebianService(redhat_services.RedHatService):
++    system_units = debian_system_units
++
++
++class DebianSysvService(base_services.PlatformService):
 +    def __wait_for_open_ports(self, instance_name=""):
 +        """
 +        If this is a service we need to wait for do so.
@@ -155,7 +167,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +            update_service_list = True
 +        else:
 +            update_service_list = False
-+        super(DebianService, self).stop(instance_name)
++        super(DebianSysvService, self).stop(instance_name)
 +
 +    def start(self, instance_name='', capture_output=True, wait=True):
 +        ipautil.run([paths.SBIN_SERVICE, self.service_name, "start",
@@ -166,7 +178,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +            update_service_list = False
 +        if wait and self.is_running(instance_name):
 +            self.__wait_for_open_ports(instance_name)
-+        super(DebianService, self).start(instance_name)
++        super(DebianSysvService, self).start(instance_name)
 +
 +    def restart(self, instance_name='', capture_output=True, wait=True):
 +        ipautil.run([paths.SBIN_SERVICE, self.service_name, "restart",
@@ -218,7 +230,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +        return True
 +
 +
-+class DebianSSHService(DebianService):
++class DebianSSHService(DebianSysvService):
 +    def get_config_dir(self, instance_name=""):
 +        return '/etc/ssh'
 +
@@ -226,20 +238,22 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +# of specified name
 +
 +def debian_service_class_factory(name):
++    if name == 'dirsrv':
++        return redhat_services.RedHatDirectoryService(name)
++    if name == 'ipa':
++        return redhat_services.RedHatIPAService(name)
 +    if name == 'httpd':
-+        return DebianService("apache2")
-+    if name == 'ipa_memcached':
-+        return DebianService("ipa-memcached")
++        return DebianSysvService("apache2")
 +    if name == 'kadmin':
-+        return DebianService("krb5-admin-server")
++        return DebianSysvService("krb5-admin-server")
 +    if name == 'krb5kdc':
-+        return DebianService("krb5-kdc")
++        return DebianSysvService("krb5-kdc")
 +    if name == 'messagebus':
-+        return DebianService("dbus")
++        return DebianSysvService("dbus")
 +    if name == 'named':
-+        return DebianService("bind9")
++        return DebianSysvService("bind9")
 +    if name == 'ntpd':
-+        return DebianService("ntp")
++        return DebianSysvService("ntp")
 +    if name == 'sshd':
 +        return DebianSSHService(name)
 +    return DebianService(name)
@@ -263,7 +277,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +knownservices = DebianServices()
 --- /dev/null
 +++ b/ipaplatform/debian/tasks.py
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,53 @@
 +# Authors:
 +#   Timo Aaltonen <tjaalton@ubuntu.com>
 +#
@@ -293,15 +307,28 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
 +
 +class DebianTaskNamespace(RedHatTaskNamespace):
 +
-+    def restore_network_configuration(self, fstore, statestore):
-+        filepath = paths.ETC_HOSTNAME
-+        if fstore.has_file(filepath):
-+            fstore.restore_file(filepath)
-+            hostname_was_configured = True
-+
-+    def insert_ca_cert_into_systemwide_ca_store(self, cacert_path):
++    def restore_pre_ipa_client_configuration(self, fstore, statestore,
++                                             was_sssd_installed,
++                                             was_sssd_configured):
 +        return True
 +
++    def set_nisdomain(self, nisdomain):
++        return True
++
++    def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore):
++        return True
++
++    def modify_pam_to_use_krb5(self, statestore):
++        return True
++
++    def insert_ca_cert_into_systemwide_ca_store(self, ca_certs):
++        return True
++
++    def remove_ca_certs_from_systemwide_ca_store(self):
++        return True
++
++    def restore_network_configuration(self, fstore, statestore):
++        return True
 +
 +tasks = DebianTaskNamespace()
 --- a/ipaplatform/setup.py.in
@@ -479,7 +506,7 @@ Date:   Fri Mar 1 12:21:00 2013 +0200
  [Service]
  Type=forking
 -EnvironmentFile=/etc/sysconfig/ipa_memcached
-+EnvironmentFile=/etc/default/ipa-memcached
++EnvironmentFile=/etc/default/ipa_memcached
  PIDFile=/var/run/ipa_memcached/ipa_memcached.pid
  ExecStart=/usr/bin/memcached -d -s $SOCKET_PATH -u $USER -m $CACHESIZE -c $MAXCONN -P /var/run/ipa_memcached/ipa_memcached.pid $OPTIONS
  

debian/patches/fix-hyphen-used-as-minus-sign.patch

@@ -5,7 +5,7 @@ Author: Benjamin Drung <benjamin.drung@profitbricks.com>
 
 --- a/install/tools/man/ipa-adtrust-install.1
 +++ b/install/tools/man/ipa-adtrust-install.1
-@@ -107,7 +107,7 @@
+@@ -107,7 +107,7 @@ The name of the user with administrative
  \fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
  The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
  .TP
@@ -16,7 +16,7 @@ Author: Benjamin Drung <benjamin.drung@profitbricks.com>
  Enables support for trusted domains users for old clients through Schema Compatibility plugin.
 --- a/install/tools/man/ipa-replica-conncheck.1
 +++ b/install/tools/man/ipa-replica-conncheck.1
-@@ -70,13 +70,13 @@
+@@ -70,13 +70,13 @@ Output only errors
  
  .SH "EXAMPLES"
  .TP
@@ -35,7 +35,7 @@ Author: Benjamin Drung <benjamin.drung@profitbricks.com>
  .SH "EXIT STATUS"
 --- a/install/tools/man/ipa-server-install.1
 +++ b/install/tools/man/ipa-server-install.1
-@@ -49,7 +49,7 @@
+@@ -49,7 +49,7 @@ Create home directories for users on the
  The fully\-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures.
  .TP
  \fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
@@ -44,18 +44,9 @@ Author: Benjamin Drung <benjamin.drung@profitbricks.com>
  .TP
  \fB\-N\fR, \fB\-\-no\-ntp\fR
  Do not configure NTP
-@@ -95,7 +95,7 @@
- 
- If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
- 
--    openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
-+    openssl pkcs7 \-in PKCS7_FILE \-print_certs \-out PEM_FILE
- .TP
- \fB\-\-no\-pkinit\fR
- Disables pkinit setup steps
 --- a/ipatests/man/ipa-test-config.1
 +++ b/ipatests/man/ipa-test-config.1
-@@ -22,7 +22,7 @@
+@@ -22,7 +22,7 @@ ipa\-test\-config \- Generate FreeIPA te
  .SH "SYNOPSIS"
  ipa\-test\-config [options]
  .br
@@ -64,7 +55,7 @@ Author: Benjamin Drung <benjamin.drung@profitbricks.com>
  .br
  ipa\-test\-config [options] hostname
  .SH "DESCRIPTION"
-@@ -37,7 +37,7 @@
+@@ -37,7 +37,7 @@ If run without arguments, it prints out
  host.
  Another host may be specified as an argument, or via the \-\-master,
  \-\-replica, and \-\-client options.

debian/patches/fix-ipa-conf.diff

@@ -0,0 +1,37 @@
+--- a/install/conf/ipa.conf
++++ b/install/conf/ipa.conf
+@@ -38,7 +38,7 @@ FileETag None
+ 
+ # FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
+ # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
+-WSGISocketPrefix /run/httpd/wsgi
++WSGISocketPrefix /run/apache2/wsgi
+ 
+ 
+ # Configure mod_wsgi handler for /ipa
+@@ -71,7 +71,7 @@ KrbConstrainedDelegationLock ipa
+   KrbMethodK5Passwd off
+   KrbServiceName HTTP
+   KrbAuthRealms $REALM
+-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
++  Krb5KeyTab /etc/apache2/ipa.keytab
+   KrbSaveCredentials on
+   KrbConstrainedDelegation on
+   Require valid-user
+@@ -175,14 +175,14 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
+ </Directory>
+ 
+ # Protect our CGIs
+-<Directory /var/www/cgi-bin>
++<Directory /usr/lib/cgi-bin>
+   AuthType Kerberos
+   AuthName "Kerberos Login"
+   KrbMethodNegotiate on
+   KrbMethodK5Passwd off
+   KrbServiceName HTTP
+   KrbAuthRealms $REALM
+-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
++  Krb5KeyTab /etc/apache/ipa.keytab
+   KrbSaveCredentials on
+   Require valid-user
+   ErrorDocument 401 /ipa/errors/unauthorized.html

debian/patches/series

@@ -10,3 +10,4 @@ add-debian-platform.diff
 fix-hyphen-used-as-minus-sign.patch
 fix-manpage-has-errors-from-man.patch
 fix-typo.patch
+fix-ipa-conf.diff

debian/rules

@@ -51,12 +51,17 @@ endif
 override_dh_auto_test:
 
 override_dh_auto_install:
+	# tmpfiles.d
+	mkdir -p $(DESTDIR)/usr/lib/tmpfiles.d
+	echo "d /var/run/ipa 0700 root root" > \
+		$(DESTDIR)/usr/lib/tmpfiles.d/freeipa-client.conf
 ifneq ($(ONLY_CLIENT), 1)
+	echo "d /var/run/ipa_memcached 0700 www-data www-data" > \
+		$(DESTDIR)/usr/lib/tmpfiles.d/freeipa-server.conf
+
 	# Force re-generate of platform support
 	rm -f ipapython/services.py
 	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no install DESTDIR=$(DESTDIR)
-#	cd selinux
-#	make $(PLATFORM) IPA_VERSION_IS_GIT_SNAPSHOT=no install DESTDIR=$(DESTDIR)
 	cd ..
 
 	chmod 755 $(DESTDIR)/usr/lib/*/ipa/certmonger/*
@@ -66,18 +71,23 @@ ifneq ($(ONLY_CLIENT), 1)
 	ln -s /usr/share/javascript/dojo/dojo.js $(DESTDIR)/usr/share/ipa/ui/js/dojo/dojo.js
 	ln -s /usr/share/javascript/jquery/jquery.js $(DESTDIR)/usr/share/ipa/ui/js/libs/jquery.js
 
-	mkdir -m 700 $(DESTDIR)/var/lib/ipa/backup
+	mkdir -p -m 700 $(DESTDIR)/var/lib/ipa/backup
 
-	mkdir -p $(DESTDIR)/etc/apache2/conf-available \
-		 $(DESTDIR)/etc/bash_completion.d \
+	mkdir -p $(DESTDIR)/etc/bash_completion.d \
 		 $(DESTDIR)/etc/default \
 		 $(DESTDIR)/usr/share/ipa/html
-	touch $(DESTDIR)/etc/apache2/conf-available/ipa.conf
-	touch $(DESTDIR)/etc/apache2/conf-available/ipa-pki-proxy.conf
-	touch $(DESTDIR)/etc/apache2/conf-available/ipa-rewrite.conf
+
+	touch $(DESTDIR)/usr/share/ipa/html/ca.crt
+	touch $(DESTDIR)/usr/share/ipa/html/configure.jar
+	touch $(DESTDIR)/usr/share/ipa/html/kerberosauth.xpi
+	touch $(DESTDIR)/usr/share/ipa/html/krb.con
+	touch $(DESTDIR)/usr/share/ipa/html/krb.js
 	touch $(DESTDIR)/usr/share/ipa/html/krb5.ini
+	touch $(DESTDIR)/usr/share/ipa/html/krbrealm.con
+	touch $(DESTDIR)/usr/share/ipa/html/preferences.html
+
 	install -m 0644 contrib/completion/ipa.bash_completion $(DESTDIR)/etc/bash_completion.d/ipa
-	install -m 0644 init/ipa_memcached.conf $(DESTDIR)/etc/default/ipa-memcached
+	install -m 0644 init/ipa_memcached.conf $(DESTDIR)/etc/default/ipa_memcached
 	install -m 0644 init/systemd/ipa_memcached.service $(DESTDIR)/lib/systemd/system
 	install -m 0644 init/systemd/ipa.service $(DESTDIR)/lib/systemd/system
 	install -m 0755 debian/generate-rndc-key.sh $(DESTDIR)/usr/share/ipa
@@ -91,10 +101,6 @@ endif
 	find $(CURDIR)/debian/tmp -name '*.py[c,o]' -exec rm '{}' ';'
 	# fix permissions
 	find $(CURDIR)/debian/tmp -name "*.mo" -type f -exec chmod -x "{}" \;
-	# tmpfiles.d
-	mkdir -p $(CURDIR)/debian/tmp/usr/lib/tmpfiles.d
-	install -m 0644 $(CURDIR)/init/systemd/ipa.conf.tmpfiles \
-		$(CURDIR)/debian/tmp/usr/lib/tmpfiles.d/freeipa.conf
 
 override_dh_install:
 	dh_install --fail-missing