Join FreeIPA

From Gentoo Wiki
Jump to: navigation, search


This will guide you how to join Gentoo to an existing FreeIPA domain. This guide will NOT describe how to install FreeIPA server.

Installation

FQDN must work

root #hostname
host.domain.com

Returned hostname must match IPA hostname and primary hostname of keytab.

USE flags

You must enable following USE flags

FILE /etc/portage/package.use
net-misc/openssh kerberos
sys-auth/sssd -acl sudo ssh samba
dev-libs/nss utils
app-admin/sudo sssd
net-nds/openldap sasl
net-dns/bind-tools gssapi
dev-libs/cyrus-sasl kerberos
sys-libs/glibc nscd
sys-libs/tdb python
sys-libs/tevent python

IPA Server part

Login to your freeIPA server add-host and get-keytab

root #kinit admin
root #ipa host-add --force --ip-address=1.2.3.4 host.domain.com
root #ipa-getkeytab -s ipa_server.domain.com -p host/host.domain.com -k /tmp/ipaclient.keytab
root #scp /tmp/ipaclient.keytab host.domain.com:/etc/krb5.keytab
root #rm /tmp/ipaclient.keytab

Emerge

root #emerge --ask app-crypt/mit-krb5 sys-auth/sssd net-misc/ntp app-admin/sudo net-misc/openssh

Additional steps

root #mkdir /etc/ipa; wget --no-check-certificate -O /etc/ipa/ca.crt https://ipa_server.domain.com/ipa/config/ca.crt

Configuration

Change $IPA_DOMAIN to your FreeIPA domain and $IPA_SERVER to your FreeIPA server. Change $REALM.COM to your FreeIPA kerberos REALM. Change $domain.com to your DNS domain.

Kerberos

FILE /etc/krb5.conf
[logging]
        kdc = FILE:/var/log/kerberos/kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5.log

[libdefaults]
        default_realm = $REALM.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        rdns = false
        ticket_lifetime = 24h
        forwardable = yes
        udp_preference_limit = 0 
        default_ccache_name = KEYRING:persistent:%{uid}
        pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
        $REALM.COM = {
                kdc = $IPA_SERVER
               }

[domain_realm]
        .$domain.com = $REALM.COM
        $domain.com = $REALM.COM

sssd

FILE /etc/sssd/sssd.conf
[domain/$IPA_DOMAIN]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = $IPA_DOMAIN
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = $IPA_SERVER, _srv_ # Remove this line if auto-discovery is enabled
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = true
ldap_sasl_mech = GSSAPI

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = $IPA_DOMAIN

[nss]
memcache_timeout = 600
homedir_substring = /home


root #chmod 600 /etc/sssd/sssd.conf

PAM

Enable SSS in PAM

FILE /etc/pam.d/system-auth
auth            required        pam_env.so
auth            [default=1 success=ok] pam_localuser.so
auth            [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth            sufficient      pam_sss.so forward_pass
auth            required        pam_deny.so
account         required        pam_unix.so
account         sufficient      pam_localuser.so
account         [default=bad success=ok user_unknown=ignore] pam_sss.so
account         required        pam_permit.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password        sufficient      pam_sss.so use_authtok
password        required        pam_deny.so
session         required        pam_limits.so
session         optional        pam_mkhomedir.so umask=0077 skel=/etc/skel
session         required        pam_unix.so
session         optional        pam_sss.so

NSS

FILE /etc/nsswitch.conf
passwd:      compat sss files
shadow:      compat sss files
group:       compat sss files

hosts:       files dns
networks:    files dns

services:    db files sss
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files sss
bootparams:  files

automount:   files
aliases:     files

sudoers:     files sss

Service

OpenRC

root #/etc/init.d/sssd start; rc-update add sssd default

sshd

Setup sshd

FILE /etc/ssh/sshd_config
PubkeyAuthentication yes
UsePAM yes        
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

Usage

To obtain host/hostname.domain.com/REALM.COM ticket that your host use to prove its identity try

root #kinit -k
root #klist

This show that your Gentoo can use /etc/sssd/sssd.conf, /etc/krb5.conf and /etc/krb5.keytab to talk to freeipa over LDAP with SASL secured by Kerberos

root #id $USERNAME

Will print membership of $USERNAME in local and freeipa groups. It means that you can query freeipa over ldap.

root #sudo -ll -U $USERNAME

This will print sudo rules that comes from freeipa's HBAC.

Troubleshooting

It's also useful to troubleshot sssd like this

root #/etc/init.d/sssd stop
root #sssd -i -d5

External resources

  • [1] FreeIPA project


Category:Authentication