Join FreeIPA


This guide describes how to join a Gentoo system to an existing FreeIPA domain. It does NOT describe how to install the FreeIPA server.


FQDN must work

root #hostname

The returned hostname must match the host's IPA hostname and the hostname in the keytab's host/ principal.

USE flags

You must enable the following USE flags:

FILE /etc/portage/package.use
net-misc/openssh kerberos
sys-auth/sssd -acl sudo ssh samba
dev-libs/nss utils
app-admin/sudo sssd
net-nds/openldap sasl
net-dns/bind-tools gssapi
dev-libs/cyrus-sasl kerberos
sys-libs/glibc nscd
sys-libs/tdb python
sys-libs/tevent python

IPA Server part

Log in to your FreeIPA server, add the host and fetch its keytab:

root #kinit admin
root #ipa host-add --force --ip-address=
root #ipa-getkeytab -s -p host/ -k /tmp/ipaclient.keytab
root #scp /tmp/ipaclient.keytab
root #rm /tmp/ipaclient.keytab


root #emerge --ask app-crypt/mit-krb5 sys-auth/sssd net-misc/ntp app-admin/sudo net-misc/openssh

Additional steps

root #mkdir /etc/ipa; wget --no-check-certificate -O /etc/ipa/ca.crt


Because the CA certificate above is fetched with --no-check-certificate, verify the downloaded /etc/ipa/ca.crt (for example by comparing its fingerprint with the copy on the IPA server) before the configuration below starts trusting it. Replace $IPA_DOMAIN with your FreeIPA domain and $IPA_SERVER with your FreeIPA server. Replace $REALM.COM with your FreeIPA Kerberos realm. Replace the bare $ placeholder with your DNS domain.


FILE /etc/krb5.conf
        kdc = FILE:/var/log/kerberos/kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5.log

        default_realm = $REALM.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        rdns = false
        ticket_lifetime = 24h
        forwardable = yes
        udp_preference_limit = 0 
        default_ccache_name = KEYRING:persistent:%{uid}
        pkinit_anchors = FILE:/etc/ipa/ca.crt

        $REALM.COM = {
                kdc = $IPA_SERVER

        .$ = $REALM.COM
        $ = $REALM.COM


FILE /etc/sssd/sssd.conf
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = $IPA_DOMAIN
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = $IPA_SERVER, _srv_ # Remove this line if auto-discovery is enabled
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = true
ldap_sasl_mech = GSSAPI

services = nss, sudo, pam, ssh
config_file_version = 2
domains = $IPA_DOMAIN

memcache_timeout = 600
homedir_substring = /home

root #chmod 600 /etc/sssd/sssd.conf


Enable SSS in PAM

FILE /etc/pam.d/system-auth
auth            required
auth            [default=1 success=ok]
auth            [success=done ignore=ignore default=die] nullok try_first_pass
auth            sufficient forward_pass
auth            required
account         required
account         sufficient
account         [default=bad success=ok user_unknown=ignore]
account         required
password        required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient sha512 shadow nullok try_first_pass use_authtok
password        sufficient use_authtok
password        required
session         required
session         optional umask=0077 skel=/etc/skel
session         required
session         optional


FILE /etc/nsswitch.conf
passwd:      compat sss files
shadow:      compat sss files
group:       compat sss files

hosts:       files dns
networks:    files dns

services:    db files sss
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files sss
bootparams:  files

automount:   files
aliases:     files

sudoers:     files sss



root #/etc/init.d/sssd start; rc-update add sssd default


Setup sshd

FILE /etc/ssh/sshd_config
PubkeyAuthentication yes
UsePAM yes        
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody


To obtain the host/ ticket that your host uses to prove its identity, try:

root #kinit -k
root #klist

This shows that your Gentoo system can use /etc/sssd/sssd.conf, /etc/krb5.conf and /etc/krb5.keytab to talk to FreeIPA over LDAP with SASL, secured by Kerberos.

root #id $USERNAME

This prints the membership of $USERNAME in local and FreeIPA groups, which confirms that you can query FreeIPA over LDAP.

root #sudo -ll -U $USERNAME

This prints the sudo rules that come from FreeIPA's HBAC.


To troubleshoot sssd, it is also useful to stop the service and run it in the foreground like this:

root #/etc/init.d/sssd stop
root #sssd -i -d5

External resources

  • [1] FreeIPA project