Join FreeIPA



This guide describes how to join a Gentoo system to an existing FreeIPA domain. It does NOT describe how to install the FreeIPA server itself.

Installation

FQDN must work

root #hostname
host.domain.com

The returned hostname must match the host's IPA hostname and the hostname in the keytab's host principal (host/host.domain.com).

USE flags

You must enable the following USE flags:

FILE /etc/portage/package.use
net-misc/openssh kerberos
sys-auth/sssd -acl sudo ssh samba
dev-libs/nss utils
app-admin/sudo sssd
net-nds/openldap sasl
net-dns/bind-tools gssapi
dev-libs/cyrus-sasl kerberos
sys-libs/glibc nscd
sys-libs/tdb python
sys-libs/tevent python

IPA Server part

Log in to your FreeIPA server, add the host and retrieve its keytab. The keytab is the host's long-term Kerberos credential: make sure the copy installed as /etc/krb5.keytab is owned by root and readable only by root, and delete the temporary copy as shown below.

root #kinit admin
root #ipa host-add --force --ip-address=1.2.3.4 host.domain.com
root #ipa-getkeytab -s ipa_server.domain.com -p host/host.domain.com -k /tmp/ipaclient.keytab
root #scp /tmp/ipaclient.keytab host.domain.com:/etc/krb5.keytab
root #rm /tmp/ipaclient.keytab

Emerge

root #emerge --ask app-crypt/mit-krb5 sys-auth/sssd net-misc/ntp app-admin/sudo net-misc/openssh

Additional steps

Fetch the IPA CA certificate that the Kerberos and sssd configuration below will trust. Note that --no-check-certificate disables TLS verification for this download, so verify the downloaded certificate out of band (for example by comparing its fingerprint with the one on the IPA server) before relying on it as a trust anchor.

root #mkdir /etc/ipa; wget --no-check-certificate -O /etc/ipa/ca.crt https://ipa_server.domain.com/ipa/config/ca.crt

Configuration

In the files below, replace $IPA_DOMAIN with your FreeIPA domain, $IPA_SERVER with your FreeIPA server, $REALM.COM with your FreeIPA Kerberos realm and $domain.com with your DNS domain.

Kerberos

FILE /etc/krb5.conf
[logging]
        kdc = FILE:/var/log/kerberos/kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5.log

[libdefaults]
        default_realm = $REALM.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        rdns = false
        ticket_lifetime = 24h
        forwardable = yes
        udp_preference_limit = 0 
        default_ccache_name = KEYRING:persistent:%{uid}
        pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
        $REALM.COM = {
                kdc = $IPA_SERVER
               }

[domain_realm]
        .$domain.com = $REALM.COM
        $domain.com = $REALM.COM

sssd

FILE /etc/sssd/sssd.conf
[domain/$IPA_DOMAIN]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = $IPA_DOMAIN
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = $IPA_SERVER, _srv_ # Remove this line if auto-discovery is enabled
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = true
ldap_sasl_mech = GSSAPI

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = $IPA_DOMAIN

[nss]
memcache_timeout = 600
homedir_substring = /home


root #chmod 600 /etc/sssd/sssd.conf

PAM

Enable pam_sss in the PAM stack:

FILE /etc/pam.d/system-auth
auth            required        pam_env.so
auth            [default=1 success=ok] pam_localuser.so
auth            [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth            sufficient      pam_sss.so forward_pass
auth            required        pam_deny.so
account         required        pam_unix.so
account         sufficient      pam_localuser.so
account         [default=bad success=ok user_unknown=ignore] pam_sss.so
account         required        pam_permit.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password        sufficient      pam_sss.so use_authtok
password        required        pam_deny.so
session         required        pam_limits.so
session         optional        pam_mkhomedir.so umask=0077 skel=/etc/skel
session         required        pam_unix.so
session         optional        pam_sss.so

NSS

FILE /etc/nsswitch.conf
passwd:      compat sss files
shadow:      compat sss files
group:       compat sss files

hosts:       files dns
networks:    files dns

services:    db files sss
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files sss
bootparams:  files

automount:   files
aliases:     files

sudoers:     files sss

Service

OpenRC

root #/etc/init.d/sssd start; rc-update add sssd default

sshd

Set up sshd:

FILE /etc/ssh/sshd_config
PubkeyAuthentication yes
UsePAM yes        
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

Usage

To obtain the host/hostname.domain.com@REALM.COM ticket that your host uses to prove its identity, run:

root #kinit -k
root #klist

This shows that your Gentoo system can use /etc/sssd/sssd.conf, /etc/krb5.conf and /etc/krb5.keytab to talk to FreeIPA over LDAP with SASL (GSSAPI) secured by Kerberos.

root #id $USERNAME

This prints the membership of $USERNAME in local and FreeIPA groups, which means that you can query FreeIPA over LDAP.

root #sudo -ll -U $USERNAME

This prints the sudo rules that come from FreeIPA's sudo rule configuration (HBAC rules, by contrast, control which hosts a user may log in to rather than what they may run with sudo).

Troubleshooting

It is also useful to troubleshoot sssd by stopping the service and running it in the foreground with debug output:

root #/etc/init.d/sssd stop
root #sssd -i -d5

External resources

  • [1] FreeIPA project