Join FreeIPA
This guide describes how to join a Gentoo system to an existing FreeIPA domain.
It does NOT describe how to install a FreeIPA server.
Installation
FQDN must work
root #
hostname
host.domain.com
The returned hostname must match the IPA host entry and the primary (host/...) principal in the keytab.
USE flags
You must enable the following USE flags:
/etc/portage/package.use
net-misc/openssh kerberos
sys-auth/sssd -acl sudo ssh samba
dev-libs/nss utils
app-admin/sudo sssd
net-nds/openldap sasl
net-dns/bind-tools gssapi
dev-libs/cyrus-sasl kerberos
sys-libs/glibc nscd
sys-libs/tdb python
sys-libs/tevent python
IPA Server part
Log in to your FreeIPA server, add the host and fetch its keytab:
root #
kinit admin
root #
ipa host-add --force --ip-address=1.2.3.4 host.domain.com
root #
ipa-getkeytab -s ipa_server.domain.com -p host/host.domain.com -k /tmp/ipaclient.keytab
root #
scp /tmp/ipaclient.keytab host.domain.com:/etc/krb5.keytab
root #
rm /tmp/ipaclient.keytab
Emerge
root #
emerge --ask app-crypt/mit-krb5 sys-auth/sssd net-misc/ntp app-admin/sudo net-misc/openssh
Additional steps
Fetch the FreeIPA CA certificate. --no-check-certificate is needed because the IPA CA is not yet trusted by this host, so verify the fetched certificate (for example its fingerprint, compared out of band with the server) before relying on it:
root #
mkdir /etc/ipa; wget --no-check-certificate -O /etc/ipa/ca.crt https://ipa_server.domain.com/ipa/config/ca.crt
Configuration
Replace $IPA_DOMAIN with your FreeIPA domain and $IPA_SERVER with your FreeIPA server. Replace $REALM.COM with your FreeIPA Kerberos realm and $domain.com with your DNS domain.
Kerberos
/etc/krb5.conf
[logging]
 kdc = FILE:/var/log/kerberos/kdc.log
 admin_server = FILE:/var/log/kerberos/kadmin.log
 default = FILE:/var/log/kerberos/krb5.log

[libdefaults]
 default_realm = $REALM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}
 pkinit_anchors = FILE:/etc/ipa/ca.crt

[realms]
 $REALM.COM = {
  kdc = $IPA_SERVER
 }

[domain_realm]
 .$domain.com = $REALM.COM
 $domain.com = $REALM.COM
sssd
/etc/sssd/sssd.conf
[domain/$IPA_DOMAIN]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = $IPA_DOMAIN
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
# Remove the following line if auto-discovery is enabled
ipa_server = $IPA_SERVER, _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
ldap_id_use_start_tls = true
ldap_sasl_mech = GSSAPI

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = $IPA_DOMAIN

[nss]
memcache_timeout = 600
homedir_substring = /home
root #
chmod 600 /etc/sssd/sssd.conf
PAM
Enable pam_sss in the PAM stack:
/etc/pam.d/system-auth
auth       required      pam_env.so
auth       [default=1 success=ok] pam_localuser.so
auth       [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth       sufficient    pam_sss.so forward_pass
auth       required      pam_deny.so

account    required      pam_unix.so
account    sufficient    pam_localuser.so
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required      pam_permit.so

password   required      pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   sufficient    pam_sss.so use_authtok
password   required      pam_deny.so

session    required      pam_limits.so
session    optional      pam_mkhomedir.so umask=0077 skel=/etc/skel
session    required      pam_unix.so
session    optional      pam_sss.so
NSS
/etc/nsswitch.conf
passwd:     compat sss files
shadow:     compat sss files
group:      compat sss files
hosts:      files dns
networks:   files dns
services:   db files sss
protocols:  db files
rpc:        db files
ethers:     db files
netmasks:   files
netgroup:   files sss
bootparams: files
automount:  files
aliases:    files
sudoers:    files sss
Service
OpenRC
root #
/etc/init.d/sssd start; rc-update add sssd default
sshd
Set up sshd:
/etc/ssh/sshd_config
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
Usage
To obtain the host/host.domain.com@REALM.COM ticket that your host uses to prove its identity, run:
root #
kinit -k
root #
klist
This shows that your Gentoo system can use /etc/sssd/sssd.conf, /etc/krb5.conf and /etc/krb5.keytab to talk to FreeIPA over LDAP with SASL, secured by Kerberos.
root #
id $USERNAME
This prints the membership of $USERNAME in local and FreeIPA groups, which means that you can query FreeIPA over LDAP.
root #
sudo -ll -U $USERNAME
This prints the sudo rules that come from FreeIPA's HBAC.
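The preconditions and checks from the Installation and Usage sections, gathered into one script. This is an added example, not code from the wiki page: it verifies that the hostname matches the host/ principal in the keytab, that sssd.conf is mode 600 and the CA certificate is present, and only then runs kinit -k as above. The function names, the --live switch and the host.domain.com / REALM.COM placeholders are assumptions.

```shell
#!/bin/sh
# Post-join sanity checks for a Gentoo FreeIPA client. Added example, not code from
# the wiki page; host.domain.com and REALM.COM are the page's placeholders.

# realm_from_krb5_conf FILE: print default_realm from the [libdefaults] section
realm_from_krb5_conf() {
    awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# keytab_has_host_principal KLIST_OUTPUT FQDN REALM
# Succeeds when the output of `klist -k /etc/krb5.keytab` lists host/FQDN@REALM
# (exact match on the principal column, so a longer or shorter name does not pass).
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '$2 == want { found = 1 } END { exit !found }'
}

# file_mode_is_0600 FILE: the page requires /etc/sssd/sssd.conf to be chmod 600 (GNU stat)
file_mode_is_0600() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# run_live_checks: run as root on the joined host; uses the page's own commands
run_live_checks() {
    fqdn=$(hostname)                         # must return the FQDN, as the page requires
    realm=$(realm_from_krb5_conf /etc/krb5.conf)
    keytab_has_host_principal "$(klist -k /etc/krb5.keytab)" "$fqdn" "$realm" \
        || { echo "keytab has no host/$fqdn@$realm principal" >&2; return 1; }
    file_mode_is_0600 /etc/sssd/sssd.conf \
        || { echo "/etc/sssd/sssd.conf is not mode 0600" >&2; return 1; }
    [ -s /etc/ipa/ca.crt ] || { echo "/etc/ipa/ca.crt is missing" >&2; return 1; }
    kinit -k && klist                        # obtain and show the host ticket
}

# Only touch the live system when asked: sh ipa-check.sh --live
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```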
Troubleshooting
It is also useful to troubleshoot sssd by stopping the service and running it in the foreground with debug output:
root #
/etc/init.d/sssd stop
root #
sssd -i -d5
External resources
- [1] FreeIPA project