Installing FreeIPA
##################

Installation steps
==================

Container problems
------------------

* Expand the UID map for the IPA install to evade LXC limitations.
* The running container does not give you enough UIDs, and FreeIPA picks huge UIDs, hovering near MAXINT [#]_.

.. code-block:: bash
   :caption: content for both /etc/subuid and /etc/subgid
   :linenos:

   root:5000000:2500000

* Sadly, this prompts a reboot. It's not required, but it avoids any need to tread lightly.

Machine preparation
-------------------

* Ensure the **static** IP is in /etc/hosts with the internal FQDN of your box.
* Ensure the internal FQDN is the default hostname in /etc/hostname.
* Open the required ports. Choose one of the approaches below.

.. code-block:: bash
   :caption: Add to /etc/sysconfig/iptables for iptables config
   :linenos:

   # SSH
   -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
   # Web
   -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
   -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
   # LDAP
   -A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
   -A INPUT -p tcp -m tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
   # Kerberos
   -A INPUT -p tcp -m tcp --dport 88 -m state --state NEW,ESTABLISHED -j ACCEPT
   -A INPUT -p tcp -m tcp --dport 464 -m state --state NEW,ESTABLISHED -j ACCEPT
   -A INPUT -p udp -m udp --dport 88 -m state --state NEW,ESTABLISHED -j ACCEPT
   -A INPUT -p udp -m udp --dport 464 -m state --state NEW,ESTABLISHED -j ACCEPT
   # NTP
   -A INPUT -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

.. code-block:: bash
   :caption: run these commands for firewalld config
   :linenos:

   firewall-cmd --add-service={ssh,http,https} --permanent
   firewall-cmd --add-service={ntp,dns,freeipa-ldap,freeipa-ldaps} --permanent
   firewall-cmd --reload

* Prep the box and run the installer.

.. code-block:: bash
   :linenos:

   yum install epel-release
   yum -y update
   # Really; SSH is missing by default from the Proxmox CentOS template
   yum install openssh-server
   systemctl enable sshd; systemctl start sshd
   # Vim is in the list because this advice is for sysadmins
   yum -y install bind-utils vim ipa-server ipa-server-dns bind bind-dyndb-ldap
   # ID manipulation in case this is a container
   ipa-server-install --idstart=1000000 --idmax=2000000 --setup-dns
   kinit admin   # Answer the password prompt for the admin user
   klist         # See if admin is logged in

* For RHEL 8 / CentOS 8...

.. code-block:: bash
   :linenos:

   # Enable the Identity Manager repository
   dnf module enable idm:DL1
   dnf distro-sync
   dnf install -y tcpdump nmap vim strace bind-utils ipa-server-dns ipa-server bind-dyndb-ldap

.. code-block:: bash
   :linenos:

   # Unattended install example with a password in /root/.p
   export tdom=local.domain.com
   export thost=ipa0
   export tdns=172.31.0.2   # AWS example
   # Kerberos realms are upper-case, and a NetBIOS name may not contain dots
   trealm=$(echo ${tdom} | tr a-z A-Z)
   tnetbios=$(echo ${tdom} | cut -d. -f1 | tr a-z A-Z)
   # One --ip-address flag per non-loopback address on the box
   iplist=`ip a | grep "inet " | grep -v ' 127.0.0' | awk '{print $2}' | perl -pe 's/\/.*//' | xargs -i echo -n ' --ip-address='{}`
   ipa-server-install -U -q -N --log-file=/root/ipa-install.log \
       --netbios-name=${tnetbios} --setup-adtrust \
       --domain=${tdom} --realm=${trealm} \
       --hostname=${thost}.${tdom} ${iplist} \
       --setup-dns --setup-kra --forwarder=${tdns} --no-reverse \
       -p `cat ~/.p` -a `cat ~/.p`

* Answer the prompts as they come. Say yes to the DNS forwarder question, leaving the default and adding any additional ones you want.

Operations
==========

If you forgot mkhomedirs...
---------------------------

.. code-block:: bash
   :linenos:

   authconfig --enablemkhomedir --update

Users
-----

.. note:: I lost my CAC integration instructions, but will add them when I find them.

* Make a user. Let us give Private Schmuckatelli his own federated account.

.. code-block:: bash
   :linenos:

   ipa user-add pschmuck --first=Private --last=Schmuckatelli --email=pschmuck@mydomain.com --shell=/bin/bash --password

* List users.

.. code-block:: bash
   :linenos:

   ipa user-find

* Modify users.

.. code-block:: bash
   :linenos:

   # Set every user shell but admin to bash
   for f in `ipa user-find | grep "User login:" | perl -pe 's/^.*://' | egrep -v '^admin$'`
   do
       ipa user-mod ${f} --shell=/bin/bash
   done

* ...or use the web GUI.

Client nodes the easy way
-------------------------

Let us assume the domain is **local.mydomain.com**.

.. note:: Systemd is a piece of garbage, so LXC and Docker containers need special handling.

.. code-block:: ini
   :linenos:
   :caption: /etc/systemd/system/systemd-hostnamed.service.d/override.conf on LXC or Docker

   [Service]
   PrivateNetwork=no

.. code-block:: bash
   :linenos:
   :caption: Redhat-like

   sudo yum -y install epel-release
   sudo yum -y install ipa-client
   export myipa=ipa0
   export mydomain=local.mydomain.com
   sudo ipa-client-install --mkhomedir \
       --domain=${mydomain} \
       --server=${myipa}.${mydomain} \
       --hostname=`uname -n | awk -F\. '{print $1}'`.${mydomain}

.. code-block:: bash
   :linenos:
   :caption: Debian-like

   sudo apt-get update && sudo apt-get -y install freeipa-client
   export myipa=ipa0
   export mydomain=local.mydomain.com
   sudo ipa-client-install --mkhomedir \
       --domain=${mydomain} \
       --server=${myipa}.${mydomain} \
       --hostname=`uname -n | awk -F\. '{print $1}'`.${mydomain}

CentOS client nodes - original
------------------------------

* Install the IPA client.

.. code-block:: bash
   :linenos:

   yum -y install ipa-client
   # Skip the Kerberos realm auth
   ipa-client-install --hostname=`hostname -f` --mkhomedir \
       --server=myserver.mydomain.com --domain mydomain.com \
       --realm MYDOMAIN.COM

* State the PAM config for home directories if using Ubuntu.

.. code-block:: text
   :caption: /usr/share/pam-configs/mkhomedir or /etc/pam.d/mkhomedir
   :linenos:

   Name: activate mkhomedir
   Default: yes
   Priority: 900
   Session-Type: Additional
   Session:
           required pam_mkhomedir.so umask=0022 skel=/etc/skel

* Make PAM obey.

.. code-block:: bash
   :linenos:

   pam-auth-update

* Do the same kinit and klist as above to make sure Kerberos is working.
* Check /etc/nsswitch.conf to ensure "sss" is ahead of "files" where your tastes deem appropriate.
* After any changes, mass execute ``sss_cache -E`` everywhere.

Windows client nodes
--------------------

* ...because Windows happens. Sometimes in public.
* Let's call our IPA server **myipa** and our realm and our domain **mydomain.com**.
* Ensure we added a Windows node called **mywin** to myipa.mydomain.com, through the GUI or otherwise, with the password **mypassword**.

.. note:: Using an alternative to GINA called pGina will skip the Microsoft obfuscation of the LDAP dialog. Docs to follow.

.. code-block:: batch
   :linenos:

   REM Kerberos config
   ksetup /setdomain MYDOMAIN.COM
   ksetup /addkdc MYDOMAIN.COM myipa.mydomain.com
   ksetup /addkpasswd MYDOMAIN.COM myipa.mydomain.com
   REM this is the password we set in FreeIPA for this node
   ksetup /setcomputerpassword mypassword
   REM no user filters
   ksetup /mapuser * *

* Ensure policy allows Kerberos auth with the right encryption and only the right encryption.
* Too many choices can breed timeouts and cause delays or failed logins.
* Open *gpedit.msc* and browse down the layers as follows:

  * Computer Configuration
  * Windows Settings
  * Security Settings
  * Local Policies
  * Security Options

* Find "Network Security: Configure encryption types allowed for Kerberos".
* Deselect everything except RC4_HMAC_MD5.
* Reboot (because Windows).

Applications requiring LDAP
---------------------------

+-------------------+---------------------------------------------------------------+
| Datum             | Content                                                       |
+===================+===============================================================+
| Server            | ipa0.local.mydomain.com                                       |
+-------------------+---------------------------------------------------------------+
| User Search_Base  | cn=accounts,dc=local,dc=mydomain,dc=com                       |
+-------------------+---------------------------------------------------------------+
| User Filter       | (objectclass=person)                                          |
+-------------------+---------------------------------------------------------------+
| User Identifier   | uid                                                           |
+-------------------+---------------------------------------------------------------+
| Group Search_Base | cn=groups,cn=accounts,dc=local,dc=mydomain,dc=com             |
+-------------------+---------------------------------------------------------------+
| Group Filter      | (objectclass=ipaUserGroup)                                    |
+-------------------+---------------------------------------------------------------+
| Service Account   | uid=ldapuser,cn=users,cn=accounts,dc=local,dc=mydomain,dc=com |
+-------------------+---------------------------------------------------------------+
| Service Password  | (in place of anonymous auth)                                  |
+-------------------+---------------------------------------------------------------+

Endnotes
========

.. [#] Discovered by user "Zenyatta" on the FreeIPA forum. The post vanished, but I have the content in my notes.
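For the LDAP application settings in the table above, here is an added example (not code from the original page) in Python that derives the table's DNs from the domain name and builds search filters with RFC 4515 escaping, so an application wiring up FreeIPA does not let a login name widen the user lookup. The helper names (``ipa_ldap_settings``, ``user_lookup_filter`` and friends) are hypothetical, and it also generalises beyond the table's single domain.

```python
"""Added example (not from the original page): derive the FreeIPA LDAP
settings of the table for any IPA domain and build injection-safe filters."""

# Characters that RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted text (a login, a DN) before it goes into a filter,
    so it cannot widen the search with '*' or close a parenthesis early."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def base_dn(domain: str) -> str:
    """local.mydomain.com -> dc=local,dc=mydomain,dc=com"""
    return ",".join(f"dc={label}" for label in domain.lower().split("."))


def ipa_ldap_settings(domain: str, server: str, service_uid: str) -> dict:
    """The rows of the table, generated for the given domain (hypothetical helper)."""
    dn = base_dn(domain)
    return {
        "server": f"{server}.{domain}",
        "user_search_base": f"cn=accounts,{dn}",
        "user_filter": "(objectclass=person)",
        "user_identifier": "uid",
        "group_search_base": f"cn=groups,cn=accounts,{dn}",
        "group_filter": "(objectclass=ipaUserGroup)",
        # Bind as a dedicated, low-privilege account rather than anonymously.
        "service_account": f"uid={service_uid},cn=users,cn=accounts,{dn}",
    }


def user_lookup_filter(settings: dict, login: str) -> str:
    """Filter that finds one person by login, with the login escaped."""
    attr = settings["user_identifier"]
    return f"(&{settings['user_filter']}({attr}={escape_filter_value(login)}))"


def group_lookup_filter(settings: dict, user_dn: str) -> str:
    """Filter for the IPA groups whose 'member' attribute holds this user's DN."""
    return f"(&{settings['group_filter']}(member={escape_filter_value(user_dn)}))"


if __name__ == "__main__":
    s = ipa_ldap_settings("local.mydomain.com", "ipa0", "ldapuser")
    print(s["service_account"])
    print(user_lookup_filter(s, "pschmuck"))
    print(user_lookup_filter(s, "p*"))  # the wildcard is neutralised, not interpreted
```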