Installing FreeIPA

Installation steps

Container problems

• Expand the UID map for the IPA install to evade LXC limitations.

  • The running container does not give you enough UIDs and Freeipa picks huge UIDs, hovering near MAXINT [1].

content for both /etc/subuid and /etc/subgid

root:5000000:2500000

• Sadly, this prompts a reboot. It’s not required, but it avoids any need to tread lightly.

Machine preparation

• Ensure the static IP is in /etc/hosts with the internal FQDN of your box.

• Ensure the internal FQDN is the default hostname in /etc/hostname

• Open the required ports. Choose one of the below approaches.

Add to /etc/sysconfig/iptables for IP tables config

# SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# Web
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# LDAP
-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
# Kerberos
-A INPUT -p tcp -m tcp --dport 88 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 464 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 464 -m state --state NEW,ESTABLISHED -j ACCEPT
# NTP
-A INPUT -p udp -m udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

run these commands for Firewalld config

firewall-cmd --add-service={ssh,http,https} --permanent
firewall-cmd --add-service={ntp,dns,freeipa-ldap,freeipa-ldaps} --permanent
firewall-cmd --reload

• Prep the box and run the installer.

yum install epel-release
yum -y update
# Really; SSH is missing by default from the Proxmox Centos template
yum install openssh-server
systemctl enable sshd; systemctl start sshd
# Vim is in the list because this advice is for sysadmins
yum -y install bind-utils vim ipa-server ipa-server-dns bindipa-server bind-dyndb-ldap
# ID manipulation in case this is a container
ipa-server-install --idstart=1000000 --idmax=2000000 --setup-dns
kinit admin # Answer the password prompt for the admin user
klist # See if admin is logged in.

• For RHEL8/Cent8…

# Enable the Identity Manager repository
dnf module enable idm:DL1
dnf distro-sync
dnf install -y tcpdump nmap vim strace bind-utils ipa-server-dns ipa-server bind-dyndb-ldap

# Unattended install example with a password in /root/.p
export tdom=local.domain.com
export thost=ipa0
export tdns=172.31.0.2 # AWS example
iplist=`ip a | grep "inet " | grep -v ' 127.0.0' | awk '{print $2}' | perl -pe 's/\/.*//' | xargs -i echo -n '  --ip-address='{}`
ipa-server-install -U -q -N --log-file=/root/ipa-install.log \
    --netbios-name=${tdom} --setup-adtrust \
    --domain=${tdom} --realm=${tdom} \
    --hostname=${thost}.${tdom} ${iplist} \
    --setup-dns --setup-kra --forwarder=${tdns} --no-reverse \
    -p `cat ~/.p` -a `cat ~/.p`

• Answer the prompts as they come. Say yes to the DNS forwarder question, leaving the default and adding any additional ones you want.

Operations

If you forgot mkhomedirs…

authconfig --enablemkhomedir --update

Users

Note

I lost my CAC integration instructions, but will add them when I find them.

• Make a user

Let us give Private Schmuckatelli his own federated account.

ipa user-add pschmuck --first=Private --last=Schmuckatelli --email=pschmuck@mydomain.com --shell=/bin/bash --password

• List users

ipa user-find

• Modify users

# Set every user shell but admin to bash
for f in `ipa user-find | grep "User login:" | perl -pe 's/^.*://' | egrep -v '^admin$'`
do
    ipa user-mod ${f} --shell=/bin/bash
done

• …or use the web GUI.

Client nodes the easy way

Let us assume local.mydomain.com

Note

Systemd is a piece of garbage, so LXC and Docker containers need special handling.

/etc/systemd/system/systemd-hostnamed.service.d/override.conf on LXC or Docker

[Service]
PrivateNetwork=no

Redhat-like

sudo yum -y install epel-release
sudo yum -y install ipa-client
export myipa=ipa0
export mydomain=local.mydomain.com
sudo ipa-client-install --mkhomedir \
    --domain=${mydomain} \
    --server=${myipa}.${mydomain} \
    --hostname=`uname -n | awk -F\. '{print $1}'`.${mydomain}

Debian-like

sudo apt-get update && sudo apt-get -y install freeipa-client
export myipa=ipa0
export mydomain=local.mydomain.com
sudo ipa-client-install --mkhomedir \
    --domain=${mydomain} \
    --server=${myipa}.${mydomain} \
    --hostname=`uname -n | awk -F\. '{print $1}'`.${mydomain}

Centos client nodes - original

• Install IPA client

yum -y install ipa-client # Skip the Kerberos realm auth
ipa-client-install --hostname=`hostname -f` --mkhomedir \
    --server=myserver.mydomain.com --domain mydomain.com \
    --realm MYDOMAIN.COM

• State PAM config for home directories if using Ubuntu

/usr/share/pam-configs/mkhomedir or /etc/pam.d/mkhomedir

Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel

• Make PAM obey

pam-auth-update

• Do the same kinit and klist as above to make sure Kerberos is working.

• Check /etc/nsswitch.conf to ensure “sss” is ahead of “files” where your tastes deem appropriate.

• After any changes, mass execute sss_cache -E everywhere.

Windows client nodes

• …because Windows happens. Sometimes in public.

• Let’s call our IPA server myipa and our realm and our domain mydomain.com.

• Ensure we added a Windows node called mywin to myipa.mydomain.com through the GUI or otherwise with the password mypassword.

Note

Using an alternative to GINA called Pgina will skip the Microsoft obfuscation of the LDAP dialog. Docs to follow.

REM Kerberos config
ksetup /setdomain MYDOMAIN.COM
setup /addkdc MYDOMAIN.COM myipa.mydomain.com
setup /addkpasswd MYDOMAIN.COM myipa.mydomain.com
REM this is the password we set in FreeIPA for this node
setup /setcomputerpassword mypassword
REM no user filters
setup /mapuser * *

• Ensure policy allows Kerberos auth with the right encryption and only the right encryption.

  • Too many choices can breed timeouts and cause delays or failed logins.

  • Open gpedit.msc and browse down the layers as follows:

    • Computer Configuration

      • Windows Settings

        • Security Settings

          • Local Policies

            • Security Options

    • Find “Network Security: Configure encryption types allowed for Kerberos”

    • Deselect everything except RC4_HMAC_MD5

  • Reboot (because Windows)

Applications requiring LDAP

Datum	Content
Server	ipa0.local.mydomain.com
User Search_Base	cn=accounts,dc=local,dc=mydomain,dc=com
User Filter	(objectclass=person)
User Identifier	uid
Group Search_Base	cn=groups,cn=accounts,dc=local,dc=mydomain,dc=com
Group Filter	(objectclass=ipaUserGroup)
Service Account	uid=ldapuser,cn=users,cn=accounts,dc=local,dc=mydomain,dc=com
Service Password	<shared password> (in place of anonymous auth)

Endnotes

[1]

Discovered by user “Zenyatta” on the FreeIPA forum. The post vanished, but I have the content in my notes.