[Freeipa-users] manual client join

Stephen Ingram sbingram at gmail.com
Tue Mar 13 21:16:30 UTC 2012


On Sat, Dec 3, 2011 at 10:56 AM, Dmitri Pal <dpal at redhat.com> wrote:
> On 11/30/2011 03:59 PM, Rob Crittenden wrote:
>> Stephen Ingram wrote:
>>> Rob-
>>>
>>> On Wed, Nov 30, 2011 at 12:04 PM, Rob
>>> Crittenden<rcritten at redhat.com>  wrote:
>>>> Retrieve the CA certificate for the FreeIPA CA.
>>>>
>>>> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>>>>
>>>> Create a separate Kerberos configuration to test the provided
>>>> credentials.
>>>> This enables a Kerberos connection to the FreeIPA XML-RPC server,
>>>> necessary
>>>> to join the FreeIPA client to the FreeIPA domain. This Kerberos
>>>> configuration is ultimately discarded.
>>>>
>>>> - Basically just copy a working krb5.conf to /etc/krb5.conf and set
>>>> up sssd
>>>> or nss_ldap as documented.
>>>>
>>>> # kinit admin
>>>> # ipa-join -s ipa.example.com -b dc=example,dc=com
>>>>
>>>> Or if using a one-time password you can skip the kinit and do
>>>>
>>>> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>>>>
>>>> ipa-join lets IPA know a host is enrolled and retrieves a host
>>>> principal and
>>>> stores it into /etc/krb5.keytab.
>>>>
>>>> Enable certmonger, retrieve an SSL server certificate, and install the
>>>> certificate in /etc/pki/nssdb.
>>>>
>>>> # service messagebus start
>>>> # service certmonger start
>>>> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i
>>>> /etc/ipa/ca.crt
>>>> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
>>>> client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K
>>>> host/client.example.com@EXAMPLE.COM
>>>>
>>>> Disable the nscd daemon.
>>>>
>>>> # service nscd stop
>>>> # chkconfig nscd off
>>>
>>> Thanks, but aren't some of these steps assuming that ipa-client has
>>> been installed on the system? For instance, instead of "# ipa-join -s
>>> ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead
>>> use kadmin to retrieve the keytab and then securely copy it over to
>>> the client system? And, in the case of the ca.crt, if IPA
>>> itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I
>>> realize that I will lose functionality by not having ipa-client, but
>>> just trying to build a case for supporting legacy systems that I would
>>> never want to take the time to adapt ipa-client for.
>>>
>>> Steve
>>
>> The only part assuming that is ipa-join itself. IPA does not support
>> the direct use of kadmin or kadmin.local. On a supported platform
>> you'd run:
>>
>> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p
>> host/remote.example.com
>>
>> Then ship /tmp/remote.keytab to the machine and either use ktutil to
>> combine it with /etc/krb5.keytab or replace krb5.keytab with it (and
>> fix owner and permissions, and potentially SELinux context).
>>
>> certmonger gets its IPA configuration from /etc/ipa/default.conf. If
>> you don't want or have certmonger then you can skip the CA bit
>> altogether. Otherwise you'll need to copy in a working config.
>>
>
> Should any part of this be documented?

This might be beyond what you are thinking, however, to me, one of the
best things about FreeIPA is that because of how flexible you've made
it, I can use as much or as little as I want. These sorts of "small
steps" might also make it easier to integrate into non-Redhat/Fedora
or non-Linux systems. I have compiled and tested the suggestions
offered to me by Rob and put them into an attached text document that
roughly corresponds to the current section 3.4 of the FreeIPA
documentation. It's probably a little rough, but should make a nice
template to help supplement the existing documentation.

Steve
-------------- next part --------------
3.4 Manually Configuring a Linux Client

The ipa-client-install command automatically configures services like Kerberos, SSSD, PAM and NSS. However, there are some situations where the ipa-client-install command cannot be used on a system, or its full capabilities are simply not required. In those instances, the FreeIPA client entries and services can be configured manually.

The entire set of capabilities of FreeIPA can be obtained by installing and configuring SSSD and either using authconfig or editing the PAM configuration files by hand. In instances where only a subset of FreeIPA capabilities are desired, for example a Web service on a system using FreeIPA as an authentication source, only the necessary configuration changes need be implemented.

3.4.1 Retrieve CA Certificate from FreeIPA server

1. Retrieve CA certificate

    # mkdir /etc/ipa

    # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt

2. Import CA certificate

a. Using certutil (NSS):
    # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt

b. Using openssl:
    # openssl x509 -in /etc/ipa/ca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt


3.4.2 Obtain and Import Host Certificate

1. Generate CSR for client machine

a. Using certutil (NSS):
    # certutil -R -s "CN=client.example.com,O=EXAMPLE.COM" -d /etc/pki/nssdb -a > client.example.com.csr

b. Using openssl:
    # openssl req -nodes -new -newkey rsa:2048 -keyout /etc/pki/tls/private/client.example.com.key \
       -out /etc/pki/tls/certs/client.example.com.csr


2. Submit CSR to IPA to obtain certificate

   on IPA server:
   # ipa cert-request --principal host/client.example.com client.example.com.csr

3. Obtain certificate in PEM format

   on IPA server:
   # ipa host-show --out=/tmp/client.example.com.crt client.example.com


4. Import host certificate

a. Using certutil (NSS):
   # certutil -A -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com' -t P,, -a -i client.example.com.crt

b. Using openssl:
   copy client.example.com.crt to /etc/pki/tls/certs directory


3.4.3 Configure /etc/krb5.conf on client machine

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
forwardable = yes
ticket_lifetime = 24h

[realms]
EXAMPLE.COM = {
      kdc = ipaserver.example.com:88
      admin_server = ipaserver.example.com:749
      }
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM


3.4.4 Obtain and Import Host Principal

1. Generate host principal in FreeIPA

    on IPA server:
   # ipa-join -h client.example.com -s ipa.example.com -b dc=example,dc=com

2. Output host principal

    on IPA server:
   # ipa-getkeytab -s ipa.example.com -k /tmp/client.example.com.keytab -p host/client.example.com

3. Securely transport keytab to client machine and then replace /etc/krb5.keytab or merge with existing keytab using ktutil.

a. If replacing or creating new /etc/krb5.keytab, then:

   # chown root:root /etc/krb5.keytab
   # chmod 600 /etc/krb5.keytab

b. If using SELinux, then:

   # chcon -u unconfined_u -r object_r -t krb5_keytab_t -l s0 /etc/krb5.keytab


3.4.5 Disable nscd daemon

   # service nscd stop
   # chkconfig nscd off


3.4.6 Configure system to authenticate and authorize from IPA

1. If setting up legacy LDAP/KRB5 authentication

a. Install nslcd daemon

  # yum install nss-pam-ldapd

b.  Configure /etc/nsswitch.conf, PAM files and nslcd daemon

  # authconfig --enableldap --ldapserver=ldaps://ipa.example.com --ldapbasedn=dc=example,dc=com --ldaploadcacert=http://ipa.example.com/ipa/config/ca.crt --disableldapstarttls --enablekrb5 --krb5kdc=ipa.example.com --krb5adminserver=ipa.example.com --krb5realm=EXAMPLE.COM --updateall

   If authconfig is not available, edit /etc/nsswitch.conf, the PAM system authentication files and either the older PADL (/etc/ldap.conf) files or the newer LDAP nameservice daemon (/etc/nslcd.conf) by hand. (This will vary depending on the operating system.)

2. If using SSSD

a. Install sssd daemon

   # yum install sssd

b. Configure /etc/nsswitch.conf, PAM files and SSSD daemon

  # authconfig --enableldap --ldapserver=ldaps://ipa.example.com --ldapbasedn=dc=example,dc=com --ldaploadcacert=http://ipa.example.com/ipa/config/ca.crt --disableldapstarttls --enablekrb5 --krb5kdc=ipa.example.com --krb5adminserver=ipa.example.com --krb5realm=EXAMPLE.COM --enablesssd --enablesssdauth --updateall

    If authconfig is not available, edit /etc/nsswitch.conf, the PAM system authentication files and the SSSD configuration files (/etc/sssd/sssd.conf) by hand. (Examples are in the current documentation; they will vary on other operating systems.)
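As an added example that is not part of the original post or of FreeIPA's own tooling, the following Python check audits what sections 3.4.3 and 3.4.4 leave on the client: it parses the krb5.conf fragment shown above (a constructed copy of it is embedded) and flags a keytab whose owner or mode does not match the chown/chmod step. Function names are assumptions; realm and host names are the ones used in the text.

```python
# Audit a manual FreeIPA client join (added example): krb5.conf settings from
# section 3.4.3 and the keytab owner/mode required in section 3.4.4.
import stat

# Constructed sample, matching the krb5.conf shown in section 3.4.3.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
      kdc = ipaserver.example.com:88
      admin_server = ipaserver.example.com:749
      }
[domain_realm]
.example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: value or {key: value}}}; handles one level of { } blocks."""
    conf, section, block = {}, None, None
    for line in (ln.split('#', 1)[0].strip() for ln in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == '}':
            block = None                      # end of a realm sub-block
        elif line and section is not None:
            key, _, value = (p.strip() for p in line.partition('='))
            target = section if block is None else block
            if value == '{':
                block = target.setdefault(key, {})   # e.g. EXAMPLE.COM = {
            else:
                target[key] = value
    return conf

def audit_krb5_conf(conf, realm):
    """Findings for the settings the manual join relies on; [] means OK."""
    findings = []
    libdefaults = conf.get('libdefaults', {})
    if libdefaults.get('default_realm') != realm:
        findings.append('default_realm is not ' + realm)
    if libdefaults.get('dns_lookup_kdc', 'true').lower() != 'false':
        findings.append('dns_lookup_kdc should be false when the kdc is pinned')
    if 'kdc' not in conf.get('realms', {}).get(realm, {}):
        findings.append('no kdc configured for ' + realm)
    return findings

def audit_keytab(mode, uid):
    """mode/uid as returned by os.stat('/etc/krb5.keytab'): root-owned, chmod 600."""
    findings = ['keytab not owned by root'] if uid != 0 else []
    if stat.S_IMODE(mode) & 0o077:
        findings.append('keytab readable or writable by group/other')
    return findings
```

On a real client, pass `os.stat('/etc/krb5.keytab').st_mode` and `.st_uid` to `audit_keytab` and the contents of /etc/krb5.conf to `parse_krb5_conf`.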

