This is the manual process for enrolling a host running SUSE/SLE 12 SP2 with FreeIPA.

The following reference documentation was used to create this process:

- An outdated guide on Enrolling a SUSE machine with FreeIPA
- The Manual FreeIPA guide from the Red Hat documentation.

I do not recommend using YaST to set this up, however it is useful for checking whether the configuration is valid. SUSE/SLE has all the packages required to use FreeIPA but does not ship the convenient ipa-client tools, such as `ipa-client-install`.
- The host must have a fully qualified domain name.
- The host must be able to resolve the FreeIPA server hostname.
- The FreeIPA server must be in the host's `/etc/resolv.conf` as a nameserver, and it should be the first nameserver.
- The host must have a route to the FreeIPA server.
- The FreeIPA server is assumed to be managing:
  - the Kerberos realm
  - the DNS domain
- The host must be able to connect to the following services (port and protocol) on the FreeIPA server:
  - ntp (123 TCP)
  - http (80 TCP)
  - https (443 TCP)
  - ldap (389 TCP)
  - ldaps (636 TCP)
  - Kerberos (88 TCP/UDP)
  - kpasswd (464 TCP/UDP)
  - dns (53 TCP/UDP)
- Create the host entry and DNS for the host to be enrolled:

  ```shell
  kinit admin
  ipa host-add hostname.your.domain.org --ip-address=192.168.XXX.XXX
  ```
- Set the FreeIPA server to manage the host:

  ```shell
  ipa host-add-managedby --hosts=ipa-server.your.domain.org hostname.your.domain.org
  ```
- Retrieve the host's keytab, send it to the host, and delete the local copy:

  ```shell
  ipa-getkeytab -s ipa-server.your.domain.org -p host/hostname.your.domain.org -k hostname.krb5.keytab
  scp hostname.krb5.keytab root@hostname.your.domain.org:.
  rm hostname.krb5.keytab
  ```
- Log into the host to be installed as root.
- Install the packages required for FreeIPA and the sssd IPA module (the `yast2-auth-client` package can be omitted):

  ```shell
  zypper install yast2-auth-client sssd sssd-ipa krb5-client openldap2-client sssd-ad cyrus-sasl-gssapi
  ```
- Deploy the host's keytab:

  ```shell
  mv ~/hostname.krb5.keytab /etc/krb5.keytab
  chown root:root /etc/krb5.keytab
  chmod 0600 /etc/krb5.keytab
  ```
- Retrieve the FreeIPA server's CA certificate and add it to the system trust store:

  ```shell
  mkdir /etc/ipa
  wget -O /etc/ipa/ca.crt http://ipa-server.your.domain.org/ipa/config/ca.crt
  cp /etc/ipa/ca.crt /etc/pki/trust/anchors/ipa.crt
  update-ca-certificates
  ```
- Edit `/etc/nsswitch.conf`:

  ```
  #
  # /etc/nsswitch.conf
  #
  # An example Name Service Switch config file. This file should be
  # sorted with the most-used services at the beginning.
  #
  # The entry '[NOTFOUND=return]' means that the search for an
  # entry should stop if the search in the previous entry turned
  # up nothing. Note that if the search failed due to some other reason
  # (like no NIS server responding) then the search continues with the
  # next entry.
  #
  # Legal entries are:
  #
  #       compat                  Use compatibility setup
  #       nisplus                 Use NIS+ (NIS version 3)
  #       nis                     Use NIS (NIS version 2), also called YP
  #       dns                     Use DNS (Domain Name Service)
  #       files                   Use the local files
  #       [NOTFOUND=return]       Stop searching if not found so far
  #
  # For more information, please read the nsswitch.conf.5 manual page.
  #

  # passwd: files nis
  # shadow: files nis
  # group:  files nis

  passwd:         files sss
  shadow:         files sss
  group:          files sss

  hosts:          files dns
  networks:       files dns

  services:       files sss
  protocols:      files
  rpc:            files
  ethers:         files
  netmasks:       files
  netgroup:       files nis sss
  publickey:      files

  bootparams:     files
  automount:      files nis sss
  aliases:        files
  sudoers:        files sss
  ```
- Edit `/etc/sssd/sssd.conf` (this step would be handled by Cray CME on an XC50, with the hostname substituted in `{{ipa_hostname}}`):

  ```ini
  [sssd]
  config_file_version = 2
  services = nss, pam, ssh, sudo
  # SSSD will not start if you do not configure any domains.
  # Add new domain configurations as [domain/<NAME>] sections, and
  # then add the list of domains (in the order you want them to be
  # queried) to the "domains" attribute below and uncomment it.
  domains = your.domain.org

  [nss]
  homedir_substring = /home

  [pam]

  [domain/your.domain.org]
  cache_credentials = True
  krb5_store_password_if_offline = True
  krb5_realm = YOUR.DOMAIN.ORG
  ipa_domain = your.domain.org
  id_provider = ipa
  auth_provider = ipa
  access_provider = ipa
  ipa_hostname = hostname.your.domain.org
  chpass_provider = ipa
  ipa_server = _srv_, ipa-server.your.domain.org
  ldap_tls_cacert = /etc/ipa/ca.crt
  ```
- Edit `/etc/krb5.conf`:

  ```ini
  [libdefaults]
  default_realm = YOUR.DOMAIN.ORG
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

  [realms]
  YOUR.DOMAIN.ORG = {
    kdc = ipa-server.your.domain.org:88
    master_kdc = ipa-server.your.domain.org:88
    admin_server = ipa-server.your.domain.org:749
    kpasswd_server = ipa-server.your.domain.org:464
    default_domain = your.domain.org
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

  [domain_realm]
  .your.domain.org = YOUR.DOMAIN.ORG
  your.domain.org = YOUR.DOMAIN.ORG
  hostname.your.domain.org = YOUR.DOMAIN.ORG

  [logging]
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON
  ```
- Configure `/etc/pam.d` to use sssd, either with the pam-config helper command:

  ```shell
  pam-config -a --sss
  ```

  or by editing the following files in `/etc/pam.d` by hand (quick and dirty git diff of what pam-config did):
diff --git a/common-account-pc b/common-account-pc index 1f24753..00cad08 100644 --- a/common-account-pc +++ b/common-account-pc @@ -10,4 +10,6 @@ # the central access policy for use on the system. The default is to # only deny service to users whose accounts are expired. # -account required pam_unix.so try_first_pass +account requisite pam_unix.so try_first_pass +account sufficient pam_localuser.so +account required pam_sss.so use_first_pass diff --git a/common-auth-pc b/common-auth-pc index c8b5b81..7514a77 100644 --- a/common-auth-pc +++ b/common-auth-pc @@ -12,4 +12,5 @@ # traditional Unix authentication mechanisms. # auth required pam_env.so -auth required pam_unix.so try_first_pass +auth sufficient pam_unix.so try_first_pass +auth required pam_sss.so use_first_pass diff --git a/common-password-pc b/common-password-pc index 8540257..22dc764 100644 --- a/common-password-pc +++ b/common-password-pc @@ -10,4 +10,5 @@ # used to change user passwords. # password requisite pam_cracklib.so -password required pam_unix.so use_authtok nullok shadow try_first_pass +password sufficient pam_unix.so use_authtok nullok shadow try_first_pass +password required pam_sss.so use_authtok diff --git a/common-session-pc b/common-session-pc index 317cd2e..e303b8e 100644 --- a/common-session-pc +++ b/common-session-pc @@ -12,6 +12,7 @@ # session required pam_limits.so session required pam_unix.so try_first_pass +session optional pam_sss.so session optional pam_umask.so session optional pam_systemd.so session optional pam_env.so
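Review bot: in the common-account-pc hunk, `account sufficient pam_localuser.so` ends the account stack for any name present in /etc/passwd, so `account required pam_sss.so use_first_pass` (and with it the HBAC policy behind `access_provider = ipa`) is only consulted for users that sssd serves; that is the usual intent, but it means a local /etc/passwd entry with the same name as an IPA user bypasses HBAC, so keep local accounts to the minimum and document the exception. `use_first_pass` is an authentication-phase option and is ignored in the account phase, so it can be dropped from that line.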
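Review bot: in the common-auth-pc hunk, `auth sufficient pam_unix.so try_first_pass` runs before `auth required pam_sss.so use_first_pass`, so an IPA user's password is first tried against /etc/shadow and fails there before sssd sees it; logins still work, but every successful IPA login leaves a pam_unix authentication-failure line in the system log, which anyone building brute-force detections for this host should expect and filter on the module name rather than count as an attack.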
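Review bot: the common-session-pc hunk adds `session optional pam_sss.so` but nothing in the stack creates home directories, and an IPA user has none on a freshly enrolled host, so the first SSH login succeeds but starts in / with a "Could not chdir to home directory" warning; if IPA users should get a home directory, add `session optional pam_mkhomedir.so` alongside the `pam_sss.so` line (or run `pam-config -a --mkhomedir`).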
- Enable and start sssd:

  ```shell
  systemctl enable sssd
  systemctl start sssd
  ```
A restart may be required; however, you should now be able to log in with credentials for user accounts hosted on FreeIPA.