Skip to content

Instantly share code, notes, and snippets.

@arashi01
Forked from Aethylred/freeipa_auth_suse.md
Created June 10, 2019 19:32
Show Gist options
  • Save arashi01/1d927cee6887ae25e879f383933d5408 to your computer and use it in GitHub Desktop.
Save arashi01/1d927cee6887ae25e879f383933d5408 to your computer and use it in GitHub Desktop.
Setting up FreeIPA authentication onf SUSE/SLE 12 SP2

This is the manual process for enrolling a host running SUSE/SLE 12 SP2 with FreeIPA.

The following reference documentation was used to create this process:

I do not recommend using yast to set this up, however it is useful to check if the configuration is valid. SUSE/SLE has all the required packages to use FreeIPA but does not have the conveinent ipa-client tools, such as ipa-client-install.

Pre-Requisites

  • The host must have a fully qualified domain name
  • The host must be able to resolve the FreeIPA server hostname
  • The FreeIPA server must in the host's /etc/resolv.conf as a nameserver, and it should be the first nameserver
  • The host must have a route to the FreeIPA server
  • The FreeIPA server is assumed to be managing:
    • The Kerberos Realm
    • The DNS domain
  • The host must be able to connect to the following services (port protocols) on the FreeIPA server
    • ntp (123 TCP)
    • http (80 TCP)
    • https (443 TCP)
    • ldap (389 TCP)
    • ldaps (636 TCP)
    • Kerberos (88 TCP/UDP)
    • kpasswd (464 TCP/UDP)
    • dns (53 TCP/UDP)

Step-by-step guide

On the FreeIPA server

  1. Create the host entry and DNS for the host to be enrolled

    kinit admin
    ipa host-add hostname.your.domain.org --ip-address=192.168.XXX.XXX
    
  2. Set the FreeIPA server to manage the host

    ipa host-add-managedby --hosts=ipa-server.your.domain.org hostname.your.domain.org
    
  3. Retrieve the host's keytab, send it to the host, and delete it

    ipa-getkeytab -s ipa-server.your.domain.org -p host/hostname.your.domain.org -k hostname.krb5.keytab
    scp hostname.krb5.keytab [email protected]:.
    rm hostname.krb5.keytab
    

On the host to be enrolled

  1. Log into the host to be installed as root

  2. Install the required packages for FreeIPA and the sssd ipa module (the yast2-auth-client package can be omitted)

    zypper install yast2-auth-client sssd sssd-ipa krb5-client openldap2-client sssd-ad cyrus-sasl-gssapi
    
  3. Deploy the host's keytab

    mv ~/hostname.krb5.keytab /etc/krb5.keytab
    chown root:root /etc/krb5.keytab
    chmod 0600 /etc/krb5.keytab
    
  4. Retrieve the FreeIPA server's certificate

    mkdir /etc/ipa
    wget -O /etc/ipa/ca.crt http://ipa-server.your.domain.org/ipa/config/ca.crt
    cp /etc/ipa/ca.crt /etc/pki/trust/anchors/ipa.crt
    update-ca-certificates
    
  5. Edit /etc/nsswitch.conf

    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Legal entries are:
    #
    #       compat                  Use compatibility setup
    #       nisplus                 Use NIS+ (NIS version 3)
    #       nis                     Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       [NOTFOUND=return]       Stop searching if not found so far
    #
    # For more information, please read the nsswitch.conf.5 manual page.
    #
    
    # passwd: files nis
    # shadow: files nis
    # group:  files nis
    
    passwd:     files sss
    shadow:     files sss
    group:      files sss
    
    hosts:          files dns
    networks:       files dns
    
    services:       files sss
    protocols:      files
    rpc:            files
    ethers:         files
    netmasks:       files
    netgroup:       files nis sss
    publickey:      files
    
    bootparams:     files
    automount:      files nis sss
    aliases:        files
    
    sudoers:        files sss
    
  6. Edit /etc/sssd/sssd.conf (this step would be handled by Cray CME on an XC50, hostname substituted in {{ipa_hostname}})

    [sssd]
    config_file_version = 2
    services = nss, pam, ssh, sudo
    # SSSD will not start if you do not configure any domains.
    # Add new domain configurations as [domain/<NAME>] sections, and
    # then add the list of domains (in the order you want them to be
    # queried) to the "domains" attribute below and uncomment it.
    domains = your.domain.org
    
    [nss]
    homedir_substring = /home
    
    [pam]
    
    [domain/your.domain.org]
    
    cache_credentials = True
    krb5_store_password_if_offline = True
    krb5_realm = YOUR.DOMAIN.ORG
    ipa_domain = your.domain.org
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = hostname.your.domain.org
    chpass_provider = ipa
    ipa_server = _srv_, ipa-server.your.domain.org
    ldap_tls_cacert = /etc/ipa/ca.crt
    
  7. Edit /etc/krb5.conf

    [libdefaults]
    default_realm = YOUR.DOMAIN.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    dns_canonicalize_hostname = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 0
    default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
    YOUR.DOMAIN.ORG = {
      kdc = ipa-server.your.domain.org:88
      master_kdc = ipa-server.your.domain.org:88
      admin_server = ipa-server.your.domain.org:749
      kpasswd_server = ipa-server.your.domain.org:464
      default_domain = your.domain.org
      pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
      pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    }
    
    [domain_realm]
    .your.domain.org = YOUR.DOMAIN.ORG
    your.domain.org = YOUR.DOMAIN.ORG
    hostname.your.domain.org = YOUR.DOMAIN.ORG
    
    [logging]
      kdc = FILE:/var/log/krb5/krb5kdc.log
      admin_server = FILE:/var/log/krb5/kadmind.log
      default = SYSLOG:NOTICE:DAEMON
    
  8. Configure /etc/pam.d to use sssd

    1. Use the pam-config helper command
      pam-config -a --sss
      
    2. Edit the following files in /etc/pam.d (quick and dirty git diff of what pam-config did)
      diff --git a/common-account-pc b/common-account-pc
      index 1f24753..00cad08 100644
      --- a/common-account-pc
      +++ b/common-account-pc
      @@ -10,4 +10,6 @@
       # the central access policy for use on the system.  The default is to
       # only deny service to users whose accounts are expired.
       #
      -account        required        pam_unix.so     try_first_pass
      +account        requisite       pam_unix.so     try_first_pass
      +account        sufficient      pam_localuser.so
      +account        required        pam_sss.so      use_first_pass
      diff --git a/common-auth-pc b/common-auth-pc
      index c8b5b81..7514a77 100644
      --- a/common-auth-pc
      +++ b/common-auth-pc
      @@ -12,4 +12,5 @@
       # traditional Unix authentication mechanisms.
       #
       auth   required        pam_env.so
      -auth   required        pam_unix.so     try_first_pass
      +auth   sufficient      pam_unix.so     try_first_pass
      +auth   required        pam_sss.so      use_first_pass
      diff --git a/common-password-pc b/common-password-pc
      index 8540257..22dc764 100644
      --- a/common-password-pc
      +++ b/common-password-pc
      @@ -10,4 +10,5 @@
       # used to change user passwords.
       #
       password       requisite       pam_cracklib.so
      -password       required        pam_unix.so     use_authtok nullok shadow try_first_pass
      +password       sufficient      pam_unix.so     use_authtok nullok shadow try_first_pass
      +password       required        pam_sss.so      use_authtok
      diff --git a/common-session-pc b/common-session-pc
      index 317cd2e..e303b8e 100644
      --- a/common-session-pc
      +++ b/common-session-pc
      @@ -12,6 +12,7 @@
       #
       session        required        pam_limits.so
       session        required        pam_unix.so     try_first_pass
      +session        optional        pam_sss.so
       session        optional        pam_umask.so
       session        optional        pam_systemd.so
       session        optional        pam_env.so
      
  9. Enable and start sssd

    systemctl enable sssd
    systemctl start sssd
    

  A restart may be required, however you should now be able to log in with credentials for user accounts hosted on FreeIPA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment