Manually setting up FreeIPA Client on Archlinux

This post describes how I set up my Arch Linux boxes to authenticate against FreeIPA version 4.2.3 running on Fedora 23.
The whole procedure could be scripted, but I had to work my way through it by trial and error.


Preparation

  • Make sure your client's time matches your FreeIPA server's.
  • Make sure your ipa-client and ipa-server are resolvable both forward (A record) and reverse (PTR record).
  • Make sure the client's hostname command returns the FQDN, to save yourself trouble later with HBAC and sudo rules.
  • Double-check that you have the correct DNS entries if you are not using FreeIPA itself as your primary DNS server.
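The four preparation points above can be checked before touching any configuration. The following script is an added example, not part of the original post: it assumes GNU coreutils/awk/sed, glibc getent and curl, takes the IPA server's FQDN as its first argument (a placeholder, yours will differ), and reads the server's clock from the HTTP Date header that the FreeIPA web server returns on port 80.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# preparation list. The IPA server name is an assumption passed as $1.

# Kerberos refuses tickets once client and KDC clocks drift apart by more
# than this many seconds (MIT krb5 default clockskew).
MAX_SKEW=300

# is_fqdn NAME: succeed when NAME has at least one dot and no empty labels.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}

# skew_ok CLIENT_EPOCH SERVER_EPOCH: succeed when |difference| <= MAX_SKEW.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "$MAX_SKEW" ]
}

# dns_consistent NAME: forward-resolve NAME, then reverse-resolve the address
# and require the PTR record to point back at NAME.
dns_consistent() {
    name=$1
    ip=$(getent hosts "$name" | awk 'NR == 1 { print $1 }')
    if [ -z "$ip" ]; then
        echo "no A/AAAA record for $name" >&2
        return 1
    fi
    rev=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    if [ "$rev" != "$name" ]; then
        echo "PTR for $ip is '$rev', expected '$name'" >&2
        return 1
    fi
    return 0
}

# server_epoch SERVER: read the HTTP Date header from the IPA web server and
# print it as Unix time; one-second resolution is fine for a 300 s tolerance.
server_epoch() {
    hdr=$(curl -sSI --max-time 5 "http://$1/" | tr -d '\r' | sed -n 's/^[Dd]ate: //p')
    if [ -z "$hdr" ]; then return 1; fi
    date -d "$hdr" +%s
}

main() {
    server=$1
    client=$(hostname)
    rc=0
    if is_fqdn "$client"; then
        echo "ok:   hostname is fully qualified ($client)"
    else
        echo "FAIL: hostname '$client' is not an FQDN"; rc=1
    fi
    for h in "$client" "$server"; do
        if dns_consistent "$h"; then
            echo "ok:   forward and reverse DNS agree for $h"
        else
            echo "FAIL: forward/reverse DNS mismatch for $h"; rc=1
        fi
    done
    if srv=$(server_epoch "$server") && skew_ok "$(date +%s)" "$srv"; then
        echo "ok:   clock within ${MAX_SKEW}s of $server"
    else
        echo "FAIL: clock skew too large, or no Date header from $server"; rc=1
    fi
    return $rc
}

# Usage: sh ipa-preflight.sh ipaserver.example.com
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit means at least one of the four points needs fixing before you continue; the DNS check is run for both the client and the server because SSSD's ipa provider looks both up by name.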

Packages

pacman -S sssd


Files

/etc/sssd/sssd.conf

/etc/nsswitch.conf

/etc/nscd.conf

Disable caching for passwords and groups: make sure the enable-cache lines for passwd and group end in no instead of yes, so that nscd does not cache entries that SSSD already caches itself.
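Editing the two lines by hand works, but the change is easy to script and to verify afterwards. The script below is an added example and not part of the original post; it assumes GNU sed and awk, defaults to /etc/nscd.conf, and the three-line nscd.conf fragment it demonstrates on is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: switch off nscd's passwd and
# group caches so that SSSD is the only cache in the lookup path.

# disable_nscd_cache [FILE]: rewrite "enable-cache passwd yes" and
# "enable-cache group yes" to "no", leaving other databases (hosts, ...) alone.
disable_nscd_cache() {
    f=${1:-/etc/nscd.conf}
    for db in passwd group; do
        sed -i "s/^\([[:space:]]*enable-cache[[:space:]]\{1,\}$db[[:space:]]\{1,\}\)yes[[:space:]]*$/\1no/" "$f"
    done
}

# nscd_cache_setting FILE DB: print the current enable-cache value for DB.
nscd_cache_setting() {
    awk -v db="$2" '$1 == "enable-cache" && $2 == db { print $3 }' "$1"
}

# check_nscd_cache FILE: succeed only when passwd and group caching are off.
check_nscd_cache() {
    [ "$(nscd_cache_setting "$1" passwd)" = "no" ] &&
    [ "$(nscd_cache_setting "$1" group)" = "no" ]
}

# demo: run against a constructed nscd.conf fragment in a temporary file.
demo() {
    tmp=$(mktemp)
    printf '\tenable-cache\t\tpasswd\t\tyes\n' >  "$tmp"
    printf '\tenable-cache\t\tgroup\t\tyes\n'  >> "$tmp"
    printf '\tenable-cache\t\thosts\t\tyes\n'  >> "$tmp"
    disable_nscd_cache "$tmp"
    cat "$tmp"
    if check_nscd_cache "$tmp"; then echo "passwd/group caching disabled"; fi
    rm -f "$tmp"
}

# Usage: "sh nscd-nocache.sh" runs the demo; "sh nscd-nocache.sh /etc/nscd.conf"
# edits the real file (restart nscd afterwards, e.g. systemctl restart nscd).
if [ "$#" -gt 0 ]; then
    disable_nscd_cache "$1" && check_nscd_cache "$1"
else
    demo
fi
```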

/etc/krb5.conf


Configuration

On the IPA Server

Add your new client to IPA

In case IPA is also your DNS server and there is already a record for it:

otherwise:

Create a Kerberos keytab and transfer it to your client

Copy /tmp/ipaclient.keytab to ipaclient.example.com:/etc/krb5.keytab

Permissions
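The keytab holds the client host's long-term Kerberos keys, so after the copy it must be readable by root only, and it is worth confirming that the host principal actually landed in it. The script below is an added example, not the author's procedure; the names ipaserver.example.com, ipaclient.example.com and the realm EXAMPLE.COM are placeholders, and it assumes GNU stat, the ipa-getkeytab and klist tools, and scp for the transfer.

```shell
#!/bin/sh
# Added example, not from the original post: creating, transferring and
# checking the host keytab. All host names and the realm are assumptions.
#
# On the IPA server, with an admin ticket (kinit admin):
#   ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com \
#       -k /tmp/ipaclient.keytab
# Note that ipa-getkeytab generates fresh keys for the principal, so any
# keytab previously issued for this host stops working.
#
# Transfer it, then get rid of the server-side copy:
#   scp /tmp/ipaclient.keytab root@ipaclient.example.com:/etc/krb5.keytab
#   shred -u /tmp/ipaclient.keytab

KEYTAB=/etc/krb5.keytab

# keytab_perms_ok FILE [OWNER]: the keytab must be mode 0600 and owned by
# root (OWNER can be overridden so the check can be exercised as non-root).
keytab_perms_ok() {
    f=$1
    want_owner=${2:-root}
    info=$(stat -c '%a %U' "$f" 2>/dev/null) || return 1
    mode=${info% *}
    owner=${info#* }
    [ "$mode" = "600" ] && [ "$owner" = "$want_owner" ]
}

# keytab_has_principal FILE PRINCIPAL: the last column of "klist -kt" output
# is the principal name; succeed when PRINCIPAL appears there.
keytab_has_principal() {
    klist -kt "$1" 2>/dev/null |
        awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

main() {
    principal=$1
    rc=0
    if keytab_perms_ok "$KEYTAB"; then
        echo "ok:   $KEYTAB is mode 600 and owned by root"
    else
        echo "FAIL: fix with: chown root:root $KEYTAB && chmod 600 $KEYTAB"; rc=1
    fi
    if keytab_has_principal "$KEYTAB" "$principal"; then
        echo "ok:   $principal is present in $KEYTAB"
    else
        echo "FAIL: $principal not found in $KEYTAB (klist -kt $KEYTAB)"; rc=1
    fi
    return $rc
}

# Usage (on the client, as root):
#   sh keytab-check.sh host/ipaclient.example.com@EXAMPLE.COM
if [ "$#" -gt 0 ]; then main "$@"; fi
```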


First Tests

Time for a first test to see if we can already retrieve information about IPA users:

Restart nscd

Restart sssd

Retrieve passwd information

Try to query any user with POSIX attributes that you created on your IPA server.

To make sure you do not hit a local record, append your domain to the user name like this:

It should return something like this:
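Besides looking at the output, two things are worth checking at this point: that the answer really came from SSSD and that no local account of the same name exists, because with the usual "passwd: files sss" order in nsswitch.conf a local /etc/passwd entry silently wins over the IPA user. The script below is an added example, not from the original post; it assumes glibc's getent with its -s option and takes a user name and domain as arguments (jdoe and example.com in the usage line are placeholders).

```shell
#!/bin/sh
# Added example, not from the original post: look a user up through the sss
# NSS service only, then check for a shadowing local account.

# passwd_line_ok LINE: a sane passwd entry has 7 colon-separated fields with
# numeric uid and gid.
passwd_line_ok() {
    printf '%s\n' "$1" |
        awk -F: 'NF == 7 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ { ok = 1 }
                 END { exit ok ? 0 : 1 }'
}

# ipa_user_check USER DOMAIN: resolve USER@DOMAIN via the sss service (so a
# hit cannot come from /etc/passwd), then report whether a local account of
# the same short name exists.  Returns 0 ok, 1 lookup failed, 2 shadowed.
ipa_user_check() {
    user=$1
    domain=$2
    line=$(getent -s sss passwd "$user@$domain" 2>/dev/null)
    if [ -z "$line" ] || ! passwd_line_ok "$line"; then
        echo "FAIL: sssd returned nothing usable for $user@$domain" >&2
        return 1
    fi
    echo "ok:   $line"
    if getent -s files passwd "$user" >/dev/null 2>&1; then
        echo "WARN: a local account named '$user' exists and shadows the IPA user" >&2
        return 2
    fi
    return 0
}

# Usage: sh ipa-user-check.sh jdoe example.com
if [ "$#" -eq 2 ]; then ipa_user_check "$1" "$2"; fi
```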


PAM

I recommend not starting to configure PAM before the getent command above has succeeded!

/etc/pam.d/sss

Create a new file named /etc/pam.d/sss

login, ssh, sudo, su, passwd

These are the services that I found mandatory for my environment.

/etc/pam.d/system-auth

/etc/pam.d/sudo

/etc/pam.d/su

/etc/pam.d/su-l

/etc/pam.d/passwd
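Whatever the exact contents of your sss stack, two properties decide whether IPA policy is actually enforced on the client: every management group (auth, account, password, session) has to pass through pam_sss.so, and the account-phase pam_sss.so line must not be marked sufficient or optional, since that makes a deny from the server's HBAC rules ignorable and lets the stack fall through to pam_unix.so, which knows nothing about HBAC. The lint below is an added example and not the author's file: the stack printed by sample_sss_stack is a constructed illustration that passes both checks, includes and substacks are not followed (run it on the file that actually lists pam_sss.so), and it assumes awk.

```shell
#!/bin/sh
# Added example, not from the original post: lint a PAM stack for the two
# properties that matter when SSSD/FreeIPA is the source of policy.

# pam_sss_coverage FILE: every management group must route through
# pam_sss.so; prints the groups that do not and fails if there are any.
pam_sss_coverage() {
    missing=""
    for grp in auth account password session; do
        if ! awk -v g="$grp" '
            $1 !~ /^#/ { t = $1; sub(/^-/, "", t)
                if (t == g) for (i = 3; i <= NF; i++) if ($i ~ /pam_sss\.so/) found = 1 }
            END { exit found ? 0 : 1 }' "$1"; then
            missing="$missing $grp"
        fi
    done
    if [ -n "$missing" ]; then
        echo "pam_sss.so missing in:$missing" >&2
        return 1
    fi
    return 0
}

# pam_account_sss_control FILE: print the control field of the account-phase
# pam_sss.so line(s), joining bracketed "[...]" controls back together.
pam_account_sss_control() {
    awk '$1 !~ /^#/ && NF >= 3 {
            t = $1; sub(/^-/, "", t)
            if (t != "account") next
            ctl = $2; i = 3
            while (ctl ~ /^\[/ && ctl !~ /]$/ && i <= NF) { ctl = ctl " " $i; i++ }
            if ($i ~ /pam_sss\.so/) print ctl
        }' "$1"
}

# pam_account_enforces_sss FILE: fail when there is no account-phase
# pam_sss.so line or when its control is sufficient/optional (an HBAC denial
# would then be ignored and pam_unix.so decides instead).
pam_account_enforces_sss() {
    ctl=$(pam_account_sss_control "$1")
    if [ -z "$ctl" ]; then return 1; fi
    case "$ctl" in
        sufficient|optional) return 1 ;;
        *) return 0 ;;
    esac
}

# sample_sss_stack: constructed example of an sss stack (an assumption, not
# the author's file) that satisfies both checks.
sample_sss_stack() {
    cat <<'EOF'
auth      sufficient  pam_sss.so forward_pass
auth      required    pam_unix.so try_first_pass nullok
account   [default=bad success=ok user_unknown=ignore] pam_sss.so
account   required    pam_unix.so
password  sufficient  pam_sss.so use_authtok
password  required    pam_unix.so try_first_pass nullok sha512 shadow
session   optional    pam_sss.so
session   required    pam_unix.so
EOF
}

lint_pam_file() {
    rc=0
    pam_sss_coverage "$1" || rc=1
    if pam_account_enforces_sss "$1"; then
        echo "ok:   account phase enforces the pam_sss.so result"
    else
        echo "FAIL: account-phase pam_sss.so is missing or merely sufficient/optional" >&2
        rc=1
    fi
    return $rc
}

# Usage: "sh pam-sss-lint.sh /etc/pam.d/sss"; without arguments the
# constructed sample stack is checked instead.
if [ "$#" -gt 0 ]; then
    lint_pam_file "$1"
else
    tmp=$(mktemp)
    sample_sss_stack > "$tmp"
    lint_pam_file "$tmp"
    rm -f "$tmp"
fi
```

The bracketed control on the account line is the form Fedora's own authconfig generates: user_unknown=ignore lets purely local accounts fall through to pam_unix.so, while any other non-success from SSSD (including an HBAC deny) ends the stack with a failure.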


Other Services

All the services mentioned from here on down are not thoroughly tested by me. I just created this configuration by reverse-engineering a random script found on the internet.

/etc/pam.d/chage

/etc/pam.d/chfn

/etc/pam.d/chpasswd

/etc/pam.d/chsh

/etc/pam.d/cups

/etc/pam.d/groupadd

/etc/pam.d/groupdel

/etc/pam.d/groupmod

/etc/pam.d/newusers

/etc/pam.d/other

/etc/pam.d/screen

/etc/pam.d/shadow

/etc/pam.d/system-services

/etc/pam.d/useradd

/etc/pam.d/userdel

/etc/pam.d/usermod

See also

https://wiki.archlinux.org/index.php/FreeIPA
https://wiki.archlinux.org/index.php/LDAP_authentication#Online_and_Offline_Authentication_with_SSSD
https://wiki.archlinux.org/index.php/LDAP_authentication#PAM_Configuration
