Manually setting up FreeIPA Client on Archlinux

This post describes how I set up my ArchLinux boxes to authenticate to FreeIPA version 4.2.3 running on Fedora 23.
The whole procedure could be scripted, but I had to work my way through by trial and error.


Preparation

  • Make sure your client's clock matches your FreeIPA server's (Kerberos rejects tickets once the clocks drift apart by more than a few minutes).
  • Make sure your ipa-client and ipa-server are resolvable both forward (A record) and reverse (PTR record).
  • Make sure the client's hostname command returns the FQDN, to save some trouble later with HBAC and sudo rules.
  • Double-check that you have the correct DNS entries if you are not using FreeIPA itself as your primary DNS server.
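The four preparation points above can be checked from the client before anything is configured. The script below is an added example and not part of the original post; the function names, the 300 second skew limit and the use of the IPA server's HTTP Date header as a time reference are my assumptions (any time source you trust works equally well).

```shell
#!/bin/sh
# Pre-flight checks for a new FreeIPA client (added example, not from the
# original post). Function names, MAX_SKEW and the HTTP-based time comparison
# are assumptions; adjust them to your environment.

MAX_SKEW=300    # Kerberos' default clockskew is 5 minutes

# Compare two epoch timestamps (client, server); 0 when within MAX_SKEW.
skew_ok() {
    delta=$(( $1 - $2 ))
    if [ "$delta" -lt 0 ]; then delta=$(( -delta )); fi
    [ "$delta" -le "$MAX_SKEW" ]
}

# 0 when the name carries a domain part (host.example.com), 1 for a short name.
# A short hostname yields the wrong host principal and breaks HBAC/sudo rules.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Forward (A) and reverse (PTR) lookups must agree. getent is used so that
# /etc/hosts entries are seen exactly the way the resolver sees them.
forward_reverse_agree() {
    name=$1
    addr=$(getent ahostsv4 "$name" | awk 'NR == 1 { print $1 }')
    if [ -z "$addr" ]; then
        echo "no A record for $name" >&2; return 1
    fi
    rname=$(getent hosts "$addr" | awk '{ print $2 }')
    if [ "$rname" != "$name" ]; then
        echo "PTR for $addr is '$rname', expected $name" >&2; return 1
    fi
}

# Run every check against the IPA server named in $1; returns 1 on any failure.
run_checks() {
    server=$1
    client=$(hostname -f)
    status=0
    is_fqdn "$client" || { echo "hostname '$client' is not an FQDN" >&2; status=1; }
    for h in "$client" "$server"; do
        forward_reverse_agree "$h" || status=1
    done
    # The IPA web server answers a HEAD request with a Date header; replace this
    # with chronyc or "ntpdate -q" against the server if you prefer.
    server_date=$(curl -sI --max-time 5 "http://$server/" | tr -d '\r' |
                  awk -F': ' '/^[Dd]ate:/ { print $2 }')
    if [ -z "$server_date" ] || ! skew_ok "$(date +%s)" "$(date -d "$server_date" +%s)"; then
        echo "clock differs from $server by more than $MAX_SKEW s (or server time unreadable)" >&2
        status=1
    fi
    return "$status"
}

# Usage: sh preflight.sh ipa.example.com
if [ $# -eq 1 ]; then
    run_checks "$1" && echo "all pre-flight checks passed"
fi
```

Run it as `sh preflight.sh ipa.example.com` on the client; every failing check prints its reason on stderr, and the exit status is non-zero until all four preparation points hold.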

Packages

pacman -S sssd


Files

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = example.com
# 9 is very verbose; lower it once everything works.
debug_level = 9
 
# The section name must match the entry in "domains" above.
[domain/example.com]
debug_level = 9
cache_credentials = true
krb5_store_password_if_offline = true
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com
ipa_hostname = ipaclient.example.com
# Feel free to comment this out if you don't need/want it. The comment sits on
# its own line because sssd.conf comment lines must start with # or ;.
override_shell = /usr/bin/zsh

/etc/nsswitch.conf

# Begin /etc/nsswitch.conf
 
passwd: files sss
group: files sss
shadow: files sss
sudoers: files sss
 
publickey: files
 
hosts: files dns myhostname
networks: files
 
protocols: files
services: files
ethers: files
rpc: files
 
netgroup: files
 
# End /etc/nsswitch.conf

/etc/nscd.conf

Disable caching for passwords and groups, since sssd maintains its own cache and nscd would otherwise serve stale entries on top of it.
Make sure these two lines end with no instead of yes:

enable-cache		group		no
enable-cache		passwd		no

/etc/krb5.conf

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        rdns = false
        ticket_lifetime = 24h
        forwardable = yes
        # Permits weak enctypes such as single DES. FreeIPA 4.x issues AES keys,
        # so this is normally not needed and can be set to false.
        allow_weak_crypto = yes
 
[realms]
        EXAMPLE.COM = {
                admin_server = ipa.example.com:749
                kdc = ipa.example.com:88
                master_kdc = ipa.example.com:88
                default_domain = example.com
        }
 
[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM
 
 
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

Configuration

On the IPA Server

Add your new client to IPA:

kinit admin

In case IPA is also your DNS server and there is already a record for it:

ipa host-add --force ipaclient.example.com

otherwise:

ipa host-add --force --ip-address=192.168.0.14 ipaclient.example.com

Create a Kerberos keytab and transfer it to your client:

kinit admin
Password for admin@EXAMPLE.COM:
ipa-getkeytab -s ipa.example.com -p host/ipaclient.example.com -k /tmp/ipaclient.keytab

Copy /tmp/ipaclient.keytab to ipaclient.example.com:/etc/krb5.keytab

Note that ipa-getkeytab generates a fresh set of keys for the principal (the KVNO is incremented), so any keytab previously issued for this host stops working. The keytab is the host's long-term Kerberos credential: transfer it over an authenticated channel such as scp and delete the copy in /tmp afterwards.

Permissions

sssd.conf may contain credentials and must only be readable by root:

chmod 0600 /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf

Apply the same ownership and mode to /etc/krb5.keytab, which holds the host's Kerberos keys.
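Once the keytab is in place, the two secrets on the client can be verified in one go: both files root-only, the host principal present in the keytab, and the KDC actually accepting it. This is an added example rather than anything from the original post; the helper names are my own, and the sample klist output embedded for testing is constructed, not captured from a real server.

```shell
#!/bin/sh
# Checks on the client's credential files after the keytab has been copied
# (added example, not from the original post). Helper names are assumptions;
# SAMPLE_KLIST is constructed test data.

# 0 when the file exists and has exactly the requested octal mode and owner
# (GNU stat as shipped on Arch).
perm_ok() {
    file=$1 mode=$2 owner=$3
    [ -f "$file" ] || return 1
    set -- $(stat -c '%a %U' "$file")
    [ "$1" = "$mode" ] && [ "$2" = "$owner" ]
}

# Constructed sample of "klist -kt /etc/krb5.keytab" output, used for testing.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/05/2016 10:00:00 host/ipaclient.example.com@EXAMPLE.COM'

# 0 when the principal ($2) appears in klist -kt output passed as $1.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Live check, run as root on the client with the realm as $1. Verifies that
# both secrets are root-only, that the keytab holds this host's principal and
# that the KDC accepts it (kinit -k reads /etc/krb5.keytab; kdestroy drops
# the test ticket again).
check_client() {
    realm=$1
    host=$(hostname -f)
    status=0
    for f in /etc/sssd/sssd.conf /etc/krb5.keytab; do
        perm_ok "$f" 600 root || { echo "$f should be mode 0600 owned by root" >&2; status=1; }
    done
    if ! keytab_has_principal "$(klist -kt /etc/krb5.keytab)" "host/$host@$realm"; then
        echo "host/$host@$realm not found in /etc/krb5.keytab" >&2; status=1
    fi
    kinit -k "host/$host@$realm" && kdestroy || { echo "kinit with the keytab failed" >&2; status=1; }
    return "$status"
}

# Usage: sh check-client.sh EXAMPLE.COM
if [ $# -eq 1 ]; then
    check_client "$1" && echo "client credentials look good"
fi
```

A failing kinit here usually means the keytab was regenerated on the server after this copy was taken, or the hostname on the client does not match the principal requested with ipa-getkeytab.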

First Tests

Time for a first test to see if we can already retrieve information about IPA users:

Restart nscd

systemctl restart nscd

Restart sssd

systemctl restart sssd

Retrieve passwd information

Try to query any user with posix attributes you created on your IPA-Server.

getent passwd ipatest

If you want to make sure you are not hitting a local record, append your domain to the user name:

getent passwd ipatest@example.com

It should return something like this:

ipatest:*:10004:10004:test ipa:/home/ipatest:/usr/bin/zsh

PAM

I recommend not starting to configure PAM before the getent command above succeeds!

/etc/pam.d/sss

Create a new file named /etc/pam.d/sss

auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
 
account  required   pam_unix.so
#account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  optional   pam_sss.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=0 ucredit=0 ocredit=0 lcredit=0 type=
password sufficient pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password required   pam_deny.so
 
session         required        pam_mkhomedir.so skel=/etc/skel umask=0077
session  required   pam_unix.so
session  optional   pam_sss.so

login, ssh, sudo, su, passwd

These are the services that i found mandatory for my environment.

/etc/pam.d/system-auth

auth		include		sss
auth		optional	pam_permit.so
auth		required	pam_env.so
 
account		include		sss
account		optional	pam_permit.so
account		required	pam_time.so
 
password	include		sss
password	optional	pam_permit.so
 
session		required	pam_limits.so
session		include		sss
session		optional	pam_permit.so

/etc/pam.d/sudo

auth		include		system-auth
account		include		system-auth
session		include		system-auth

/etc/pam.d/su

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss

/etc/pam.d/su-l

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss

/etc/pam.d/passwd

password	include		sss
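With this many hand-written PAM files it is easy to drop the final pam_deny.so line of an auth or password stack, or to forget that the shared sss file allows empty local passwords through nullok. The audit script below is an added example, not from the original post: the function names are my own, and SAMPLE_SSS is simply the sss stack from above copied in so the parser can be exercised without touching /etc/pam.d.

```shell
#!/bin/sh
# Audit of PAM service files (added example, not from the original post).
# Function names are assumptions; SAMPLE_SSS is the sss stack from this post.

# Print "<control> <module>" of the last active entry in one management group
# (auth, account, password or session). Bracketed controls containing spaces,
# e.g. "[default=bad success=ok]", are not handled by this simple parser.
last_entry() {
    awk -v t="$2" '$1 == t { last = $2 " " $3 } END { print last }' "$1"
}

# An auth or password stack should either hand off with "include" or end in
# "required pam_deny.so", so the outcome is an explicit denial rather than
# whatever the stack happens to fall through to.
stack_closed() {
    case "$(last_entry "$1" "$2")" in
        "include "*)            return 0 ;;
        "required pam_deny.so") return 0 ;;
        *)                      return 1 ;;
    esac
}

# 0 when pam_unix.so is used with nullok anywhere in the file, which lets
# local accounts with an empty password field authenticate.
allows_empty_passwords() {
    awk '$1 !~ /^#/ && $3 == "pam_unix.so" && /nullok/ { hit = 1 }
         END { if (hit) exit 0; exit 1 }' "$1"
}

# Report on one service file.
audit_file() {
    f=$1
    for grp in auth password; do
        entry=$(last_entry "$f" "$grp")
        if [ -z "$entry" ]; then
            echo "$f: no $grp entries"
        elif stack_closed "$f" "$grp"; then
            echo "$f: $grp stack ends with '$entry' (ok)"
        else
            echo "$f: $grp stack ends with '$entry' (no final pam_deny.so)"
        fi
    done
    if allows_empty_passwords "$f"; then
        echo "$f: pam_unix.so nullok present, empty local passwords are accepted"
    fi
}

# The sss stack from this post, embedded for testing the parser.
SAMPLE_SSS='auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
#account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  optional   pam_sss.so
password sufficient pam_unix.so try_first_pass nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password required   pam_deny.so
session  required   pam_unix.so
session  optional   pam_sss.so'

# Usage: sh pam-audit.sh /etc/pam.d/sss /etc/pam.d/system-auth
for f in "$@"; do
    audit_file "$f"
done
```

Run it as `sh pam-audit.sh /etc/pam.d/*` after editing; files that only include system-auth or sss are reported as closed, because the decision is delegated to the included stack.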

Other Services

All the services mentioned from here on down are not tested to the bone by myself. I just created this configuration by reverse engineering a random script found on the internet.

/etc/pam.d/chage

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/chfn

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/chpasswd

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	include		sss

/etc/pam.d/chsh

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/cups

auth		include		sss
account		include		sss
session		include		sss

/etc/pam.d/groupadd

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/groupdel

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/groupmod

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/newusers

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	include		sss

/etc/pam.d/other

auth		include		sss
account		include		sss
password	include		sss
session		include		sss

/etc/pam.d/screen

auth		include		sss

/etc/pam.d/shadow

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/system-services

auth      sufficient  pam_permit.so
 
account   include     system-auth
 
session   optional    pam_loginuid.so
session   required    pam_limits.so
session   include     sss
session   optional    pam_permit.so
session   required    pam_env.so

/etc/pam.d/useradd

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/userdel

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

/etc/pam.d/usermod

auth		sufficient	pam_rootok.so
auth		include		sss
account		include		sss
session		include		sss
password	required	pam_permit.so

See also

https://wiki.archlinux.org/index.php/FreeIPA
https://wiki.archlinux.org/index.php/LDAP_authentication#Online_and_Offline_Authentication_with_SSSD
https://wiki.archlinux.org/index.php/LDAP_authentication#PAM_Configuration

Comments

  1. I know this post is 4 years old, but after failing miserably for a couple of days, I finally got getent working from FreeIPA. Thanks aplenty.
    Cheers mate!
