linux_course_doc/modules/qualifying/learning_centralized_accoun...

2021-09-28 22:32:50 +02:00
# FreeIPA
[FreeIPA](https://www.freeipa.org/page/Main_Page) is an open source identity management solution that bundles an LDAP directory, a Kerberos KDC and a certificate authority behind one set of tools.
It's a good modern day solution for centralized account management.
For this one we'll be installing the server on a Fedora machine.
By looking at the installation [requirements](https://www.freeipa.org/page/Quick_Start_Guide#Preparing_a_Platform) we learn that we need a bit more RAM than usual.
I suggest a machine with:
* 4GB RAM
* min 2 CPU
* 10GB disk
## Server installation
Do a Fedora installation as you have done before.
Your base installation should look like the screenshot below.
![base](./assets/fedora_01.png)
When looking through the software selection list we can already install freeipa from the start.
Tick it, or install it later through `dnf`, your call.
Notice the `Network Servers` package and how it *still* includes `nis`?
![software selection](./assets/fedora_02.png)
Fedora takes a bit more time to install but once it's done, log in and install your tools of choice.
Your Debian skills will go a long way here.
```bash
[waldek@fedora ~]$ sudo dnf install htop tmux vim
[sudo] password for waldek:
Last metadata expiration check: 0:00:04 ago on Tue 28 Sep 2021 21:12:01 CEST.
Dependencies resolved.
=======================================================================================================================================
Package Architecture Version Repository Size
=======================================================================================================================================
Installing:
htop x86_64 3.0.5-4.fc34 fedora 154 k
tmux x86_64 3.1c-2.fc34 fedora 397 k
vim-enhanced x86_64 2:8.2.3404-1.fc34 updates 1.8 M
Installing dependencies:
gpm-libs x86_64 1.20.7-26.fc34 fedora 20 k
libsodium x86_64 1.0.18-7.fc34 fedora 165 k
vim-common x86_64 2:8.2.3404-1.fc34 updates 6.7 M
vim-filesystem noarch 2:8.2.3404-1.fc34 updates 22 k
Transaction Summary
=======================================================================================================================================
Install 7 Packages
Total download size: 9.3 M
Installed size: 36 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): gpm-libs-1.20.7-26.fc34.x86_64.rpm 38 kB/s | 20 kB 00:00
(2/7): htop-3.0.5-4.fc34.x86_64.rpm 270 kB/s | 154 kB 00:00
(3/7): libsodium-1.0.18-7.fc34.x86_64.rpm 262 kB/s | 165 kB 00:00
(4/7): tmux-3.1c-2.fc34.x86_64.rpm 996 kB/s | 397 kB 00:00
(5/7): vim-filesystem-8.2.3404-1.fc34.noarch.rpm 139 kB/s | 22 kB 00:00
(6/7): vim-enhanced-8.2.3404-1.fc34.x86_64.rpm 943 kB/s | 1.8 MB 00:02
(7/7): vim-common-8.2.3404-1.fc34.x86_64.rpm 2.2 MB/s | 6.7 MB 00:02
---------------------------------------------------------------------------------------------------------------------------------------
Total 2.0 MB/s | 9.3 MB 00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : vim-filesystem-2:8.2.3404-1.fc34.noarch 1/7
Installing : vim-common-2:8.2.3404-1.fc34.x86_64 2/7
Installing : libsodium-1.0.18-7.fc34.x86_64 3/7
Installing : gpm-libs-1.20.7-26.fc34.x86_64 4/7
Installing : vim-enhanced-2:8.2.3404-1.fc34.x86_64 5/7
Installing : tmux-3.1c-2.fc34.x86_64 6/7
Running scriptlet: tmux-3.1c-2.fc34.x86_64 6/7
Installing : htop-3.0.5-4.fc34.x86_64 7/7
Running scriptlet: htop-3.0.5-4.fc34.x86_64 7/7
Verifying : gpm-libs-1.20.7-26.fc34.x86_64 1/7
Verifying : htop-3.0.5-4.fc34.x86_64 2/7
Verifying : libsodium-1.0.18-7.fc34.x86_64 3/7
Verifying : tmux-3.1c-2.fc34.x86_64 4/7
Verifying : vim-common-2:8.2.3404-1.fc34.x86_64 5/7
Verifying : vim-enhanced-2:8.2.3404-1.fc34.x86_64 6/7
Verifying : vim-filesystem-2:8.2.3404-1.fc34.noarch 7/7
Installed:
gpm-libs-1.20.7-26.fc34.x86_64 htop-3.0.5-4.fc34.x86_64 libsodium-1.0.18-7.fc34.x86_64
tmux-3.1c-2.fc34.x86_64 vim-common-2:8.2.3404-1.fc34.x86_64 vim-enhanced-2:8.2.3404-1.fc34.x86_64
vim-filesystem-2:8.2.3404-1.fc34.noarch
Complete!
[waldek@fedora ~]$
```
Once this is done we need to set a `hostname` and a FQDN.
Most LDAP servers are *very* picky about domains and FQDNs and FreeIPA is no different: `ipa-server-install` derives the domain (`corp.lan`) and the Kerberos realm (`CORP.LAN`) from the host name, and it refuses a single-label domain, so a name like `ipa.lan` will not do while `ipa.corp.lan` will.
It also refuses a host name that resolves to a loopback address, which is why the `/etc/hosts` entry below carries the machine's real IP address and not `127.0.1.1`.
I advise a reboot once you have set this before continuing the configuration.
```bash
[waldek@ipa ~]$ cat /etc/hostname
ipa
[waldek@ipa ~]$ cat /etc/hosts
192.168.0.69 ipa.corp.lan ipa
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[waldek@ipa ~]$
```
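As an added example (not part of the course page or of FreeIPA itself), here is a small POSIX shell pre-flight script for exactly these host name rules. It assumes the FQDN and the text of `/etc/hosts` are handed to it as arguments, so it can be run against constructed input offline as well as against the live machine; the function names and the sample hosts texts are mine, not anything the installer provides.

```shell
#!/bin/sh
# Added example, not part of the course page or of FreeIPA: pre-flight checks
# for the host name requirements that ipa-server-install enforces.
# Assumption: the FQDN and an /etc/hosts-style text are passed in as
# arguments, so the checks also run against constructed input.

# 0 when NAME is a usable IPA host name: at least two labels (FreeIPA refuses
# a single-label domain such as "ipa" or "ipa.lan" as host name), lower case,
# only letters/digits/hyphens, no empty label, no label starting or ending
# with a hyphen.
ipa_fqdn_ok() {
    name="$1"
    case "$name" in
        *.*) ;;                                  # has at least two labels
        *)   return 1 ;;
    esac
    case "$name" in
        *[![:lower:][:digit:].-]*) return 1 ;;   # upper case or odd characters
        .*|*.|*..*)                return 1 ;;   # empty label
        -*|*-|*.-*|*-.*)           return 1 ;;   # hyphen at a label edge
    esac
    return 0
}

# Kerberos realm the installer proposes: the domain part, upper-cased.
ipa_realm_for() {
    printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]'
}

# 0 when HOSTS (text in /etc/hosts format) maps NAME to exactly one address
# that is not loopback; the installer refuses 127.0.0.1/127.0.1.1 mappings.
ipa_hosts_ok() {
    name="$1"; hosts="$2"
    addrs=$(printf '%s\n' "$hosts" | awk -v n="$name" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) print $1 }')
    [ -n "$addrs" ] || return 1                  # not mapped at all
    count=$(printf '%s\n' "$addrs" | awk 'END { print NR }')
    [ "$count" -eq 1 ] || return 1               # mapped more than once
    case "$addrs" in
        127.*|::1) return 1 ;;                   # loopback
    esac
    return 0
}

# Run all checks, one finding per line; 0 only when everything passes.
ipa_preflight() {
    name="$1"; hosts="$2"; rc=0
    if ipa_fqdn_ok "$name"; then
        echo "ok   fqdn $name (domain ${name#*.}, realm $(ipa_realm_for "$name"))"
    else
        echo "FAIL fqdn '$name': need lower-case <host>.<domain> with at least two labels"; rc=1
    fi
    if ipa_hosts_ok "$name" "$hosts"; then
        echo "ok   hosts: $name maps to a single non-loopback address"
    else
        echo "FAIL hosts: $name must map to exactly one non-loopback address"; rc=1
    fi
    return $rc
}

# Constructed sample input: the layout used on this page, and the
# 127.0.1.1 mapping a stock Debian install writes for its own host name.
SAMPLE_GOOD='192.168.0.69 ipa.corp.lan ipa
127.0.0.1 localhost'
SAMPLE_LOOPBACK='127.0.1.1 ipa.corp.lan ipa
127.0.0.1 localhost'

ipa_preflight ipa.corp.lan "$SAMPLE_GOOD"
ipa_preflight ipa "$SAMPLE_LOOPBACK" || true
# On the machine itself: ipa_preflight "$(hostname -f)" "$(cat /etc/hosts)"
```

Run it as `ipa_preflight "$(hostname -f)" "$(cat /etc/hosts)"` before starting `ipa-server-install`; a `FAIL` line points at the same problem the installer would otherwise stop on several minutes into the run.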
We can configure the server with a tool called `ipa-server-install` that comes installed with the FreeIPA package.
It will run you through some questions but the default values are good for the most part.
I'll be adding some arguments to speed things up.
The `--mkhomedir -a -p` arguments do the following (in practice you should set proper passwords, and leave `-a` and `-p` out so the installer prompts for them: anything passed on the command line ends up in your shell history and is visible to every local user in `ps` for as long as the installer runs):
```bash
--mkhomedir create home directories for users on their first login
-p DM_PASSWORD, --ds-password=DM_PASSWORD
Directory Manager password
-a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
admin user kerberos password
```
There we go!
```bash
[waldek@ipa ~]$ sudo ipa-server-install --mkhomedir -a 123456789 -p 123456789
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.6
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure the KDC to enable PKINIT
To accept the default shown in brackets, press the Enter key.
Do you want to configure integrated DNS (BIND)? [no]:
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipa.corp.lan]:
The domain name has been determined based on the host name.
Please confirm the domain name [corp.lan]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [CORP.LAN]:
Do you want to configure chrony with NTP server or pool address? [no]:
The IPA Master Server will be configured with:
Hostname: ipa.corp.lan
IP address(es): 192.168.0.69
Domain name: corp.lan
Realm name: CORP.LAN
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=CORP.LAN
Subject base: O=CORP.LAN
Chaining: self-signed
Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
[2/41]: tune ldbm plugin
[3/41]: adding default schema
[4/41]: enabling memberof plugin
[5/41]: enabling winsync plugin
[6/41]: configure password logging
[7/41]: configuring replication version plugin
[8/41]: enabling IPA enrollment plugin
[9/41]: configuring uniqueness plugin
[10/41]: configuring uuid plugin
[11/41]: configuring modrdn plugin
[12/41]: configuring DNS plugin
[13/41]: enabling entryUSN plugin
[14/41]: configuring lockout plugin
[15/41]: configuring topology plugin
[16/41]: creating indices
[17/41]: enabling referential integrity plugin
[18/41]: configuring certmap.conf
[19/41]: configure new location for managed entries
[20/41]: configure dirsrv ccache and keytab
[21/41]: enabling SASL mapping fallback
[22/41]: restarting directory server
[23/41]: adding sasl mappings to the directory
[24/41]: adding default layout
[25/41]: adding delegation layout
[26/41]: creating container for managed entries
[27/41]: configuring user private groups
[28/41]: configuring netgroups from hostgroups
[29/41]: creating default Sudo bind user
[30/41]: creating default Auto Member layout
[31/41]: adding range check plugin
[32/41]: creating default HBAC rule allow_all
[33/41]: adding entries for topology management
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
[2/28]: stopping certificate server instance to update CS.cfg
[3/28]: backing up CS.cfg
[4/28]: Add ipa-pki-wait-running
[5/28]: secure AJP connector
[6/28]: reindex attributes
[7/28]: exporting Dogtag certificate store pin
[8/28]: disabling nonces
[9/28]: set up CRL publishing
[10/28]: enable PKIX certificate path discovery and validation
[11/28]: authorizing RA to modify profiles
[12/28]: authorizing RA to manage lightweight CAs
[13/28]: Ensure lightweight CAs container exists
[14/28]: starting certificate server instance
[15/28]: configure certmonger for renewals
[16/28]: requesting RA certificate from CA
[17/28]: publishing the CA certificate
[18/28]: adding RA agent as a trusted user
[19/28]: configure certificate renewals
[20/28]: Configure HTTP to proxy connections
[21/28]: updating IPA configuration
[22/28]: enabling CA instance
[23/28]: importing IPA certificate profiles
[24/28]: migrating certificate profiles to LDAP
[25/28]: adding default CA ACL
[26/28]: adding 'ipa' CA entry
[27/28]: configuring certmonger renewal for lightweight CAs
[28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[13/21]: configure certmonger for renewals
[14/21]: publish CA cert
[15/21]: clean up any existing httpd ccaches
[16/21]: configuring SELinux for httpd
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: starting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
Configuring client side components
This program will set up IPA client.
Version 4.9.6
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.corp.lan
Realm: CORP.LAN
DNS Domain: corp.lan
IPA Server: ipa.corp.lan
BaseDN: dc=corp,dc=lan
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring corp.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Please add records in this file to your DNS system: /tmp/ipa.system.records.o8dlznpf.db
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
UDP Ports:
* 88, 464: kerberos
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[waldek@ipa ~]$
```
Fedora comes with a firewall installed by default so let's open up the ports needed for LDAP and HTTP and make them permanent.
Keep in mind that `--permanent` only changes the saved configuration; run `sudo firewall-cmd --reload` afterwards (or repeat the command without `--permanent`) before the running firewall actually lets the traffic through, and compare `sudo firewall-cmd --list-services` with the port list the installer printed under "Next steps".
The `freeipa-ldap` service definition bundles more than port 389; `firewall-cmd --info-service=freeipa-ldap` shows exactly which ports it opens.
```bash
[waldek@ipa ~]$ sudo firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=http --add-service=https --permanent
success
[waldek@ipa ~]$
```
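The installer's "Next steps" list above is the authoritative set of ports, so the useful check once the firewall is open is whether something is actually listening on each of them. The following POSIX shell script is an added example, not part of the course page or of FreeIPA: it takes the output of `ss -Hltn` (TCP listeners) and `ss -Hlun` (UDP sockets), or constructed text in the same column layout, as arguments and reports which expected ports have no listener. The function names and the sample `ss` lines are mine; the sample describes a server on which `httpd` and the KDC's UDP socket did not come up.

```shell
#!/bin/sh
# Added example, not part of the course page or of FreeIPA: after
# ipa-server-install and the firewall step, confirm that the daemons behind
# the ports the installer lists under "Next steps" are really listening.
# Assumption: the output of `ss -Hltn` and `ss -Hlun` (or constructed text in
# the same column layout) is passed in as arguments, so this runs offline too.

# Ports from the installer's "Next steps" list.
IPA_TCP_PORTS="80 443 389 636 88 464"
IPA_UDP_PORTS="88 464 123"

# Print every local port in SS_OUTPUT, one per line, sorted and unique.
# Column 4 of `ss -l` is "addr:port"; taking what follows the last colon
# works for "*:389", "0.0.0.0:88" and "[::]:443" alike, and the regex
# skips a header line if the output was produced without -H.
listening_ports() {
    printf '%s\n' "$1" \
        | awk '$4 ~ /:[0-9]+$/ { n = split($4, a, ":"); print a[n] }' \
        | sort -un
}

# Print the ports from WANTED (space-separated) that have no listener in
# SS_OUTPUT, one per line, in the order given; print nothing when all are up.
missing_ports() {
    wanted="$1"; ss_output="$2"
    have=$(listening_ports "$ss_output")
    for p in $wanted; do
        printf '%s\n' "$have" | grep -qx "$p" || echo "$p"
    done
}

# Overall verdict: 0 only when every expected TCP and UDP port is listening,
# otherwise 1 with a line per protocol naming the missing ports.
ipa_ports_ok() {
    tcp_missing=$(missing_ports "$IPA_TCP_PORTS" "$1")
    udp_missing=$(missing_ports "$IPA_UDP_PORTS" "$2")
    [ -z "$tcp_missing" ] && [ -z "$udp_missing" ] && return 0
    [ -n "$tcp_missing" ] && echo "missing TCP listeners: $(echo $tcp_missing)"
    [ -n "$udp_missing" ] && echo "missing UDP listeners: $(echo $udp_missing)"
    return 1
}

# Constructed sample output (same columns as `ss -Hltn` / `ss -Hlun`):
# LDAP, LDAPS and the TCP side of Kerberos are up, httpd and UDP/88 are not.
SAMPLE_TCP='LISTEN 0 128 0.0.0.0:389 0.0.0.0:*
LISTEN 0 128 0.0.0.0:636 0.0.0.0:*
LISTEN 0 128 0.0.0.0:88 0.0.0.0:*
LISTEN 0 128 0.0.0.0:464 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'
SAMPLE_UDP='UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
UNCONN 0 0 0.0.0.0:464 0.0.0.0:*'

ipa_ports_ok "$SAMPLE_TCP" "$SAMPLE_UDP" || true
# On the server itself: ipa_ports_ok "$(ss -Hltn)" "$(ss -Hlun)"
```

A missing TCP listener on 80/443 usually means `httpd` or `pki-tomcatd` failed to start (check `systemctl status ipa` and `/var/log/ipaserver-install.log`), which no firewall rule will fix; the script separates that failure from a firewall problem, where the port is listening but unreachable from another host.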
### Adding users
#### Command line
We can add users from the command line with the `ipa` tool.
In order to *use* the tool we need to authenticate the shell we're using with Kerberos.
```bash
[waldek@ipa ~]$ kinit admin
Password for admin@CORP.LAN:
[waldek@ipa ~]$
```
Next we can **add** a user and **set** the password.
The ticket `kinit` obtained lives in your user's Kerberos credential cache, so run these commands as the same user you authenticated as; `klist` shows whether you still hold a valid ticket.
Note the default login shell of `/bin/sh` in the output: pass `--shell=/bin/bash` to `ipa user-add` if you want something else.
```bash
[waldek@ipa ~]$ ipa user-add
First name: david
Last name: guy
User login [dguy]: david
------------------
Added user "david"
------------------
User login: david
First name: david
Last name: guy
Full name: david guy
Display name: david guy
Initials: dg
Home directory: /home/david
GECOS: david guy
Login shell: /bin/sh
Principal name: david@CORP.LAN
Principal alias: david@CORP.LAN
Email address: david@corp.lan
UID: 1715200004
GID: 1715200004
Password: False
Member of groups: ipausers
Kerberos keys available: False
[waldek@ipa ~]$ ipa passwd david
New Password:
Enter New Password again to verify:
-------------------------------------
Changed password for "david@CORP.LAN"
-------------------------------------
[waldek@ipa ~]$
```
#### Web GUI
Because `corp.lan` is not served by the DNS on our LAN, the server's name won't resolve from your workstation, so add `192.168.0.69 ipa.corp.lan ipa` to the `/etc/hosts` of the machine you run the browser on.
Next you open a browser and navigate to `https://ipa.corp.lan/`; use the host name rather than the IP address, because the web UI redirects to the server's FQDN and the TLS certificate is issued for that name only.
That certificate comes from the CA the installer just created, so the browser will warn about it until you import the CA certificate, which the server publishes at `https://ipa.corp.lan/ipa/config/ca.crt`.
There you log in as `admin` with the password you set during the installation.
You'll see a dashboard similar to the one below.
![dashboard](./assets/fedora_03.png)
## Client installation
### Debian
We'll need a classic headless Debian server to install the client software on.
No real hardware requirements here but keep in mind the **domain** you set your FreeIPA server to!
This machine will need to be in the same domain.
Once up and running, install your preferred tools and look for the `freeipa-client` package to install.
It seems to be missing!
We can [find](https://packages.debian.org/buster/freeipa-client) it on the Debian website though.
There is a package available for Buster *and* for Sid but not for Bullseye.
The problem is that it was not ready in time for the release so it got excluded, not that it's incompatible.
Remember apt pinning?
We can use it to include packages from different branches of Debian.
Let's add the sources and set up the pinning.
With stable pinned at 700 and unstable at 600, `apt` keeps preferring Bullseye for every package that exists there and only falls back to Sid for packages Bullseye does not have, such as `freeipa-client` and whatever dependencies it brings along.
Before installing, check with `apt-cache policy freeipa-client` which version is the candidate and with `apt install -s freeipa-client` which packages would be pulled from Sid; a machine that handles authentication is not where you want a large slice of unstable.
```bash
waldek@ipaclient1:~$ cat /etc/apt/sources.list
# deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 NETINST 20210814-10:07]/ bullseye main
#deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 NETINST 20210814-10:07]/ bullseye main
deb http://deb.debian.org/debian/ bullseye main
deb-src http://deb.debian.org/debian/ bullseye main
deb http://deb.debian.org/debian/ sid main
deb-src http://deb.debian.org/debian/ sid main
deb http://security.debian.org/debian-security bullseye-security main
deb-src http://security.debian.org/debian-security bullseye-security main
# bullseye-updates, to get updates before a point release is made;
# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
deb http://deb.debian.org/debian/ bullseye-updates main
deb-src http://deb.debian.org/debian/ bullseye-updates main
# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
waldek@ipaclient1:~$ cat /etc/apt/preferences.d/pinning
Package: *
Pin: release a=stable
Pin-Priority: 700
Package: *
Pin: release a=unstable
Pin-Priority: 600
waldek@ipaclient1:~$ sudo apt install freeipa-client
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
freeipa-client is already the newest version (4.8.10-2+b1).
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
waldek@ipaclient1:~$
```
We need to add the IP address of our server to our hosts file so the client can contact it: without DNS for `corp.lan` neither the server's name nor the SRV records the client would normally use for discovery exist.
```bash
waldek@ipaclient1:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ipaclient1.corp.lan ipaclient1
192.168.0.69 ipa.corp.lan ipa
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
waldek@ipaclient1:~$
```
Just as with the server, the client comes with a configuration tool as well.
Debian does not detect the domain by itself because discovery relies on DNS SRV records (`_ldap._tcp.corp.lan` and `_kerberos._udp.corp.lan`), which we don't have since we skipped FreeIPA's integrated DNS and rely on `/etc/hosts`; so we specify the server and the domain on the command line and accept the installer's warning that it will pin itself to this one server with no failover.
Here we also add the `--mkhomedir` argument so each user who logs in gets their own home directory on the local computer.
```bash
waldek@ipaclient1:~$ sudo ipa-client-install --server ipa.corp.lan --domain corp.lan --mkhomedir
This program will set up FreeIPA client.
Version 4.8.10
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: ipaclient1.corp.lan
Realm: CORP.LAN
DNS Domain: corp.lan
IPA Server: ipa.corp.lan
BaseDN: dc=corp,dc=lan
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@CORP.LAN:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CORP.LAN
Issuer: CN=Certificate Authority,O=CORP.LAN
Valid From: 2021-09-28 19:30:06
Valid Until: 2041-09-28 19:30:06
Enrolled in IPA realm CORP.LAN
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm CORP.LAN
Systemwide CA database updated.
Hostname (ipaclient1.corp.lan) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host ipaclient1.corp.lan: 192.168.0.145.
Incorrect reverse record(s):
192.168.0.145 is pointing to ipaclient1.lan. instead of ipaclient1.corp.lan.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring corp.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
waldek@ipaclient1:~$
```
Once this is done we can use the accounts we added to the server, either via the command line or the web interface, to authenticate with on the local machine.
A password set by an administrator with `ipa passwd` is expired on purpose, which is why the first login below forces the user to choose a new one.
Also keep in mind that the server installation created an HBAC rule named `allow_all`, so every IPA user can log in to every enrolled host until you disable it (`ipa hbacrule-disable allow_all`) and add rules that grant access per host group and user group.
```bash
waldek@ipaclient1:~$ su alice
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
$ id
uid=1715200001(alice) gid=1715200001(alice) groups=1715200001(alice)
$ cd
$ pwd
/home/alice
$
```
### Fedora
TODO in class