diff --git a/modules/qualifying/assets/fedora_01.png b/modules/qualifying/assets/fedora_01.png new file mode 100644 index 0000000..168a046 Binary files /dev/null and b/modules/qualifying/assets/fedora_01.png differ diff --git a/modules/qualifying/assets/fedora_02.png b/modules/qualifying/assets/fedora_02.png new file mode 100644 index 0000000..f187276 Binary files /dev/null and b/modules/qualifying/assets/fedora_02.png differ diff --git a/modules/qualifying/assets/fedora_03.png b/modules/qualifying/assets/fedora_03.png new file mode 100644 index 0000000..82fa2d0 Binary files /dev/null and b/modules/qualifying/assets/fedora_03.png differ diff --git a/modules/qualifying/learning_centralized_account_management_freeipa.md b/modules/qualifying/learning_centralized_account_management_freeipa.md new file mode 100644 index 0000000..999feb0 --- /dev/null +++ b/modules/qualifying/learning_centralized_account_management_freeipa.md 
@@ -0,0 +1,607 @@ +# FreeIPA + +[FreeIPA](https://www.freeipa.org/page/Main_Page) is an open source identify management solution. +It's a good modern day solution for centralized account management. +For this one we'll be installing the server on a Fedora machine. +By looking at the installation [requirements](https://www.freeipa.org/page/Quick_Start_Guide#Preparing_a_Platform) we learn that we need a bit more RAM than usual. + +I suggest a machine with: + +* 4GB RAM +* min 2 CPU +* 10GB disk + +## Server installation + +Do a Fedora installation as you have done before. +Your base installation should look like the screenshot below. + +![base](./assets/fedora_01.png) + +When looking through the software selection list we can already install freeipa from the start. +Tick it, or install it later through `dnf`, your call. +Notice the `Network Servers` package and how it *still* includes `nis`? + +![software selection](./assets/fedora_02.png) + +Fedora takes a bit more time to install but once it's done, log in and install your tools of choice. +Your Debian skills will go a long way here. + +```bash +[waldek@fedora ~]$ sudo dnf install htop tmux vim +[sudo] password for waldek: +Last metadata expiration check: 0:00:04 ago on Tue 28 Sep 2021 21:12:01 CEST. +Dependencies resolved. 
+======================================================================================================================================= + Package Architecture Version Repository Size +======================================================================================================================================= +Installing: + htop x86_64 3.0.5-4.fc34 fedora 154 k + tmux x86_64 3.1c-2.fc34 fedora 397 k + vim-enhanced x86_64 2:8.2.3404-1.fc34 updates 1.8 M +Installing dependencies: + gpm-libs x86_64 1.20.7-26.fc34 fedora 20 k + libsodium x86_64 1.0.18-7.fc34 fedora 165 k + vim-common x86_64 2:8.2.3404-1.fc34 updates 6.7 M + vim-filesystem noarch 2:8.2.3404-1.fc34 updates 22 k + +Transaction Summary +======================================================================================================================================= +Install 7 Packages + +Total download size: 9.3 M +Installed size: 36 M +Is this ok [y/N]: y +Downloading Packages: +(1/7): gpm-libs-1.20.7-26.fc34.x86_64.rpm 38 kB/s | 20 kB 00:00 +(2/7): htop-3.0.5-4.fc34.x86_64.rpm 270 kB/s | 154 kB 00:00 +(3/7): libsodium-1.0.18-7.fc34.x86_64.rpm 262 kB/s | 165 kB 00:00 +(4/7): tmux-3.1c-2.fc34.x86_64.rpm 996 kB/s | 397 kB 00:00 +(5/7): vim-filesystem-8.2.3404-1.fc34.noarch.rpm 139 kB/s | 22 kB 00:00 +(6/7): vim-enhanced-8.2.3404-1.fc34.x86_64.rpm 943 kB/s | 1.8 MB 00:02 +(7/7): vim-common-8.2.3404-1.fc34.x86_64.rpm 2.2 MB/s | 6.7 MB 00:02 +--------------------------------------------------------------------------------------------------------------------------------------- +Total 2.0 MB/s | 9.3 MB 00:04 +Running transaction check +Transaction check succeeded. +Running transaction test +Transaction test succeeded. 
+Running transaction + Preparing : 1/1 + Installing : vim-filesystem-2:8.2.3404-1.fc34.noarch 1/7 + Installing : vim-common-2:8.2.3404-1.fc34.x86_64 2/7 + Installing : libsodium-1.0.18-7.fc34.x86_64 3/7 + Installing : gpm-libs-1.20.7-26.fc34.x86_64 4/7 + Installing : vim-enhanced-2:8.2.3404-1.fc34.x86_64 5/7 + Installing : tmux-3.1c-2.fc34.x86_64 6/7 + Running scriptlet: tmux-3.1c-2.fc34.x86_64 6/7 + Installing : htop-3.0.5-4.fc34.x86_64 7/7 + Running scriptlet: htop-3.0.5-4.fc34.x86_64 7/7 + Verifying : gpm-libs-1.20.7-26.fc34.x86_64 1/7 + Verifying : htop-3.0.5-4.fc34.x86_64 2/7 + Verifying : libsodium-1.0.18-7.fc34.x86_64 3/7 + Verifying : tmux-3.1c-2.fc34.x86_64 4/7 + Verifying : vim-common-2:8.2.3404-1.fc34.x86_64 5/7 + Verifying : vim-enhanced-2:8.2.3404-1.fc34.x86_64 6/7 + Verifying : vim-filesystem-2:8.2.3404-1.fc34.noarch 7/7 + +Installed: + gpm-libs-1.20.7-26.fc34.x86_64 htop-3.0.5-4.fc34.x86_64 libsodium-1.0.18-7.fc34.x86_64 + tmux-3.1c-2.fc34.x86_64 vim-common-2:8.2.3404-1.fc34.x86_64 vim-enhanced-2:8.2.3404-1.fc34.x86_64 + vim-filesystem-2:8.2.3404-1.fc34.noarch + +Complete! +[waldek@fedora ~]$ +``` + +Once this is done we need to set a `hostname` and a FQDN. +Most LDAP servers are *very* picky about domains and FQDNs and FreeIPA is no different. +It can not have a single top level domain. +I advise a reboot once you have set this before continuing the configuration. + +```bash +[waldek@ipa ~]$ cat /etc/hostname +ipa +[waldek@ipa ~]$ cat /etc/hosts +192.168.0.69 ipa.corp.lan ipa +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +[waldek@ipa ~]$ +``` + +We can configure the server with a tool called `ipa-server-install` that comes installed with the FreeIPA package. +It will run you through some questions but the default values are good for the most part. +I'll be adding some arguments to speed things up. 
+The `--mkhomedir -a -p` arguments do the following (in practice you should set proper passwords!): + +```bash + --mkhomedir create home directories for users on their first login + -p DM_PASSWORD, --ds-password=DM_PASSWORD + Directory Manager password + -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD + admin user kerberos password +``` + +There we go! + +```bash +[waldek@ipa ~]$ sudo ipa-server-install --mkhomedir -a 123456789 -p 123456789 + +The log file for this installation can be found in /var/log/ipaserver-install.log +============================================================================== +This program will set up the IPA Server. +Version 4.9.6 + +This includes: + * Configure a stand-alone CA (dogtag) for certificate management + * Configure the NTP client (chronyd) + * Create and configure an instance of Directory Server + * Create and configure a Kerberos Key Distribution Center (KDC) + * Configure Apache (httpd) + * Configure the KDC to enable PKINIT + +To accept the default shown in brackets, press the Enter key. + +Do you want to configure integrated DNS (BIND)? [no]: + +Enter the fully qualified domain name of the computer +on which you're setting up server software. Using the form +. +Example: master.example.com. + + +Server host name [ipa.corp.lan]: + +The domain name has been determined based on the host name. + +Please confirm the domain name [corp.lan]: + +The kerberos protocol requires a Realm name to be defined. +This is typically the domain name converted to uppercase. + +Please provide a realm name [CORP.LAN]: +Do you want to configure chrony with NTP server or pool address? [no]: + +The IPA Master Server will be configured with: +Hostname: ipa.corp.lan +IP address(es): 192.168.0.69 +Domain name: corp.lan +Realm name: CORP.LAN + +The CA will be configured with: +Subject DN: CN=Certificate Authority,O=CORP.LAN +Subject base: O=CORP.LAN +Chaining: self-signed + +Continue to configure the system with these values? 
[no]: yes + +The following operations may take some minutes to complete. +Please wait until the prompt is returned. + +Disabled p11-kit-proxy +Synchronizing time +No SRV records of NTP servers found and no NTP server or pool address was provided. +Using default chrony configuration. +Attempting to sync time with chronyc. +Time synchronization was successful. +Configuring directory server (dirsrv). Estimated time: 30 seconds + [1/41]: creating directory server instance + [2/41]: tune ldbm plugin + [3/41]: adding default schema + [4/41]: enabling memberof plugin + [5/41]: enabling winsync plugin + [6/41]: configure password logging + [7/41]: configuring replication version plugin + [8/41]: enabling IPA enrollment plugin + [9/41]: configuring uniqueness plugin + [10/41]: configuring uuid plugin + [11/41]: configuring modrdn plugin + [12/41]: configuring DNS plugin + [13/41]: enabling entryUSN plugin + [14/41]: configuring lockout plugin + [15/41]: configuring topology plugin + [16/41]: creating indices + [17/41]: enabling referential integrity plugin + [18/41]: configuring certmap.conf + [19/41]: configure new location for managed entries + [20/41]: configure dirsrv ccache and keytab + [21/41]: enabling SASL mapping fallback + [22/41]: restarting directory server + [23/41]: adding sasl mappings to the directory + [24/41]: adding default layout + [25/41]: adding delegation layout + [26/41]: creating container for managed entries + [27/41]: configuring user private groups + [28/41]: configuring netgroups from hostgroups + [29/41]: creating default Sudo bind user + [30/41]: creating default Auto Member layout + [31/41]: adding range check plugin + [32/41]: creating default HBAC rule allow_all + [33/41]: adding entries for topology management + [34/41]: initializing group membership + [35/41]: adding master entry + [36/41]: initializing domain level + [37/41]: configuring Posix uid/gid generation + [38/41]: adding replication acis + [39/41]: activating sidgen plugin + 
[40/41]: activating extdom plugin + [41/41]: configuring directory to start on boot +Done configuring directory server (dirsrv). +Configuring Kerberos KDC (krb5kdc) + [1/10]: adding kerberos container to the directory + [2/10]: configuring KDC + [3/10]: initialize kerberos container + [4/10]: adding default ACIs + [5/10]: creating a keytab for the directory + [6/10]: creating a keytab for the machine + [7/10]: adding the password extension to the directory + [8/10]: creating anonymous principal + [9/10]: starting the KDC + [10/10]: configuring KDC to start on boot +Done configuring Kerberos KDC (krb5kdc). +Configuring kadmin + [1/2]: starting kadmin + [2/2]: configuring kadmin to start on boot +Done configuring kadmin. +Configuring ipa-custodia + [1/5]: Making sure custodia container exists + [2/5]: Generating ipa-custodia config file + [3/5]: Generating ipa-custodia keys + [4/5]: starting ipa-custodia + [5/5]: configuring ipa-custodia to start on boot +Done configuring ipa-custodia. +Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes + [1/28]: configuring certificate server instance + [2/28]: stopping certificate server instance to update CS.cfg + [3/28]: backing up CS.cfg + [4/28]: Add ipa-pki-wait-running + [5/28]: secure AJP connector + [6/28]: reindex attributes + [7/28]: exporting Dogtag certificate store pin + [8/28]: disabling nonces + [9/28]: set up CRL publishing + [10/28]: enable PKIX certificate path discovery and validation + [11/28]: authorizing RA to modify profiles + [12/28]: authorizing RA to manage lightweight CAs + [13/28]: Ensure lightweight CAs container exists + [14/28]: starting certificate server instance + [15/28]: configure certmonger for renewals + [16/28]: requesting RA certificate from CA + [17/28]: publishing the CA certificate + [18/28]: adding RA agent as a trusted user + [19/28]: configure certificate renewals + [20/28]: Configure HTTP to proxy connections + [21/28]: updating IPA configuration + [22/28]: enabling CA instance + [23/28]: importing IPA certificate profiles + [24/28]: migrating certificate profiles to LDAP + [25/28]: adding default CA ACL + [26/28]: adding 'ipa' CA entry + [27/28]: configuring certmonger renewal for lightweight CAs + [28/28]: deploying ACME service +Done configuring certificate server (pki-tomcatd). +Configuring directory server (dirsrv) + [1/3]: configuring TLS for DS instance + [2/3]: adding CA certificate entry + [3/3]: restarting directory server +Done configuring directory server (dirsrv). +Configuring ipa-otpd + [1/2]: starting ipa-otpd + [2/2]: configuring ipa-otpd to start on boot +Done configuring ipa-otpd. 
+Configuring the web interface (httpd) + [1/21]: stopping httpd + [2/21]: backing up ssl.conf + [3/21]: disabling nss.conf + [4/21]: configuring mod_ssl certificate paths + [5/21]: setting mod_ssl protocol list + [6/21]: configuring mod_ssl log directory + [7/21]: disabling mod_ssl OCSP + [8/21]: adding URL rewriting rules + [9/21]: configuring httpd + [10/21]: setting up httpd keytab + [11/21]: configuring Gssproxy + [12/21]: setting up ssl + [13/21]: configure certmonger for renewals + [14/21]: publish CA cert + [15/21]: clean up any existing httpd ccaches + [16/21]: configuring SELinux for httpd + [17/21]: create KDC proxy config + [18/21]: enable KDC proxy + [19/21]: starting httpd + [20/21]: configuring httpd to start on boot + [21/21]: enabling oddjobd +Done configuring the web interface (httpd). +Configuring Kerberos KDC (krb5kdc) + [1/1]: installing X509 Certificate for PKINIT +Done configuring Kerberos KDC (krb5kdc). +Applying LDAP updates +Upgrading IPA:. Estimated time: 1 minute 30 seconds + [1/10]: stopping directory server + [2/10]: saving configuration + [3/10]: disabling listeners + [4/10]: enabling DS global lock + [5/10]: disabling Schema Compat + [6/10]: starting directory server + [7/10]: upgrading server + [8/10]: stopping directory server + [9/10]: restoring configuration + [10/10]: starting directory server +Done. +Restarting the KDC +Configuring client side components +This program will set up IPA client. +Version 4.9.6 + +Using existing certificate '/etc/ipa/ca.crt'. +Client hostname: ipa.corp.lan +Realm: CORP.LAN +DNS Domain: corp.lan +IPA Server: ipa.corp.lan +BaseDN: dc=corp,dc=lan + +Configured sudoers in /etc/authselect/user-nsswitch.conf +Configured /etc/sssd/sssd.conf +Systemwide CA database updated. +Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub +Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub +Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub +Could not update DNS SSHFP records. 
+SSSD enabled +Configured /etc/openldap/ldap.conf +Configured /etc/ssh/ssh_config +Configured /etc/ssh/sshd_config.d/04-ipa.conf +Configuring corp.lan as NIS domain. +Client configuration complete. +The ipa-client-install command was successful + +Please add records in this file to your DNS system: /tmp/ipa.system.records.o8dlznpf.db +============================================================================== +Setup complete + +Next steps: + 1. You must make sure these network ports are open: + TCP Ports: + * 80, 443: HTTP/HTTPS + * 389, 636: LDAP/LDAPS + * 88, 464: kerberos + UDP Ports: + * 88, 464: kerberos + * 123: ntp + + 2. You can now obtain a kerberos ticket using the command: 'kinit admin' + This ticket will allow you to use the IPA tools (e.g., ipa user-add) + and the web user interface. + +Be sure to back up the CA certificates stored in /root/cacert.p12 +These files are required to create replicas. The password for these +files is the Directory Manager password +The ipa-server-install command was successful +[waldek@ipa ~]$ +``` + +Fedora comes with a firewall installed by default so let's open up the ports needed for LDAP and HTTP and make them permanent. + +```bash +[waldek@ipa ~]$ sudo firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=http --add-service=https --permanent +success +[waldek@ipa ~]$ +``` + +### Adding users + +#### Command line + +We can add users from the command line with the `ipa` tool. +In order to *use* the tool we need to authenticate the shell we're using with Kerberos. + +```bash +[waldek@ipa ~]$ kinit admin +Password for admin@CORP.LAN: +[waldek@ipa ~]$ +``` + +Next we can **add** a user and **set** the password. +You must do this in the same shell you authenticated before! 
+ +```bash +[waldek@ipa ~]$ ipa user-add +First name: david +Last name: guy +User login [dguy]: david +------------------ +Added user "david" +------------------ + User login: david + First name: david + Last name: guy + Full name: david guy + Display name: david guy + Initials: dg + Home directory: /home/david + GECOS: david guy + Login shell: /bin/sh + Principal name: david@CORP.LAN + Principal alias: david@CORP.LAN + Email address: david@corp.lan + UID: 1715200004 + GID: 1715200004 + Password: False + Member of groups: ipausers + Kerberos keys available: False +[waldek@ipa ~]$ ipa passwd david +New Password: +Enter New Password again to verify: +------------------------------------- +Changed password for "david@CORP.LAN" +------------------------------------- +[waldek@ipa ~]$ +``` + +#### Web GUI + +As we had to fix the domain as a two part domain the resolv on our LAN won't work out of the box but you can just add the FreeIPA server to your graphical `/etc/hosts` file. +Next you open a browser and navigate to the hostname or IP address of your server. +There you log in with the credentials you set during the installation. +You'll see a dashboard similar to the one below. + +![dashboard](./assets/fedora_03.png) + +## client installation + +### Debian + +We'll need a classic headless Debian server to install the client software on. +No real hardware requirements here but keep in mind the **domain** you set your FreeIPA server to! +This machine will need to be in the same domain. +Once up and running, install your preferred tools and look for the `freeipa-client` package to install. +It seems to be missing! +We can [find](https://packages.debian.org/buster/freeipa-client) on on the Debian website though? +There is a package available for Buster *and* for *Sid* but not for Bullseye. +The problem is that it was not ready in time for the release so it got excluded, not that it's incompatible. + +Remember apt pinning? 
+We can use it to include packages from different branches of Debian. +Let's add the sources and set up the pinning. + +```bash +waldek@ipaclient1:~$ cat /etc/apt/sources.list +# deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 NETINST 20210814-10:07]/ bullseye main + +#deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 NETINST 20210814-10:07]/ bullseye main + +deb http://deb.debian.org/debian/ bullseye main +deb-src http://deb.debian.org/debian/ bullseye main + +deb http://deb.debian.org/debian/ sid main +deb-src http://deb.debian.org/debian/ sid main + +deb http://security.debian.org/debian-security bullseye-security main +deb-src http://security.debian.org/debian-security bullseye-security main + +# bullseye-updates, to get updates before a point release is made; +# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports +deb http://deb.debian.org/debian/ bullseye-updates main +deb-src http://deb.debian.org/debian/ bullseye-updates main + +# This system was installed using small removable media +# (e.g. netinst, live or single CD). The matching "deb cdrom" +# entries were disabled at the end of the installation process. +# For information about how to configure apt package sources, +# see the sources.list(5) manual. +waldek@ipaclient1:~$ cat /etc/apt/preferences.d/pinning +Package: * +Pin: release a=stable +Pin-Priority: 700 + +Package: * +Pin: release a=unstable +Pin-Priority: 600 +waldek@ipaclient1:~$ sudo apt install freeipa-client +Reading package lists... Done +Building dependency tree... Done +Reading state information... Done +freeipa-client is already the newest version (4.8.10-2+b1). +0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded. +waldek@ipaclient1:~$ + +``` + +We need to add the IP address of our server to out hosts file so our client can contact it. 
+ +```bash +waldek@ipaclient1:~$ cat /etc/hosts +127.0.0.1 localhost +127.0.1.1 ipaclient1.corp.lan ipaclient1 +192.168.0.69 ipa.corp.lan ipa + +# The following lines are desirable for IPv6 capable hosts +::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +waldek@ipaclient1:~$ +``` + +Just as with the server, the client comes with a configuration tool as well. +For some weird reason Debian does not detect the domain by itself so we can specify it on the command line. +Here we also add the `--mkhomedir` argument so each user who logs in, gets his or her own home directory on the local computer. + +```bash +waldek@ipaclient1:~$ sudo ipa-client-install --server ipa.corp.lan --domain corp.lan --mkhomedir +This program will set up FreeIPA client. +Version 4.8.10 + +WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd + +Autodiscovery of servers for failover cannot work with this configuration. +If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure. +Proceed with fixed values and no DNS discovery? [no]: yes +Do you want to configure chrony with NTP server or pool address? [no]: +Client hostname: ipaclient1.corp.lan +Realm: CORP.LAN +DNS Domain: corp.lan +IPA Server: ipa.corp.lan +BaseDN: dc=corp,dc=lan + +Continue to configure the system with these values? [no]: yes +Synchronizing time +No SRV records of NTP servers found and no NTP server or pool address was provided. +Using default chrony configuration. +Attempting to sync time with chronyc. +Time synchronization was successful. +User authorized to enroll computers: admin +Password for admin@CORP.LAN: +Successfully retrieved CA cert + Subject: CN=Certificate Authority,O=CORP.LAN + Issuer: CN=Certificate Authority,O=CORP.LAN + Valid 
From: 2021-09-28 19:30:06 + Valid Until: 2041-09-28 19:30:06 + +Enrolled in IPA realm CORP.LAN +Created /etc/ipa/default.conf +Configured sudoers in /etc/nsswitch.conf +Configured /etc/sssd/sssd.conf +Configured /etc/krb5.conf for IPA realm CORP.LAN +Systemwide CA database updated. +Hostname (ipaclient1.corp.lan) does not have A/AAAA record. +Failed to update DNS records. +Missing A/AAAA record(s) for host ipaclient1.corp.lan: 192.168.0.145. +Incorrect reverse record(s): +192.168.0.145 is pointing to ipaclient1.lan. instead of ipaclient1.corp.lan. +Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub +Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub +Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub +Could not update DNS SSHFP records. +SSSD enabled +Configured /etc/openldap/ldap.conf +Configured /etc/ssh/ssh_config +Configured /etc/ssh/sshd_config.d/04-ipa.conf +Configuring corp.lan as NIS domain. +Client configuration complete. +The ipa-client-install command was successful +waldek@ipaclient1:~$ +``` + +Once this is done we can use the accounts we added to the server, either via the command line or the web interface, to authenticate with on the local machine. + +```bash +waldek@ipaclient1:~$ su alice +Password: +Password expired. Change your password now. +Current Password: +New password: +Retype new password: +$ id +uid=1715200001(alice) gid=1715200001(alice) groups=1715200001(alice) +$ cd +$ pwd +/home/alice +$ +``` + +### Fedora + +TODO in class + + +
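Review bot: the `sudo ipa-server-install --mkhomedir -a 123456789 -p 123456789` invocation passes both the Directory Manager password and the admin Kerberos password on the command line, where they end up in the shell history and are visible in the process list for the several minutes the installer runs; since the text already tells readers to use proper passwords, suggest dropping `-a`/`-p` so the installer prompts for them (the argument listing above can stay as documentation) and noting that the two should be different values, because the listing itself shows they protect two different accounts. The `Next steps` output also says `/root/cacert.p12` is protected by the Directory Manager password and is required to create replicas; a sentence telling readers to back that file up would be worth adding.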
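Review bot: the firewall step runs `firewall-cmd ... --permanent` only, which updates the saved configuration but not the running one, so the ports stay closed until the next reload or reboot; suggest following it with `sudo firewall-cmd --reload` (or repeating the command without `--permanent`). The command also names only the LDAP and HTTP services while the installer's `Next steps` list includes Kerberos 88/464 and NTP 123, so a sentence stating which of those ports the chosen services open (readers can check with `firewall-cmd --info-service=freeipa-ldap`) would stop them wondering whether Kerberos was forgotten.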
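Review bot: "For some weird reason Debian does not detect the domain by itself" should state the actual cause: `ipa-client-install` discovers servers through DNS SRV records, and this setup declined integrated DNS (`Do you want to configure integrated DNS (BIND)? [no]:`) and relies on `/etc/hosts`, so there is nothing to discover. The transcript already says so in "Autodiscovery of servers for failover cannot work with this configuration", and the later "Hostname (ipaclient1.corp.lan) does not have A/AAAA record", "Incorrect reverse record(s)" and "Could not update DNS SSHFP records" lines have the same root cause. A short paragraph explaining that the fixed `--server` value means no failover and no DNS-published SSH host key records, and that this is a lab shortcut rather than a production layout, would make those warnings far less alarming to a reader following along.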
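Review bot: the closing `su alice` transcript uses a user that is never created in this document (the command-line section adds `david`), so readers who follow the steps literally will get an authentication failure; either show the `ipa user-add` for alice or run the demo as david. Also worth a sentence before that block explaining the `Password expired. Change your password now.` prompt: a password set by an administrator with `ipa passwd` is marked expired so the user is forced to choose their own at first login, which is expected behaviour rather than an error.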
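Review bot: the pinning block adds `sid main` to `sources.list` on a Bullseye machine with priority 600 against 700 for stable; that keeps packages present in stable where they are, but any dependency of `freeipa-client` that stable cannot satisfy will be pulled from unstable, and because the transcript reports `freeipa-client is already the newest version (4.8.10-2+b1)` it never shows which packages actually came from sid. Suggest capturing the install output on a clean machine (or the output of `apt policy freeipa-client` showing the pinned candidate) so readers can see what gets mixed in, and mentioning that packages from unstable are not covered by the Debian security team's updates.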
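Review bot: a few documentation nits in the new file: "identify management" should be "identity management"; "We can [find] on on the Debian website though?" has a doubled "on" and reads as a statement rather than a question; "to out hosts file" should be "our"; "your graphical `/etc/hosts` file" in the Web GUI section is unclear (presumably the `/etc/hosts` of the machine running the browser); the `## client installation` heading should be capitalised like `## Server installation`; and the `### Fedora` section contains only "TODO in class", so either fill it in before merging or mark it as pending in the heading.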