Introduction

About

In order to make my infrastructure easier to manage, I decided to install a FreeIPA server.
One of my ex-colleagues, now a friend, told me a lot about this product some time ago.
So I decided to try it.
Thanks Djul (@JulienPorschen)

NB. This article is not yet finished, so some typos may remain and some paragraphs are not yet formatted.

Objectives

Install a functional FreeIPA server to:

  • manage users and groups
  • centralise user SSH keys
  • automount

This is the first step; I will add new modules later:

  • FreeOTP

Requirements

  • A CentOS machine (10 GB system disk, 1 vCPU, 2 GB RAM)
  • a local domain name like myplace.local

References

This article is based on:

Core Installation

Prepare the machine

Add your machine's IP address and name to your /etc/hosts file:

echo "$(ip -o -4 addr show | grep -v " lo" | head -1 | awk '{print $4}' | cut -d'/' -f1) $(hostname) $(hostname -s)" >> /etc/hosts

That would add something like:

10.0.0.1 ipaserver.myplace.local ipaserver
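A safer version of that one-liner, added here as an example and not part of the original post: it validates the address, refuses a loopback address (ipa-server-install rejects a hostname that resolves to 127.0.0.1) and does not append a second line when the FQDN is already mapped. HOSTS_FILE, valid_ipv4, detect_primary_ipv4 and ensure_hosts_entry are names this example introduces; HOSTS_FILE can be pointed at a copy to try it without touching the real file.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent /etc/hosts entry for the
# FreeIPA server. FreeIPA needs the FQDN to resolve to a real, non-loopback address,
# so invalid or loopback IPs and conflicting entries are refused.
# HOSTS_FILE is an assumption of this example; override it to test on a copy.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# valid_ipv4 ADDR: returns 0 if ADDR is a dotted quad with octets 0-255, 1 otherwise
valid_ipv4() {
    addr="$1"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# detect_primary_ipv4: same pipeline as the article's one-liner, first non-loopback IPv4
detect_primary_ipv4() {
    ip -o -4 addr show | grep -v ' lo ' | head -1 | awk '{print $4}' | cut -d/ -f1
}

# ensure_hosts_entry IP FQDN SHORT
#   0: entry present (added now, or already there with the same address)
#   1: bad input (invalid or loopback IP, FQDN without a dot)
#   2: FQDN already mapped to a different address (file left untouched)
ensure_hosts_entry() {
    ip="$1"; fqdn="$2"; short="$3"
    valid_ipv4 "$ip" || return 1
    case "$ip" in 127.*) return 1 ;; esac
    case "$fqdn" in *.*) ;; *) return 1 ;; esac
    # address currently mapped to this FQDN (whole-word match, comments stripped)
    existing=$(sed 's/#.*//' "$HOSTS_FILE" |
        awk -v h="$fqdn" '{ for (i = 2; i <= NF; i++) if ($i == h) print $1 }' | head -1)
    if [ -n "$existing" ]; then
        [ "$existing" = "$ip" ] && return 0
        return 2
    fi
    printf '%s %s %s\n' "$ip" "$fqdn" "$short" >> "$HOSTS_FILE"
}

# usage on the server itself:
#   ensure_hosts_entry "$(detect_primary_ipv4)" "$(hostname)" "$(hostname -s)"
```

A return code of 2 is worth stopping on: a stale line for the same FQDN pointing at an old address is exactly the kind of thing that makes the Kerberos and DNS checks of ipa-server-install fail in confusing ways.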

Install the software

Install the packages needed to set everything up:

yum install ipa-server bind-dyndb-ldap ipa-server-dns

Prepare the following information before running the install process:

  • domain name (myplace.local): it is determined from the machine hostname, you just have to confirm it
  • Directory Manager password
  • IPA admin password
  • a DNS forwarder

ipa-server-install --setup-dns

Answer the questions. At the end the following message will appear:

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

Back up this file.

Firewall

If you want to use the local firewall on CentOS, allow incoming traffic (these are permanent rules, so reload the firewall afterwards for them to take effect):

firewall-cmd --permanent --add-service=ntp
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=ldap
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-service=kpasswd

If you also want FreeIPA to handle the PKI part, add the root CA, located in /etc/ipa/ca.crt, to your Firefox or system CA store.

Configure FreeIPA

Everything can be done through the web interface or the command line.
I will use the command line.
The web interface is reachable at https://ipaserver.myplace.local/

User Management

An NFS server will be used to provide a single storage location for home directories.
This avoids having the same data duplicated across multiple machines.

The NFS server will be a FreeBSD server with ZFS storage.

NFS Mount configuration for homedir

On FreeIPA Server :

ipaserver# ipa automountmap-add default auto.home

Added automount map "auto.home"

  Map: auto.home

ipaserver# ipa automountkey-add default --key "/exports/home" --info auto.home auto.master

Added automount key "/exports/home"

  Key: /exports/home
  Mount information: auto.home

ipaserver# ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 nfssrv.myplace.local:/exports/home/&" auto.home

Added automount key "*"

  Key: *
  Mount information: -fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 nfssrv.myplace.local:/exports/home/&

On Linux machines, ensure that the home directory is created automatically if it doesn't exist:

authconfig --enablemkhomedir --update

Linux

Linux NFS Server

Source:
https://blog.delouw.ch/2015/03/14/using-ipa-to-provide-automount-maps-for-nfsv4-home-directories/

Configure sssd + krb5.conf

ipa service-add nfs/nfssrv.myplace.local
ipa-getkeytab -s ipaserver.myplace.local -p nfs/nfssrv.myplace.local -k /etc/krb5.keytab

Linux IPA Client

ipa-server# ipa host-add ipaclient2.myplace.local --ip-address=A.B.C.D
ipa-server# ipa service-add nfs/ipaclient2.myplace.local


ipa-client# yum install ipa-client
ipa-client# mkdir -p /exports/home
ipa-client# authconfig --enablemkhomedir --update
ipa-client# generate /etc/krb5.conf
ipa-client# kinit
ipa-client# ipa-getkeytab -s ipaserver.myplace.local -p nfs/${HOSTNAME} -k /etc/krb5.keytab

ipa-client# ipa-client-install
or
ipa-client# ipa-client-install --domain=myplace.local --server=ipaserver.myplace.local --realm=MYPLACE.LOCAL

ipa-client# ipa-client-automount --location=default

Ensure that mount | grep auto returns:

auto.home on /exports/home type autofs (rw,relatime,fd=18,pgrp=19004,timeout=300,minproto=5,maxproto=5,indirect)

If not, edit /etc/nsswitch.conf and find the automount line; sss may be missing. It should look like:

automount: files sss

Fix it, then restart sssd and autofs.
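The nsswitch.conf check above as a script, added here as an example and not the author's own: it reports whether the active automount line already lists sss and, if not, rewrites it to the form given above (or adds it when the line is missing altogether). NSSWITCH, automount_uses_sss and ensure_automount_sss are this example's names; point NSSWITCH at a copy to try it without editing the real file.

```shell
#!/bin/sh
# Added example (not from the original post): make sure autofs asks sssd for the
# automount maps stored in FreeIPA. NSSWITCH is an assumption of this example.
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# automount_uses_sss: returns 0 if an automount: line lists the sss source
# (comments are stripped first, so "automount: files # sss" does not count)
automount_uses_sss() {
    awk '/^[[:space:]]*automount[[:space:]]*:/ {
             sub(/#.*/, "")
             for (i = 1; i <= NF; i++) if ($i == "sss") found = 1
         }
         END { exit found ? 0 : 1 }' "$NSSWITCH"
}

# ensure_automount_sss: leave the file alone if it is already right, otherwise
# replace the automount line with "automount: files sss" (or append it if absent)
ensure_automount_sss() {
    if automount_uses_sss; then
        echo "automount already queries sss"
        return 0
    fi
    if grep -q '^[[:space:]]*automount[[:space:]]*:' "$NSSWITCH"; then
        # rewrite through a temp file and copy back, so the inode and
        # permissions of nsswitch.conf are preserved (no sed -i needed)
        tmp="$(mktemp)"
        awk '/^[[:space:]]*automount[[:space:]]*:/ { print "automount: files sss"; next }
             { print }' "$NSSWITCH" > "$tmp" && cat "$tmp" > "$NSSWITCH"
        rm -f "$tmp"
    else
        echo "automount: files sss" >> "$NSSWITCH"
    fi
    echo "automount line fixed; now restart sssd and autofs"
}

# usage on a client:
#   ensure_automount_sss && systemctl restart sssd autofs
```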

FreeBSD

FreeBSD NFS Server

FreeBSD IPA Client

Source:

On the FreeBSD client (not yet functional):
compile sssd with smb support
and --with-krb5-conf=/etc/krb5.conf in sssd/Makefile
(thx https://community.riocities.com/freebsd_nfv4_krb.html)

mkdir -p /usr/compat/linux/proc

echo "linproc /usr/compat/linux/proc linprocfs rw 0 0" >> /etc/fstab

mkdir /var/log/krb5

edit /etc/pam.d/system

on the FreeIPA Server

ipa host-add FREEBSD_FQDN
ipa-getkeytab -s ${HOSTNAME} -p host/FREEBSD_FQDN -k /root/FREEBSD_FQDN.keytab

Copy the newly created keytab file to /etc/krb5.keytab on the FreeBSD client.

Add TLS_CACERT /etc/ipa/ca.crt to /usr/local/etc/openldap/ldap.conf

Allow some users to connect through ssh

Based on http://www.freeipa.org/page/Howto/HBAC_and_allow_all

Create a new rule named allow_ssh:

ipaserver# ipa hbacrule-add allow_ssh

Added HBAC rule "allow_ssh"

  Rule name: allow_ssh
  Enabled: TRUE

Associate the sshd service with the newly created HBAC rule:

ipaserver# ipa hbacrule-add-service allow_ssh --hbacsvcs=sshd

  Rule name: allow_ssh
  Enabled: TRUE
  Services: sshd

Number of members added 1

Associate a user with this rule:

ipaserver# ipa hbacrule-add-user allow_ssh --user=username_allowed

  Rule name: allow_ssh
  Enabled: TRUE
  Users: username_allowed

Number of members added 1

Associate a host with this rule:

ipaserver# ipa hbacrule-add-host allow_ssh --hosts=ipaclient.myplace.local

  Rule name: allow_ssh
  Enabled: TRUE
  Users: username_allowed
  Hosts: ipaclient.myplace.local

Number of members added 1

Allow some users to execute commands with sudo

In the previous section about allowing ssh, I've written out the command output, but in the following one I will not.

Before allowing a user to execute specific commands through sudo, we need to allow the user to access the sudo service (an HBAC rule, like the ssh one):

ipaserver# ipa hbacrule-add allow_sudo
ipaserver# ipa hbacrule-add-service allow_sudo --hbacsvcs=sudo
ipaserver# ipa hbacrule-add-user allow_sudo --user=username_allowed
ipaserver# ipa hbacrule-add-host allow_sudo --hosts=ipaclient.myplace.local

OK, now let's allow the user to execute a command like whoami.

Beware that sssd caches the rules, so it can take time for a change to show up on the client (up to 6 h). Sudo rules are refreshed in two ways:

  • incrementally, meaning only changes to rules since the last full update (ldap_sudo_smart_refresh_interval, the time in seconds); the default is 15 minutes,
  • fully, which dumps the entire cache and pulls in all of the current rules from the LDAP server (ldap_sudo_full_refresh_interval, the time in seconds); the default is six hours.

Source: the sssd-ldap-sudo man page

ipaserver# ipa sudorule-add whoami
ipaserver# ipa sudocmd-add /usr/bin/whoami
ipaserver# ipa sudorule-add-allow-command whoami --sudocmds /usr/bin/whoami
ipaserver# ipa sudorule-add-host whoami --hosts ipaclient.myplace.local
ipaserver# ipa sudorule-add-user whoami --users username_allowed

Now, if we want to allow running sudo whoami without authenticating the user, we add this option:

ipaserver# ipa sudorule-add-option whoami --sudooption '!authenticate'
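The two procedures above (the HBAC rule that grants access to the sudo service, then the sudo rule itself) as one script, added here as an example and not part of the original post. It runs the same ipa subcommands as the text, using the documented long option names (--users, --hosts); IPA_CMD, DRY_RUN, grant_sudo_command, verify_hbac and the allow_sudo_<rule> naming are this example's own. With DRY_RUN=1 it only prints the plan, so it can be reviewed before anything is changed on the server, and !authenticate is added only when explicitly requested.

```shell
#!/bin/sh
# Added example (not from the original post): grant one user one sudo command on
# one host. The HBAC rule comes first, because without access to the "sudo" HBAC
# service the sudo rule is never evaluated on the client.
# IPA_CMD and DRY_RUN are assumptions of this example.
IPA_CMD="${IPA_CMD:-ipa}"
DRY_RUN="${DRY_RUN:-0}"

# run_ipa ARGS...: print the command with DRY_RUN=1, otherwise execute it
run_ipa() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPA_CMD $*"
    else
        "$IPA_CMD" "$@"
    fi
}

# grant_sudo_command USER HOST CMD RULE [NOPASSWD]
#   1. HBAC rule allow_sudo_<RULE>: USER may use the sudo service on HOST
#   2. sudo rule RULE: exactly CMD (absolute path), on HOST, for USER
#   3. only when NOPASSWD=1: add !authenticate (password-less sudo is a deliberate choice)
# Re-running against a live server reports "already exists" for objects created earlier.
grant_sudo_command() {
    user="$1"; host="$2"; cmd="$3"; rule="$4"; nopasswd="${5:-0}"
    case "$cmd" in
        /*) ;;
        *) echo "sudo command must be an absolute path: $cmd" >&2; return 1 ;;
    esac

    run_ipa hbacrule-add "allow_sudo_${rule}"
    run_ipa hbacrule-add-service "allow_sudo_${rule}" --hbacsvcs=sudo
    run_ipa hbacrule-add-user "allow_sudo_${rule}" --users="$user"
    run_ipa hbacrule-add-host "allow_sudo_${rule}" --hosts="$host"

    run_ipa sudocmd-add "$cmd"
    run_ipa sudorule-add "$rule"
    run_ipa sudorule-add-allow-command "$rule" --sudocmds="$cmd"
    run_ipa sudorule-add-host "$rule" --hosts="$host"
    run_ipa sudorule-add-user "$rule" --users="$user"
    if [ "$nopasswd" = 1 ]; then
        run_ipa sudorule-add-option "$rule" --sudooption='!authenticate'
    fi
}

# verify_hbac USER HOST SERVICE: ask the server whether HBAC lets USER use SERVICE on HOST
# (ipa hbactest reports "Access granted: True/False" and the matched rules)
verify_hbac() {
    run_ipa hbactest --user="$1" --host="$2" --service="$3"
}

# usage:
#   grant_sudo_command username_allowed ipaclient.myplace.local /usr/bin/whoami whoami
#   verify_hbac username_allowed ipaclient.myplace.local sudo
```

Because of the refresh intervals described above, the client may not see the new rule for up to six hours; on the client, sss_cache can be used to invalidate the sssd cache so the next lookup goes back to the server.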