services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

freeipa with piv instructions
All checks were successful
Reese's Arch Toolbox / build-and-push-arch-toolbox (push) Successful in 37m55s
Details

Browse Source
This commit is contained in:
Reese Wells
2025-01-26 03:39:19 -05:00
parent 0bd45fb023
commit 54281c36dd
2 changed files with 172 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
systemd/incubating/freeipa/README.md
View File

@@ -1,83 +0,0 @@
# FreeIPA
An AD Server.
This guide assumes Fedora 40+.
## Quickstart
<https://www.freeipa.org/page/Quick_Start_Guide>
- Set your hostname to your server's fqdn with `hostnamectl hostname freeipa.reeselink.com`
- Ensure you have a DNS entry pointing to your host
- Open ports:
```bash
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
```
- Set a permanet DNS resolver: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf`
- Disable NetworkManager DNS management
```bash
vim /etc/NetworkManager/NetworkManager.conf
[main]
dns=none
```
- Restart NetworkManager: `systemctl restart NetworkManager`
- Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
- Install freeipa: `dnf install -y freeipa-server freeipa-server-dns`
- Install the server (mostly choose defaults and sane options): `ipa-server-install`
- Authenticate as admin: `kinit admin`
## Adding a user
- `ipa user-add`
- `ipa passwd <user>`
- `kinit <user>`
## Arch Client
- Install krb5: `pacman -S krb5`
- Edit /etc/krb5.conf to match your server
```conf
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REESELINK.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REESELINK.COM = {
kdc = freeipa.reeselink.com:88
master_kdc = freeipa.reeselink.com:88
kpasswd_server = freeipa.reeselink.com:464
admin_server = freeipa.reeselink.com:749
default_domain = reeselink.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.reeselink.com = REESELINK.COM
reeselink.com = REESELINK.COM
freeipa.reeselink.com = REESELINK.COM
```
- Log in with your user: `kinit <user>`
- List your tickets: `klist`

172
systemd/incubating/freeipa/freeipa.md Normal file
View File

@@ -0,0 +1,172 @@
# FreeIPA
An AD Server.
This guide assumes Fedora 40+.
## Quickstart
<https://www.freeipa.org/page/Quick_Start_Guide>
- Set your hostname to your server's fqdn with `hostnamectl hostname freeipa.reeselink.com`
- Ensure you have a DNS entry pointing to your host
- Open ports:
```bash
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
```
- Set a permanet DNS resolver: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf`
- Disable NetworkManager DNS management
```bash
vim /etc/NetworkManager/NetworkManager.conf
[main]
dns=none
```
Note, if installing for local use only, set /etc/hosts and reply "yes" to configure dns.
```bash
vim /etc/hosts
192.168.122.100 freeipa.reeselink.com
```
- Restart NetworkManager: `systemctl restart NetworkManager`
- Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
- Install freeipa: `dnf install -y freeipa-server freeipa-server-dns`
- Install the server (mostly choose defaults and sane options): `ipa-server-install`
- Authenticate as admin: `kinit admin`
## Tips
```bash
# Install gnome desktop
dnf group install gnome-desktop
systemctl enable gdm
reboot
# Install spice tools for clipboard sync
sudo dnf install spice-vdagent
reboot
```
## Stop pcscd on the host
"virt-manager USB redirection error: Device is in use by another application"
You won't be able to pass through a smart card without stopping pcscd on the host.
```bash
systemctl stop pcscd.socket && systemctl stop pcscd
```
## Adding a user
- `ipa user-add`
- `ipa passwd <user>`
- `kinit <user>`
## PIV
Self signed piv cert generation
<https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html>
Explaing Yubikey key slots
<https://developers.yubico.com/PIV/Introduction/Certificate_slots.html>
Ultimate guide to creating a CA
<https://checkmk.com/linux-knowledge/creating-server-certificate>
CA Public directory
<https://nextcloud.reeseapps.com/s/twRAFeWJZKJ3Qw5>
Convert pem to der
<https://knowledge.digicert.com/solution/how-to-convert-a-certificate-into-the-appropriate-format>
Add smart card login to extended key use
<https://docs.openssl.org/master/man5/x509v3_config/#key-usage>
This should set up a CA and a signed cert for your yubikey.
Note, add to `/etc/httpd/conf.d/ssl.conf`
```conf
SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
```
<https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-idm-for-smart-card-auth_managing-smart-card-authentication#conf-idm-server-for-smart-card-auth_configuring-idm-for-smart-card-auth>
This should do it
```bash
cp /etc/ipa/ca.crt ca.crt
kinit admin
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod +x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh ca.crt
```
Then in `/etc/httpd/conf.d/ssl.conf`
```conf
SSLOCSPEnable off
```
```bash
systemctl restart httpd
```
Then user -> actions -> new certificate. Paste in the yubikey CSR. Download then upload cert to the yubikey.
Auth with smart card
```bash
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
```
## Arch Client
- Install krb5: `pacman -S krb5`
- Edit /etc/krb5.conf to match your server
```conf
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REESELINK.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REESELINK.COM = {
kdc = freeipa.reeselink.com:88
master_kdc = freeipa.reeselink.com:88
kpasswd_server = freeipa.reeselink.com:464
admin_server = freeipa.reeselink.com:749
default_domain = reeselink.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.reeselink.com = REESELINK.COM
reeselink.com = REESELINK.COM
freeipa.reeselink.com = REESELINK.COM
```
- Log in with your user: `kinit <user>`
- List your tickets: `klist`