update freeipa smart card notes

retired/systemd_freeipa/freeipa.md

@@ -6,6 +6,7 @@
   - [Quickstart Production Setup](#quickstart-production-setup)
   - [Tips](#tips)
   - [Adding a user](#adding-a-user)
+    - [Adding a Smart Card Certificate](#adding-a-smart-card-certificate)
   - [PIV](#piv)
     - [Sources](#sources)
     - [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
@@ -17,6 +18,8 @@
     - [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
     - [Finding p11 devices WIP](#finding-p11-devices-wip)
   - [Arch Client WIP](#arch-client-wip)
+  - [Troubleshooting](#troubleshooting)
+    - [Changing IP address](#changing-ip-address)
 
 An AD Server.
 
@@ -71,6 +74,10 @@ dnf install ipa-server-dns bind-dyndb-ldap -y
 # 2. We don't need to scan for additional zones
 ipa-server-install --setup-dns
 
+# Setup firewall
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=dns --permanent
+firewall-cmd --reload
+
 # Install flatpak
 dnf install flatpak
 flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
@@ -98,8 +105,8 @@ Now skip to [Get PIV Working](#piv)
 - Open ports:
 
 ```bash
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
 firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
+firewall-cmd --reload
 ```
 
 - Set a permanet DNS resolver: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf`
@@ -147,6 +154,18 @@ reboot
 - `ipa passwd <user>`
 - `kinit <user>`
 
+### Adding a Smart Card Certificate
+
+1. Login to the UI as admin
+2. Navigate to your user
+3. Actions -> New Certificate
+4. Generate a self-signed CSR with your yubikey
+5. Paste the CSR into the CSR field
+6. Generate
+7. Download the certificate from the user page
+8. Import the certificate into slot 9a for your yubikey
+9. `kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user`
+
 ## PIV
 
 ### Sources
@@ -249,36 +268,34 @@ hostnamectl set-hostname client.reese.reeselink.com
 
 # OPTIONAL: You need to leave any existing AD realm before joining a new one
 # realm leave <some-realm>
-```
 
-Add the freeipa server to our /etc/hosts so we don't need to set up DNS
+# Install pcscd
+dnf install pcsc-lite opensc
+# Start the pcscd server
+systemctl enable --now pcscd
 
-```bash
-vim /etc/hosts
-
-`192.168.122.195 freeipa.reese.reeselink.com`
+# Update client's dns server to use freeipa
+vim /etc/resolv.conf
+nameserver 192.168.122.130
 
 # This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
-realm join -U someuser freeipa.reese.reeselink.com -v
-
-# AD should be configured to create the user's home dir, but to be safe
-export freeipa_user=ducoterra
-mkdir /home/$freeipa_user
-chown $freeipa_user:$freeipa_user /home/$freeipa_user
-
-# Check login
-su - $freeipa_user
+realm join -U admin freeipa.reese.reeselink.com -v
 
 # With kinit
 kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
 
 # With sssctl
-cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
 dnf install -y sssd-tools
+cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
+chmod 600 /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
 authselect enable-feature with-smartcard
 # required: authselect enable-feature with-smartcard-required
 # lock on remove: authselect enable-feature with-smartcard-lock-on-removal
-# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
+```
+
+IMPORTANT: set `pam_cert_auth = True` in `[pam]` section of `/etc/sssd/sssd.conf`.
+
+```bash
 systemctl restart sssd
 sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
 ```
@@ -389,3 +406,11 @@ vim /etc/krb5.conf
 
 - Log in with your user: `kinit <user>`
 - List your tickets: `klist`
+
+## Troubleshooting
+
+### Changing IP address
+
+Changing the IP address of a freeipa server can break dnssec. You'll get
+"servfail" looking things up. The quick way to fix this is to edit
+`/etc/named/ipa-options-ext.conf` and to set `dnssec-validation no;`.