From 8035fa38dc8ac97d836eff1cf3740708afc5461b Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Tue, 14 Oct 2025 12:38:13 -0400
Subject: [PATCH] update freeipa smart card notes

---
 retired/systemd_freeipa/freeipa.md | 61 +++++++++++++++++++++---------
 1 file changed, 43 insertions(+), 18 deletions(-)

diff --git a/retired/systemd_freeipa/freeipa.md b/retired/systemd_freeipa/freeipa.md
index 767604e..3e23f04 100644
--- a/retired/systemd_freeipa/freeipa.md
+++ b/retired/systemd_freeipa/freeipa.md
@@ -6,6 +6,7 @@
 - [Quickstart Production Setup](#quickstart-production-setup)
 - [Tips](#tips)
 - [Adding a user](#adding-a-user)
+ - [Adding a Smart Card Certificate](#adding-a-smart-card-certificate)
 - [PIV](#piv)
 - [Sources](#sources)
 - [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
@@ -17,6 +18,8 @@
 - [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
 - [Finding p11 devices WIP](#finding-p11-devices-wip)
 - [Arch Client WIP](#arch-client-wip)
+ - [Troubleshooting](#troubleshooting)
+ - [Changing IP address](#changing-ip-address)
 An AD Server.
@@ -71,6 +74,10 @@ dnf install ipa-server-dns bind-dyndb-ldap -y
 # 2. We don't need to scan for additional zones
 ipa-server-install --setup-dns
+# Setup firewall
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=dns --permanent
+firewall-cmd --reload
+
 # Install flatpak
 dnf install flatpak
 flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
@@ -98,8 +105,8 @@ Now skip to [Get PIV Working](#piv)
 - Open ports:
 ```bash
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
 firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
+firewall-cmd --reload
 ```
 - Set a permanet DNS resolver: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf`
@@ -147,6 +154,18 @@ reboot
 - `ipa passwd `
 - `kinit `
+### Adding a Smart Card Certificate
+
+1. Login to the UI as admin
+2. Navigate to your user
+3. Actions -> New Certificate
+4. Generate a self-signed CSR with your yubikey
+5. Paste the CSR into the CSR field
+6. Generate
+7. Download the certificate from the user page
+8. Import the certificate into slot 9a for your yubikey
+9. `kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user`
+
 ## PIV
 ### Sources
@@ -249,36 +268,34 @@ hostnamectl set-hostname client.reese.reeselink.com
 # OPTIONAL: You need to leave any existing AD realm before joining a new one
 # realm leave
-```
-Add the freeipa server to our /etc/hosts so we don't need to set up DNS
+# Install pcscd
+dnf install pcsc-lite opensc
+# Start the pcscd server
+systemctl enable --now pcscd
-```bash
-vim /etc/hosts
-
-`192.168.122.195 freeipa.reese.reeselink.com`
+# Update client's dns server to use freeipa
+vim /etc/resolv.conf
+nameserver 192.168.122.130
 # This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
-realm join -U someuser freeipa.reese.reeselink.com -v
-
-# AD should be configured to create the user's home dir, but to be safe
-export freeipa_user=ducoterra
-mkdir /home/$freeipa_user
-chown $freeipa_user:$freeipa_user /home/$freeipa_user
-
-# Check login
-su - $freeipa_user
+realm join -U admin freeipa.reese.reeselink.com -v
 # With kinit
 kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
 # With sssctl
-cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
 dnf install -y sssd-tools
+cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
+chmod 600 /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
 authselect enable-feature with-smartcard
 # required: authselect enable-feature with-smartcard-required
 # lock on remove: authselect enable-feature with-smartcard-lock-on-removal
-# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
+```
+
+IMPORTANT: set `pam_cert_auth = True` in `[pam]` section of `/etc/sssd/sssd.conf`.
+
+```bash
 systemctl restart sssd
 sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
 ```
@@ -389,3 +406,11 @@ vim /etc/krb5.conf
 - Log in with your user: `kinit `
 - List your tickets: `klist`
+
+## Troubleshooting
+
+### Changing IP address
+
+Changing the IP address of a freeipa server can break dnssec. You'll get
+"servfail" looking things up. The quick way to fix this is to edit
+`/etc/named/ipa-options-ext.conf` and to set `dnssec-validation no;`.