add joining docs
All checks were successful
Reese's Arch Toolbox / build-and-push-arch-toolbox (push) Successful in 37m49s
@@ -11,6 +11,7 @@
- [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
- [Note for VMs](#note-for-vms)
- [Set up PIV](#set-up-piv)
- [Set up PIV on Another Host](#set-up-piv-on-another-host)
- [PIV Smart Card (Yubikey Manual) WIP](#piv-smart-card-yubikey-manual-wip)
- [PIV Smart Card (Taglio) WIP](#piv-smart-card-taglio-wip)
- [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
@@ -232,6 +233,56 @@ systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```

### Set up PIV on Another Host

**NOTE**: Make sure, if you're joining with a host that already has a user with a username that
exists in your freeipa server, that **you set the UID in freeipa to match the UID on
the system**. Otherwise joining will cause all sorts of problems.

```bash
# This package is required to join a FreeIPA realm
# I think it helps collect and save the relevant data from the FreeIPA
# server when joining (server CA, NTP sync, SSH keys, etc.)
dnf install -y freeipa-client

hostnamectl set-hostname client.reese.reeselink.com

# OPTIONAL: You need to leave any existing AD realm before joining a new one
# realm leave <some-realm>
```

Add the freeipa server to our /etc/hosts so we don't need to set up DNS

```bash
vim /etc/hosts

`192.168.122.195 freeipa.reese.reeselink.com`

# This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
realm join freeipa.reese.reeselink.com -v

# AD should be configured to create the user's home dir, but to be safe
export freeipa_user=ducoterra
mkdir /home/$freeipa_user
chown $freeipa_user:$freeipa_user /home/$freeipa_user

# Check login
su - $freeipa_user

# With kinit
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user

# With sssctl
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```

### PIV Smart Card (Yubikey Manual) WIP

```bash
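Review bot: the `# Check login` step `su - $freeipa_user` in the second bash block does not test authentication when run as root, since root switches user with no password or PIN prompt; it only shows that the name resolves and the home directory works. Use `id $freeipa_user` or `getent passwd $freeipa_user` for the lookup and a real login (ssh, or `login` on a console), or rely on the `sssctl user-checks` call that already closes the block, to exercise the auth path. Several smaller points in the same hunk: `kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user` uses the placeholder `idm_user` while every other command uses `$freeipa_user` or `ducoterra`; the comment `# AD should be configured to create the user's home dir` talks about AD during an IPA join, and home directory creation is a client-side PAM concern (authselect's `with-mkhomedir` feature, which needs oddjobd running), so name that instead of hand-creating the directory; the `# I think it helps collect ...` comment hedges where the doc can simply say that realmd runs `ipa-client-install` from freeipa-client to join an IPA realm; the line `` `192.168.122.195 freeipa.reese.reeselink.com` `` sits inside a bash fence as a backtick expression rather than a comment or an `echo ... >> /etc/hosts`; the **NOTE** warning "Otherwise joining will cause all sorts of problems" should state the actual problem, that files owned by the old local UID stop belonging to the user once the name resolves to the IPA UID; and the `with-smartcard-required` line deserves a caveat that it disables password login, so it should only be enabled after `sssctl user-checks ... -a auth` reports success, or you lock yourself out of the host.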