add joining docs
All checks were successful
Reese's Arch Toolbox / build-and-push-arch-toolbox (push) Successful in 37m49s
@@ -11,6 +11,7 @@
- [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
- [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
- [Note for VMs](#note-for-vms)
- [Note for VMs](#note-for-vms)
- [Set up PIV](#set-up-piv)
- [Set up PIV](#set-up-piv)
- [Set up PIV on Another Host](#set-up-piv-on-another-host)
- [PIV Smart Card (Yubikey Manual) WIP](#piv-smart-card-yubikey-manual-wip)
- [PIV Smart Card (Yubikey Manual) WIP](#piv-smart-card-yubikey-manual-wip)
- [PIV Smart Card (Taglio) WIP](#piv-smart-card-taglio-wip)
- [PIV Smart Card (Taglio) WIP](#piv-smart-card-taglio-wip)
- [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
- [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
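Review bot: The new TOC entry `- [Set up PIV on Another Host](#set-up-piv-on-another-host)` uses a slug that matches the `### Set up PIV on Another Host` heading this commit adds further down, and it is placed between `Set up PIV` and the Yubikey entry in the same order as the headings, so the link resolves. Since the TOC is hand-maintained, the only thing to watch is that a later rename of that heading is mirrored here.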
@@ -232,6 +233,56 @@ systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```
```
### Set up PIV on Another Host
**NOTE**: Make sure, if you're joining with a host that already has a user with a username that
exists in your freeipa server, that **you set the UID in freeipa to match the UID on
the system**. Otherwise joining will cause all sorts of problems.
```bash
# This package is required to join a FreeIPA realm
# I think it helps collect and save the relevant data from the FreeIPA
# server when joining (server CA, NTP sync, SSH keys, etc.)
dnf install -y freeipa-client
hostnamectl set-hostname client.reese.reeselink.com
# OPTIONAL: You need to leave any existing AD realm before joining a new one
# realm leave <some-realm>
```
Add the freeipa server to our /etc/hosts so we don't need to set up DNS
```bash
vim /etc/hosts
`192.168.122.195 freeipa.reese.reeselink.com`
# This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
realm join freeipa.reese.reeselink.com -v
# AD should be configured to create the user's home dir, but to be safe
export freeipa_user=ducoterra
mkdir /home/$freeipa_user
chown $freeipa_user:$freeipa_user /home/$freeipa_user
# Check login
su - $freeipa_user
# With kinit
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
# With sssctl
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```
### PIV Smart Card (Yubikey Manual) WIP
### PIV Smart Card (Yubikey Manual) WIP
```bash
```bash
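Review bot: The line `` `192.168.122.195 freeipa.reese.reeselink.com` `` sits inside a ```bash fence, so its backticks are not markdown emphasis but a shell command substitution; anyone pasting the block gets an attempt to execute `192.168.122.195` rather than a hosts entry. Either make it a real command, `echo '192.168.122.195 freeipa.reese.reeselink.com' >> /etc/hosts`, or turn it into a `#` comment next to the `vim /etc/hosts` step. Two smaller points in the same block: the comment `# AD should be configured to create the user's home dir` refers to AD in a FreeIPA walkthrough, and the manual `mkdir`/`chown` only covers the one user in `$freeipa_user`; `authselect enable-feature with-mkhomedir` (with the oddjob-mkhomedir package installed and oddjobd running) creates every user's home with the right ownership on first login and removes the per-user step. The `kinit` line also uses the principal `idm_user` while everything else in the block uses `$freeipa_user`/`ducoterra`, so `kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' $freeipa_user` would keep the example consistent.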