update freeipa with debugging docs

systemd/incubating/freeipa/freeipa.md

@@ -1,10 +1,94 @@
 # FreeIPA
 
+- [FreeIPA](#freeipa)
+  - [Notes](#notes)
+  - [Quickstart Debugging Setup](#quickstart-debugging-setup)
+  - [Quickstart Production Setup](#quickstart-production-setup)
+  - [Tips](#tips)
+  - [Adding a user](#adding-a-user)
+  - [PIV](#piv)
+    - [Sources](#sources)
+    - [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
+      - [Note for VMs](#note-for-vms)
+      - [Set up PIV](#set-up-piv)
+    - [PIV Smart Card (Yubikey Manual) WIP](#piv-smart-card-yubikey-manual-wip)
+    - [PIV Smart Card (Taglio) WIP](#piv-smart-card-taglio-wip)
+    - [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
+    - [Finding p11 devices WIP](#finding-p11-devices-wip)
+  - [Arch Client WIP](#arch-client-wip)
+
 An AD Server.
 
 This guide assumes Fedora 40+.
 
-## Quickstart
+## Notes
+
+For yubikey manager appimage extend app not responding timeout to 60 seconds
+
+```bash
+gsettings set org.gnome.mutter check-alive-timeout 0
+```
+
+## Quickstart Debugging Setup
+
+This sets up a freeipa server on RHEL 9 for debugging purposes. No DNS records required
+and mostly for local use.
+
+```bash
+# Don't forget to install tmux
+dnf install -y tmux
+```
+
+Install FreeIPA:
+
+```bash
+# Hostname needs to be an address that isn't managed by DNS (FreeIPA will check)
+# We can get away with *.name.reeselink.com because "name.reeselink.com" doesn't resolve.
+export HNAME="freeipa.reese.reeselink.com"
+export IPS=$(hostname -I)
+# Add "<ip address> freeipa.<unique_name>.reeselink.com" to the /etc/hosts
+# Example: "10.3.128.130 freeipa.reese.reeselink.com" <- note, this address *cannot* already exist.
+# This will allow us to access our AD server without DNS complication 
+for item in $IPS; do echo "$item $HNAME" >> /etc/hosts; done
+
+# FreeIPA checks for this
+hostnamectl set-hostname $HNAME --static
+hostname $HNAME
+
+# Turning off selinux isn't required, but is nice for debugging.
+setenforce 0
+sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
+
+# Install FreeIPA with the dns packages. We *could* use this server our DNS server if
+# we wanted. This will prevent DCV from talking to our auth endpoint, however, so isn't
+# recommended.
+dnf install ipa-server-dns bind-dyndb-ldap -y
+
+# IPA Server install
+# Note - select defaults for almost everything except:
+# 1. We want DNS, so say yes to that
+# 2. We don't need to scan for additional zones
+ipa-server-install --setup-dns
+
+# Install flatpak
+dnf install flatpak
+flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+flatpak install it.mijorus.gearlever
+```
+
+1. Download the yubikey manager at <https://www.yubico.com/support/download/yubikey-manager/>
+2. Open it in Gear Lever and add to app menu
+
+```bash
+# Install pcscd
+dnf install pcsc-lite opensc
+# Start the pcscd server
+systemctl enable --now pcscd
+```
+
+Now skip to [Get PIV Working](#piv)
+
+## Quickstart Production Setup
 
 <https://www.freeipa.org/page/Quick_Start_Guide>
 
@@ -41,10 +125,12 @@ vim /etc/hosts
 - Install the server (mostly choose defaults and sane options): `ipa-server-install`
 - Authenticate as admin: `kinit admin`
 
+Now skip to [Get PIV Working](#piv)
+
 ## Tips
 
 ```bash
-# Install gnome desktop
+# Install gnome desktop on Fedora server
 dnf group install gnome-desktop
 systemctl enable gdm
 reboot
@@ -54,16 +140,6 @@ sudo dnf install spice-vdagent
 reboot
 ```
 
-## Stop pcscd on the host
-
-"virt-manager USB redirection error: Device is in use by another application"
-
-You won't be able to pass through a smart card without stopping pcscd on the host.
-
-```bash
-systemctl stop pcscd.socket && systemctl stop pcscd
-```
-
 ## Adding a user
 
 - `ipa user-add`
@@ -72,6 +148,8 @@ systemctl stop pcscd.socket && systemctl stop pcscd
 
 ## PIV
 
+### Sources
+
 Self signed piv cert generation
 <https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html>
 
@@ -91,31 +169,44 @@ Add smart card login to extended key use
 <https://docs.openssl.org/master/man5/x509v3_config/#key-usage>
 
 This should set up a CA and a signed cert for your yubikey.
-
-Note, add to `/etc/httpd/conf.d/ssl.conf`
-
-```conf
-SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
-```
-
 <https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-idm-for-smart-card-auth_managing-smart-card-authentication#conf-idm-server-for-smart-card-auth_configuring-idm-for-smart-card-auth>
 
-This should do it
+### Set up PIV Auth on the Host where you Installed FreeIPA
+
+#### Note for VMs
+
+"virt-manager USB redirection error: Device is in use by another application"
+
+You won't be able to pass through a smart card without stopping pcscd on the host.
 
 ```bash
+systemctl stop pcscd.socket && systemctl stop pcscd
+```
+
+#### Set up PIV
+
+```bash
+# copy the CA and run the ipa-advise script that sets up smartcard auth
 cp /etc/ipa/ca.crt ca.crt
+sudo -i
 kinit admin
 ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
 chmod +x config-server-for-smart-card-auth.sh
 ./config-server-for-smart-card-auth.sh ca.crt
 ```
 
-Then in `/etc/httpd/conf.d/ssl.conf`
+Allow smart card auth in browser with these changes `/etc/httpd/conf.d/ssl.conf`
 
 ```conf
+...
 SSLOCSPEnable off
+...
+SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
+...
 ```
 
+And restart httpd:
+
 ```bash
 systemctl restart httpd
 ```
@@ -128,7 +219,75 @@ Auth with smart card
 kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
 ```
 
-## Arch Client
+Or with pam
+
+```bash
+cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
+dnf install -y sssd-tools
+authselect enable-feature with-smartcard
+# required: authselect enable-feature with-smartcard-required
+# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
+# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
+systemctl restart sssd
+sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
+```
+
+### PIV Smart Card (Yubikey Manual) WIP
+
+```bash
+openssl req -x509 -config openssl-ca.cnf -days 3650 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
+touch index.txt
+echo '01' > serial.txt
+
+# Sign the csr generated in slot 9a on your yubikey
+openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out reese-crt.pem -infiles reese-csr.pem
+
+# Inspect
+openssl x509 -in reese-crt.pem -text -noout
+
+# Convert to microsoft format
+openssl x509 -outform der -in reese-crt.pem -out reese-crt-der.cer
+```
+
+### PIV Smart Card (Taglio) WIP
+
+<https://github.com/OpenSC/OpenSC/wiki/Using-pkcs11-tool-and-OpenSSL>
+
+```bash
+openssl genrsa -aes256 -out testkey.key 2048
+openssl rsa -in testkey.key -pubout -out testkey-public.key
+openssl req -new -key testkey.key -out testkey.csr
+
+# Sign with CA
+```
+
+### Finding devices in sysfs WIP
+
+```bash
+# Try this
+ls /dev/input/by-id
+udevadm info --query=all --name='/dev/input/by-id/usb-Yubico_YubiKey_OTP+FIDO+CCID-event-kbd'
+# Look for E: DEVPATH and put /sys in front of it
+# For example:
+cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3/1-3:1.0/0003:1050:0407.0004/input/input10/event6
+
+# Or alternatively
+find /sys -name 'removable'
+cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3
+```
+
+### Finding p11 devices WIP
+
+```bash
+dnf install python3-pip python3-devel gcc
+python3 -m venv venv
+source venv/bin/activate
+pip install -U pip
+pip install python-pkcs11
+export PKCS11_MODULE=/usr/lib64/p11-kit-proxy.so
+```
+
+## Arch Client WIP
 
 - Install krb5: `pacman -S krb5`
 - Edit /etc/krb5.conf to match your server