update freeipa with debugging docs

2025-02-05 11:42:44 -05:00
parent 54281c36dd
commit d2212fddd7
1 changed files with 181 additions and 22 deletions
--- a/systemd/incubating/freeipa/freeipa.md
+++ b/systemd/incubating/freeipa/freeipa.md
@@ -1,10 +1,94 @@
 # FreeIPA
 - [FreeIPA](#freeipa)
  - [Notes](#notes)
  - [Quickstart Debugging Setup](#quickstart-debugging-setup)
  - [Quickstart Production Setup](#quickstart-production-setup)
  - [Tips](#tips)
  - [Adding a user](#adding-a-user)
  - [PIV](#piv)
    - [Sources](#sources)
    - [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
      - [Note for VMs](#note-for-vms)
      - [Set up PIV](#set-up-piv)
    - [PIV Smart Card (Yubikey Manual) WIP](#piv-smart-card-yubikey-manual-wip)
    - [PIV Smart Card (Taglio) WIP](#piv-smart-card-taglio-wip)
    - [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
    - [Finding p11 devices WIP](#finding-p11-devices-wip)
  - [Arch Client WIP](#arch-client-wip)
 An AD Server.
 This guide assumes Fedora 40+.
-## Quickstart
+## Notes
 For yubikey manager appimage extend app not responding timeout to 60 seconds
 ```bash
 gsettings set org.gnome.mutter check-alive-timeout 0
 ```
 ## Quickstart Debugging Setup
 This sets up a freeipa server on RHEL 9 for debugging purposes. No DNS records required
 and mostly for local use.
 ```bash
 # Don't forget to install tmux
 dnf install -y tmux
 ```
 Install FreeIPA:
 ```bash
 # Hostname needs to be an address that isn't managed by DNS (FreeIPA will check)
 # We can get away with *.name.reeselink.com because "name.reeselink.com" doesn't resolve.
 export HNAME="freeipa.reese.reeselink.com"
 export IPS=$(hostname -I)
 # Add "<ip address> freeipa.<unique_name>.reeselink.com" to the /etc/hosts
 # Example: "10.3.128.130 freeipa.reese.reeselink.com" <- note, this address *cannot* already exist.
 # This will allow us to access our AD server without DNS complication 
 for item in $IPS; do echo "$item $HNAME" >> /etc/hosts; done
 # FreeIPA checks for this
 hostnamectl set-hostname $HNAME --static
 hostname $HNAME
 # Turning off selinux isn't required, but is nice for debugging.
 setenforce 0
 sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
 # Install FreeIPA with the dns packages. We *could* use this server our DNS server if
 # we wanted. This will prevent DCV from talking to our auth endpoint, however, so isn't
 # recommended.
 dnf install ipa-server-dns bind-dyndb-ldap -y
 # IPA Server install
 # Note - select defaults for almost everything except:
 # 1. We want DNS, so say yes to that
 # 2. We don't need to scan for additional zones
 ipa-server-install --setup-dns
 # Install flatpak
 dnf install flatpak
 flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
 flatpak install it.mijorus.gearlever
 ```
 1. Download the yubikey manager at <https://www.yubico.com/support/download/yubikey-manager/>
 2. Open it in Gear Lever and add to app menu
 ```bash
 # Install pcscd
 dnf install pcsc-lite opensc
 # Start the pcscd server
 systemctl enable --now pcscd
 ```
 Now skip to [Get PIV Working](#piv)
 ## Quickstart Production Setup
 <https://www.freeipa.org/page/Quick_Start_Guide>
@@ -41,10 +125,12 @@ vim /etc/hosts
 - Install the server (mostly choose defaults and sane options): `ipa-server-install`
 - Authenticate as admin: `kinit admin`
 Now skip to [Get PIV Working](#piv)
 ## Tips
 ```bash
-# Install gnome desktop
+# Install gnome desktop on Fedora server
 dnf group install gnome-desktop
 systemctl enable gdm
 reboot
@@ -54,16 +140,6 @@ sudo dnf install spice-vdagent
 reboot
 ```
 ## Stop pcscd on the host
 "virt-manager USB redirection error: Device is in use by another application"
 You won't be able to pass through a smart card without stopping pcscd on the host.
 ```bash
 systemctl stop pcscd.socket && systemctl stop pcscd
 ```
 ## Adding a user
 - `ipa user-add`
@@ -72,6 +148,8 @@ systemctl stop pcscd.socket && systemctl stop pcscd
 ## PIV
 ### Sources
 Self signed piv cert generation
 <https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html>
@@ -91,31 +169,44 @@ Add smart card login to extended key use
 <https://docs.openssl.org/master/man5/x509v3_config/#key-usage>
 This should set up a CA and a signed cert for your yubikey.
 Note, add to `/etc/httpd/conf.d/ssl.conf`
 ```conf
 SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
 ```
 <https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-idm-for-smart-card-auth_managing-smart-card-authentication#conf-idm-server-for-smart-card-auth_configuring-idm-for-smart-card-auth>
-This should do it
+### Set up PIV Auth on the Host where you Installed FreeIPA
 #### Note for VMs
 "virt-manager USB redirection error: Device is in use by another application"
 You won't be able to pass through a smart card without stopping pcscd on the host.
 ```bash
 systemctl stop pcscd.socket && systemctl stop pcscd
 ```
 #### Set up PIV
 ```bash
 # copy the CA and run the ipa-advise script that sets up smartcard auth
 cp /etc/ipa/ca.crt ca.crt
 sudo -i
 kinit admin
 ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
 chmod +x config-server-for-smart-card-auth.sh
 ./config-server-for-smart-card-auth.sh ca.crt
 ```
-Then in `/etc/httpd/conf.d/ssl.conf`
+Allow smart card auth in browser with these changes `/etc/httpd/conf.d/ssl.conf`
 ```conf
 ...
 SSLOCSPEnable off
 ...
 SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
 ...
 ```
 And restart httpd:
 ```bash
 systemctl restart httpd
 ```
@@ -128,7 +219,75 @@ Auth with smart card
 kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
 ```
-## Arch Client
+Or with pam
 ```bash
 cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
 dnf install -y sssd-tools
 authselect enable-feature with-smartcard
 # required: authselect enable-feature with-smartcard-required
 # lock on remove: authselect enable-feature with-smartcard-lock-on-removal
 # set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
 systemctl restart sssd
 sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
 ```
 ### PIV Smart Card (Yubikey Manual) WIP
 ```bash
 openssl req -x509 -config openssl-ca.cnf -days 3650 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
 touch index.txt
 echo '01' > serial.txt
 # Sign the csr generated in slot 9a on your yubikey
 openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out reese-crt.pem -infiles reese-csr.pem
 # Inspect
 openssl x509 -in reese-crt.pem -text -noout
 # Convert to microsoft format
 openssl x509 -outform der -in reese-crt.pem -out reese-crt-der.cer
 ```
 ### PIV Smart Card (Taglio) WIP
 <https://github.com/OpenSC/OpenSC/wiki/Using-pkcs11-tool-and-OpenSSL>
 ```bash
 openssl genrsa -aes256 -out testkey.key 2048
 openssl rsa -in testkey.key -pubout -out testkey-public.key
 openssl req -new -key testkey.key -out testkey.csr
 # Sign with CA
 ```
 ### Finding devices in sysfs WIP
 ```bash
 # Try this
 ls /dev/input/by-id
 udevadm info --query=all --name='/dev/input/by-id/usb-Yubico_YubiKey_OTP+FIDO+CCID-event-kbd'
 # Look for E: DEVPATH and put /sys in front of it
 # For example:
 cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3/1-3:1.0/0003:1050:0407.0004/input/input10/event6
 # Or alternatively
 find /sys -name 'removable'
 cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3
 ```
 ### Finding p11 devices WIP
 ```bash
 dnf install python3-pip python3-devel gcc
 python3 -m venv venv
 source venv/bin/activate
 pip install -U pip
 pip install python-pkcs11
 export PKCS11_MODULE=/usr/lib64/p11-kit-proxy.so
 ```
 ## Arch Client WIP
 - Install krb5: `pacman -S krb5`
 - Edit /etc/krb5.conf to match your server