# FreeIPA

- [FreeIPA](#freeipa)
  - [Notes](#notes)
  - [Quickstart Debugging Setup](#quickstart-debugging-setup)
  - [Quickstart Production Setup](#quickstart-production-setup)
  - [NFS](#nfs)
  - [Tips](#tips)
  - [Adding a user](#adding-a-user)
    - [Adding a Smart Card Certificate](#adding-a-smart-card-certificate)
  - [PIV](#piv)
    - [Sources](#sources)
    - [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
      - [Note for VMs](#note-for-vms)
      - [Set up PIV](#set-up-piv)
    - [Set up PIV on Another Host](#set-up-piv-on-another-host)
    - [PIV Smart Card (Yubikey Manual) WIP](#piv-smart-card-yubikey-manual-wip)
    - [PIV Smart Card (Taglio) WIP](#piv-smart-card-taglio-wip)
    - [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
    - [Finding p11 devices WIP](#finding-p11-devices-wip)
  - [Arch Client WIP](#arch-client-wip)
  - [Troubleshooting](#troubleshooting)
    - [Changing IP address](#changing-ip-address)

Notes for standing up a FreeIPA identity server (referred to below as an AD server) with PIV smart card login. This guide assumes Fedora 40+.

## Notes

For the yubikey manager AppImage, GNOME's "application is not responding" dialog gets in the way. The setting is in milliseconds; the command below disables the check entirely (use `60000` for a 60 second timeout):

```bash
gsettings set org.gnome.mutter check-alive-timeout 0
```

## Quickstart Debugging Setup

This sets up a freeipa server on RHEL 9 for debugging purposes. No DNS records required and mostly for local use.

```bash
# Don't forget to install tmux
dnf install -y tmux
```

Install FreeIPA:

```bash
# Hostname needs to be an address that isn't managed by DNS (FreeIPA will check).
# We can get away with *.name.reeselink.com because "name.reeselink.com" doesn't resolve.
export HNAME="freeipa.reese.reeselink.com"
export IPS=$(hostname -I)

# Add "<ip> freeipa.reese.reeselink.com" to /etc/hosts for each local address.
# Example: "10.3.128.130 freeipa.reese.reeselink.com" <- note, this address *cannot* already exist.
# This will allow us to access our AD server without DNS complication
for item in $IPS; do echo "$item $HNAME" >> /etc/hosts; done

# FreeIPA checks for this
hostnamectl set-hostname $HNAME --static
hostname $HNAME

# Turning off selinux isn't required, but is nice for debugging.
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

# Install FreeIPA with the dns packages. We *could* use this server as our DNS server if
# we wanted. This will prevent DCV from talking to our auth endpoint, however, so isn't
# recommended.
dnf install ipa-server-dns bind-dyndb-ldap -y

# IPA Server install
# Note - select defaults for almost everything except:
# 1. We want DNS, so say yes to that
# 2. We don't need to scan for additional zones
ipa-server-install --setup-dns

# Setup firewall
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=dns --permanent
firewall-cmd --reload

# Install flatpak and Gear Lever (an AppImage manager)
dnf install flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak install it.mijorus.gearlever
```

1. Download the yubikey manager AppImage
2. Open it in Gear Lever and add to app menu

```bash
# Install pcscd
dnf install pcsc-lite opensc
# Start the pcscd server
systemctl enable --now pcscd
```

Now skip to [Get PIV Working](#piv)

## Quickstart Production Setup

1. Set your hostname to your server's fqdn with `hostnamectl hostname freeipa.reeselink.com`
2. If you want freeipa to manage your DNS, make sure you don't have a DNS address pointing to your domain
3. Open freeipa ports

   ```bash
   firewall-cmd --add-service=freeipa-4
   firewall-cmd --add-service=freeipa-4 --permanent
   firewall-cmd --reload
   ```

4. Set a permanent DNS resolver

   ```bash
   rm /etc/resolv.conf
   echo "nameserver 1.1.1.1" > /etc/resolv.conf
   ```

5. Disable NetworkManager DNS management by adding `dns=none` to the `[main]` section of `/etc/NetworkManager/NetworkManager.conf`

   ```conf
   [main]
   dns=none
   ```

6. Reboot
7. Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
8. Install freeipa: `dnf install -y freeipa-server freeipa-server-dns`
9. Install the server (mostly choose defaults and sane options): `ipa-server-install`
10. Authenticate as admin: `kinit admin`

Now skip to [Get PIV Working](#piv)

## NFS

```bash
mkdir /exports
chmod 1777 /exports
mount --bind /srv /exports/srv
```

This bind-mounts /srv at /exports/srv: the same files are reachable at either path and changes in one location reflect in the other. To make this persistent, add the mount command above to /etc/rc.d/rc.local or some similar executed-at-boot script (or add an `/etc/fstab` entry with the `bind` option).

Next, edit `/etc/sysconfig/nfs` and enable the SECURE_NFS option:

```conf
SECURE_NFS="yes"
```

On current Fedora there is no /etc/sysconfig/nfs; `rpc-gssd.service` starts automatically once `/etc/krb5.keytab` exists.

Then edit `/etc/exports`. The "/exports" entry has the "fsid=0" option, which tells NFS that this is the "root" export. The `gss/krb5` client name restricts the export to Kerberos-authenticated clients; nfs-utils deprecates this spelling in favour of the `sec=` option, so `*(rw,sec=krb5p,...)` is the modern equivalent (`krb5` authenticates only, `krb5i` adds integrity and `krb5p` also encrypts the traffic).

```fstab
/exports      gss/krb5(rw,sync,fsid=0,insecure,no_subtree_check)
/exports/srv  gss/krb5(rw,sync,nohide,insecure,no_subtree_check)
```

Create the server principal for the NFS server and add it to the keytab file on the server using kadmin (usually /etc/krb5.keytab):

```bash
kadmin.local
kadmin.local: addprinc -randkey nfs/nfsserver.domain.com
# Single-DES enctypes (des-cbc-crc) were removed in MIT Kerberos 1.18, so don't pin
# "-e des-cbc-crc:normal"; let the KDC use its default enctypes.
kadmin.local: ktadd -k /etc/krb5.keytab nfs/nfsserver.domain.com
kadmin.local: quit
```

On a FreeIPA server the principal is created through IPA instead: `ipa service-add nfs/nfsserver.domain.com`, then `ipa-getkeytab -s <ipa-server> -p nfs/nfsserver.domain.com -k /etc/krb5.keytab` on the NFS host.

Edit `/etc/idmapd.conf` and make sure the Nobody-User and Nobody-Group options are correct (i.e. on Red Hat Enterprise Linux and Fedora, use the "nfsnobody" user and group; other distributions may just use "nobody"), then restart the services:

```bash
# Unit names on current Fedora are nfs-server and nfs-idmapd
systemctl restart nfs-server nfs-idmapd
```

Open TCP port 2049 for use with NFSv4:

```bash
firewall-cmd --add-service=nfs
firewall-cmd --add-service=nfs --permanent
firewall-cmd --reload
```

## Tips

```bash
# Install gnome desktop on Fedora server
dnf group install gnome-desktop
systemctl enable gdm
reboot

# Install spice tools for clipboard sync
sudo dnf install spice-vdagent
reboot
```

## Adding a user

- `ipa user-add`
- `ipa passwd <username>`
- `kinit <username>`

### Adding a Smart Card Certificate

1. Login to the UI as admin
2. Navigate to your user
3. Actions -> New Certificate
4. Generate a self-signed CSR with your yubikey (the key pair lives in slot 9a)
5. Paste the CSR into the CSR field
6. Generate
7. Download the certificate from the user page
8. Import the certificate into slot 9a for your yubikey
9. `kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user`

## PIV

### Sources

- Self signed piv cert generation
- Explaining Yubikey key slots
- Ultimate guide to creating a CA
- CA Public directory
- Convert pem to der
- Add smart card login to extended key use

This should set up a CA and a signed cert for your yubikey.

### Set up PIV Auth on the Host where you Installed FreeIPA

#### Note for VMs

"virt-manager USB redirection error: Device is in use by another application"

You won't be able to pass through a smart card without stopping pcscd on the host.

```bash
systemctl stop pcscd.socket && systemctl stop pcscd
```

#### Set up PIV

```bash
# Become root first so the script below lands in /root and the relative path resolves.
sudo -i
kinit admin
# Run the ipa-advise script that sets up smartcard auth, passing the IPA CA certificate.
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod +x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh /etc/ipa/ca.crt
```

Allow smart card auth in the browser with these changes to `/etc/httpd/conf.d/ssl.conf`. TLS 1.3 is excluded because httpd's per-location client certificate authentication relies on renegotiation, which TLS 1.3 does not have; turning OCSP checking off means the web server will not reject a revoked card certificate, so revocation has to be handled elsewhere.

```conf
...
SSLOCSPEnable off
...
SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
...
```

And restart httpd:

```bash
systemctl restart httpd
```

Then user -> actions -> new certificate. Paste in the yubikey CSR. Download then upload cert to the yubikey.
Auth with smart card:

```bash
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
```

Or with pam:

```bash
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```

### Set up PIV on Another Host

**NOTE**: Make sure, if you're joining with a host that already has a user with a username that exists in your freeipa server, that **you set the UID in freeipa to match the UID on the system**. Otherwise joining will cause all sorts of problems.

```bash
# This package is required to join a FreeIPA realm
# I think it helps collect and save the relevant data from the FreeIPA
# server when joining (server CA, NTP sync, SSH keys, etc.)
dnf install -y freeipa-client
hostnamectl set-hostname client.reese.reeselink.com

# OPTIONAL: You need to leave any existing AD realm before joining a new one
# realm leave

# Install pcscd
dnf install pcsc-lite opensc
# Start the pcscd server
systemctl enable --now pcscd

# Update the client's dns server to use freeipa (the original edits /etc/resolv.conf by hand)
echo "nameserver 192.168.122.130" > /etc/resolv.conf

# This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
realm join -U admin freeipa.reese.reeselink.com -v

# With kinit
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user

# With sssctl
dnf install -y sssd-tools
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
# /etc/ipa/ca.crt is a public CA certificate read by other IPA tooling; leave it 0644
# and only tighten the sssd copy.
chmod 600 /etc/sssd/pki/sssd_auth_ca_db.pem
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
```

IMPORTANT: set `pam_cert_auth = True` in the `[pam]` section of `/etc/sssd/sssd.conf`.
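As an added check for that step (this script is not part of the original notes): a POSIX sh snippet that reads sssd.conf-style INI text and confirms `pam_cert_auth = True` is in the `[pam]` section specifically. SSSD only honours the key there; the same line under `[sssd]` or a `[domain/...]` section is ignored, which leaves the host at password-only logins while looking configured. The two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: confirm pam_cert_auth = True
# sits in the [pam] section of an sssd.conf before restarting SSSD.

# cfg_get SECTION KEY   (INI text on stdin)
# Prints KEY's value from [SECTION], or nothing if it is not set there.
# Accepts "key = value", skips blank lines and # / ; comments.
cfg_get() {
    want_section=$1
    want_key=$2
    in_section=0
    value=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # trim leading whitespace
        case "$line" in
            ''|'#'*|';'*) continue ;;
            '['*']')
                section=${line#'['}
                section=${section%']'}
                [ "$section" = "$want_section" ] && in_section=1 || in_section=0
                ;;
            *=*)
                [ "$in_section" -eq 1 ] || continue
                key=${line%%=*}
                key=${key%"${key##*[![:space:]]}"}   # trim trailing whitespace
                if [ "$key" = "$want_key" ]; then
                    value=${line#*=}
                    value=${value#"${value%%[![:space:]]*}"}
                    value=${value%"${value##*[![:space:]]}"}
                fi
                ;;
        esac
    done
    printf '%s\n' "$value"
}

# sssd_cert_auth_enabled CONFIG_TEXT
# Returns 0 only when [pam] contains pam_cert_auth = True (case-insensitive).
sssd_cert_auth_enabled() {
    v=$(printf '%s\n' "$1" | cfg_get pam pam_cert_auth)
    case "$v" in
        [Tt][Rr][Uu][Ee]) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: the intended configuration, and the common mistake
# of putting the key under the wrong section header.
SSSD_OK='[sssd]
services = nss, pam
domains = reese.reeselink.com

[pam]
# enable certificate (smart card) authentication
pam_cert_auth = True
'

SSSD_WRONG_SECTION='[sssd]
services = nss, pam
pam_cert_auth = True

[pam]
'

for name in SSSD_OK SSSD_WRONG_SECTION; do
    eval "cfg=\$$name"
    if sssd_cert_auth_enabled "$cfg"; then
        echo "$name: pam_cert_auth enabled in [pam], safe to restart sssd"
    else
        echo "$name: pam_cert_auth missing from [pam], fix before restarting sssd"
    fi
done
```

On a real host run `sssd_cert_auth_enabled "$(cat /etc/sssd/sssd.conf)"` as root before `systemctl restart sssd`; a non-zero exit means the sssctl check that follows will fall back to password prompts.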
```bash
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```

### PIV Smart Card (Yubikey Manual) WIP

```bash
# Create the CA key and a self-signed CA certificate valid for 10 years
# (without -keyout the key is written to privkey.pem)
openssl req -x509 -config openssl-ca.cnf -days 3650 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
# Database files that "openssl ca" expects to exist
touch index.txt
echo '01' > serial.txt

# Sign the csr generated in slot 9a on your yubikey
openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out reese-crt.pem -infiles reese-csr.pem

# Inspect
openssl x509 -in reese-crt.pem -text -noout

# Convert to DER (the format Microsoft tooling expects)
openssl x509 -outform der -in reese-crt.pem -out reese-crt-der.cer
```

OCSP Server:

```bash
openssl req -new -nodes -out ocspSigning.csr -keyout ocspSigning.key
openssl ca -keyfile rootCA.key -cert rootCA.crt -in ocspSigning.csr -out ocspSigning.crt -config validation.conf
```

### PIV Smart Card (Taglio) WIP

```bash
openssl genrsa -aes256 -out testkey.key 2048
openssl rsa -in testkey.key -pubout -out testkey-public.key
openssl req -new -key testkey.key -out testkey.csr
# Sign with CA
```

### Finding devices in sysfs WIP

```bash
# Try this
ls /dev/input/by-id
udevadm info --query=all --name='/dev/input/by-id/usb-Yubico_YubiKey_OTP+FIDO+CCID-event-kbd'
# Look for E: DEVPATH and put /sys in front of it
# For example:
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3/1-3:1.0/0003:1050:0407.0004/input/input10/event6
# Or alternatively
find /sys -name 'removable'
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3
```

### Finding p11 devices WIP

```bash
dnf install python3-pip python3-devel gcc
python3 -m venv venv
source venv/bin/activate
pip install -U pip
pip install python-pkcs11
export PKCS11_MODULE=/usr/lib64/p11-kit-proxy.so
```

## Arch Client WIP

- Install krb5: `pacman -S krb5`
- Edit `/etc/krb5.conf` to match your server:

```conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REESELINK.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 REESELINK.COM = {
  kdc = freeipa.reeselink.com:88
  master_kdc = freeipa.reeselink.com:88
  kpasswd_server = freeipa.reeselink.com:464
  admin_server = freeipa.reeselink.com:749
  default_domain = reeselink.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .reeselink.com = REESELINK.COM
 reeselink.com = REESELINK.COM
 freeipa.reeselink.com = REESELINK.COM
```

- Log in with your user: `kinit <username>`
- List your tickets: `klist`

## Troubleshooting

### Changing IP address

Changing the IP address of a freeipa server can break dnssec. You'll get "servfail" looking things up. The quick way to fix this is to edit `/etc/named/ipa-options-ext.conf` and set `dnssec-validation no;`. This turns validation off in the IPA-managed BIND altogether rather than repairing the stale data, so treat it as a workaround.
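Returning to the NFS section: an added example (not from the original notes) that audits exports(5) text and flags entries still reachable with AUTH_SYS, where the client simply asserts its uid. Both the legacy `gss/krb5` client form used above and the `sec=` option form are recognised, and a `sec=` list that still includes `sys` counts as insecure. The sample exports text is constructed here; on a server, pipe in `/etc/exports`.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an exports(5) file and
# flag entries that would still accept AUTH_SYS (uid-asserting) clients.
# Reads exports text from stdin; for real use: audit_exports < /etc/exports

# spec_is_krb5 CLIENTSPEC
# Returns 0 when "client(options)" admits only Kerberos security flavours:
# either the legacy gss/krb5* client name from the NFS section, or a
# sec= list made up solely of krb5, krb5i or krb5p.
spec_is_krb5() {
    spec=$1
    client=${spec%%"("*}             # text before "("
    opts=${spec#"$client"}            # "(rw,sync,...)" or empty
    opts=${opts#"("}
    opts=${opts%")"}
    case "$client" in
        gss/krb5|gss/krb5i|gss/krb5p) return 0 ;;
    esac
    sec=""
    saved_ifs=$IFS
    IFS=,
    for o in $opts; do
        case "$o" in sec=*) sec=${o#sec=} ;; esac
    done
    IFS=:
    for flavour in $sec; do           # sec=sys:krb5p still allows sys
        case "$flavour" in
            krb5|krb5i|krb5p) ;;
            *) IFS=$saved_ifs; return 1 ;;
        esac
    done
    IFS=$saved_ifs
    [ -n "$sec" ]                     # no sec= at all means the default, sys
}

# audit_exports   (exports(5) text on stdin)
# Reports each offending "path client" pair on stderr and prints the
# number of offending client specs on stdout.
audit_exports() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # strip comments
        set -f                        # no globbing while splitting: "*" is a client name
        set -- $line
        set +f
        [ $# -ge 1 ] || continue      # blank line
        path=$1
        shift
        [ $# -ge 1 ] || set -- '*'    # exportfs treats a client-less entry as "*"
        for spec in "$@"; do
            if ! spec_is_krb5 "$spec"; then
                echo "INSECURE: $path exported to $spec accepts AUTH_SYS" >&2
                bad=$((bad + 1))
            fi
        done
    done
    echo "$bad"
}

# Constructed sample: two Kerberos-only exports in the style of the NFS
# section, one plain AUTH_SYS export, one mixed sec= list and one entry
# with no client list at all.
SAMPLE_EXPORTS='
/exports        gss/krb5(rw,sync,fsid=0,insecure,no_subtree_check)
/exports/srv    *(rw,sec=krb5p,nohide,insecure,no_subtree_check)
/exports/pub    *(ro,sync)                        # anyone can assert any uid
/exports/mixed  10.3.128.0/24(rw,sec=sys:krb5p)   # sys still permitted
/exports/naked
'

count=$(printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports)
echo "offending client specs: $count"   # 3 for the sample above
```

The count is returned on stdout so the function can gate a deploy step (`[ "$(audit_exports < /etc/exports)" = 0 ]`), while the per-entry report goes to stderr for reading.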