# FreeIPA

- [FreeIPA](#freeipa)
  - [Notes](#notes)
  - [Quickstart Debugging Setup](#quickstart-debugging-setup)
  - [Quickstart Production Setup](#quickstart-production-setup)
  - [Tips](#tips)
  - [Adding a user](#adding-a-user)
  - [PIV](#piv)
    - [Sources](#sources)
    - [Set up PIV Auth on the Host where you Installed FreeIPA](#set-up-piv-auth-on-the-host-where-you-installed-freeipa)
      - [Note for VMs](#note-for-vms)
      - [Set up PIV](#set-up-piv)
    - [Set up PIV on Another Host](#set-up-piv-on-another-host)
    - [PIV Smart Card (Yubikey Manual) WIP](#piv-smart-card-yubikey-manual-wip)
    - [PIV Smart Card (Taglio) WIP](#piv-smart-card-taglio-wip)
    - [Finding devices in sysfs WIP](#finding-devices-in-sysfs-wip)
    - [Finding p11 devices WIP](#finding-p11-devices-wip)
  - [Arch Client WIP](#arch-client-wip)

An identity server in the style of Active Directory (Kerberos KDC, LDAP directory, CA and optional DNS). This guide assumes Fedora 40+.

## Notes

For the YubiKey Manager AppImage, GNOME's "application is not responding" dialog fires while the app waits on the token. The setting below disables that check entirely (the value is in milliseconds, so `60000` would instead extend it to 60 seconds):

```bash
gsettings set org.gnome.mutter check-alive-timeout 0
```

## Quickstart Debugging Setup

This sets up a FreeIPA server on RHEL 9 for debugging purposes (the package names are the same on Fedora). No DNS records required; mostly for local use.

```bash
# Don't forget to install tmux
dnf install -y tmux
```

Install FreeIPA:

```bash
# The hostname needs to be a name that isn't already managed by DNS (FreeIPA will check).
# We can get away with a subdomain like *.reese.reeselink.com because "reese.reeselink.com" doesn't resolve.
export HNAME="freeipa.reese.reeselink.com"
export IPS=$(hostname -I)

# Add "<ip> freeipa.reese.reeselink.com" to /etc/hosts for each local address.
# Example: "10.3.128.130 freeipa.reese.reeselink.com" <- note, this name *cannot* already resolve anywhere else.
# This will allow us to access our IPA server without DNS complications.
for item in $IPS; do echo "$item $HNAME" >> /etc/hosts; done

# FreeIPA checks the static hostname
hostnamectl set-hostname "$HNAME" --static
hostname "$HNAME"

# Turning off SELinux isn't required, but is nice for debugging.
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

# Install FreeIPA with the DNS packages. We *could* use this server as our DNS server if
# we wanted. That would prevent DCV from talking to our auth endpoint, however, so it
# isn't recommended.
dnf install -y ipa-server-dns bind-dyndb-ldap

# IPA server install
# Note: select the defaults for almost everything except:
# 1. We want DNS, so say yes to that
# 2. We don't need to scan for additional zones
ipa-server-install --setup-dns

# Install flatpak
dnf install -y flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak install it.mijorus.gearlever
```

1. Download the YubiKey Manager AppImage from Yubico
2. Open it in Gear Lever and add it to the app menu

```bash
# Install pcscd and the OpenSC PKCS#11 module
dnf install -y pcsc-lite opensc

# Start the pcscd server
systemctl enable --now pcscd
```

Now skip to [Get PIV Working](#piv)

## Quickstart Production Setup

- Set your hostname to your server's FQDN: `hostnamectl hostname freeipa.reeselink.com`
- Ensure you have a DNS A record pointing to your host (a matching PTR record avoids an installer warning)
- Open ports (add `--add-service=dns` as well if you answer "yes" to configuring DNS):

```bash
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
```

- Set a permanent DNS resolver: `echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf` (a plain `sudo echo ... > /etc/resolv.conf` fails because the redirect runs as the unprivileged user)
- Disable NetworkManager DNS management in `/etc/NetworkManager/NetworkManager.conf`:

```conf
[main]
dns=none
```

Note: if installing for local use only, set /etc/hosts and reply "yes" to configure DNS.
```bash
vim /etc/hosts
```

```conf
192.168.122.100 freeipa.reeselink.com
```

- Restart NetworkManager: `systemctl restart NetworkManager`
- Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
- Install FreeIPA: `dnf install -y freeipa-server freeipa-server-dns`
- Install the server (mostly choose defaults and sane options): `ipa-server-install`
- Authenticate as admin: `kinit admin`

Now skip to [Get PIV Working](#piv)

## Tips

```bash
# Install the GNOME desktop on Fedora Server
dnf group install gnome-desktop
systemctl enable gdm
reboot

# Install SPICE tools for clipboard sync in a VM
sudo dnf install spice-vdagent
reboot
```

## Adding a user

- `ipa user-add <login>`
- `ipa passwd <login>`
- `kinit <login>`

## PIV

### Sources

- Self-signed PIV cert generation
- Explaining YubiKey key slots
- Ultimate guide to creating a CA
- CA public directory
- Convert PEM to DER
- Add smart card login to extended key usage

This should set up a CA and a signed cert for your YubiKey.

### Set up PIV Auth on the Host where you Installed FreeIPA

#### Note for VMs

"virt-manager USB redirection error: Device is in use by another application"

You won't be able to pass a smart card through to the guest without stopping pcscd on the host:

```bash
systemctl stop pcscd.socket && systemctl stop pcscd
```

#### Set up PIV

```bash
# Become root first: `sudo -i` changes into root's home directory, so copy the CA
# afterwards or the script won't find ca.crt in the current directory.
sudo -i
cp /etc/ipa/ca.crt ca.crt
kinit admin
# Generate and run the ipa-advise script that sets up smart card auth
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod +x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh ca.crt
```

Allow smart card auth in the browser with these changes to `/etc/httpd/conf.d/ssl.conf`:

```conf
...
SSLOCSPEnable off
...
SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
...
```

`SSLOCSPEnable off` means httpd no longer checks client certificates for revocation, so keep this to a lab. TLS 1.3 is removed because mod_ssl asks for the client certificate per location via renegotiation, and TLS 1.3 replaced renegotiation with post-handshake authentication that browsers don't send by default.

And restart httpd:

```bash
systemctl restart httpd
```

Then, in the web UI, open the user, Actions -> New Certificate, and paste in the CSR generated on the YubiKey. Download the issued certificate and import it into the YubiKey.
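The same issuance step from the command line, added here as an example that is not part of the original notes: the key pair is generated on the token, the CSR goes to the IPA CA with `ipa cert-request`, and the issued certificate is fetched by serial and imported back into the same slot. It assumes `ykman` (yubikey-manager), the ipa client tools and OpenSC are installed, the PIV PIN and management key are at their defaults, and the caller holds a Kerberos ticket allowed to request certificates for that user; the slot, login, realm and file names are invented.

```shell
#!/bin/sh
# Added example, not from the original notes: the "New Certificate" step of the
# section above done from the command line instead of the web UI.
# Assumptions: ykman and the ipa client tools are on PATH, the PIV PIN and
# management key are at their defaults, SLOT/LOGIN/REALM/MODULE are invented,
# and you hold a ticket that may request certs for LOGIN (e.g. `kinit admin`).
set -eu

SLOT=9a
LOGIN=ducoterra
REALM=REESELINK.COM
MODULE=/usr/lib64/opensc-pkcs11.so

# Extract the decimal serial from `ipa cert-request` output read on stdin.
# Only the plain "Serial number:" line is used; the "(hex)" line is skipped.
parse_serial() {
  sed -n 's/^ *Serial number: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

issue_piv_cert() {
  # 1. Generate the key pair on the token; the private key never leaves the YubiKey.
  ykman piv keys generate --algorithm RSA2048 "$SLOT" "piv-$SLOT.pub"
  # 2. Build a CSR signed by that key (prompts for the PIV PIN).
  ykman piv certificates request --subject "CN=$LOGIN" "$SLOT" "piv-$SLOT.pub" "piv-$SLOT.csr"
  # 3. Have the IPA CA issue the certificate for the user's principal.
  serial=$(ipa cert-request "piv-$SLOT.csr" --principal "$LOGIN@$REALM" | parse_serial)
  [ -n "$serial" ] || { echo "no serial number in ipa cert-request output" >&2; return 1; }
  # 4. Fetch the issued certificate in PEM and load it into the same slot.
  ipa cert-show "$serial" --out "piv-$SLOT.crt"
  ykman piv certificates import "$SLOT" "piv-$SLOT.crt"
  # 5. Check both sides: the token presents the cert through PKCS#11, and IPA
  #    stored it on the user entry (which is what kinit/SSSD match against).
  pkcs11-tool --module "$MODULE" --list-objects --type cert
  ipa user-show "$LOGIN" --all | grep -i 'certificate'
}

# Run as `sh issue-piv.sh issue` on a host with the token plugged in.
if [ "${1:-}" = "issue" ]; then issue_piv_cert; fi
```

After this, `kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' ducoterra` should obtain a ticket with the PIV PIN instead of a password.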
Auth with smart card:

```bash
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
```

Or with PAM (note: `with-smartcard-required` removes password login for IPA users, so enable it only after the `sssctl user-checks` below succeeds):

```bash
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required:
authselect enable-feature with-smartcard-required
# lock on remove:
authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in the [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```

### Set up PIV on Another Host

**NOTE**: If you're joining with a host that already has a local user whose username exists in your FreeIPA server, **set the UID in FreeIPA to match the UID on the system**. Otherwise joining will cause all sorts of problems (the IPA user gets a different UID and loses ownership of the existing home directory).

```bash
# This package is required to join a FreeIPA realm. It collects and saves the
# relevant data from the FreeIPA server when joining (server CA, NTP sync,
# SSH keys, etc.)
dnf install -y freeipa-client
hostnamectl set-hostname client.reese.reeselink.com

# OPTIONAL: You need to leave any existing realm before joining a new one
# realm leave
```

Add the FreeIPA server to /etc/hosts so we don't need to set up DNS:

```bash
vim /etc/hosts
# 192.168.122.195 freeipa.reese.reeselink.com

# This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
realm join freeipa.reese.reeselink.com -v

# SSSD should be configured to create the user's home dir on first login
# (authselect enable-feature with-mkhomedir), but to be safe:
export freeipa_user=ducoterra
mkdir /home/$freeipa_user
chown $freeipa_user:$freeipa_user /home/$freeipa_user

# Check login
su - $freeipa_user

# With kinit
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user

# With sssctl
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required:
authselect enable-feature with-smartcard-required
# lock on remove:
authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in the [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
```

### PIV Smart Card (Yubikey Manual) WIP

```bash
# openssl-ca.cnf (not shown here) supplies the CA key file name and the
# signing_policy / signing_req sections used below.
openssl req -x509 -config openssl-ca.cnf -days 3650 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
touch index.txt
echo '01' > serial.txt

# Sign the CSR generated in slot 9a on your YubiKey
openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out reese-crt.pem -infiles reese-csr.pem

# Inspect
openssl x509 -in reese-crt.pem -text -noout

# Convert to DER (the format Windows tooling expects)
openssl x509 -outform der -in reese-crt.pem -out reese-crt-der.cer
```

OCSP server:

```bash
openssl req -new -nodes -out ocspSigning.csr -keyout ocspSigning.key
openssl ca -keyfile rootCA.key -cert rootCA.crt -in ocspSigning.csr -out ocspSigning.crt -config validation.conf
```

### PIV Smart Card (Taglio) WIP

```bash
# Software key pair and CSR (the key is passphrase-protected with AES-256)
openssl genrsa -aes256 -out testkey.key 2048
openssl rsa -in testkey.key -pubout -out testkey-public.key
openssl req -new -key testkey.key -out testkey.csr
# Sign with CA
```

### Finding devices in sysfs WIP

```bash
# Try this
ls /dev/input/by-id
udevadm info --query=all --name='/dev/input/by-id/usb-Yubico_YubiKey_OTP+FIDO+CCID-event-kbd'

# Look for E: DEVPATH and put /sys in front of it
# For example:
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3/1-3:1.0/0003:1050:0407.0004/input/input10/event6

# Or alternatively
find /sys -name 'removable'
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3
```

### Finding p11 devices WIP

```bash
dnf install python3-pip python3-devel gcc
python3 -m venv venv
source venv/bin/activate
pip install -U pip
pip install python-pkcs11
# p11-kit-proxy aggregates every PKCS#11 module registered on the system
export PKCS11_MODULE=/usr/lib64/p11-kit-proxy.so
```

## Arch Client WIP

- Install krb5: `pacman -S krb5`
- Edit `/etc/krb5.conf` to match your server:

```conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REESELINK.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 REESELINK.COM = {
  kdc = freeipa.reeselink.com:88
  master_kdc = freeipa.reeselink.com:88
  kpasswd_server = freeipa.reeselink.com:464
  admin_server = freeipa.reeselink.com:749
  default_domain = reeselink.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .reeselink.com = REESELINK.COM
 reeselink.com = REESELINK.COM
 freeipa.reeselink.com = REESELINK.COM
```

The `pkinit_anchors` and `pkinit_pool` paths are where `ipa-client-install` drops the CA bundle; on a plain krb5 client, copy the server's `/etc/ipa/ca.crt` there (or point both settings at wherever you put it) before trying smart card `kinit`.

- Log in with your user: `kinit <login>`
- List your tickets: `klist`