homelab/retired/systemd_freeipa/freeipa.md
Last commit: 5184c84d50 by ducoterra, "overhauls of most service docs", 2025-07-22 18:29:07 -04:00

FreeIPA

An identity server (LDAP + Kerberos), the open-source counterpart to an AD domain controller.

This guide assumes Fedora 40+.

Notes

For the YubiKey Manager AppImage, extend GNOME's "application is not responding" timeout to 60 seconds. The setting below is check-alive-timeout, given in milliseconds; a value of 0 disables the check entirely.

gsettings set org.gnome.mutter check-alive-timeout 0

Quickstart Debugging Setup

This sets up a FreeIPA server on RHEL 9 for debugging purposes. No DNS records are required; it is mostly for local use.

# Don't forget to install tmux
dnf install -y tmux

Install FreeIPA:

# The hostname must be a name that isn't managed by DNS (FreeIPA will check).
# We can get away with *.name.reeselink.com because "name.reeselink.com" doesn't resolve.
export HNAME="freeipa.reese.reeselink.com"
export IPS=$(hostname -I)
# Add "<ip address> freeipa.<unique_name>.reeselink.com" to /etc/hosts
# Example: "10.3.128.130 freeipa.reese.reeselink.com" <- note, this address *cannot* already exist.
# This lets us reach our AD server without any DNS complication.
# Note: hostname -I lists every address on the box (including bridge and link-local ones), one entry per address.
for item in $IPS; do echo "$item $HNAME" >> /etc/hosts; done

# FreeIPA checks for this
hostnamectl set-hostname $HNAME --static
hostname $HNAME

# Turning off selinux isn't required, but is nice for debugging.
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

# Install FreeIPA with the DNS packages. We *could* use this server as our DNS server
# if we wanted. That would prevent DCV from talking to our auth endpoint, however, so
# it isn't recommended.
dnf install ipa-server-dns bind-dyndb-ldap -y

# IPA Server install
# Note - select defaults for almost everything except:
# 1. We want DNS, so say yes to that
# 2. We don't need to scan for additional zones
ipa-server-install --setup-dns

# Install flatpak and Gear Lever (used to run the YubiKey Manager AppImage)
dnf install flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak install it.mijorus.gearlever

  1. Download the YubiKey Manager at https://www.yubico.com/support/download/yubikey-manager/
  2. Open it in Gear Lever and add it to the app menu

# Install pcscd and OpenSC
dnf install pcsc-lite opensc
# Start the pcscd server
systemctl enable --now pcscd

Now skip to Get PIV Working
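The /etc/hosts step in the debugging setup above appends one line per address that hostname -I returns, without checking what is already in the file. The following is an added example, not part of the original doc, that makes that step idempotent and fails early when the name already maps to a different address. The hosts-file path and the address list are parameters so the helpers can be exercised on a scratch file; HNAME and the "apply" argument are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example (not from the original doc): safe /etc/hosts preparation for
# the FreeIPA hostname. All file paths are parameters; nothing here touches
# /etc/hosts unless the script is run as "sh hosts-prep.sh apply".
set -eu

# dns_resolves NAME : exit 0 if NAME resolves through nsswitch (files, then DNS).
# The doc notes FreeIPA refuses a hostname DNS already manages, so run this
# BEFORE adding the /etc/hosts entry, otherwise the entry itself answers.
dns_resolves() {
  getent hosts "$1" >/dev/null 2>&1
}

# hosts_lookup FILE NAME : print the address FILE currently maps NAME to, if any
# (comment lines are skipped; first match wins, as the resolver does)
hosts_lookup() {
  awk -v name="$2" '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

# hosts_add_entry FILE IP NAME : append "IP NAME" unless it is already there;
# refuse (exit 2) if NAME already maps to a different address, since the doc
# says the address for the FreeIPA name "cannot already exist"
hosts_add_entry() {
  file="$1"; ip="$2"; name="$3"
  existing=$(hosts_lookup "$file" "$name")
  if [ -z "$existing" ]; then
    printf '%s %s\n' "$ip" "$name" >> "$file"
  elif [ "$existing" != "$ip" ]; then
    echo "refusing: $name already maps to $existing in $file" >&2
    return 2
  fi
  return 0
}

# usable_addresses "LIST" : drop loopback and IPv6 link-local entries from the
# output of "hostname -I" so the FQDN is never mapped to 127.x or fe80::
usable_addresses() {
  for a in $1; do
    case "$a" in
      127.*|::1|fe80:*) ;;
      *) echo "$a" ;;
    esac
  done
}

# The doc's loop, rebuilt on the helpers. Guarded so that sourcing or testing
# this file never writes to /etc/hosts.
if [ "${1:-}" = "apply" ]; then
  : "${HNAME:?set HNAME to the FreeIPA FQDN first}"
  if dns_resolves "$HNAME"; then
    echo "$HNAME already resolves; pick a name DNS does not manage" >&2
    exit 1
  fi
  for a in $(usable_addresses "$(hostname -I)"); do
    hosts_add_entry /etc/hosts "$a" "$HNAME"
  done
fi
```

Running it twice is safe: the second run finds the existing mapping and does nothing, while a conflicting mapping for the same name makes it stop instead of leaving two answers in /etc/hosts.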

Quickstart Production Setup

https://www.freeipa.org/page/Quick_Start_Guide

  • Set your hostname to your server's FQDN: hostnamectl hostname freeipa.reeselink.com
  • Ensure you have a DNS entry pointing to your host
  • Open ports:
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
  • Set a permanent DNS resolver (sudo must apply to the write, not just to echo, so go through tee): echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
  • Disable NetworkManager DNS management:
vim /etc/NetworkManager/NetworkManager.conf

[main]
dns=none

Note: if installing for local use only, set /etc/hosts and reply "yes" when asked to configure DNS.

vim /etc/hosts

192.168.122.100 freeipa.reeselink.com

  • Restart NetworkManager: systemctl restart NetworkManager
  • Ensure resolv.conf hasn't been repopulated: cat /etc/resolv.conf
  • Install FreeIPA: dnf install -y freeipa-server freeipa-server-dns
  • Install the server (mostly choose defaults and sane options): ipa-server-install
  • Authenticate as admin: kinit admin

Now skip to Get PIV Working

Tips

# Install gnome desktop on Fedora server
dnf group install gnome-desktop
systemctl enable gdm
reboot

# Install spice tools for clipboard sync
sudo dnf install spice-vdagent
reboot

Adding a user

  • ipa user-add
  • ipa passwd <user>
  • kinit <user>

PIV

Sources

Self signed piv cert generation https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html

Explaing Yubikey key slots https://developers.yubico.com/PIV/Introduction/Certificate_slots.html

Ultimate guide to creating a CA https://checkmk.com/linux-knowledge/creating-server-certificate

CA Public directory https://nextcloud.reeseapps.com/s/twRAFeWJZKJ3Qw5

Convert pem to der https://knowledge.digicert.com/solution/how-to-convert-a-certificate-into-the-appropriate-format

Add smart card login to extended key use https://docs.openssl.org/master/man5/x509v3_config/#key-usage

This should set up a CA and a signed cert for your yubikey. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-idm-for-smart-card-auth_managing-smart-card-authentication#conf-idm-server-for-smart-card-auth_configuring-idm-for-smart-card-auth

Set up PIV Auth on the Host where you Installed FreeIPA

Note for VMs

"virt-manager USB redirection error: Device is in use by another application"

You won't be able to pass through a smart card without stopping pcscd on the host.

systemctl stop pcscd.socket && systemctl stop pcscd

Set up PIV

# copy the CA and run the ipa-advise script that sets up smartcard auth
cp /etc/ipa/ca.crt ca.crt
sudo -i
kinit admin
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod +x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh ca.crt

Allow smart card auth in the browser with these changes to /etc/httpd/conf.d/ssl.conf. Two caveats: SSLOCSPEnable off turns off httpd's OCSP check of the presented client certificate, so a revoked smart card certificate is still accepted at the web UI; and TLS 1.3 is excluded because the per-location client certificate request mod_ssl makes relies on renegotiation, which TLS 1.3 removed, and browsers generally do not enable its post-handshake replacement.

...
SSLOCSPEnable off
...
SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
...

And restart httpd:

systemctl restart httpd

Then, in the web UI, go to the user -> Actions -> New Certificate. Paste in the CSR generated on the YubiKey, download the issued certificate, and upload it to the YubiKey.

Auth with smart card

kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user

Or with PAM (through SSSD):

cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth

Set up PIV on Another Host

NOTE: If the host you are joining already has a local user whose username also exists in your FreeIPA server, set that user's UID in FreeIPA to match the UID on the system before joining. Otherwise joining will cause all sorts of problems.

# This package is required to join a FreeIPA realm
# I think it helps collect and save the relevant data from the FreeIPA
# server when joining (server CA, NTP sync, SSH keys, etc.)
dnf install -y freeipa-client

hostnamectl set-hostname client.reese.reeselink.com

# OPTIONAL: You need to leave any existing AD realm before joining a new one
# realm leave <some-realm>

Add the freeipa server to our /etc/hosts so we don't need to set up DNS

vim /etc/hosts

192.168.122.195 freeipa.reese.reeselink.com

# This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
realm join -U someuser freeipa.reese.reeselink.com -v

# AD should be configured to create the user's home dir, but to be safe
export freeipa_user=ducoterra
mkdir /home/$freeipa_user
chown $freeipa_user:$freeipa_user /home/$freeipa_user

# Check login
su - $freeipa_user

# With kinit
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user

# With sssctl
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
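The comments above say to set pam_cert_auth = True in the [pam] section of /etc/sssd/sssd.conf by hand. As an added example, not part of the original doc, the helpers below make that edit idempotently on whatever path is passed in, re-assert the 0600 mode SSSD requires on its config file, and sanity-check the CA bundle copied to /etc/sssd/pki/sssd_auth_ca_db.pem before sssd is restarted. The sssd.conf fragments in the comments are constructed samples.

```shell
#!/usr/bin/env bash
# Added example (not from the original doc): idempotent sssd.conf edit for
# smart card auth. Pass the config path explicitly, e.g.
#   sssd_set_pam_cert_auth /etc/sssd/sssd.conf
set -eu

# sssd_set_pam_cert_auth FILE : ensure the [pam] section of FILE contains
# "pam_cert_auth = True" exactly once, creating the section if needed.
# Example before:           Example after:
#   [pam]                     [pam]
#   pam_cert_auth = False     pam_cert_auth = True
sssd_set_pam_cert_auth() {
  file="$1"
  tmp="$file.tmp"
  if ! grep -q '^\[pam\]' "$file"; then
    # no [pam] section yet: append one
    cp "$file" "$tmp"
    printf '\n[pam]\npam_cert_auth = True\n' >> "$tmp"
  elif awk '/^\[pam\]/{s=1;next} /^\[/{s=0} s && /^[[:space:]]*pam_cert_auth[[:space:]]*=/{f=1} END{exit !f}' "$file"; then
    # key already present inside [pam]: rewrite its value, touch nothing else
    awk '/^\[pam\]/{s=1;print;next} /^\[/{s=0} s && /^[[:space:]]*pam_cert_auth[[:space:]]*=/{print "pam_cert_auth = True";next} {print}' "$file" > "$tmp"
  else
    # [pam] exists without the key: insert it directly under the header
    awk '/^\[pam\]/{print;print "pam_cert_auth = True";next} {print}' "$file" > "$tmp"
  fi
  mv "$tmp" "$file"
  # sssd refuses to start if its config is readable by anyone but root
  chmod 600 "$file"
}

# sssd_pam_cert_auth_enabled FILE : exit 0 only if [pam] sets pam_cert_auth to True
sssd_pam_cert_auth_enabled() {
  awk '/^\[pam\]/{s=1;next} /^\[/{s=0} s && /^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*[Tt]rue[[:space:]]*$/{ok=1} END{exit !ok}' "$1"
}

# sssd_ca_db_ok FILE : the bundle copied from /etc/ipa/ca.crt must be non-empty
# and contain at least one PEM certificate, or every card login will fail
# with an unverifiable chain after "systemctl restart sssd"
sssd_ca_db_ok() {
  [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}
```

Run the edit, then the two checks, before restarting sssd; the sssctl user-checks call from the doc remains the end-to-end test of the PAM stack itself.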

PIV Smart Card (Yubikey Manual) WIP

# Create the CA. Note: without -keyout, the CA private key goes to default_keyfile from
# openssl-ca.cnf, or to stdout if that is unset, so add -keyout cakey.pem to be explicit.
openssl req -x509 -config openssl-ca.cnf -days 3650 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
touch index.txt
echo '01' > serial.txt

# Sign the csr generated in slot 9a on your yubikey
openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out reese-crt.pem -infiles reese-csr.pem

# Inspect
openssl x509 -in reese-crt.pem -text -noout

# Convert to microsoft format
openssl x509 -outform der -in reese-crt.pem -out reese-crt-der.cer

OCSP Server

https://bhashineen.medium.com/create-your-own-ocsp-server-ffb212df8e63

openssl req -new -nodes -out ocspSigning.csr -keyout ocspSigning.key
openssl ca -keyfile rootCA.key -cert rootCA.crt -in ocspSigning.csr -out ocspSigning.crt -config validation.conf

PIV Smart Card (Taglio) WIP

https://github.com/OpenSC/OpenSC/wiki/Using-pkcs11-tool-and-OpenSSL

openssl genrsa -aes256 -out testkey.key 2048
openssl rsa -in testkey.key -pubout -out testkey-public.key
openssl req -new -key testkey.key -out testkey.csr

# Sign with CA

Finding devices in sysfs WIP

# Try this
ls /dev/input/by-id
udevadm info --query=all --name='/dev/input/by-id/usb-Yubico_YubiKey_OTP+FIDO+CCID-event-kbd'
# Look for E: DEVPATH and put /sys in front of it
# For example:
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3/1-3:1.0/0003:1050:0407.0004/input/input10/event6

# Or alternatively
find /sys -name 'removable'
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3

Finding p11 devices WIP

dnf install python3-pip python3-devel gcc
python3 -m venv venv
source venv/bin/activate
pip install -U pip
pip install python-pkcs11
export PKCS11_MODULE=/usr/lib64/p11-kit-proxy.so

Arch Client WIP

  • Install krb5: pacman -S krb5
  • Edit /etc/krb5.conf to match your server
vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REESELINK.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 REESELINK.COM = {
  kdc = freeipa.reeselink.com:88
  master_kdc = freeipa.reeselink.com:88
  kpasswd_server = freeipa.reeselink.com:464
  admin_server = freeipa.reeselink.com:749
  default_domain = reeselink.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .reeselink.com = REESELINK.COM
 reeselink.com = REESELINK.COM
 freeipa.reeselink.com = REESELINK.COM

  • Log in with your user: kinit <user>
  • List your tickets: klist