FreeIPA
An AD-style identity server.
This guide assumes Fedora 40+.
Notes
For the YubiKey Manager AppImage, extend GNOME's "app not responding" timeout to 60 seconds (check-alive-timeout is in milliseconds; the command below sets 0, which disables the check entirely):
gsettings set org.gnome.mutter check-alive-timeout 0
Quickstart Debugging Setup
This sets up a FreeIPA server on RHEL 9 for debugging. No DNS records are required; it is mostly for local use.
# Don't forget to install tmux
dnf install -y tmux
Install FreeIPA:
# Hostname needs to be an address that isn't managed by DNS (FreeIPA will check)
# We can get away with *.name.reeselink.com because "name.reeselink.com" doesn't resolve.
export HNAME="freeipa.reese.reeselink.com"
export IPS=$(hostname -I)
# Add "<ip address> freeipa.<unique_name>.reeselink.com" to the /etc/hosts
# Example: "10.3.128.130 freeipa.reese.reeselink.com" <- note, this address *cannot* already exist.
# This will allow us to access our AD server without DNS complication
for item in $IPS; do echo "$item $HNAME" >> /etc/hosts; done
# FreeIPA checks for this
hostnamectl set-hostname $HNAME --static
hostname $HNAME
# Turning off selinux isn't required, but is nice for debugging.
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
# Install FreeIPA with the DNS packages. We *could* use this server as our DNS server if
# we wanted. That would prevent DCV from talking to our auth endpoint, however, so it isn't
# recommended.
dnf install ipa-server-dns bind-dyndb-ldap -y
# IPA Server install
# Note - select defaults for almost everything except:
# 1. We want DNS, so say yes to that
# 2. We don't need to scan for additional zones
ipa-server-install --setup-dns
# Setup firewall
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=dns --permanent
firewall-cmd --reload
# Install flatpak
dnf install flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak install it.mijorus.gearlever
- Download the yubikey manager at https://www.yubico.com/support/download/yubikey-manager/
- Open it in Gear Lever and add to app menu
# Install pcscd
dnf install pcsc-lite opensc
# Start the pcscd server
systemctl enable --now pcscd
Now skip to Get PIV Working
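The /etc/hosts loop above appends a line on every run and does not check whether the address is already taken. Added here as an example (not part of the original notes) is a re-runnable version of that step; the file path, address and name are parameters, and the demo works on a constructed file.

```shell
# Added example (not part of the original notes): an idempotent version of the
# "for item in $IPS; do echo ... >> /etc/hosts; done" step above. It adds the
# FreeIPA name only once per address and refuses an address that is already
# mapped to another name, which the notes say must not happen.
set -eu

# add_hosts_entry HOSTS_FILE IP FQDN -> 0 if the entry is present afterwards,
# 1 if IP is already mapped to a different name (nothing is written then).
add_hosts_entry() {
  hosts="$1"; ip="$2"; fqdn="$3"
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')      # dots literal in the regex
  if grep -qE "^${ip_re}[[:space:]]+${fqdn}([[:space:]]|\$)" "$hosts"; then
    return 0                                            # already there
  fi
  if grep -qE "^${ip_re}[[:space:]]" "$hosts"; then
    echo "refusing: $ip is already mapped in $hosts" >&2
    return 1
  fi
  printf '%s %s\n' "$ip" "$fqdn" >> "$hosts"
}

# add_all_addresses HOSTS_FILE FQDN IP... -> the "hostname -I" loop, made safe
# to re-run; stops at the first refused address.
add_all_addresses() {
  hosts="$1"; fqdn="$2"; shift 2
  for ip in "$@"; do
    add_hosts_entry "$hosts" "$ip" "$fqdn" || return 1
  done
}

# Demo on a constructed hosts file (never touches /etc/hosts):
demo() {
  tmp=$(mktemp)
  printf '127.0.0.1 localhost\n10.3.128.131 other.example\n' > "$tmp"
  add_all_addresses "$tmp" freeipa.reese.reeselink.com 10.3.128.130 10.3.128.130
  cat "$tmp"; rm -f "$tmp"
}
```

For the real step, call add_all_addresses /etc/hosts "$HNAME" $IPS as root; demo shows the behaviour on a scratch file.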
Quickstart Production Setup
https://www.freeipa.org/page/Quick_Start_Guide
- Set your hostname to your server's fqdn with
  hostnamectl hostname freeipa.reeselink.com
- If you want freeipa to manage your DNS, make sure you don't have a DNS address pointing to your domain
- Open freeipa ports
  firewall-cmd --add-service=freeipa-4
  firewall-cmd --add-service=freeipa-4 --permanent
  firewall-cmd --reload
- Set a permanent DNS resolver
  rm /etc/resolv.conf
  echo "nameserver 1.1.1.1" > /etc/resolv.conf
- Disable NetworkManager DNS management
  vim /etc/NetworkManager/NetworkManager.conf
  [main]
  dns=none
- Reboot
- Ensure resolv.conf hasn't been repopulated:
  cat /etc/resolv.conf
- Install freeipa:
  dnf install -y freeipa-server freeipa-server-dns
- Install the server (mostly choose defaults and sane options):
  ipa-server-install
- Authenticate as admin:
  kinit admin
Now skip to Get PIV Working
NFS
https://www.techrepublic.com/article/kerberos-authentication-with-nfsv4/
mkdir /exports
chmod 1777 /exports
mount --bind /srv /exports/srv
This bind-mounts /srv at /exports/srv: /srv can be accessed directly or via /exports/srv, and changes in one location are reflected in the other.
To make this persistent, add the mount command above to /etc/rc.d/rc.local or a similar executed-at-boot script.
Next, edit /etc/sysconfig/nfs and enable the SECURE_NFS option:
SECURE_NFS="yes"
Then edit /etc/exports. The “/exports” entry has the “fsid=0” option, which
tells NFS that this is the “root” export.
/exports gss/krb5(rw,sync,fsid=0,insecure,no_subtree_check)
/exports/srv gss/krb5(rw,sync,nohide,insecure,no_subtree_check)
Create the server principal for the NFS server and add it to the keytab file on the server using kadmin (usually /etc/krb5.keytab):
kadmin.local
kadmin.local: addprinc -randkey nfs/nfsserver.domain.com
kadmin.local: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/nfsserver.domain.com
kadmin.local: quit
Edit /etc/idmapd.conf and make sure the Nobody-User and Nobody-Group options
are correct (i.e. on Red Hat Enterprise Linux and Fedora, use the “nfsnobody”
user and group, other distributions may just use “nobody”)
systemctl restart nfs rpcidmapd
Open TCP port 2049 for use with NFSv4:
firewall-cmd --add-service=nfs
firewall-cmd --add-service=nfs --permanent
firewall-cmd --reload
Tips
# Install gnome desktop on Fedora server
dnf group install gnome-desktop
systemctl enable gdm
reboot
# Install spice tools for clipboard sync
sudo dnf install spice-vdagent
reboot
Adding a user
ipa user-add
ipa passwd <user>
kinit <user>
Adding a Smart Card Certificate
- Login to the UI as admin
- Navigate to your user
- Actions -> New Certificate
- Generate a self-signed CSR with your yubikey
- Paste the CSR into the CSR field
- Generate
- Download the certificate from the user page
- Import the certificate into slot 9a of your yubikey, then test the login:
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
PIV
Sources
- Self-signed PIV cert generation: https://developers.yubico.com/yubico-piv-tool/Actions/key_generation.html
- Explaining Yubikey key slots: https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
- Ultimate guide to creating a CA: https://checkmk.com/linux-knowledge/creating-server-certificate
- CA public directory: https://nextcloud.reeseapps.com/s/twRAFeWJZKJ3Qw5
- Convert PEM to DER: https://knowledge.digicert.com/solution/how-to-convert-a-certificate-into-the-appropriate-format
- Add smart card login to extended key usage: https://docs.openssl.org/master/man5/x509v3_config/#key-usage
- Configuring IdM for smart card auth (this should set up a CA and a signed cert for your yubikey): https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-idm-for-smart-card-auth_managing-smart-card-authentication#conf-idm-server-for-smart-card-auth_configuring-idm-for-smart-card-auth
Set up PIV Auth on the Host where you Installed FreeIPA
Note for VMs
If virt-manager reports "USB redirection error: Device is in use by another application", you won't be able to pass the smart card through without stopping pcscd on the host:
systemctl stop pcscd.socket && systemctl stop pcscd
Set up PIV
# Become root first so the copied CA and the generated script end up in the same directory
sudo -i
cp /etc/ipa/ca.crt ca.crt
kinit admin
# Run the ipa-advise script that sets up smartcard auth
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod +x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh ca.crt
Allow smart card auth in the browser with these changes to /etc/httpd/conf.d/ssl.conf:
...
SSLOCSPEnable off
...
SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
...
And restart httpd:
systemctl restart httpd
Then go to user -> actions -> new certificate, paste in the yubikey CSR, download the issued cert and upload it to the yubikey.
Auth with smart card
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
Or with pam
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
dnf install -y sssd-tools
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
# set "pam_cert_auth = True" in [pam] section of /etc/sssd/sssd.conf
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
Set up PIV on Another Host
NOTE: If the host you are joining already has a local user whose username also exists in your FreeIPA server, set that user's UID in FreeIPA to match the UID on the system before joining. Otherwise joining will cause all sorts of problems.
# This package is required to join a FreeIPA realm
# I think it helps collect and save the relevant data from the FreeIPA
# server when joining (server CA, NTP sync, SSH keys, etc.)
dnf install -y freeipa-client
hostnamectl set-hostname client.reese.reeselink.com
# OPTIONAL: You need to leave any existing AD realm before joining a new one
# realm leave <some-realm>
# Install pcscd
dnf install pcsc-lite opensc
# Start the pcscd server
systemctl enable --now pcscd
# Update client's dns server to use freeipa
vim /etc/resolv.conf
nameserver 192.168.122.130
# This should populate /etc/krb5.conf and /etc/sssd/sssd.conf
realm join -U admin freeipa.reese.reeselink.com -v
# With kinit
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
# With sssctl
dnf install -y sssd-tools
cp /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
chmod 600 /etc/ipa/ca.crt /etc/sssd/pki/sssd_auth_ca_db.pem
authselect enable-feature with-smartcard
# required: authselect enable-feature with-smartcard-required
# lock on remove: authselect enable-feature with-smartcard-lock-on-removal
IMPORTANT: set pam_cert_auth = True in [pam] section of /etc/sssd/sssd.conf.
systemctl restart sssd
sssctl user-checks -s gdm-smartcard "ducoterra" -a auth
PIV Smart Card (Yubikey Manual) WIP
openssl req -x509 -config openssl-ca.cnf -days 3650 -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
touch index.txt
echo '01' > serial.txt
# Sign the csr generated in slot 9a on your yubikey
openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out reese-crt.pem -infiles reese-csr.pem
# Inspect
openssl x509 -in reese-crt.pem -text -noout
# Convert to microsoft format
openssl x509 -outform der -in reese-crt.pem -out reese-crt-der.cer
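The commands above reference an openssl-ca.cnf with a signing_policy and a signing_req section but do not show it. Added here as an example (not from the original notes or any of the linked guides) is a script that writes such a config, giving leaf certificates the clientAuth and Microsoft smart-card-logon extended key usages; the CA subject name is a placeholder, and the directory layout follows the commands above (index.txt and serial.txt in the working directory, the CA key in privkey.pem, which is where openssl req -newkey writes it when no -keyout is given).

```shell
# Added example (not from the original notes): writes the openssl-ca.cnf that the
# openssl req/ca commands above expect but do not show. Leaf certs get the
# clientAuth and Microsoft smart-card-logon EKUs. CA subject is a placeholder.
set -eu
# Print the config; $1 is the CA directory (default ".", where the commands
# above create index.txt and serial.txt).
gen_ca_cnf() {
  dir="${1:-.}"
  cat <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = ${dir}
database       = \$dir/index.txt
serial         = \$dir/serial.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
private_key    = \$dir/privkey.pem
default_md     = sha256
default_days   = 365
policy         = signing_policy
unique_subject = no
[ req ]
default_keyfile    = ${dir}/privkey.pem
distinguished_name = ca_dn
x509_extensions    = ca_ext
prompt             = no
[ ca_dn ]
CN = Example PIV CA (placeholder)
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ signing_policy ]
commonName       = supplied
organizationName = optional
[ signing_req ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth, msSmartcardLogin
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}
# openssl ca also needs newcerts/; create it and the files without clobbering.
init_ca_dir() {
  d="${1:-.}"; mkdir -p "$d/newcerts"; touch "$d/index.txt"
  [ -f "$d/serial.txt" ] || echo 01 > "$d/serial.txt"
}
```

Run init_ca_dir and gen_ca_cnf > openssl-ca.cnf in the CA directory, then the openssl req -x509 and openssl ca commands above as written.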
OCSP Server
https://bhashineen.medium.com/create-your-own-ocsp-server-ffb212df8e63
openssl req -new -nodes -out ocspSigning.csr -keyout ocspSigning.key
openssl ca -keyfile rootCA.key -cert rootCA.crt -in ocspSigning.csr -out ocspSigning.crt -config validation.conf
PIV Smart Card (Taglio) WIP
https://github.com/OpenSC/OpenSC/wiki/Using-pkcs11-tool-and-OpenSSL
openssl genrsa -aes256 -out testkey.key 2048
openssl rsa -in testkey.key -pubout -out testkey-public.key
openssl req -new -key testkey.key -out testkey.csr
# Sign with CA
Finding devices in sysfs WIP
# Try this
ls /dev/input/by-id
udevadm info --query=all --name='/dev/input/by-id/usb-Yubico_YubiKey_OTP+FIDO+CCID-event-kbd'
# Look for E: DEVPATH and put /sys in front of it
# For example:
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3/1-3:1.0/0003:1050:0407.0004/input/input10/event6
# Or alternatively
find /sys -name 'removable'
cd /sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-3
Finding p11 devices WIP
dnf install python3-pip python3-devel gcc
python3 -m venv venv
source venv/bin/activate
pip install -U pip
pip install python-pkcs11
export PKCS11_MODULE=/usr/lib64/p11-kit-proxy.so
Arch Client WIP
- Install krb5:
  pacman -S krb5
- Edit /etc/krb5.conf to match your server:
  vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REESELINK.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REESELINK.COM = {
kdc = freeipa.reeselink.com:88
master_kdc = freeipa.reeselink.com:88
kpasswd_server = freeipa.reeselink.com:464
admin_server = freeipa.reeselink.com:749
default_domain = reeselink.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.reeselink.com = REESELINK.COM
reeselink.com = REESELINK.COM
freeipa.reeselink.com = REESELINK.COM
- Log in with your user:
  kinit <user>
- List your tickets:
  klist
Troubleshooting
Changing IP address
Changing the IP address of a FreeIPA server can break DNSSEC: lookups start returning SERVFAIL. The quick fix is to edit /etc/named/ipa-options-ext.conf and set dnssec-validation no; (this turns validation off rather than repairing it, so treat it as a workaround).