@Aethylred
Last active February 26, 2022 23:54
Setting up FreeIPA authentication on SUSE/SLE 12 SP2

This is the manual process for enrolling a host running SUSE/SLE 12 SP2 with FreeIPA.

The following reference documentation was used to create this process:

I do not recommend using yast to set this up, but it is useful for checking that the resulting configuration is valid. SUSE/SLE ships all the packages required to use FreeIPA but does not have the convenient ipa-client tools, such as ipa-client-install.

Pre-Requisites

  • The host must have a fully qualified domain name
  • The host must be able to resolve the FreeIPA server hostname
  • The FreeIPA server must be listed in the host's /etc/resolv.conf as a nameserver, and it should be the first nameserver
  • The host must have a route to the FreeIPA server
  • The FreeIPA server is assumed to be managing:
    • The Kerberos Realm
    • The DNS domain
  • The host must be able to connect to the following services (port and protocol) on the FreeIPA server:
    • ntp (123 TCP)
    • http (80 TCP)
    • https (443 TCP)
    • ldap (389 TCP)
    • ldaps (636 TCP)
    • Kerberos (88 TCP/UDP)
    • kpasswd (464 TCP/UDP)
    • dns (53 TCP/UDP)
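A script that checks the prerequisites above before anything is created on the server, added here as an example and not part of the gist. It uses the gist's placeholder server name, a constructed IPA_SERVER_IP that must be replaced with the real address, assumes nc from netcat-openbsd is installed on the host, and only tests the TCP side of each port in the list. Run it on the host to be enrolled as `sh preflight.sh run`; without the argument it only defines the functions.

```shell
#!/bin/sh
# Pre-enrollment checks for the prerequisites above. Added example, not part
# of the gist. IPA_SERVER is the gist's placeholder name; IPA_SERVER_IP is a
# constructed placeholder. Replace both with the real values.
IPA_SERVER="ipa-server.your.domain.org"
IPA_SERVER_IP="192.168.0.10"
# TCP ports from the prerequisite list: ntp, http, https, ldap, ldaps,
# kerberos, kpasswd, dns
IPA_TCP_PORTS="123 80 443 389 636 88 464 53"

# Print the address on the first "nameserver" line of a resolv.conf-style
# file ($1); prints nothing if the file has none.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed (0) only when $1 is a plausible fully qualified name: it contains a
# dot, has no empty label, and no leading or trailing dot.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}

# Succeed when a TCP connection to host $1 port $2 opens within 3 seconds
# (assumes the OpenBSD nc from the netcat-openbsd package).
tcp_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Run every check, print one line per result, return the number of failures.
preflight() {
    fails=0
    fqdn=$(hostname -f 2>/dev/null || true)
    if is_fqdn "$fqdn"; then
        echo "ok   hostname is fully qualified: $fqdn"
    else
        echo "FAIL hostname is not fully qualified: '$fqdn'"
        fails=$((fails + 1))
    fi
    if getent hosts "$IPA_SERVER" >/dev/null 2>&1; then
        echo "ok   $IPA_SERVER resolves"
    else
        echo "FAIL cannot resolve $IPA_SERVER"
        fails=$((fails + 1))
    fi
    ns=$(first_nameserver /etc/resolv.conf)
    if [ "$ns" = "$IPA_SERVER_IP" ]; then
        echo "ok   first nameserver is the IPA server ($ns)"
    else
        echo "FAIL first nameserver is '$ns', expected $IPA_SERVER_IP"
        fails=$((fails + 1))
    fi
    for port in $IPA_TCP_PORTS; do
        if tcp_open "$IPA_SERVER" "$port"; then
            echo "ok   $IPA_SERVER tcp/$port reachable"
        else
            echo "FAIL $IPA_SERVER tcp/$port unreachable"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

The exit status is the number of failed checks, so the script can gate an automated enrollment; the UDP ports (Kerberos, kpasswd, DNS) are not probed because a UDP "connect" says nothing about reachability.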

Step-by-step guide

On the FreeIPA server

  1. Create the host entry and its DNS record for the host to be enrolled

    kinit admin
    ipa host-add hostname.your.domain.org --ip-address=192.168.XXX.XXX
    
  2. Set the FreeIPA server to manage the host

    ipa host-add-managedby --hosts=ipa-server.your.domain.org hostname.your.domain.org
    
  3. Retrieve the host's keytab, copy it to the host, and delete the local copy

    ipa-getkeytab -s ipa-server.your.domain.org -p host/hostname.your.domain.org -k hostname.krb5.keytab
    scp hostname.krb5.keytab root@hostname.your.domain.org:.
    rm hostname.krb5.keytab
    

On the host to be enrolled

  1. Log into the host to be enrolled as root

  2. Install the required packages for FreeIPA and the sssd ipa module (the yast2-auth-client package can be omitted)

    zypper install yast2-auth-client sssd sssd-ipa krb5-client openldap2-client sssd-ad cyrus-sasl-gssapi
    
  3. Deploy the host's keytab

    mv ~/hostname.krb5.keytab /etc/krb5.keytab
    chown root:root /etc/krb5.keytab
    chmod 0600 /etc/krb5.keytab
    
  4. Retrieve the FreeIPA server's certificate

    mkdir /etc/ipa
    wget -O /etc/ipa/ca.crt http://ipa-server.your.domain.org/ipa/config/ca.crt
    cp /etc/ipa/ca.crt /etc/pki/trust/anchors/ipa.crt
    update-ca-certificates
    
  5. Edit /etc/nsswitch.conf

    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Legal entries are:
    #
    #       compat                  Use compatibility setup
    #       nisplus                 Use NIS+ (NIS version 3)
    #       nis                     Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       [NOTFOUND=return]       Stop searching if not found so far
    #
    # For more information, please read the nsswitch.conf.5 manual page.
    #
    
    # passwd: files nis
    # shadow: files nis
    # group:  files nis
    
    passwd:     files sss
    shadow:     files sss
    group:      files sss
    
    hosts:          files dns
    networks:       files dns
    
    services:       files sss
    protocols:      files
    rpc:            files
    ethers:         files
    netmasks:       files
    netgroup:       files nis sss
    publickey:      files
    
    bootparams:     files
    automount:      files nis sss
    aliases:        files
    
    sudoers:        files sss
    
  6. Edit /etc/sssd/sssd.conf (on an XC50 this step would be handled by Cray CME, with the hostname substituted for {{ipa_hostname}})

    [sssd]
    config_file_version = 2
    services = nss, pam, ssh, sudo
    # SSSD will not start if you do not configure any domains.
    # Add new domain configurations as [domain/<NAME>] sections, and
    # then add the list of domains (in the order you want them to be
    # queried) to the "domains" attribute below and uncomment it.
    domains = your.domain.org
    
    [nss]
    homedir_substring = /home
    
    [pam]
    
    [domain/your.domain.org]
    
    cache_credentials = True
    krb5_store_password_if_offline = True
    krb5_realm = YOUR.DOMAIN.ORG
    ipa_domain = your.domain.org
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = hostname.your.domain.org
    chpass_provider = ipa
    ipa_server = _srv_, ipa-server.your.domain.org
    ldap_tls_cacert = /etc/ipa/ca.crt
    
  7. Edit /etc/krb5.conf

    [libdefaults]
    default_realm = YOUR.DOMAIN.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    dns_canonicalize_hostname = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 0
    default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
    YOUR.DOMAIN.ORG = {
      kdc = ipa-server.your.domain.org:88
      master_kdc = ipa-server.your.domain.org:88
      admin_server = ipa-server.your.domain.org:749
      kpasswd_server = ipa-server.your.domain.org:464
      default_domain = your.domain.org
      pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
      pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    }
    
    [domain_realm]
    .your.domain.org = YOUR.DOMAIN.ORG
    your.domain.org = YOUR.DOMAIN.ORG
    hostname.your.domain.org = YOUR.DOMAIN.ORG
    
    [logging]
      kdc = FILE:/var/log/krb5/krb5kdc.log
      admin_server = FILE:/var/log/krb5/kadmind.log
      default = SYSLOG:NOTICE:DAEMON
    
  8. Configure /etc/pam.d to use sssd

    1. Use the pam-config helper command
      pam-config -a --sss
      
    2. Edit the following files in /etc/pam.d (quick and dirty git diff of what pam-config did)
      diff --git a/common-account-pc b/common-account-pc
      index 1f24753..00cad08 100644
      --- a/common-account-pc
      +++ b/common-account-pc
      @@ -10,4 +10,6 @@
       # the central access policy for use on the system.  The default is to
       # only deny service to users whose accounts are expired.
       #
      -account        required        pam_unix.so     try_first_pass
      +account        requisite       pam_unix.so     try_first_pass
      +account        sufficient      pam_localuser.so
      +account        required        pam_sss.so      use_first_pass
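Review bot: `account sufficient pam_localuser.so` sitting above `pam_sss.so` means any account present in /etc/passwd passes account management without SSSD being consulted, so FreeIPA HBAC rules only govern IPA users; that is the intended split between local and IPA accounts, but the ordering is load-bearing and step 8 should say not to move pam_localuser.so below pam_sss.so. The change of `pam_unix.so` to `requisite` also deserves a sentence: a local user whose shadow entry is expired is now refused before pam_sss runs, which is the desired behaviour for local accounts.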
      diff --git a/common-auth-pc b/common-auth-pc
      index c8b5b81..7514a77 100644
      --- a/common-auth-pc
      +++ b/common-auth-pc
      @@ -12,4 +12,5 @@
       # traditional Unix authentication mechanisms.
       #
       auth   required        pam_env.so
      -auth   required        pam_unix.so     try_first_pass
      +auth   sufficient      pam_unix.so     try_first_pass
      +auth   required        pam_sss.so      use_first_pass
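Review bot: `auth sufficient pam_unix.so try_first_pass` is what keeps local accounts, root included, able to log in when the IPA server is unreachable, because a local password match ends the stack before `pam_sss.so` is consulted; say so in step 8 so nobody later changes it to `required`, which would make every login depend on SSSD succeeding. Also, pam-config regenerates these common-*-pc files, so steps 8.1 and 8.2 are alternatives rather than a sequence and the step text should present them that way.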
      diff --git a/common-password-pc b/common-password-pc
      index 8540257..22dc764 100644
      --- a/common-password-pc
      +++ b/common-password-pc
      @@ -10,4 +10,5 @@
       # used to change user passwords.
       #
       password       requisite       pam_cracklib.so
      -password       required        pam_unix.so     use_authtok nullok shadow try_first_pass
      +password       sufficient      pam_unix.so     use_authtok nullok shadow try_first_pass
      +password       required        pam_sss.so      use_authtok
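Review bot: `nullok` on the `pam_unix.so` password line is carried over from the original and now sits on a `sufficient` module, so a local account with an empty password can still change it through pam_unix alone; drop `nullok` here unless empty local passwords are deliberately allowed. For IPA users the new password is handed to `pam_sss.so use_authtok` and checked against the FreeIPA password policy on the server, so `pam_cracklib.so` above is only the first of two quality checks they pass.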
      diff --git a/common-session-pc b/common-session-pc
      index 317cd2e..e303b8e 100644
      --- a/common-session-pc
      +++ b/common-session-pc
      @@ -12,6 +12,7 @@
       #
       session        required        pam_limits.so
       session        required        pam_unix.so     try_first_pass
      +session        optional        pam_sss.so
       session        optional        pam_umask.so
       session        optional        pam_systemd.so
       session        optional        pam_env.so
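Review bot: the session stack now calls `pam_sss.so` but nothing creates a home directory for a FreeIPA user on first login, so a user who has never logged in before lands in / with a "No directory" message even though sssd.conf sets `homedir_substring = /home`; add `session optional pam_mkhomedir.so skel=/etc/skel umask=0077` after the pam_sss.so line (on SUSE, `pam-config -a --mkhomedir` does this) and mention it in the closing note after step 9.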
      
  9. Enable and start sssd

    systemctl enable sssd
    systemctl start sssd
    

  A restart may be required, however you should now be able to log in with credentials for user accounts hosted on FreeIPA.
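A verification script for the finished enrollment, added as an example and not part of the gist. It checks the keytab permissions set in step 3, that the keytab holds this host's principal, that the KDC accepts the host key, and that NSS now resolves an IPA-only account through sssd. It assumes the gist's placeholder realm, the MIT Kerberos tools from krb5-client (klist, kinit, kdestroy), FreeIPA's default admin account, and that it is run as root with `sh verify.sh run`.

```shell
#!/bin/sh
# Post-enrollment verification. Added example, not part of the gist.
# Assumes MIT Kerberos tools (krb5-client), the gist's placeholder realm,
# FreeIPA's default "admin" account, and that it runs as root.
REALM="YOUR.DOMAIN.ORG"
KEYTAB="/etc/krb5.keytab"

# Succeed when the keytab mode ($1, e.g. "600") and owner ($2) match what
# step 3 deploys: readable by root only.
keytab_perms_ok() {
    [ "$1" = "600" ] && [ "$2" = "root" ]
}

# Succeed when a "klist -k" listing saved in file $1 contains principal $2.
# MIT klist prints a "Keytab name:" line, a "KVNO Principal" line and a
# dashed rule before the entries, so entries start at line 4.
keytab_has_principal() {
    awk -v want="$2" 'NR > 3 && $2 == want { found = 1 } END { exit !found }' "$1"
}

# Run all checks as root, one line per result; returns the number of failures.
verify() {
    fails=0
    host_princ="host/$(hostname -f 2>/dev/null || true)@$REALM"

    mode=$(stat -c '%a' "$KEYTAB" 2>/dev/null || echo none)
    owner=$(stat -c '%U' "$KEYTAB" 2>/dev/null || echo none)
    if keytab_perms_ok "$mode" "$owner"; then
        echo "ok   $KEYTAB is mode $mode owned by $owner"
    else
        echo "FAIL $KEYTAB is mode $mode owned by $owner, expected 600 root"
        fails=$((fails + 1))
    fi

    listing=$(mktemp)
    klist -k "$KEYTAB" > "$listing" 2>/dev/null || true
    if keytab_has_principal "$listing" "$host_princ"; then
        echo "ok   $KEYTAB contains $host_princ"
    else
        echo "FAIL $KEYTAB does not contain $host_princ"
        fails=$((fails + 1))
    fi
    rm -f "$listing"

    # Use the host key against the KDC in a throwaway credential cache so
    # root's own tickets are left untouched.
    cc=$(mktemp)
    if KRB5CCNAME="FILE:$cc" kinit -k -t "$KEYTAB" "$host_princ" 2>/dev/null; then
        echo "ok   KDC accepted the host key"
    else
        echo "FAIL kinit with the host key was rejected (clock skew, wrong realm or stale keytab?)"
        fails=$((fails + 1))
    fi
    kdestroy -c "FILE:$cc" 2>/dev/null || true
    rm -f "$cc"

    # An answer for an IPA-only account proves nsswitch.conf and sssd are wired up.
    if getent passwd admin >/dev/null 2>&1; then
        echo "ok   getent resolves the IPA admin user through sss"
    else
        echo "FAIL getent cannot resolve 'admin'; check nsswitch.conf and sssd status"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh verify.sh run
if [ "${1:-}" = "run" ]; then verify; fi
```

A failed kinit with a correct principal usually means the host clock is outside the KDC's allowed skew (hence the ntp prerequisite) or the keytab on disk is older than the key on the server; re-running step 3 on the server issues a fresh key.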
