Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
guides:freeipa [2017/05/02 22:00] jamesdro Update LDAP stuff |
guides:freeipa [2017/11/29 21:11] (current) jamesdro NTP is important, mmkay |
||
|---|---|---|---|
| Line 4: | Line 4: | ||
| ===== Server ===== | ===== Server ===== | ||
| Basically follow [this](https://www.freeipa.org/page/Quick_Start_Guide). Also DNS is _suuuuuuupppppeeeerrrrr_ important. | Basically follow [this](https://www.freeipa.org/page/Quick_Start_Guide). Also DNS is _suuuuuuupppppeeeerrrrr_ important. | ||
| + | |||
| + | As a note, you should install `libsss_sudo`. Otherwise you might get this error: | ||
| + | |||
| + | ``` | ||
| + | sudo: unable to load /usr/lib64/libsss_sudo.so: /usr/lib64/libsss_sudo.so: cannot open shared object file: No such file or directory | ||
| + | sudo: unable to initialize SSS source. Is SSSD installed on your machine? | ||
| + | ``` | ||
| + | |||
| + | When running sudo on the server. | ||
| ===== Client ===== | ===== Client ===== | ||
| - | On RHEL based ones, install `freeipa-client`. Super easy. On debian, aka master race, it's TBD. | + | On RHEL based ones (and Ubuntu 16.04), install `freeipa-client`. Super easy. Then run: |
| + | |||
| + | ``` | ||
| + | ipa-client-install --mkhomedir --enable-dns-updates --ssh-trust-dns | ||
| + | ``` | ||
| + | |||
| + | However, if you're on debian-master-race, you don't need hand holding and an "automated client". Let's dig into some config files. | ||
| + | |||
| + | ===== Debian Installation ===== | ||
| + | - Install `sssd` | ||
| + | - Copy the configuration file to `/etc/sssd/sssd.conf` | ||
| + | - Don't forget to `s/name.ubnetdef.net/your-hostname.ubnetdef.net/g` | ||
| + | - `chown root:root /etc/sssd/sssd.conf` and `chmod 0600 /etc/sssd/sssd.conf` | ||
| + | - Grab your krb5.keytab, and dump it to `/etc/krb5.keytab` | ||
| + | - `ipa-getkeytab -p host/name.ubnetdef.net -k /tmp/keytab` | ||
| + | - Grab the CA cert (`/etc/ipa/ca.crt` on the FreeIPA server) and save it to `/etc/sssd/ipa.crt` | ||
| + | - Append the following line to `/etc/pam.d/common-session` | ||
| + | - `session required pam_mkhomedir.so skel=/etc/skel/` | ||
| + | - Append the following lines to `/etc/ssh/sshd_config` to allow public key logins | ||
| + | - `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` | ||
| + | - `AuthorizedKeysCommandUser nobody` | ||
| + | - Append the following line to `/etc/systemd/timesyncd.conf` | ||
| + | - `Servers=tick.cse.buffalo.edu tock.cse.buffalo.edu ticktock.cse.buffalo.edu` | ||
| + | - Enable NTP: `timedatectl set-ntp yes` | ||
| + | - GG, you're done. | ||
| + | |||
| + | <file conf /etc/sssd/sssd.conf> | ||
| + | [domain/ubnetdef.net] | ||
| + | cache_credentials = True | ||
| + | krb5_store_password_if_offline = True | ||
| + | id_provider = ipa | ||
| + | auth_provider = ipa | ||
| + | access_provider = ipa | ||
| + | chpass_provider = ipa | ||
| + | sudo_provider = ldap | ||
| + | |||
| + | # Configure IPA | ||
| + | ipa_domain = ubnetdef.net | ||
| + | ipa_hostname = name.ubnetdef.net | ||
| + | |||
| + | # Configure sudo | ||
| + | ldap_uri = ldaps://master.ubnetdef.net | ||
| + | ldap_tls_cacert = /etc/sssd/ipa.crt | ||
| + | ldap_sudo_search_base = ou=sudoers,dc=ubnetdef,dc=net | ||
| + | ldap_sasl_mech = GSSAPI | ||
| + | ldap_sasl_authid = host/name.ubnetdef.net | ||
| + | ldap_sasl_realm = UBNETDEF.NET | ||
| + | krb5_server = master.ubnetdef.net | ||
| + | krb5_realm = UBNETDEF.NET | ||
| + | |||
| + | [sssd] | ||
| + | services = nss, pam, ssh, sudo | ||
| + | config_file_version = 2 | ||
| + | domains = ubnetdef.net | ||
| + | |||
| + | </file> | ||
| ===== LDAP Integrations ===== | ===== LDAP Integrations ===== | ||