Differences

This shows you the differences between two versions of the page.

--- guides:freeipa [2017/05/03 03:21]
jamesdro libsss_sudo pls
+++ guides:freeipa [2017/11/29 21:11] (current)
jamesdro NTP is important, mmkay
@@ Line 15: / Line 15: @@
 ===== Client =====
-On RHEL based ones, install `freeipa-client`.  Super easy.  However, if you're on debian-master-race, you don't need hand holding and an "automated client".  Let's dig into some config files.
+On RHEL based ones (and Ubuntu 16.04), install `freeipa-client`.  Super easy.  Then run:
+```
+ipa-client-install --mkhomedir --enable-dns-updates --ssh-trust-dns
+```
+However, if you're on debian-master-race, you don't need hand holding and an "automated client".  Let's dig into some config files.
 ===== Debian Installation =====
@@ Line 24: / Line 30: @@
   - Grab your krb5.keytab, and dump it to `/etc/krb5.keytab`
     - `ipa-getkeytab -p host/name.ubnetdef.net -k /tmp/keytab`
+  - Grab the CA cert (`/etc/ipa/ca.crt` on the FreeIPA server) and save it to `/etc/sssd/ipa.crt`
   - Append the following line to `/etc/pam.d/common-session`
     - `session required pam_mkhomedir.so skel=/etc/skel/`
+  - Append the following lines to `/etc/ssh/sshd_config` to allow public key logins
+    - `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys`
+    - `AuthorizedKeysCommandUser nobody`
+  - Append the following line to `/etc/systemd/timesyncd.conf`
+    - `Servers=tick.cse.buffalo.edu tock.cse.buffalo.edu ticktock.cse.buffalo.edu`
+  - Enable NTP: `timedatectl set-ntp yes`
   - GG, you're done.
@@ Line 44: / Line 57: @@
 # Configure sudo
 ldap_uri = ldaps://master.ubnetdef.net
+ldap_tls_cacert = /etc/sssd/ipa.crt
 ldap_sudo_search_base = ou=sudoers,dc=ubnetdef,dc=net
 ldap_sasl_mech = GSSAPI