Enroll exotic servers to FreeIPA

The following procedure describes how to enroll Linux servers into FreeIPA. Most popular distributions ship a freeipa-client package; this procedure is written for SLES, but the same approach should work on other distros.

Preparation:

Install SLES with the following modules (or activate them on an existing installation):

sle-module-basesystem
sle-module-containers
PackageHub
sle-module-server-applications
sle-module-python3

Choose system role: minimal.

Use XFS (or another filesystem you prefer, but do not use btrfs).

Move swap to a dedicated partition.

Install default applications:

zypper install docker docker-compose iputils vim tcpdump wget sudo yast2-auth-client sssd sssd-ipa krb5-client openldap2-client sssd-ad cyrus-sasl-gssapi

Start Docker:

systemctl start docker
systemctl enable docker

Enrollment process. IDM server side.

Log in to the IDM server:

https://linux-idm1.your-domain.ca

Enable the Admin user for the enrollment process, or use another user that has enrollment rights.

SSH to the IDM server:

ssh user@linux-idm1.your-domain.ca

Connect to the FreeIPA container:

docker exec -it freeipa-server /bin/bash

Obtain FreeIPA user credentials for the current session, add the new host to IDM, set the IDM server as its manager, and fetch the Kerberos keys for the host:

kinit admin
ipa host-add new-server.your-domain.ca --ip-address=100.100.100.100
ipa host-add-managedby --hosts=linux-idm1.your-domain.ca new-server.your-domain.ca
ipa-getkeytab -s linux-idm1.your-domain.ca -p host/new-server.your-domain.ca -k /data/new_server.krb5.keytab

Log in to the IDM server:

https://linux-idm1.your-domain.ca

Disable user “Admin”.

Enrollment Process. Client server side.

SSH to the server you want to enroll:

ssh user@new-server.your-domain.ca

Install default applications:

zypper install docker docker-compose iputils vim tcpdump wget sudo yast2-auth-client sssd sssd-ipa krb5-client openldap2-client sssd-ad cyrus-sasl-gssapi

Copy new_server.krb5.keytab from the IDM server and do:

mv ~/new_server.krb5.keytab /etc/krb5.keytab
chown root:root /etc/krb5.keytab
chmod 0600 /etc/krb5.keytab

Install the IDM CA certificate:

mkdir /etc/ipa
wget -O /etc/ipa/ca.crt https://linux-idm1.your-domain.ca/ipa/config/ca.crt --no-check-certificate
cp /etc/ipa/ca.crt /etc/pki/trust/anchors/ipa.crt
update-ca-certificates

Edit /etc/nsswitch.conf and replace the existing entries with the following:

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:          files dns
networks:       files dns
services:       files sss
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files nis sss
publickey:      files
bootparams:     files
automount:      files nis sss
aliases:        files
sudoers:        files sss

Edit /etc/sssd/sssd.conf and replace its contents with the following:

[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
domains = your-domain.ca

[nss]
homedir_substring = /home

[pam]

[domain/your-domain.ca]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = YOUR_REALM.YOUR_DOMAIN.CA
ipa_domain = your-domain.ca
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = new-server.your-domain.ca
chpass_provider = ipa
ipa_server = linux-idm1.your-domain.ca
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_ssh_public_key = ipaSshPubKey

Edit /etc/krb5.conf and replace its contents with the following:

includedir  /etc/krb5.conf.d

[libdefaults]
default_realm = YOUR_REALM.YOUR_DOMAIN.CA
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
YOUR_REALM.YOUR_DOMAIN.CA = {
  kdc = linux-idm1.your-domain.ca:88
  master_kdc = linux-idm1.your-domain.ca:88
  admin_server = linux-idm1.your-domain.ca:749
  kpasswd_server = linux-idm1.your-domain.ca:464
  default_domain = your-domain.ca
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
.your-domain.ca = YOUR_REALM.YOUR_DOMAIN.CA
your-domain.ca = YOUR_REALM.YOUR_DOMAIN.CA
.your-realm.your-domain.ca = YOUR_REALM.YOUR_DOMAIN.CA
your-realm.your-domain.ca = YOUR_REALM.YOUR_DOMAIN.CA
new-server.your-domain.ca = YOUR_REALM.YOUR_DOMAIN.CA

[logging]
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON

Execute the following to configure PAM:

pam-config -a --sss

Edit /etc/pam.d/sshd and add:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Edit /etc/ssh/sshd_config and add or update:

PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

Comment out the following lines in /etc/sudoers (shown here as they look after the change):

##Defaults targetpw   # ask for the password of the target user i.e. root
##ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

Restart services:

service sshd restart
systemctl enable sssd
systemctl start sssd
systemctl start docker
systemctl enable docker

Try to log in from a different window. It should work now. 🙂
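The steps above leave several things that are easy to get subtly wrong: keytab permissions, the realm name repeated across three sections of krb5.conf, and a CA certificate that was downloaded without TLS verification. The script below is an added example, not part of the original guide; it checks those points on the enrolled client and assumes the guide's file paths, a single Kerberos realm, and the krb5-client and openssl tools for the live checks. The hypothetical `--run` argument takes the CA's SHA-256 fingerprint as read off the IDM server.

```shell
#!/bin/sh
# Post-enrollment sanity checks for a manually enrolled FreeIPA client.
# Added example, not part of the original guide. Assumes the guide's file
# locations, a single Kerberos realm, and krb5-client/openssl for live checks.

# 0 if the keytab exists and is readable by its owner only (rw-------).
check_keytab_perms() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c2-10)" = "rw-------" ]
}

# 0 if [libdefaults] default_realm has a block in [realms] and every
# [domain_realm] mapping names that realm. A stale realm left in [realms]
# is an easy copy-and-paste slip; kinit then fails with "Cannot find KDC".
check_krb5_realms() {
    awk '
        /^\[/ { sect = $1; next }
        sect == "[libdefaults]" && $1 == "default_realm" { def = $3 }
        sect == "[realms]" && $2 == "=" && $3 == "{" { realms[$1] = 1 }
        sect == "[domain_realm]" && $2 == "=" { maps[$1] = $3 }
        END {
            if (def == "") { print "no default_realm set"; exit 1 }
            if (!(def in realms)) { print "no [realms] block for " def; exit 1 }
            for (d in maps) if (maps[d] != def) {
                print d " maps to " maps[d] ", expected " def; exit 1
            }
        }' "$1"
}

# 0 if the CA file's SHA-256 fingerprint equals the one read off the IDM
# server out of band; the wget step skipped TLS verification, so this is
# what confirms the right CA was installed.
check_ca_fingerprint() {
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)" = "$2" ]
}

# 0 if the keytab holds the host principal for this machine's FQDN.
check_keytab_principal() {
    klist -k "$1" | grep -q "host/$(hostname -f)@"
}

# Live part: get a TGT with the host key, then resolve a user through SSSD,
# which is what an interactive login relies on.
run_all() {
    check_keytab_perms /etc/krb5.keytab && echo "keytab permissions ok"
    check_krb5_realms /etc/krb5.conf && echo "krb5.conf realms consistent"
    check_ca_fingerprint /etc/ipa/ca.crt "$1" && echo "CA fingerprint matches"
    check_keytab_principal /etc/krb5.keytab && echo "host principal in keytab"
    kinit -k "host/$(hostname -f)" && id admin >/dev/null && echo "kinit + SSSD ok"
}
[ "${1:-}" = "--run" ] && run_all "$2"   # usage: sh check.sh --run <sha256-fp>
```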