On Sat, Dec 3, 2011 at 10:56 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 11/30/2011 03:59 PM, Rob Crittenden wrote:
>> Stephen Ingram wrote:
>>> Rob-
>>> On Wed, Nov 30, 2011 at 12:04 PM, Rob
>>> Crittenden<rcrit...@redhat.com>  wrote:
>>>> Retrieve the CA certificate for the FreeIPA CA.
>>>> # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
>>>> Create a separate Kerberos configuration to test the provided
>>>> credentials.
>>>> This enables a Kerberos connection to the FreeIPA XML-RPC server,
>>>> necessary
>>>> to join the FreeIPA client to the FreeIPA domain. This Kerberos
>>>> configuration is ultimately discarded.
>>>> - Basically just copy a working krb5.conf to /etc/krb5.conf and set
>>>> up sssd
>>>> or nss_ldap as documented.
>>>> # kinit admin
>>>> # ipa-join -s ipa.example.com -b dc=example,dc=com
>>>> Or if using a one-time password you can skip the kinit and do
>>>> # ipa-join -s ipa.example.com -b dc=example,dc=com -w Secret123
>>>> ipa-join lets IPA know a host is enrolled and retrieves a host
>>>> principal and
>>>> stores it into /etc/krb5.keytab.
>>>> Enable certmonger, retrieve an SSL server certificate, and install the
>>>> certificate in /etc/pki/nssdb.
>>>> # service messagebus start
>>>> # service certmonger start
>>>> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i
>>>> /etc/ipa/ca.crt
>>>> # ipa-getcert request -d /etc/pki/nssdb -n 'IPA Machine Certificate -
>>>> client.example.com' -N 'cn=client.example.com,O=EXAMPLE.COM' -K
>>>> host/client.example....@example.com
>>>> Disable the nscd daemon.
>>>> # service nscd stop
>>>> # chkconfig nscd off
>>> Thanks, but aren't some of these steps assuming that ipa-client has
>>> been installed on the system? For instance, instead of "# ipa-join -s
>>> ipa.example.com -b dc=example,dc=com -w Secret123", can't I instead
>>> use kadmin to retrieve the keytab and then securely copy it over to
>>> the client system? And, in the case of the ca.crt, if IPA
>>> itself is not installed, the ca would not go to /etc/ipa/ca.crt, no? I
>>> realize that I will lose functionality by not having ipa-client, but
>>> just trying to build a case for supporting legacy systems that I would
>>> never want to take the time to adapt ipa-client for.
>>> Steve
>> The only part assuming that is ipa-join itself. IPA does not support
>> the direct use of kadmin or kadmin.local. On a supported platform
>> you'd run:
>> # ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p
>> host/remote.example.com
>> Then ship /tmp/remote.keytab to the machine and either use ktutil to
>> combine it with /etc/krb5.keytab or replace krb5.keytab with it (and
>> fix owner and permissions, and potentially SELinux context).
>> certmonger gets its IPA configuration from /etc/ipa/default.conf. If
>> you don't want or have certmonger then you can skip the CA bit
>> altogether. Otherwise you'll need to copy in a working config.
> Should any part of this be documented?

This might be beyond what you are thinking, however, to me, one of the
best things about FreeIPA is that because of how flexible you've made
it, I can use as much or as little as I want. These sorts of "small
steps" might also make it easier to integrate into non-Redhat/Fedora
or non-Linux systems. I have compiled and tested the suggestions
offered to me by Rob and put them into an attached text document that
roughly corresponds to the current section 3.4 of the FreeIPA
documentation. It's probably a little rough, but should make a nice
template to help supplement the existing documentation.

3.4 Manually Configuring a Linux Client

The ipa-client-install command automatically configures services like Kerberos, 
SSSD, PAM and NSS. However, there are some situations where the 
ipa-client-install command cannot be used on a system, or, its full 
capabilities are simply not required. In those instances, the FreeIPA client 
entries and services can be configured manually.

The entire set of capabilities of FreeIPA can be obtained by installing and 
configuring SSSD and either using authconfig or editing the PAM configuration 
files by hand. In instances where only a subset of FreeIPA capabilities are 
desired, for example a Web service on a system using FreeIPA as an 
authentication source, only the necessary configuration changes need be 

3.4.1 Retrieve CA Certificate from FreeIPA server

1. Retrieve CA certificate

    # mkdir /etc/ipa

    # wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt

2. Import CA certificate

a. Using certutil (NSS):
    # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt

b. Using openssl:
   #  openssl x509 -in /etc/ipa/ca.crt -text >> /etc/pki/tls/certs/ca-bundle.crt

3.4.2 Obtain and Import Host Certificate

1. Generate CSR for client machine

a. Using certutil (NSS):
    # certutil -R -s "CN=client.example.com,O=EXAMPLE.COM" -d /etc/pki/nssdb -a \
        > client.example.com.csr

b. Using openssl:
    # openssl req -nodes -new -newkey rsa:2048 \
        -keyout /etc/pki/tls/private/client.example.com.key \
        -out /etc/pki/tls/certs/client.example.com.csr

2. Submit CSR to IPA to obtain certificate

   on IPA server:
   # ipa cert-request --principal host/client.example.com client.example.com.csr

3. Obtain certificate in PEM format

   on IPA server:
   # ipa host-show --out=/tmp/client.example.com.crt client.example.com

4. Import host certificate

a. Using certutil (NSS):
   # certutil -A -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com' \
       -t P,, -a -i client.example.com.crt

b. Using openssl:
   copy client.example.com.crt to /etc/pki/tls/certs directory

3.4.3 Configure /etc/krb5.conf on client machine

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  forwardable = yes
  ticket_lifetime = 24h

[realms]
  EXAMPLE.COM = {
      kdc = ipaserver.example.com:88
      admin_server = ipaserver.example.com:749
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

3.4.4 Obtain and Import Host Principal

1. Generate host principal in FreeIPA

    on IPA server:
   # ipa-join -h client.example.com -s ipa.example.com -b dc=example,dc=com

2. Output host principal

    on IPA server:
   # ipa-getkeytab -s ipa.example.com -k /tmp/client.example.com.keytab -p host/client.example.com

3. Securely transport keytab to client machine and then replace 
/etc/krb5.keytab or merge with existing keytab using ktutil.

a. If replacing or creating new /etc/krb5.keytab, then:

   # chown root:root /etc/krb5.keytab
   # chmod 600 /etc/krb5.keytab

b. If using SELinux, then:

   # chcon -u unconfined_u -r object_r -t krb5_keytab_t -l s0 /etc/krb5.keytab

3.4.5 Disable nscd daemon

   # service nscd stop
   # chkconfig nscd off

3.4.6 Configure system to authenticate and authorize from IPA

1. If setting up legacy LDAP/KRB5 authentication

a. Install nslcd daemon

  # yum install nss-pam-ldapd

b. Configure /etc/nsswitch.conf, PAM files and nslcd daemon

  # authconfig --enableldap --ldapserver=ldaps://ipa.example.com \
      --ldaploadcacert=http://ipa.example.com/ipa/config/ca.crt --disableldapstarttls \
      --enablekrb5 --krb5kdc=ipa.example.com --krb5adminserver=ipa.example.com \
      --krb5realm=EXAMPLE.COM --updateall

   If authconfig is not available, edit /etc/nsswitch.conf, the PAM system 
authentication files and either the older PADL (/etc/ldap.conf) files or the 
newer LDAP nameservice daemon (/etc/nslcd.conf) by hand. (This will vary 
depending on operating system.)

2. If using SSSD

a. Install sssd daemon

   # yum install sssd

b. Configure /etc/nsswitch.conf, PAM files and SSSD daemon

  # authconfig --enableldap --ldapserver=ldaps://ipa.example.com \
      --ldaploadcacert=http://ipa.example.com/ipa/config/ca.crt --disableldapstarttls \
      --enablekrb5 --krb5kdc=ipa.example.com --krb5adminserver=ipa.example.com \
      --krb5realm=EXAMPLE.COM --enablesssd --enablesssdauth --updateall

    If authconfig is not available, edit /etc/nsswitch.conf, the PAM system 
authentication files and the SSSD configuration file (/etc/sssd/sssd.conf) by 
hand. (Examples are in the current documentation; this will vary on other operating systems.)
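The following shell script is an added example and is not part of the mailing-list post or of FreeIPA's own tooling. It covers two of the manual steps above: rendering the /etc/krb5.conf fragment from section 3.4.3 for an arbitrary realm and server (the post shows one instance for EXAMPLE.COM), and verifying that a keytab shipped to the client under section 3.4.4 ends up with the ownership and mode the guide sets (root, 0600) before the host trusts it. It assumes GNU `stat` (with a BSD fallback), and the function names `render_krb5_conf` and `check_keytab` are this example's own; the expected owner is a parameter so the check can also be exercised as a non-root user.

```shell
#!/bin/sh
# Added example (not from the post): render the krb5.conf fragment of 3.4.3
# for a given realm/server, and check a keytab's ownership and mode (3.4.4).

# render_krb5_conf REALM SERVER
# Prints the [libdefaults], [realms] and [domain_realm] sections on stdout.
# The DNS domain is derived by lower-casing the realm (EXAMPLE.COM -> example.com),
# which matches the convention used in the guide.
render_krb5_conf() {
  realm="$1"
  server="$2"
  domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  forwardable = yes
  ticket_lifetime = 24h

[realms]
  $realm = {
      kdc = $server:88
      admin_server = $server:749
  }

[domain_realm]
  .$domain = $realm
  $domain = $realm
EOF
}

# check_keytab PATH [OWNER]
# Returns 0 when PATH is a regular file owned by OWNER (default root) with
# mode 0600, i.e. what the guide sets after copying the keytab in; returns 1
# and prints the reason on stderr otherwise. A keytab readable by other users
# leaks the host's long-term Kerberos key, so this is worth checking before
# the file is put in place as /etc/krb5.keytab.
check_keytab() {
  kt="$1"
  want_owner="${2:-root}"
  if [ ! -f "$kt" ]; then
    echo "keytab $kt: not a regular file" >&2
    return 1
  fi
  # GNU stat first, BSD stat as a fallback
  owner=$(stat -c '%U' "$kt" 2>/dev/null || stat -f '%Su' "$kt")
  mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
  if [ "$owner" != "$want_owner" ]; then
    echo "keytab $kt: owned by $owner, expected $want_owner" >&2
    return 1
  fi
  case "$mode" in
    600|0600) ;;
    *) echo "keytab $kt: mode $mode, expected 0600" >&2; return 1 ;;
  esac
  return 0
}

# Stand-alone usage: write a krb5.conf for the guide's example values and
# check whatever keytab path is given as the first argument (default
# /etc/krb5.keytab).
if [ "${KRB5_EXAMPLE_LIB:-0}" = "0" ] && [ -n "$1" ]; then
  render_krb5_conf EXAMPLE.COM ipaserver.example.com
  check_keytab "$1" && echo "keytab $1: ownership and mode OK"
fi
```

Run it as `sh script.sh /etc/krb5.keytab` to print the rendered configuration and check the installed keytab; `ktutil` or `klist -kt` can then confirm the host principal inside the file, which this script deliberately does not parse.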