Edition 2.1.4
Brackets ([]) are used to indicate an alternative element in a name. For example, if a tool is available in /usr/lib on 32-bit systems and in /usr/lib64 on 64-bit systems, then the tool location may be represented as /usr/lib[64].
/usr/bin and the /usr/sbin directories.
ldapmodify and ldapsearch, are from OpenLDAP. OpenLDAP tools use SASL connections by default. To perform a simple bind using a username and password, use the -x argument to disable SASL.
| Formatting Style | Purpose |
|---|---|
| Monospace with a background | This type of formatting is used for anything entered or returned in a command prompt. |
| Italicized text | Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase. |
| Bolded text | Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or button. This can also indicate a file, package, or directory name, such as /usr/sbin. |
doc-Enterprise_Identity_Management_Guide.
"Incorrect command example for setup script options" is better than "Bad example".
Revision History

| Revision | Date |
|---|---|
| Revision 6.2-8 | December 16, 2011 |
| Revision 6.2-7 | December 6, 2011 |
uidNumber or gidNumber of a user when using SSSD. SSSD caches the authentication information; when the user is deleted and re-added with a new uidNumber, SSSD attempts to reuse the cached object for the new user, which fails with this error:
Cache file [/tmp/krb5cc_1866400007_wPJrHJ] exists, but is owned by [1866400007] instead of [1866400008].
hash_create() with an initial table size of 65536 will corrupt memory. With the default parameters, the corruption can occur if the initial table size is larger than 1024.
sssd.conf:
ldap_referrals = False
ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, IPA server installation fails because integrated services that are being configured expect the IPA server hostname to be resolvable.
ipa-server-install without the --ip-address option and pass the IP address interactively.
/etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
ipa-csreplica-manage utility.
ipa-replica-manage connect command. However, once a connection between a replica and server is deleted using ipa-replica-manage del, a new connection cannot be created. It fails with this error:
unexpected error: list index out of range
ipa-replica-manage list command still lists the replica as being in the server topology.
ipa-replica-manage script manages both replication agreements between IPA servers and synchronization agreements between an IPA server and an Active Directory server.
force-sync, del, and re-initialize subcommands with ipa-replica-manage do not work when managing sync agreements, so these operations fail when run against an Active Directory server.
uidNumber and gidNumber attributes on Active Directory user entries are not synced over to IPA.
Server host name [server1.example.com]:
Warning: skipping DNS resolution of host server1.example.com
The domain name has been calculated based on the host name.
Please confirm the domain name [example]:
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name:
| Feature | 389 Directory Server | Identity Management |
|---|---|---|
| Use | General purpose | Single domain, focused on identity management |
| Flexibility | Highly-customizable | Limitations to focus on identity and authentication |
| Schema | Default LDAP schema | Optimized, special schema for identity management |
| Directory Tree | Standard and flexible hierarchy | Flat tree with a fixed hierarchy |
| Authentication | LDAP | Kerberos or Kerberos and LDAP |
| Active Directory Synchronization | Bi-directional | Unidirectional, Active Directory to Identity Management |
| Password Policies | LDAP-based | Kerberos-based |
| User Tools | Java Console and standard LDAP utilities | Web-based UI and special Python command-line tools |




certmonger monitors and renews the certificates on the client. It can request new certificates for the services on the system, including virtual machines.
certmonger are configured to connect to the IPA server and the required Kerberos keytab and host certificates are created. (The host certificate is not used directly by IPA; it may be used by other services, such as a web server.)
| Minimum Hardware Requirements | 10,000 - 250,000 Entries | 250,000 - 1,000,000 Entries | Over 1,000,000 Entries |
|---|---|---|---|
| CPU | P3; 500MHz | P3; 500MHz | P3; 500MHz |
| RAM | 1 GB | 1 GB | 1 GB |
| Disk Space | 2 GB | 4 GB | 8 GB |
ipaserver.example.com.
127.0.0.1. The output of the hostname command cannot be localhost or localhost6.
--setup-dns option when you install IPA to configure a suitable DNS automatically.
--setup-dns option because the script assumes that the IPA server will use itself as a DNS.
iptables to list the available ports or nc, telnet, or nmap to connect to a port or run a port scan.
# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables man page has more information on opening and closing ports on a system.
| Service | Ports |
|---|---|
| HTTP/HTTPS | 80, 443 |
| LDAP/LDAPS | 389, 636 |
| Kerberos[a] | 88, 464 |
| DNS[a] | 53 |
| NTP[b] | 123 |
| OCSP responder[c] | 9180 |
| Dogtag Certificate System | 9443, 9444, 9445 |

[a] This service uses both TCP and UDP ports.
[b] This service uses UDP ports only.
[c] This is part of the Dogtag Certificate System server.
--no-ntp option.
Sample zone file for bind has been created in /tmp/sample.zone.F_uMf4.db
; ldap servers
_ldap._tcp IN SRV 0 100 389 ipaserver.example.com
;kerberos realm
_kerberos IN TXT EXAMPLE.COM
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 ipaserver.example.com
_kerberos._udp IN SRV 0 100 88 ipaserver.example.com
_kerberos-master._tcp IN SRV 0 100 88 ipaserver.example.com
_kerberos-master._udp IN SRV 0 100 88 ipaserver.example.com
_kpasswd._tcp IN SRV 0 100 464 ipaserver.example.com
_kpasswd._udp IN SRV 0 100 464 ipaserver.example.com
nscd (Name Service Caching Daemon) in an IPA deployment. The nscd service is extremely useful for reducing the load on the server, and for making clients more responsive, but there can be problems when a system is also using SSSD, which performs its own caching.
nscd caches authentication and identity information for all services that perform queries through nsswitch, including getent. Because nscd performs both positive and negative caching, if a request determines that a specific IPA user does not exist, it marks this as a negative cache. Values stored in the cache remain until the cache expires, regardless of any changes that may occur on the server. The result of such caching is that new users and memberships may not be visible, and users and memberships that have been removed may still be visible.
nscd altogether. Alternatively, use a shorter cache time by resetting the time-to-live caching values in the /etc/nscd.conf file:
positive-time-to-live group 3600
negative-time-to-live group 60
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
/etc/hosts file, as long as the fully qualified hostname is listed first. For example:
192.168.1.1 ipaserver.example.com ipaserver
The realm name does not have to match any or all of the domain name. For example, the domain name can be
example.com and the realm name can be TESTIPA. It is only a convention that they match. IPA adds the appropriate domain to realm mapping in the /etc/krb5.conf file.
/etc/hosts file first and DNS second. If nscd is running this may also cause issues because it caches lookups. The IPA installer does not kill nscd until after the installation process has started, so there can be cached entries that interfere with any changes to the /etc/hosts. If you need to edit the /etc/hosts file, kill the nscd daemon first.
/etc/named.conf file to allow these recursive queries.
forward first;
forwarders { 10.16.36.29; };
allow-recursion { any; };
allow-recursion statement. The name server documentation has more details on editing configuration statements.
network service to manage the networking requirements in an IPA environment and disable the NetworkManager service.
# chkconfig NetworkManager off; service NetworkManager stop
If NetworkManagerDispatcher is installed, ensure that it is stopped and disabled:
# chkconfig NetworkManagerDispatcher off; service NetworkManagerDispatcher stop
Ensure that the network service is properly started.
# chkconfig network on; service network start
/etc/hosts file is configured correctly. A misconfigured file can prevent the IPA command-line tools from functioning correctly and can prevent the IPA web interface from connecting to the IPA server.
/etc/hosts file to list the FQDN for the IPA server before any aliases. Also ensure that the hostname is not part of the localhost entry. The following is an example of a valid hosts file:
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver
IPv4 entry in the /etc/hosts file. This entry is required by the IPA web service.
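As an added pre-flight check (not from the guide), the following Python script applies the /etc/hosts rules above before an installation: the server's FQDN must be a valid DNS name (letters, digits and hyphens only, as the ipa-server-install --hostname option requires), must not be localhost or localhost6, must not sit in a loopback entry, must be listed before its aliases, and must have an IPv4 entry. The two sample hosts files are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample, modelled on the valid hosts file shown in the guide.
GOOD_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver.example.com ipaserver
"""

# Constructed sample with two faults: the FQDN appended to the loopback entry,
# and the FQDN listed after its short alias on the real address.
BAD_HOSTS = """\
127.0.0.1 localhost.localdomain localhost ipaserver.example.com
::1 localhost6.localdomain6 localhost6
192.168.1.1 ipaserver ipaserver.example.com
"""

# One DNS label: letters, digits and hyphens only, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_dns_name(fqdn):
    """True if every label of fqdn uses only characters DNS accepts."""
    labels = fqdn.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def parse_hosts(text):
    """Return [(ip_address, [names...])] for each address line in a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address line; ignore it
        entries.append((addr, fields[1:]))
    return entries


def check_hosts(text, fqdn):
    """Return a list of problems; an empty list means the file passes the guide's rules."""
    problems = []
    if not valid_dns_name(fqdn):
        problems.append(f"{fqdn} is not a valid DNS name (only letters, digits and hyphens)")
    if fqdn.split(".")[0] in ("localhost", "localhost6"):
        problems.append(f"hostname {fqdn} must not be localhost or localhost6")
    has_ipv4 = False
    for addr, names in parse_hosts(text):
        if fqdn not in names:
            continue
        if addr.is_loopback:
            problems.append(f"{fqdn} must not be part of the loopback entry for {addr}")
            continue
        if names[0] != fqdn:
            problems.append(f"{fqdn} must be listed before its aliases in the entry for {addr}")
        if addr.version == 4:
            has_ipv4 = True
    if not has_ipv4:
        problems.append(f"no IPv4 entry for {fqdn} (required by the IPA web service)")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        print(label, check_hosts(text, "ipaserver.example.com") or "OK")
```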
ipa-server. If the IPA server will also manage a DNS server, then it requires two additional packages to set up the DNS.
yum command:
# yum install ipa-server bind bind-dyndb-ldap
Installing ipa-server also installs a large number of dependencies, such as 389-ds-base for the LDAP service and krb5-server for the Kerberos service, along with IPA tools.
ipa-server-install command. The options for configuring the new server instance are described in Section 2.4, “Creating an IPA Server Instance”.
ipa-install-server script.
ipa-server-install script. This script can accept user-defined settings for services, like DNS and Kerberos, that are used by the IPA instance, or it can supply predefined values for minimal input from the administrator.
While ipa-server-install can be run without any options, so that it prompts for the required information, it has numerous arguments which allow the configuration process to be easily scripted or to supply additional information which is not requested during an interactive installation.
ipa-server-install, while Section 2.4.3, “Examples of Creating the IPA Server” has examples of some common installation scenarios. The full list of options is in Section B.5.3, “ipa-server-install”. In real life, the ipa-server-install options are versatile enough to be customized to the specific deployment environment.
| Argument | Description |
|---|---|
| -a ipa_admin_password | The password for the IPA administrator. This is used for the admin user to authenticate to the Kerberos realm. |
| --hostname=hostname | The fully-qualified domain name of the IPA server machine. IMPORTANT: This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures. |
| -n domain_name | The name of the LDAP server domain to use for the IPA domain. This is usually based on the IPA server's hostname. |
| -p directory_manager_password | The password for the superuser, cn=Directory Manager, for the LDAP service. |
| -r realm_name | The name of the Kerberos realm to create for the IPA domain. |
| --subject=subject_DN | Sets the base element for the subject DN of the issued certificates. This defaults to O=realm. |
| --forwarder=forwarder | Gives a DNS forwarder to use with the DNS service. To specify more than one forwarder, use this option multiple times. |
| --no-forwarders | Uses root servers with the DNS service instead of forwarders. |
| --no-reverse | Does not create a reverse DNS zone when the DNS domain is set up. |
| --setup-dns | Tells the installation script to set up a DNS service within the IPA domain. Using an integrated DNS service is optional, so if this option is not passed with the installation script, then no DNS is configured. |
| --idmax=number | Sets the upper bound for IDs which can be assigned by the IPA server. The default value is the ID start value plus 199999. |
| --idstart=number | Sets the lower bound (starting value) for IDs which can be assigned by the IPA server. The default value is randomly selected. |
ipa-server-install script. This launches the script interactively, which prompts for the required information to set up a server, but without more advanced configuration like DNS and CA options.
ipa-server-install script.
# ipa-server-install
Server host name [ipaserver.example.com]:
Please confirm the domain name [example.com]:
The IPA Master Server will be configured with
Hostname: ipaserver.example.com
IP address: 192.168.1.1
Domain name: example.com
Please provide a realm name [EXAMPLE.COM]:
cn=Directory Manager. There are password strength requirements for this password, including a minimum password length.
Directory Manager password:
Password (confirm):
admin. This user is created on the machine.
IPA admin password:
Password (confirm):
Configuring ntpd
[1/4]: stopping ntpd
...
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
[1/3]: creating directory server user
...
done configuring pkids.
Configuring certificate server: Estimated time 6 minutes
[1/17]: creating certificate server user
....
done configuring pki-cad.
Configuring directory server: Estimated time 1 minute
[1/32]: creating directory server user
...
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
[1/14]: setting KDC account password
...
done configuring krb5kdc.
Configuring ipa_kpasswd
[1/2]: starting ipa_kpasswd
[2/2]: configuring ipa_kpasswd to start on boot
done configuring ipa_kpasswd.
Configuring the web interface: Estimated time 1 minute
[1/12]: disabling mod_ssl in httpd
...
done configuring httpd.
Setting the certificate subject base
restarting certificate server
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.ygzij5.db
==============================================================================
Setup complete
SSH service to retrieve the Kerberos principal and to refresh the name server switch (NSS) configuration file:
# service sshd restart
# kinit admin
Password for admin@EXAMPLE.COM:
ipa user-find. For example:
# ipa user-find admin
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Account disabled: False
Member of groups: admins
----------------------------
Number of entries returned 1
----------------------------
ipa-server-install, along with the -U option to force it to run without requiring user interaction.
# ipa-server-install -a secret12 --hostname=ipaserver.example.com -r EXAMPLE.COM -p secret12 -n example.com -U
To accept the default shown in brackets, press the Enter key.
The IPA Master Server will be configured with
Hostname: ipaserver.example.com
IP address: 192.168.1.1
Domain name: example.com
--selfsign option. When the IPA server uses a self-signed certificate, the setup process is exactly the same as a normal installation, except that no Dogtag Certificate System instance is created. There is still a cacert.p12 file created that can be used by replicas, but the certificate services that the IPA server can perform are much more limited.
# ipa-server-install -a secret12 --hostname=ipaserver.example.com -r EXAMPLE.COM -p secret12 -n example.com -U --selfsign
ipa-server-install script, using the --external-ca option.
# ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n example.com --external-ca
/root/ipa.csr. This request must be submitted to the external CA.
Configuring certificate server: Estimated time 6 minutes
[1/4]: creating certificate server user
[2/4]: creating pki-ca instance
[3/4]: restarting certificate server
[4/4]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install.
ipa-server-install, specifying the locations and names of the certificate and CA chain files. For example:
# ipa-server-install --external_cert_file=/tmp/servercert20110601.p12 --external_ca_file=/tmp/cacert.p12
--setup-dns option.
ipa-server-install script, using the --setup-dns option.
# ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n example.com --setup-dns
Do you want to configure DNS forwarders? [yes]: no
No DNS forwarders configured
named service.
Do you want to configure the reverse zone? [yes]: yes
Configuring named:
[1/9]: adding DNS container
[2/9]: setting up our zone
[3/9]: setting up reverse zone
[4/9]: setting up our own record
[5/9]: setting up kerberos principal
[6/9]: setting up named.conf
[7/9]: restarting named
[8/9]: configuring named to start on boot
[9/9]: changing resolv.conf to point to ourselves
done configuring named.
==============================================================================
Setup complete
--forwarder or --no-forwarders option and --no-reverse option.
--setup-dns. To use forwarders, pass the --forwarder option once for each forwarder.
# ipa-server-install ... --setup-dns --forwarder=1.2.3.0 --forwarder=1.2.255.0
Use the --no-forwarders option to indicate that only root servers will be used.
--no-reverse option.
# ipa-server-install ... --setup-dns --no-reverse
/var/log/ipaserver-install.log. The IPA logs, both for the server and for IPA-associated services, are covered in Section 16.1.3, “Checking IPA Server Logs”.
ipa-* command. For example:
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Decrypt integrity check failed', -1765328353)
If the named service fails to start, this can indicate that there is a package conflict. Check the /var/log/messages file for error messages related to the named service and the ldap.so library:
ipaserver named[6886]: failed to dynamically load driver 'ldap.so': libldap-2.4.so.2: cannot open shared object file: No such file or directory
named service from starting. To resolve this issue, remove the bind-chroot package and then restart the IPA server.
# yum remove bind-chroot
# ipactl restart
--selfsign option for the original IPA server.
# yum install ipa-server bind bind-dyndb-ldap
ipa-server-install script.
7389 is free. This port is used by the master IPA server to communicate with the replica.
ipa-replica-prepare command on the master IPA server. The command requires the fully-qualified domain name of the replica machine. Using the --ip-address option automatically creates DNS entries for the replica, including the A and PTR records for the replica to the DNS.
# ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
Determining current realm name
Getting domain name from LDAP
Preparing replica for ipareplica.example.com from ipaserver.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the Web Server
Copying additional files
Finalizing configuration
Packaging the replica into replica-info-ipareplica.example.com
ipa-replica-prepare, see Section B.5.2, “ipa-replica-prepare”.
/var/lib/ipa/ directory as a GPG-encrypted file. Each file is named specifically for the replica server for which it is intended, such as replica-info-ipareplica.example.com.gpg.
# scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
# ipa-replica-install --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
ipareplica.example.com:
_ldap._tcp IN SRV 0 100 389 ipareplica.example.com
_kerberos._tcp IN SRV 0 100 88 ipareplica.example.com
_kerberos._udp IN SRV 0 100 88 ipareplica.example.com
_kerberos-master._tcp IN SRV 0 100 88 ipareplica.example.com
_kerberos-master._udp IN SRV 0 100 88 ipareplica.example.com
_kpasswd._tcp IN SRV 0 100 464 ipareplica.example.com
_kpasswd._udp IN SRV 0 100 464 ipareplica.example.com
_ntp._udp IN SRV 0 100 123 ipareplica.example.com
ipa-dns-install command to install the DNS manually, then use the ipa dnsrecord-add command to add the required DNS records. For example:
# ipa-dns-install
# ipa dnsrecord-add example.com @ --ns-rec ipareplica.example.com.
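Both the sample zone file for the server and the replica records above publish the same set of SRV records. As an added check (not from the guide), the following Python script parses zone-file lines in that format and reports every required SRV record that is missing, or published on the wrong port, for a given server, plus the _kerberos TXT realm record. The sample zone is constructed with two deliberate faults so the output shows what a broken DNS setup looks like.

```python
import re
from collections import defaultdict

# SRV records the guide's sample zone file publishes for an IPA server
# (record name -> expected port). The replica output adds _ntp._udp on 123.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}

# "name [ttl] IN SRV priority weight port target"
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
# "name [ttl] IN TXT value" (the _kerberos realm record)
TXT_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+TXT\s+"?([^"]+)"?$')

# Constructed sample zone, modelled on the guide's replica records, with two
# deliberate faults: _ldap._tcp points at 636 and _kpasswd._udp is missing.
SAMPLE_ZONE = """\
; constructed sample
_kerberos IN TXT EXAMPLE.COM
_ldap._tcp IN SRV 0 100 636 ipareplica.example.com
_kerberos._tcp IN SRV 0 100 88 ipareplica.example.com
_kerberos._udp IN SRV 0 100 88 ipareplica.example.com
_kerberos-master._tcp IN SRV 0 100 88 ipareplica.example.com
_kerberos-master._udp IN SRV 0 100 88 ipareplica.example.com
_kpasswd._tcp IN SRV 0 100 464 ipareplica.example.com
_ntp._udp IN SRV 0 100 123 ipareplica.example.com
"""


def parse_zone(text):
    """Return (srv, txt): srv maps name -> [(priority, weight, port, target)], txt maps name -> value."""
    srv = defaultdict(list)
    txt = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip zone-file comments
        if not line:
            continue
        m = SRV_RE.match(line)
        if m:
            name, prio, weight, port, target = m.groups()
            srv[name].append((int(prio), int(weight), int(port), target.rstrip(".").lower()))
            continue
        m = TXT_RE.match(line)
        if m:
            txt[m.group(1)] = m.group(2)
    return srv, txt


def audit_server_records(text, target, realm=None):
    """List every required SRV record that is missing or on the wrong port for target."""
    srv, txt = parse_zone(text)
    target = target.rstrip(".").lower()
    findings = []
    for name, expected_port in REQUIRED_SRV.items():
        hits = [r for r in srv.get(name, []) if r[3] == target]
        if not hits:
            findings.append(f"missing {name} SRV record for {target}")
            continue
        for _prio, _weight, port, _target in hits:
            if port != expected_port:
                findings.append(f"{name} for {target} uses port {port}, expected {expected_port}")
    if realm is not None and txt.get("_kerberos") != realm:
        findings.append(f"_kerberos TXT record does not name realm {realm}")
    return findings


if __name__ == "__main__":
    for finding in audit_server_records(SAMPLE_ZONE, "ipareplica.example.com", realm="EXAMPLE.COM"):
        print(finding)
```

The same function can be run over the output of a zone transfer or of ipa dnsrecord-find reformatted into this one-record-per-line form.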
/var/log/pki-ca/debug, which may show error messages about being unable to find certain entries. For example:
[04/Feb/2011:22:29:03][http-9445-Processor25]: DatabasePanel comparetAndWaitEntries ou=people,o=ipaca not found, let's wait
# ipa-server-install --uninstall
--uninstall option to the ipa-server-install command:
# ipa-server-install --uninstall
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
forwardable = yes
ticket_lifetime = 24h
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com:88
admin_server = ipaserver.example.com:749
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
ipa-join command to perform the actual join
/etc/krb5.keytab. For example, host/ipa.example.com@EXAMPLE.COM.
/etc/pki/nssdb.
ipa-client-install script retrieves the Active Directory DNS records instead of any records that were added for IPA.
ipa-client-install script.
ipa-client package:
# yum install ipa-client
ipa-admintools package, as well:
# yum install ipa-client ipa-admintools
/etc/resolv.conf file.
# ipa-client-install --enable-dns-updates
The --enable-dns-updates option updates DNS with the client machine's IP address. This option should only be used if the IPA server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol.
--server option to specify the IPA server to register with, the server name must be a fully-qualified domain name.
ipa-client-install are listed in Section B.6.1, “ipa-client-install”.
--on-master option that is used as part of configuring an IPA server (which also is an IPA client, since it is within the domain). This option should never be used when configuring a regular IPA client, because it results in slightly different client configuration which may not work on a non-IPA server machine.
DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com): example.com
--server option with the client installation script to supply the fully-qualified domain name of the IPA server.
DNS discovery failed to find the IPA Server
Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
$ id
$ getent passwd userID
$ getent group ipausers
/etc/sysconfig/nfs file.
RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"
# ipa service-add nfs/ipaclient.example.com@EXAMPLE.COM
ipa command is available.
# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE.COM -k /tmp/krb5.keytab
-e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
/etc/exports file on the NFS server.
/ipashare gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
-o sec setting as is used in the /etc/exports file for the NFS server.
[root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
ipa-client-install command automatically configures services like Kerberos, SSSD, PAM, and NSS. However, if the ipa-client-install command cannot be used on a system for some reason, then the IPA client entries and the services can be configured manually.
$ ipa host-add --force --ip-address=192.168.166.31 client1.example.com
$ kinit admin
$ ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com
# ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab
/etc/krb5.keytab.
/etc/krb5.keytab that should be preserved, the two files can be combined using ktutil.
/etc/krb5.keytab file.
The keytab must be owned by root:root, with permissions 0600 and the SELinux context system_u:object_r:krb5_keytab_t:s0.
/etc/sssd/sssd.conf file to point to the IPA domain.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
[nss]
[pam]
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client1.example.com
chpass_provider = ipa
ipa_server = ipaserver.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
vim /etc/nsswitch.conf
...
passwd: files sss
shadow: files sss
group: files sss
...
netgroup: files sss
...
/etc/krb5.conf file to point to the IPA KDC.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = true
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com:88
admin_server = ipaserver.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
/etc/pam.d configuration to use the pam_sss.so modules.
/etc/pam.d/fingerprint-auth:
...
account [default=bad success=ok user_unknown=ignore] pam_sss.so
...
session optional pam_sss.so
/etc/pam.d/system-auth:
...
auth sufficient pam_sss.so use_first_pass
...
account [default=bad success=ok user_unknown=ignore] pam_sss.so
...
password sufficient pam_sss.so use_authtok
...
session optional pam_sss.so
/etc/pam.d/password-auth:
...
auth sufficient pam_sss.so use_first_pass
...
account [default=bad success=ok user_unknown=ignore] pam_sss.so
...
password sufficient pam_sss.so use_authtok
...
session optional pam_sss.so
/etc/pam.d/smartcard-auth:
...
account [default=bad success=ok user_unknown=ignore] pam_sss.so
...
session optional pam_sss.so
ldapclient with the information for the IPA domain:
[root@server ~]# ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=none \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a defaultServerList=192.168.0.1 \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
-a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com
Remove the ldap option from all entries in /etc/nsswitch.conf except for the passwd: and group: entries.
[root@server ~]# ntpdate ipaserver.example.com
[root@server ~]# vim /etc/krb5/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
ldapclient configures forwardable tickets by default, which makes it possible to connect to the UI from any system and provides a way to audit administration operations.
[root@server ~]# vim /etc/pam.conf
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
[root@server ~]# kadmin.local -q "addprinc testadmin/admin"
/var/kerberos/krb5kdc/kadm5.acl on the IPA server to allow access from the NFS client machine.
kclient command to set up the NFS client for Kerberos authentication.
krb5.conf file.
[root@server ~]# kclient
Starting client setup
---------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: ipaserver.example.com
ipaserver.example.com
Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP).
Setting up /etc/krb5/krb5.conf.
Enter the krb5 administrative principal to be used: testadmin
Obtaining TGT for testadmin/admin ...
Password for testadmin/admin@EXAMPLE.COM:
Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ? [y/n]: n
No action performed.
Do you plan on doing Kerberized nfs ? [y/n]: y
nfs/client.example.com entry ADDED to KDC database.
nfs/client.example.com entry ADDED to keytab.
host/client.example.com entry ADDED to KDC database.
host/client.example.com entry ADDED to keytab.
Do you want to copy over the master krb5.conf file ? [y/n]: n
No action performed.
---------------------------------------------------
Setup COMPLETE.
[root@server ~]# klist -ket /etc/krb5/krb5.keytab
[root@server ~]# showmount -e ipaserver.example.com
/etc/nfssec.conf file.
krb5 390003 kerberos_v5 default - # RPCSEC_GSS
[root@server ~]# mount -t nfs4 ipaserver.example.com:/ /mnt/ -o sec=krb5
ktutil command to import the contents into the main host keytab.
```
# ktutil
ktutil: read_kt /tmp/krb5.keytab
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: q
```
/etc/exports file on the NFS server.
/nfs client.example.com(sec=krb5p,rw,sync,fsid=0,no_subtree_check)
[root@server ~]# ipa service-add nfs/client.example.com
[root@server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/client.example.com -k /tmp/krb5.keytab -e des-cbc-crc
[root@server ~]# scp /tmp/krb5.keytab root@client.example.com:/tmp/krb5.keytab
/etc/nfssec.conf file.
krb5 390005 kerberos_v5 default - # RPCSEC_GSS
[root@server ~]# kinit -k nfs/client.example.com
[root@server ~]# mount -F nfs -o sec=krb5p ipaserver.example.com:/nfs /mnt/
ldapux client.
```
# swinstall -s /path/to/J4269AA_B.04.15.01_HP-UX_B.11.23_IA_PA.depot
# cd /opt/ldapux/config/
# ./setup
```
```
Would you like to continue with the setup? [Yes]
Select which Directory Server you want to connect to ? [RedHat Directory]
Directory server host ? [ipaserver.example.com]
Directory Server port number [389]
Would you like to extend the printer schema in this directory server? [No]
Would you like to install PublicKey schema in this directory server? [No]
Would you like to install the new automount schema ? [No]
Profile Entry DN: [cn=ldapuxprofile,cn=etc,dc=example,dc=com]
User DN [cn=Directory Manager]
Password ? [Directory Manager's Password]
Authentication method ? [ SIMPLE ]
Enter the number of the hosts you want to specify [1]
Default Base DN ? [dc=example,dc=com]
Accept remaining defaults ? [n]
Client binding [Anonymous]
Bind time limit [5 seconds]
Search time limit [no limit]
Do you want client searches of the directory to follow referrals? [Yes]
Profile TTL [0 = infinite]
Do you want to remap any of the standard RFC 2307 attribute? [Yes]
Specify the service you want to map? [ 3 ] [ group ]
Specify the attribute you want to map [3 for memberuid ]
Type the name of the attribute memberuid should be mapped to [member]
Specify the service you want to map? [ 0 = exit ]
Do you want to remap any of the standard RFC 2307 attribute? [ no this time ]
Do you want to create custom search descriptors? [ No ]
```
```
# ps -ef | grep ldapclientd
# /opt/ldapux/bin/ldapclientd
# nsquery passwd admin
# nsquery group admins
```
```
# ipa group-add testgroup
# ipa group-add-member -a testuser testgroup
# nsquery passwd testuser
# nsquery group testgroup
```
/etc/opt/ldapux/ldapclientd.conf file:
```
[StartOnBoot]
enable=yes
```
/etc/krb5.conf file to reflect the Kerberos domain used by the IPA server. Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example:
[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = FILE:/etc/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
ccache_type = 2
[realms]
EXAMPLE.COM = {
kpasswd_server = ipaserver.example.com
kdc = ipaserver.example.com:88
admin_server = ipaserver.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
kinit = {
forwardable = true
}
/etc/pam.conf file so that all of the required modules are loaded for authentication. For example:
```
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
# Authentication management
#
login    auth     required   libpam_hpsec.so.1
login    auth     sufficient libpam_krb5.so.1
login    auth     required   libpam_unix.so.1 try_first_pass
su       auth     required   libpam_hpsec.so.1
su       auth     sufficient libpam_krb5.so.1
su       auth     required   libpam_unix.so.1 try_first_pass
dtlogin  auth     required   libpam_hpsec.so.1
dtlogin  auth     sufficient libpam_krb5.so.1
dtlogin  auth     required   libpam_unix.so.1 try_first_pass
dtaction auth     required   libpam_hpsec.so.1
dtaction auth     sufficient libpam_krb5.so.1
dtaction auth     required   libpam_unix.so.1 try_first_pass
ftp      auth     required   libpam_hpsec.so.1
ftp      auth     sufficient libpam_krb5.so.1
ftp      auth     required   libpam_unix.so.1 try_first_pass
sshd     auth     required   libpam_hpsec.so.1
sshd     auth     sufficient libpam_krb5.so.1
sshd     auth     required   libpam_unix.so.1 try_first_pass
OTHER    auth     required   libpam_unix.so.1
#
# Account management
#
login    account  required   libpam_hpsec.so.1
login    account  sufficient libpam_krb5.so.1
login    account  required   libpam_unix.so.1
su       account  required   libpam_hpsec.so.1
su       account  sufficient libpam_krb5.so.1
su       account  required   libpam_unix.so.1
dtlogin  account  required   libpam_hpsec.so.1
dtlogin  account  sufficient libpam_krb5.so.1
dtlogin  account  required   libpam_unix.so.1
dtaction account  required   libpam_hpsec.so.1
dtaction account  sufficient libpam_krb5.so.1
dtaction account  required   libpam_unix.so.1
ftp      account  required   libpam_hpsec.so.1
ftp      account  sufficient libpam_krb5.so.1
ftp      account  required   libpam_unix.so.1
sshd     account  required   libpam_hpsec.so.1
sshd     account  sufficient libpam_krb5.so.1
sshd     account  required   libpam_unix.so.1
OTHER    account  required   libpam_unix.so.1
#
# Session management
#
login    session  required   libpam_hpsec.so.1
login    session  sufficient libpam_krb5.so.1
login    session  required   libpam_unix.so.1
dtlogin  session  required   libpam_hpsec.so.1
dtlogin  session  sufficient libpam_krb5.so.1
dtlogin  session  required   libpam_unix.so.1
dtaction session  required   libpam_hpsec.so.1
dtaction session  sufficient libpam_krb5.so.1
dtaction session  required   libpam_unix.so.1
sshd     session  required   libpam_hpsec.so.1
sshd     session  sufficient libpam_krb5.so.1
sshd     session  required   libpam_unix.so.1
OTHER    session  required   libpam_unix.so.1
#
# Password management
#
login    password required   libpam_hpsec.so.1
login    password sufficient libpam_krb5.so.1
login    password required   libpam_unix.so.1
passwd   password required   libpam_hpsec.so.1
passwd   password sufficient libpam_krb5.so.1
passwd   password required   libpam_unix.so.1
dtlogin  password required   libpam_hpsec.so.1
dtlogin  password sufficient libpam_krb5.so.1
dtlogin  password required   libpam_unix.so.1
dtaction password required   libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required   libpam_unix.so.1
OTHER    password required   libpam_unix.so.1
```
/etc/pam.conf file to reflect the following example:
```
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
#
# Authentication management
#
login    auth     sufficient /usr/lib/security/libpam_krb5.1
login    auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
su       auth     sufficient /usr/lib/security/libpam_krb5.1
su       auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin  auth     sufficient /usr/lib/security/libpam_krb5.1
dtlogin  auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth     sufficient /usr/lib/security/libpam_krb5.1
dtaction auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
ftp      auth     sufficient /usr/lib/security/libpam_krb5.1
ftp      auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
OTHER    auth     required   /usr/lib/security/libpam_unix.1
#
# Account management
#
login    account  sufficient /usr/lib/security/libpam_krb5.1
login    account  required   /usr/lib/security/libpam_unix.1
su       account  sufficient /usr/lib/security/libpam_krb5.1
su       account  required   /usr/lib/security/libpam_unix.1
dtlogin  account  sufficient /usr/lib/security/libpam_krb5.1
dtlogin  account  required   /usr/lib/security/libpam_unix.1
dtaction account  sufficient /usr/lib/security/libpam_krb5.1
dtaction account  required   /usr/lib/security/libpam_unix.1
ftp      account  sufficient /usr/lib/security/libpam_krb5.1
ftp      account  required   /usr/lib/security/libpam_unix.1
OTHER    account  required   /usr/lib/security/libpam_unix.1
#
# Session management
#
login    session  sufficient /usr/lib/security/libpam_krb5.1
login    session  required   /usr/lib/security/libpam_unix.1
dtlogin  session  sufficient /usr/lib/security/libpam_krb5.1
dtlogin  session  required   /usr/lib/security/libpam_unix.1
dtaction session  sufficient /usr/lib/security/libpam_krb5.1
dtaction session  required   /usr/lib/security/libpam_unix.1
OTHER    session  required   /usr/lib/security/libpam_unix.1
#
# Password management
#
login    password sufficient /usr/lib/security/libpam_krb5.1
login    password required   /usr/lib/security/libpam_unix.1
passwd   password sufficient /usr/lib/security/libpam_krb5.1
passwd   password required   /usr/lib/security/libpam_unix.1
dtlogin  password sufficient /usr/lib/security/libpam_krb5.1
dtlogin  password required   /usr/lib/security/libpam_unix.1
dtaction password sufficient /usr/lib/security/libpam_krb5.1
dtaction password required   /usr/lib/security/libpam_unix.1
OTHER    password required   /usr/lib/security/libpam_unix.1
```
ssh installed. A current package can be downloaded from the HP website at http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA.
/etc/opt/ssh/ssh_config file:
PreferredAuthentications entries.
```
Host *
GSSAPIAuthentication yes
GSSAPITrustDNS no
PreferredAuthentications "gssapi-with-mic,publickey,password"
```
GSSAPIAuthentication, GSSAPITrustDNS, and PreferredAuthentications lines, and include the double quotes around the PreferredAuthentications value.
/etc/krb5.keytab file.
```
# ipa service-add host/hpuxipaclient.example.com
# ipa-getkeytab -s ipaserver.example.com -p host/hpuxipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc
```
/etc/krb5/krb5.keytab.
```
# scp /tmp/krb5.keytab root@hpuxipaclient.example.com:/etc/krb5/krb5.keytab
```
pam_authz PAM module, which can be used to control login access to the system based on a user's group membership. For details on how to configure access control with this module, see the HP documentation at http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02261530/c02261530.pdf.
/etc/opt/ldapux/pam_authz.policy prevents the admin user from logging in while still allowing regular users to log in.
```
# pam_authz.policy.template:
#
# An example file that could be copied over to /etc/opt/ldapux/pam_authz.policy.
# pam_authz.policy is a local policy file that PAM_AUTHZ would use to help
# determine which users would be allowed to login to the local host.
#
# In this template file, by default, the only active access rule is
# "allow:unix_local_user"
# All the local users are authorized to login.
#
# The policy file contains one or more access rule. The format of an access
# rule is <action>:<type>:<object>
#
# where <action> could be "deny", "allow", "status"
#        "PAM_SUCCESS", "PAM_PERM_DENIED", "PAM_MAXTRIES"
#        "PAM_AUTH_ERR", "PAM_NEW_AUTHTOK_REQD",
#        "PAM_AUTHTOKEN_REQD, "PAM_CRED_INSUFFICIENT",
#        "PAM_AUTHINFO_UNAVAIL", "PAM_USER_UNKNOWN"
#        "PAM_ACCT_EXPIRED", "PAM_AUTHOK_EXPIRED"
#
# Note: "status" must use along with "rhds" or
#       "ads" <type>.
# <type> could be "unix_user", "unix_local_user", "unix_group",
#        "netgroup", ldap_filter", "ldap_group"
#        "rhds" or "ads"
#
# Note: When <type> is set to "rhds" or "ads",
#       the <action> filed must set to "status".
# <object> contains search information. For example,
#
deny:unix_group:admins
allow:unix_local_user
```
/bin/bash as the shell to use and /home/admin as the home directory. It may be necessary to install bash to be able to log in.
```
# kinit admin
# ssh admin@hpuxipaclient.example.com
```
```
# mkkrb5clnt -r EXAMPLE.COM -d example.com -c ipaclient.example.com -s ipaserver.example.com
# kinit admin
# mksecldap -c -h ipaserver.example.com -d cn=accounts,dc=example,dc=com -a uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com -p secret
```
/etc/security/ldap directory, create user and group map files:
IPAuser.map file:
```
#IPAuser.map file
keyobjectclass SEC_CHAR posixaccount s
# The following attributes are required by AIX to be functional
username   SEC_CHAR uid              s
id         SEC_INT  uidnumber        s
pgrp       SEC_CHAR gidnumber        s
home       SEC_CHAR homedirectory    s
shell      SEC_CHAR loginshell       s
gecos      SEC_CHAR gecos            s
spassword  SEC_CHAR userpassword     s
lastupdate SEC_INT  shadowlastchange s
```
IPAgroup.map file:
```
#IPAgroup.map file
groupname SEC_CHAR cn        s
id        SEC_INT  gidNumber s
users     SEC_LIST member    m
```
/etc/security/ldap/ldap.cfg file to set the REALM and base DN values for the IPA domain.
```
userbasedn:cn=users,cn=accounts,dc=example,dc=com
groupbasedn:cn=groups,cn=accounts,dc=example,dc=com
userattrmappath:/etc/security/ldap/IPAuser.map
groupattrmappath:/etc/security/ldap/IPAgroup.map
userclasses:posixaccount
```
```
# start-secldapclntd
# lsldap -a passwd
```
/usr/lib/security/methods.cfg file to configure the system login to use Kerberos and LDAP:
```
KRB5A:
    program = /usr/lib/security/KRB5A
    program_64 = /usr/lib/security/KRB5A_64
    options = authonly

LDAP:
    program = /usr/lib/security/LDAP
    program_64 = /usr/lib/security/LDAP64

KRB5ALDAP:
    options = auth=KRB5A,db=LDAP
```
/etc/security/user file, and modify the default section to use the Kerberos/LDAP system and the LDAP user registry.
```
SYSTEM = "KRB5ALDAP"
registry = LDAP
```
```
$ id
```
```
auth.info   /var/log/sshd.log
auth.crit   /var/log/sshd.log
auth.warn   /var/log/sshd.log
auth.notice /var/log/sshd.log
auth.err    /var/log/sshd.log
```
```
SyslogFacility AUTH
LogLevel INFO
```
sshd to use GSS-API, including disabling DNS for GSS-API:
```
vim /etc/ssh/sshd_config
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPITrustDNS no
```
sshd daemon:
```
# stopsrc -s sshd
# startsrc -s sshd
```
syslogd daemon:
```
# stopsrc -s syslogd
# startsrc -s syslogd
```
```
# ipa service-add host/ipaclient.example.com
# ipa-getkeytab -s ipaserver -p host/ipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc
# scp /tmp/krb5.keytab root@ipaclient.example.com:/tmp/krb5.keytab
```
ktutil command to import the contents into the main host keytab.
```
# ktutil
ktutil: read_kt /tmp/krb5.keytab
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: q
```
ldapmodify, bind as Directory Manager and create this user. The user should be assigned a shared password.
```
ldapmodify -D "cn=directory manager" -w secret -p 389 -h ipaserver.example.com -x -a
dn: uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: nss
userPassword: secretpassword
```
```
# kinit admin
# ssh admin@ipaclient.example.com
```
/bin/bash as the shell to use and /home/admin as the home directory. It may be necessary to install bash to be able to log in.
ipa-client-install, the client installation log is located in /var/log/ipaclient-install.log. The IPA logs, both for the server and client and for IPA-associated services, are covered in Section 16.1.3, “Checking IPA Server Logs”.
/etc/resolv.conf file or if there are other resources on the network with SRV records, like Active Directory.
```
Jun 30 11:11:48 server1 krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 30 11:11:48 server1 krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 30 11:11:49 server1 krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.COM for HTTP/server1.wrong.example.com@EXAMPLE.COM, Server not found in Kerberos database
```
/etc/resolv.conf file to remove the external DNS name server references.
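A small parser for the krb5kdc log format shown above, added here as an example (it is not code from the guide): it picks out requests the KDC rejected with UNKNOWN_SERVER and compares the requested service host with a list of known IPA server names, so that a wrong-resolver case like server1.wrong.example.com is reported next to the host that was probably meant. SAMPLE_LOG and KNOWN_HOSTS are constructed from the excerpt above.

```python
"""Parse krb5kdc log lines and flag service-ticket requests rejected with
UNKNOWN_SERVER.  Added example; not part of the Identity Management guide."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Line shape taken from the guide's excerpt:
#   <date> <kdc> krb5kdc[<pid>](info): <REQ> (<etypes>) <ip>: <STATUS>: ..., <client> for <server>[, <message>]
KDC_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" optionally followed by ", <message>".
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<server>\S+@\S+?)(?:,|$)")


@dataclass
class KdcEvent:
    kdc: str
    req: str
    client_ip: str
    status: str
    client: str
    server: str
    message: str


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Return a KdcEvent for an AS_REQ/TGS_REQ line, or None for anything else."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    p = PRINCIPALS.search(m.group("rest"))
    if not p:
        return None
    # Whatever follows the server principal is the KDC's explanatory message.
    message = m.group("rest")[p.end():].lstrip(", ")
    return KdcEvent(m.group("kdc"), m.group("req"), m.group("ip"), m.group("status"),
                    p.group("client"), p.group("server"), message)


def service_host(principal: str) -> str:
    """'HTTP/server1.wrong.example.com@EXAMPLE.COM' -> 'server1.wrong.example.com'."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[1] if "/" in name else ""


def likely_intended_host(host: str, known_hosts: Iterable[str]) -> Optional[str]:
    """A known host sharing the leftmost DNS label with the requested one.
    server1.wrong.example.com beside server1.example.com points at the client's
    resolver (the /etc/resolv.conf case above), not at a missing service."""
    short = host.split(".", 1)[0]
    for known in known_hosts:
        if known != host and known.split(".", 1)[0] == short:
            return known
    return None


def find_unknown_servers(lines: Iterable[str], known_hosts: Iterable[str]) -> List[dict]:
    """One finding per request the KDC answered with UNKNOWN_SERVER."""
    known = list(known_hosts)
    findings = []
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None or ev.status != "UNKNOWN_SERVER":
            continue
        host = service_host(ev.server)
        findings.append({
            "client_ip": ev.client_ip,
            "client": ev.client,
            "requested": ev.server,
            "requested_host": host,
            "likely_intended": likely_intended_host(host, known),
            "kdc_message": ev.message,
        })
    return findings


# Constructed sample: the three lines from the excerpt plus one successful TGS_REQ.
SAMPLE_LOG = [
    "Jun 30 11:11:48 server1 krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: "
    "NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required",
    "Jun 30 11:11:48 server1 krb5kdc[1279](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: "
    "ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Jun 30 11:11:49 server1 krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: "
    "UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.COM for HTTP/server1.wrong.example.com@EXAMPLE.COM, "
    "Server not found in Kerberos database",
    "Jun 30 11:12:01 server1 krb5kdc[1279](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.60.135: "
    "ISSUE: authtime 1309425108, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for HTTP/server1.example.com@EXAMPLE.COM",
]
KNOWN_HOSTS = ["server1.example.com"]  # constructed: the IPA server's real FQDN

if __name__ == "__main__":
    for f in find_unknown_servers(SAMPLE_LOG, KNOWN_HOSTS):
        hint = f"; did it mean {f['likely_intended']}?" if f["likely_intended"] else ""
        print(f"{f['client_ip']} ({f['client']}) asked for {f['requested']}: {f['kdc_message']}{hint}")
```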
ipa-client-install utility can be used to uninstall the client and remove it from the IPA domain. To remove the client, use the --uninstall option.
```
# ipa-client-install --uninstall
```
ipa-join command. This is called by ipa-client-install --uninstall as part of the uninstallation process. However, while the ipa-join option removes the client from the domain, it does not actually uninstall the client or properly remove all of the IPA-related configuration. Do not run ipa-join -u to attempt to uninstall the IPA client. The only way to uninstall a client completely is to use ipa-client-install --uninstall.
ipa-server-install, ipa-client-install, and ipa-replica-install). Some scripts are also available to enable services within the IPA server. The domain server has a large number of different installation options and services — such as DNS, certificate services, and NIS management. All of these can be enabled at the time the server is set up, but none of those services are required. If a server is configured without a service like DNS, that service can be enabled later using a specific installation script, such as ipa-dns-install.
ipa. The ipa command is essentially a big plug-in container, and it supports dozens of plug-ins which it executes as subcommands. For example, adding a user is done using the user-add plug-in, which is run like a user-add subcommand:
```
ipa user-add options
```
dnszone-add and dnsrecord-add all belong to the dns module or topic. All of the information for managing a specific area, with all of the supported commands and examples for each, are available by viewing the help for that topic:
```
ipa help topic
```
```
ipa help
```
ipa use specified command-line arguments to set values. For example, adding a mail attribute to a user can be done with the --mail argument; enabling dynamic updates for a DNS zone can be done with the --allow-dynupdate option with zone commands; and a map key for an automount map is given in the --key option.
ipa allow the --setattr and --addattr options to define attributes and values explicitly.
```
--setattr=attribute=value
```
--setattr option sets one value for the given attribute; any existing values are overwritten, even for multi-valued attributes.
--addattr option adds a new value for an attribute; for a multi-valued attribute, it adds the new value while preserving any existing values.
--setattr option and --addattr can be used multiple times in the same command invocation. For example:
$ ipa user-mod jsmith --addattr=mail=johnnys@me.com --addattr=mail=jsmith@example.com --setattr=description="backup IT manager for the east coast branch"
| Main Menu Tab | Configuration Areas |
|---|---|
| Identity | |
| Policy | |
| Access controls within Identity Management | |
kinit.
kinit issues the user a Kerberos ticket. This ticket is checked by any IPA or Kerberos-aware service, so that a user only needs to log in once to access all domain services. Domain services include the IPA web UI, mounted file shares, wikis, or any other application which uses IPA as its identity/authentication store.
kinit on a client within the IPA domain.
$ kinit
kinit command must be run from a machine which has been configured as a client within the IPA domain, so that the client authenticates with the IPA KDC.
kinit logs into IPA as the currently logged-in user account. This user account must also be an IPA user for them to authenticate to the IPA Kerberos domain successfully. For example, if you are logged into the machine as jsmith:
```
$ kinit
Password for jsmith@EXAMPLE.COM:
```
pam_krb5 is configured on the IPA client machine, then when a user logs into the machine, a ticket is created which can be used for machine services which require authentication, such as sudo.
kinit command, specifying the new user. For example:
```
$ kinit userName
Password for userName@EXAMPLE.COM:
```
admin, is created to perform normal administrative activities. To authenticate as the admin user, use the name admin when running kinit:
$ kinit admin
klist command to verify the identity and the ticket granting ticket (TGT) from the server:
```
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ipaUser@EXAMPLE.COM

Valid starting     Expires            Service principal
11/10/08 15:35:45  11/11/08 15:35:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
```
kinit has some limitations, one of them being that the current ticket is overwritten with any new invocation of kinit. Authenticating as User A and then authenticating as User B overwrites User A's ticket.
KRB5CCNAME environment variable. This variable keeps credential caches separate in different shells.
admin, added a new user, set the password, and then tried to authenticate as that user, the administrator's ticket is lost.
KRB5CCNAME, can be used.
kinit, as in Section 4.2, “Logging into IPA”.
https://IPAserver-FQDN/ipa/ui, but this service is also accessed simply by opening https://IPAserver-FQDN. For example:
```
https://server.example.com
https://server.example.com/ipa/ui
```
negotiate settings in the Firefox configuration to use the IPA domain settings.
about:config in the address bar.
negotiate to filter out the Kerberos-related parameters.
gsslib parameter to true:
```
network.negotiate-auth.trusted-uris .example.com
network.negotiate-auth.delegation-uris .example.com
network.negotiate-auth.using-native-gsslib true
```
http://ipaserver.example.com. Make sure that you can open the web UI and that there are no Kerberos authentication errors.
http://ipa.example.com/ipa/config/ca.crt.
kinit, and then the user can authenticate against the IPA server domain.
/etc/krb5.conf file from the IPA server.
# scp /etc/krb5.conf root@externalmachine.example.com:/etc/krb5_ipa.conf
krb5.conf file.
$ export KRB5_CONFIG=/etc/krb5_ipa.conf
ipa.conf file used by the Apache web service.
vim /etc/httpd/conf.d/ipa.conf
<Location "/ipa"> location definition, change the KrbMethodK5Passwd attribute from off to on.
KrbMethodK5Passwd on
httpd service:
# service httpd restart
```
export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/moz.log
```
/tmp/moz.log.
| Error Log Message | Description and Fix |
|---|---|
| `-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()` `-1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure No credentials cache found` | There are no Kerberos tickets. Run kinit. |
| `-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()` `-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure Server not found in Kerberos database` | This can occur when you have successfully obtained Kerberos tickets but are still unable to authenticate to the UI. This indicates that there is a problem with the Kerberos configuration. The first place to check is the [domain_realm] section in the /etc/krb5.conf file. Make sure that the IPA Kerberos domain entry is correct and matches the configuration in the Firefox negotiation parameters. For example: `.example.com = EXAMPLE.COM` `example.com = EXAMPLE.COM` |
| Nothing is in the log file. | It is possible that you are behind a proxy which is removing the HTTP headers required for negotiate authentication. Try to connect to the server using HTTPS instead, which allows the request to pass through unmodified. Then check the log file again. |
/home.
pam_oddjob_mkhomedir module or the pam_mkhomedir module. This module can be configured as part of client installation or after installation, as described in Section 5.1.2, “Enabling the PAM Home Directory Module”.
pam_oddjob_mkhomedir module because this requires fewer user privileges and access to create the home directories, as well as integrating smoothly with SELinux. If this module is not available, then the process falls back to the pam_mkhomedir module.
/home that can be made available to all machines in the domain and then automounted on the IPA server.
/home tree, and network performance issues for using remote servers for home directories. There are some general guidelines for using NFS with Identity Management:
/home tree.
httpd process, it is possible to use sudo or a similar program to grant limited access to the IPA server to create home directories on the NFS server.
pam_oddjob_mkhomedir module, to create the home directory as that user.
pam_oddjob_mkhomedir module or the pam_mkhomedir module. Because it requires fewer permissions and works well with SELinux, IPA preferentially uses the pam_oddjob_mkhomedir module. If that module is not installed, then it falls back to the pam_mkhomedir module.
pam_oddjob_mkhomedir module or pam_mkhomedir module. This is because the *_mkhomedir module may try to create home directories even when the shared storage is not available. If the module is unable to create the home directory, then users can be blocked from logging into the IPA domain.
pam_oddjob_mkhomedir (or pam_mkhomedir) module:
--mkhomedir option can be used with the ipa-client-install command. While this is possible for clients, this option is not available to servers when they are set up.
pam_oddjob_mkhomedir module can be enabled using the system's authconfig command. For example:
authconfig --enablemkhomedir
automount.
```
$ ipa automountlocation-add userdirs
Location: userdirs
```
auto.direct file. In this example, the mount point is /share:
```
$ ipa automountkey-add userdirs auto.direct --key=/share --info="-ro,soft, ipaserver.example.com:/home/share"
Key: /share
Mount information: -ro,soft, ipaserver.example.com:/home/share
```
| Description | Object Classes |
|---|---|
| IPA object classes | ipaobject |
| Person object classes | |
| Kerberos object classes | |
| Managed entries (template) object classes | mepOriginEntry |
| UI Field | Command-Line Option | Required, Optional, or Default[a] |
|---|---|---|
| User login | username | Required |
| First name | --first | Required |
| Last name | --last | Required |
| Full name | --cn | Optional |
| Display name | --displayname | Optional |
| Initials | --initials | Default |
| Home directory | --homedir | Default |
| GECOS field | --gecos | Default |
| Shell | --shell | Default |
| Kerberos principal | --principal | Default |
| Email address | --email | Optional |
| Password | --password (Unlike the other options, this accepts no value. The script prompts for the new password.) | Optional |
| User ID number | --uid | Default |
| Group ID number | --gidnumber | Default |
| Street address | --street | Optional |
| City | --city | Optional |
| State/Province | --state | Optional |
| Zip code | --postalcode | Optional |
| Telephone number | --phone | Optional |
| Mobile telephone number | --mobile | Optional |
| Pager number | --pager | Optional |
| Fax number | --fax | Optional |
| Organizational unit | --orgunit | Optional |
| Job title | --title | Optional |
| Manager | --manager | Optional |
| Car license | --carlicense | Optional |
| Additional attributes | --addattr | Optional |

[a] Required attributes must be set for every entry. Optional attributes may be set, while default attributes are automatically added with a pre-defined value unless a specific value is given.

IMPORTANT (User ID number and Group ID number)

When a user is created without specifying a UID or GID number, then the user account is automatically assigned an ID number that is next available in the server or replica range. (Number ranges are described more in Section 5.4, “Managing Unique UID and GID Number Assignments”.) This means that a user always has a unique number for its UID number and, if configured, for its private group.

If a number is manually assigned to a user entry, the server does not validate that the uidNumber is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for POSIX entries.

If two entries are assigned the same ID number, only the first entry is returned in a search for that ID number. However, both entries will be returned in searches for other attributes or with ipa user-find --all.
```
[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?
```
ipaobject object class. However, when the user or group schema is changed, the server does not check to make sure that this object class is included; if the object class is accidentally deleted, then future entry add operations will fail.
--userobjectclasses.
$ ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,employeeinfo

--groupobjectclasses.
$ ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject,employeegroup
user-add command. Attributes (listed in Table 5.2, “Default Identity Management User Attributes”) can be added to the entry with specific values or the command can be run with no arguments.
$ ipa user-add [username] [attributes]
```
$ ipa user-add
First name: John
Last name: Smith
User login [jsmith]: jsmith
--------------------
Added user "jsmith"
--------------------
User login: jsmith
First name: John
Last name: Smith
Home directory: /home/jsmith
GECOS field: jsmith
Login shell: /bin/sh
Kerberos principal: jsmith@EXAMPLE.COM
UID: 387115841
```
$ ipa user-add jsmith --first=John --last=Smith --manager=bjensen --email=johnls@example.com --homedir=/home/work/johns --password
uidNumber is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for POSIX entries.
ipa user-find --all.
user-mod command edits user accounts by adding or changing attributes. At its most basic, the user-mod specifies the user account by login ID, the attribute to edit, and the new value:
```
$ ipa user-mod loginID --attributeName=newValue
```
$ ipa user-mod jsmith --title="Editor III"
--addattr option.
--setattr. However, using --addattr will add a new attribute; for a multi-valued attribute, it adds the new value in addition to any existing values.
$ ipa user-add jsmith --first=John --last=Smith --email=johnls@example.com
$ ipa user-mod jsmith --addattr=mail=johnnys@me.com
```
$ ipa user-find jsmith --all
--------------
1 user matched
--------------
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
User login: jsmith
.....
Email address: jsmith@example.com, jsmith@new.com
```
--addattr option twice:
$ ipa user-add jsmith --first=John --last=Smith --email=johnls@example.com --addattr=mail=johnnys@me.com --addattr=mail=admin@example.com
user-enable and user-disable commands. All that is required is the user login. For example:
$ ipa user-disable jsmith
user-del command and then the user login. For example, a single user:
$ ipa user-del jsmith
$ ipa user-del jsmith bjensen mreynolds cdickens
--continue option to force the command to continue regardless of errors. A summary of the successful and failed operations is printed to stdout when the command completes. If --continue is not used, then the command proceeds with deleting users until it encounters an error, and then it exits.
user-mod command, as with other user account changes.
$ ipa user-mod jsmith --password
uidNumber) and group IDs (gidNumber). A user and a group may have the same ID, but since the ID is set in different attributes, there is no conflict. Using the same ID number for both a user and a group also allows an administrator to configure user private groups, where a unique system group is created for each user and the ID number is the same for both the user and the group.
uidNumber is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for POSIX entries. The same is true for group entries: a duplicate gidNumber can be manually assigned to the entry.
ipa user-find --all.
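An audit script, added here as an example and not taken from the guide, that reads user and group entries and reports the conditions this page describes: login names outside the pattern given in the user-schema section, entries missing the ipaobject object class (which the server does not check), and duplicate uidNumber or gidNumber values (which the server accepts without validation). The LDIF is constructed in the guide's dc=example,dc=com layout, in the form ldapsearch would return.

```python
"""Audit IPA user and group entries for the conditions the guide warns about.
Added example, not code from the guide; SAMPLE_LDIF is constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Login-name pattern quoted in the user-schema section; fullmatch() anchors it.
LOGIN_RE = re.compile(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?")

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value'
    per line (no base64 '::' values or continuation lines)."""
    entries: List[Entry] = []
    current: Dict[str, List[str]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def _audit(entries: List[Entry], objectclass: str, id_attr: str, name_attr: str) -> List[str]:
    findings: List[str] = []
    holders: Dict[str, List[str]] = defaultdict(list)  # ID value -> entry names
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if objectclass not in classes:
            continue  # not the kind of entry being audited
        name = e.get(name_attr, [""])[0]
        if name_attr == "uid" and LOGIN_RE.fullmatch(name) is None:
            findings.append(f"{name!r}: login name does not match the allowed pattern")
        if "ipaobject" not in classes:
            findings.append(f"{name}: missing the ipaobject object class")
        for value in e.get(id_attr, []):
            holders[value].append(name)
    # The server allows duplicate IDs, so they have to be found after the fact.
    for value, names in sorted(holders.items()):
        if len(names) > 1:
            findings.append(f"{id_attr}={value} assigned to {len(names)} entries: {', '.join(names)}")
    return findings


def audit_users(entries: List[Entry]) -> List[str]:
    return _audit(entries, "posixaccount", "uidnumber", "uid")


def audit_groups(entries: List[Entry]) -> List[str]:
    return _audit(entries, "posixgroup", "gidnumber", "cn")


# Constructed sample: two users sharing a uidNumber, one user with a bad login
# and no ipaobject class, and two groups sharing a gidNumber.  jsmith's gidNumber
# equals his uidNumber (a user private group), which is not a conflict.
SAMPLE_LDIF = """\
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
objectClass: ipaobject
uid: jsmith
uidNumber: 387115841
gidNumber: 387115841

dn: uid=bjensen,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
objectClass: ipaobject
uid: bjensen
uidNumber: 387115841
gidNumber: 387115842

dn: uid=-badname,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
uid: -badname
uidNumber: 387115843
gidNumber: 387115843

dn: cn=engineering,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
cn: engineering
gidNumber: 387115842

dn: cn=examplegroup,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaobject
cn: examplegroup
gidNumber: 387115842
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for finding in audit_users(entries) + audit_groups(entries):
        print(finding)
```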
--idstart and --idmax options with ipa-server-install. These options are not required, so the setup script can assign random ranges during installation.
dnaNextRange parameter. For example:
ldapmodify -x -D "cn=Directory Manager" -W -h server.example.com -p 389
Enter LDAP Password: *******
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
add: dnaNextRange
dnaNextRange: 123400000-123500000
admin user belongs to this group.
| Description | Object Classes |
|---|---|
| IPA object classes | |
| Group object classes | |


group-add command. (This adds only the group; members are added separately.)
$ ipa group-add groupName --desc="description" [--nonposix]
--nonposix. (By default, all groups are created as POSIX groups.) To enable interoperability with Windows users and groups and programs like Samba, it is possible to create non-POSIX groups by using the --nonposix option. This option tells the script not to add the posixGroup object class to the entry.
$ ipa group-add examplegroup --desc="for examples" --nonposix
----------------------
Added group "examplegroup"
----------------------
Group name: examplegroup
Description: for examples
GID: 855800010
$ ipa group-add
Group name: engineering
Description: for engineers
-------------------------
Added group "engineering"
-------------------------
Group name: engineering
Description: for engineers
GID: 387115842
gidNumber is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for POSIX entries.
ipa group-find --all.






group-add-member command. This command can add both users as group members and other groups as group members.
group-add-member command requires only the group name and a comma-separated list of users to add:
$ ipa group-add-member groupName [--users=list] [--groups=list]
engineering group:
$ ipa group-add-member engineering --users=jsmith,bjensen,mreynolds
Group name: engineering
Description: for engineers
GID: 387115842
Member users: jsmith,bjensen,mreynolds
-------------------------
Number of members added 3
-------------------------
$ ipa group-add-member engineering --groups=dev,qe1,dev2
Group name: engineering
Description: for engineers
GID: 387115842
Member groups: dev,qe1,dev2
-------------------------
Number of members added 3
-------------------------
$ ipa group-show examplegroup
Group name: examplegroup
Description: for examples
GID: 93200002
Member users: jsmith,bjensen,mreynolds
Member groups: californiausers
Indirect Member users: sbeckett,acalavicci
group-remove-member command.
$ ipa group-remove-member engineering --users=jsmith
Group name: engineering
Description: for engineers
GID: 855800009
Member users: bjensen,mreynolds
---------------------------
Number of members removed 1
---------------------------



group-del command deletes the specified group. For example:
$ ipa group-del examplegroup
| User Search Attributes | |
|---|---|
| First name | Last name |
| Login ID | Job title |
| Organizational unit | Phone number |
| Group Search Attributes | |
| Name | Description |

$ ipa user-find|group-find string options
$ ipa user-find john
---------------
2 users matched
---------------
User login: jpeterson
First name: john
Last name: peterson
Home directory: /home/jpeterson
Login shell: /bin/sh
UID: 855800007
GID: 855800007
Account disabled: False

User login: jsmith
First name: john
Last name: smith
Home directory: /home/jsmith
Login shell: /bin/sh
UID: 855800004
GID: 855800004
Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
--raw. --raw prints the LDAP attributes for the user account rather than the reading-friendly field names.
$ ipa user-find john --raw
---------------
2 users matched
---------------
uid: jpeterson
givenname: john
sn: peterson
homedirectory: /home/jpeterson
loginshell: /bin/sh
uidnumber: 855800007
gidnumber: 855800007
nsaccountlock: False

uid: jsmith
givenname: john
sn: smith
homedirectory: /home/jsmith
loginshell: /bin/sh
uidnumber: 855800004
gidnumber: 855800004
nsaccountlock: False
----------------------------
Number of entries returned 2
----------------------------
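The --raw output above is easy to process with a script, and it is the natural input for the duplicate-ID check mentioned earlier in this section, since the server does not enforce uniqueness of uidNumber and gidNumber. The following Python example is added here and is not part of this guide or of the ipa tool: it parses --raw output from ipa user-find --all into attribute lists (multi-valued attributes such as mail keep every value) and reports any uidnumber or gidnumber shared by more than one user. The sample output embedded in the script is constructed for the example, not captured from a server, and deliberately gives two users the same uidnumber.

```python
"""Parse `ipa user-find --all --raw` output and flag duplicate POSIX IDs.

Added example; not part of the Identity Management Guide or the ipa tool.
The sample below is constructed, not captured from a server.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: jpeterson and jsmith deliberately share uidnumber 855800004.
SAMPLE_RAW_OUTPUT = """\
---------------
3 users matched
---------------
  dn: uid=jpeterson,cn=users,cn=accounts,dc=example,dc=com
  uid: jpeterson
  givenname: john
  sn: peterson
  homedirectory: /home/jpeterson
  loginshell: /bin/sh
  uidnumber: 855800004
  gidnumber: 855800007
  nsaccountlock: False

  dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
  uid: jsmith
  givenname: john
  sn: smith
  mail: jsmith@example.com
  mail: johnnys@me.com
  homedirectory: /home/jsmith
  loginshell: /bin/sh
  uidnumber: 855800004
  gidnumber: 855800004
  nsaccountlock: False

  dn: uid=bjensen,cn=users,cn=accounts,dc=example,dc=com
  uid: bjensen
  givenname: barbara
  sn: jensen
  homedirectory: /home/bjensen
  loginshell: /bin/sh
  uidnumber: 855800005
  gidnumber: 855800005
  nsaccountlock: False
----------------------------
Number of entries returned 3
----------------------------
"""

# "attribute: value" lines; the dashed rulers and the count lines do not match.
_ATTR_LINE = re.compile(r"^([A-Za-z][\w-]*):\s(.*)$")


def parse_raw_entries(text):
    """Return one dict per entry, mapping lower-cased attribute names to value lists."""
    entries, current = [], {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        match = _ATTR_LINE.match(line)
        if not match:
            if not line and current:          # a blank line separates entries
                entries.append(current)
                current = {}
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key in ("dn", "uid") and key in current:   # next entry, no blank line seen
            entries.append(current)
            current = {}
        current.setdefault(key, []).append(value)    # keeps every value of multi-valued attrs
    if current:
        entries.append(current)
    return entries


def find_duplicate_ids(entries, attr):
    """Map each value of attr (uidnumber or gidnumber) held by more than one user to those logins."""
    owners = defaultdict(list)
    for entry in entries:
        for value in entry.get(attr, []):
            owners[value].append(entry["uid"][0])
    return {value: logins for value, logins in owners.items() if len(logins) > 1}


if __name__ == "__main__":
    # Pipe real output in: ipa user-find --all --raw | python3 check_ids.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RAW_OUTPUT
    users = parse_raw_entries(text)
    for attr in ("uidnumber", "gidnumber"):
        for value, logins in sorted(find_duplicate_ids(users, attr).items()):
            print(f"duplicate {attr} {value}: {', '.join(logins)}")
```

Run with the real output piped in (ipa user-find --all --raw | python3 check_ids.py) to audit an existing server; the same parser works for ipa group-find --all --raw if the uid key check is changed to cn.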
cn=ipaconfig,cn=etc,dc=example,dc=com.
ipa config-mod command.
| Field | Command-Line Option | Description |
|---|---|---|
| Maximum username length | --maxusername | Sets the maximum number of characters for usernames. The default value is eight. |
| Root for home directories | --homedirectory | Sets the default directory to use for user home directories. The default value is /home. |
| Default shell | --defaultshell | Sets the default shell to use for users. The default value is /bin/sh. |
| Default user group | --defaultgroup | Sets the default group to which all newly created accounts are added. The default value is ipausers, which is automatically created during the IPA server installation process. |
| Default e-mail domain | --emaildomain | Sets the email domain to use to create email addresses based on the new accounts. The default is the IPA server domain. |
| Search time limit | --searchtimelimit | Sets the maximum amount of time, in seconds, to spend on a search before the server returns results. |
| Search size limit | --searchrecordslimit | Sets the maximum number of records to return in a search. |
| User search fields | --usersearch | Sets the fields in a user entry that can be used as a search string. Any attribute listed has an index kept for that attribute, so setting too many attributes could affect server performance. |
| Group search fields | --groupsearch | Sets the fields in a group entry that can be used as a search string. |
| Certificate subject base | | Sets the base DN to use when creating subject DNs for client certificates. This is configured when the server is set up. |
| Default user object classes | --userobjectclasses | Sets a list of object classes that are used to create IPA user accounts. |
| Default group object classes | --groupobjectclasses | Sets a list of object classes that are used to create IPA group accounts. |
| Password expiration notification | --pwdexpnotify | Sets how long, in days, before a password expires for the server to send a notification. |
| Password plug-in features | | Sets the format of passwords that are allowed for users. |

config-show command shows the current configuration which applies to all new user accounts. By default, only the most common attributes are displayed; use the --all option to show the complete configuration.
# ipa config-show --all
dn: cn=ipaconfig,cn=etc,dc=example,dc=com
Max. username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain for new users: example.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EXAMPLE.COM
Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount,
krbprincipalaux, krbticketpolicyaux, ipaobject
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
cn: ipaConfig
objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject
config-mod command.
$ ipa config-mod --searchtimelimit=5 --searchrecordslimit=500
Max. username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain for new users: rhts.eng.bos.redhat.com
Search time limit: 5
Search size limit: 50
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EXAMPLE.COM
Password Expiration Notification (days): 4

--usersearch option to set the attributes for user searches.
$ ipa config-mod --usersearch=uid,givenname,sn,telephonenumber,ou,title

--groupsearch options to set the attributes for group searches.
$ ipa config-mod --groupsearch=cn,description
ipa-client-install script. On other platforms — and in alternative enrollment scenarios, as in Section 6.3, “Enrolling Clients Manually” — the host entry is created manually.



host-add command. This command adds the host entry to the IPA Directory Server. The full list of options for host-add is given in Section B.4, “ipa Host Commands”. At its most basic, an add operation only requires the client hostname to add the client to the Kerberos realm and to create an entry in the IPA LDAP server:
$ ipa host-add client1.example.com
--ip-address and --force options.
$ ipa host-add --force --ip-address=192.168.166.31 client1.example.com
--force. This essentially creates a placeholder entry in the IPA DNS service. When the DNS service dynamically updates its records, the host's current IP address is detected and its DNS record is updated.
$ ipa host-add --force client1.example.com
host-del command. If the IPA domain uses DNS, then the --updatedns option also removes the associated records of any kind for the host from the DNS.
$ ipa host-del --updatedns client1.example.com
ipa-client-install command. It is also possible to perform those steps separately; this allows for administrators to prepare machines and IPA in advance of actually configuring the clients. This allows more flexible setup scenarios, including bulk deployments.
ipa-client-install command and allowing it to create the host. However, that administrator may have the right to run the command after a host entry exists. In that case, one administrator can create the host entry manually, then the second administrator can complete the enrollment by running the ipa-client-install command.
ipa-client-install command. For example:
$ ipa-client-install -w secret -p admin2
root:root ownership and 0600 permissions.
$ ipa host-add bulkserver.example.com --password=secret
ipa-client-install --uninstall
$ ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM
$ ipa-rmkeytab -k /etc/krb5.keytab -p host/server.example.com@EXAMPLE.COM
certmonger for every certificate. Each certificate must be removed from tracking individually.
$ ipa-getcert stop-tracking -n Server-Cert -d /etc/pki/nssdb
$ ipa-getcert stop-tracking -n Server2-Cert -d /etc/pki/nssdb
$ ipa host-del server.example.com
ipa-join command.
$ ipa-join
/etc/httpd/conf/ipa.keytab.
ipa.keytab and that keytab file is deleted, the IPA web UI will stop working, because the original key would also be deleted.
ipa-getkeytab, you should avoid using /etc/krb5.keytab. This file should not contain service-specific keytabs; each service should have its keytab saved in a specific location and the access privileges (and possibly SELinux rules) should be configured so that only this service has access to the keytab.



ipa-getkeytab command to generate and assign the new keytab for the service principal.
# ipa-getkeytab -s server.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc
--force flag to force the creation of a principal should this prove necessary.
-e argument can include a comma-separated list of encryption types to include in the keytab. This supersedes any default encryption type.
# ipa service-add serviceName/hostname
$ ipa service-add HTTP/server.example.com
-------------------------------------------------------
Added service "HTTP/server.example.com@EXAMPLE.COM"
-------------------------------------------------------
Principal: HTTP/server.example.com@EXAMPLE.COM
Managed by: ipaserver.example.com
ipa-getkeytab command. The command requires the Kerberos service principal (-p), the IPA server name (-s), the file to write (-k), and the encryption method (-e). Be sure to copy the keytab to the appropriate directory for the service.
# ipa-getkeytab -s server.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc
--force flag to force the creation of a principal should this prove necessary.
-e argument can include a comma-separated list of encryption types to include in the keytab. This supersedes any default encryption type.
ipa-getkeytab command resets the secret for the specified principal. This means that all other keytabs for that principal are rendered invalid.




$ ipa cert-request --principal=HTTP/web.example.com example.csr
--add option to create the service automatically when requesting the certificate.
getcert command, which creates and manages the certificate through certmonger. The options are described more in Section 18.1, “Requesting a Certificate with certmonger”.
$ ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/client1.example.com -N 'CN=client1.example.com,O=EXAMPLE.COM'
# ipa service-add serviceName/hostname --certificate="CSR"
$ ipa service-add HTTP/server.example.com --certificate="MIICbTCCAVUCAQ...IzSljdLMYNg=="
-------------------------------------------------------
Added service "HTTP/server.example.com@EXAMPLE.COM"
-------------------------------------------------------
Principal: HTTP/server.example.com@EXAMPLE.COM
Managed by: ipaserver.example.com
--certificate option.
$ certutil -N -d /path/to/database/dir
certutil, an NSS tool.
$ certutil -R -s "CN=client1.example.com,O=EXAMPLE.COM" -d /path/to/database/dir -a > example.csr
/etc/krb5.keytab.
ktutil command to produce a single keytab file that contains the contents of all of the keytab files.
rkt command to read the keys from that file.
wkt command to write all of the keys which have been read to a new keytab file.
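After ipa-getkeytab has reset a principal's key, or after ktutil has merged several files with rkt and wkt, it is useful to see exactly which principals and key version numbers (kvno) the resulting keytab holds, since the older kvno entries no longer match the KDC. The Python example below is an addition to this section, not code from the guide or from the IPA project: it reads the MIT keytab file format (version 0x0502), lists each entry's principal, kvno and encryption type, and reports entries that a newer kvno for the same principal has superseded. The sample keytab is built in memory by build_keytab(), a helper written for this example, from placeholder key bytes.

```python
"""Inspect an MIT Kerberos keytab and flag entries superseded by a newer kvno.

Added example, not from the guide or the IPA project. The sample keytab is
built in memory by build_keytab(); its keys are placeholder bytes.
"""
import struct
import sys

ENCTYPE_NAMES = {1: "des-cbc-crc", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(data):
    """Keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        # name_type 1 (NT-PRINCIPAL), timestamp, 8-bit vno, then the keyblock
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data):
    """Return a dict (principal, kvno, enctype, timestamp, key) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version-2 (0x0502) keytabs are supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                      # zero-length slot: nothing more to read
            break
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(data, pos)
            components.append(component.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                 # 32-bit kvno follows the keyblock
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "timestamp": timestamp, "key": key})
    return entries


def stale_entries(entries):
    """Entries whose kvno is older than the newest kvno held for the same principal."""
    newest = {}
    for entry in entries:
        newest[entry["principal"]] = max(newest.get(entry["principal"], 0), entry["kvno"])
    return [e for e in entries if e["kvno"] < newest[e["principal"]]]


# Constructed sample: the host key was fetched twice with ipa-getkeytab (kvno 1, then 2)
# and an HTTP key was merged in with ktutil. Key bytes are placeholders.
SAMPLE_ENTRIES = [
    ("host/client1.example.com@EXAMPLE.COM", 1, 18, b"\x11" * 32, 1300000000),
    ("host/client1.example.com@EXAMPLE.COM", 2, 18, b"\x22" * 32, 1300086400),
    ("HTTP/client1.example.com@EXAMPLE.COM", 1, 17, b"\x33" * 16, 1300086400),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    parsed = parse_keytab(data)
    for e in parsed:
        print(f"{e['principal']}  kvno={e['kvno']}  {e['enctype']}")
    for e in stale_entries(parsed):
        print(f"superseded: {e['principal']} kvno={e['kvno']}")
```

Run it as python3 keytab_check.py /etc/httpd/conf/krb5.keytab to inspect a real file; the script only reads the file, so the keytab's ownership and 0600 permissions still decide who can run it.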
sshd, set GSSAPIStrictAcceptorCheck no in /etc/ssh/sshd_config.
mod_auth_kerb, set KrbServiceName Any in /etc/httpd/conf.d/auth_kerb.conf.
ipa-getkeytab command.
# ipa-getkeytab -s kdc.example.com -p HTTP/server.example.com -k /etc/httpd/conf/krb5.keytab -e des-cbc-crc
host-disable and service-disable commands.
$ ipa host-disable server.example.com
$ ipa service-disable http/server.example.com
managedby entry which lists what hosts or services can manage it. By default, a host can manage itself and all of its services. It is also possible to allow a host to manage other hosts, or services on other hosts, by updating the appropriate delegations or providing a suitable managedby entry.

managedBy entry, it does not mean that the host has also been delegated management for all services on that host. Each delegation has to be performed independently.
service-add-host command. There are two parts to delegating the service: specifying the principal and identifying the hosts (in a comma-separated list) with control:
# ipa service-add-host principal --hosts=hostnames
# ipa service-add-host http/web.example.com --hosts=client1.example.com
# kinit -kt /etc/krb5.keytab host/`hostname`
# ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p http/web.example.com
Keytab successfully retrieved and stored in: /tmp/test.keytab
cert-request command to create a service entry and load the certification information:
# ipa cert-request --add --principal=http/web.example.com web.csr
Certificate: MIICETCCAXqgA...[snip]
Subject: CN=web.example.com,O=EXAMPLE.COM
Issuer: CN=EXAMPLE.COM Certificate Authority
Not Before: Tue Feb 08 18:51:51 2011 UTC
Not After: Mon Feb 08 18:51:51 2016 UTC
Fingerprint (MD5): c1:46:8b:29:51:a6:4c:11:cd:81:cb:9d:7c:5e:84:d5
Fingerprint (SHA1): 01:43:bc:fa:b9:d8:30:35:ee:b6:54:dd:a4:e7:d2:11:b1:9d:bc:38
Serial number: 1005
host-add-managedby command. This creates a managedby entry. Once the managedby entry is created, then the host can retrieve a keytab for the host it has delegated authority over.
# kinit admin
managedby entry. For example, this delegates authority over client2 to client1.
# ipa host-add-managedby client2.example.com --hosts=client1.example.com
client1 and then retrieve a keytab for client2:
# kinit -kt /etc/krb5.keytab host/`hostname`
# ipa-getkeytab -s `hostname` -k /tmp/client2.keytab -p host/client2.example.com
Keytab successfully retrieved and stored in: /tmp/client2.keytab
host.
kinit, use the -k option to load a keytab and the -t option to specify the keytab.
# kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
# kinit -kt /etc/httpd/conf/krb5.keytab http/ipa.example.com@EXAMPLE.COM
# ipa service-find server.example.com
host/<hostname>, such as host/server.example.com. This principal can also be referred to as the host principal.
# ipa hostgroup-find server.example.com
ldapsearch command to check the entries in the IPA LDAP database directly:
# ldapsearch -x -b "cn=accounts,dc=example,dc=com" "(&(objectclass=ipaservice)(userCertificate=*))" krbPrincipalName
server.example.com. The keytab location is different for each service, and IPA does not store this information.
ldap/server.example.com@EXAMPLE.COM.
# ipa-client-install --uninstall
/etc/krb5.keytab, remove the old principals:
# ipa-rmkeytab -k /path/to/keytab -r EXAMPLE.COM
# ipa host-del server.example.com
# ipa-client-install
/etc/krb5.keytab.
# ipa service-add serviceName/new-hostname
certmonger or the IPA administration tools.


hostgroup-add command. (This adds only the group; members are added separately.)
$ ipa hostgroup-add groupName --desc="description"



hostgroup-add-member command. This command can add both hosts as group members and other groups as group members.
hostgroup-add-member command requires only the group name and a comma-separated list of hosts to add:
$ ipa hostgroup-add-member groupName [--hosts=list] [--hostgroups=list]
caligroup group:
$ ipa hostgroup-add-member caligroup --hosts=ipaserver.example.com,client1.example.com,client2.example.com
Group name: caligroup
Description: for machines in california
GID: 387115842
Member hosts: ipaserver.example.com,client1.example.com,client2.example.com
-------------------------
Number of members added 3
-------------------------
$ ipa hostgroup-add-member caligroup --hostgroups=mountainview,sandiego
Group name: caligroup
Description: for machines in california
GID: 387115842
Member groups: mountainview,sandiego
-------------------------
Number of members added 2
-------------------------
Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x2d not found)
getent passwd admin).
/var/log/sssd/. There is a specific log file for the DNS domain, such as sssd_example.com.log. If there is not enough information in the logs at the default logging level, then increase the log level.
sssd.conf file.
vim /etc/sssd/sssd.conf
[domain/example.com] section, set debug_level.
debug_level = 9
sssd daemon.
service sssd restart
/var/log/sssd/sssd_example.com.log file for the debug messages.
| cn[a] | physicalDeliveryOfficeName |
| description | postOfficeBox |
| destinationIndicator | postalAddress |
| facsimileTelephoneNumber | postalCode |
| givenname | registeredAddress |
| homePhone | sn |
| homePostalAddress | st |
| initials | street |
| l | telephoneNumber |
| teletexTerminalIdentifier | |
| mobile | telexNumber |
| o | title |
| ou | usercertificate |
| pager | x121Address |
[a] The cn is treated differently than other synced attributes. It is mapped directly (cn to cn) when syncing from Identity Management to Active Directory. When syncing from Active Directory to Identity Management, however, cn is mapped from the name attribute on Windows to the cn attribute in Identity Management.
| Identity Management | Active Directory |
|---|---|
| cn[a] | name |
| nsAccountLock | userAccountControl |
| ntUserDomainId | sAMAccountName |
| ntUserHomeDir | homeDirectory |
| ntUserScriptPath | scriptPath |
| ntUserLastLogon | lastLogon |
| ntUserLastLogoff | lastLogoff |
| ntUserAcctExpires | accountExpires |
| ntUserCodePage | codePage |
| ntUserLogonHours | logonHours |
| ntUserMaxStorage | maxStorage |
| ntUserProfile | profilePath |
| ntUserParms | userParameters |
| ntUserWorkstations | userWorkstations |
[a] The cn is mapped directly (cn to cn) when syncing from Identity Management to Active Directory. When syncing from Active Directory, cn is mapped from the name attribute in Active Directory to the cn attribute in Identity Management.
cn attribute can be multi-valued, while in Active Directory this attribute must have only a single value. When the Identity Management cn attribute is synchronized, then, only one value is sent to the Active Directory peer.
cn value is added to an Active Directory entry and that value is not one of the values for cn in Identity Management, then all of the Identity Management cn values are overwritten with the single Active Directory value.
cn attribute as its naming attribute, where Identity Management uses uid. This means that there is the potential to rename the entry entirely (and accidentally) if the cn attribute is edited in Identity Management. If that cn change is written over to the Active Directory entry, then the entry is renamed, and the newly named entry is written back over to Identity Management.
streetAddress for a user or group's postal address; this is the way that 389 Directory Server uses the street attribute. There are two important differences in the way that Active Directory and Identity Management use the streetAddress and street attributes, respectively:
streetAddress is an alias for street. Active Directory also has the street attribute, but it is a separate attribute that can hold an independent value, not an alias for streetAddress.
streetAddress and street as single-valued attributes, while 389 Directory Server defines street as a multi-valued attribute, as specified in RFC 4519.
streetAddress and street attributes, there are two rules to follow when setting address attributes in Active Directory and Identity Management:
streetAddress in the Active Directory entry to street in Identity Management. To avoid conflicts, the street attribute should not be used in Active Directory.
street attribute value is synced to Active Directory. If the streetAddress attribute is changed in Active Directory and the new value does not already exist in Identity Management, then all street attribute values in Identity Management are replaced with the new, single Active Directory value.
initials attribute, Active Directory imposes a maximum length constraint of six characters, but 389 Directory Server does not have a length limit. If an initials attribute longer than six characters is added to Identity Management, the value is trimmed when it is synchronized with the Active Directory entry.
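The cn, street and initials rules above can be modelled directly, which makes it easier to predict what a sync will write before enabling it. The Python example below is added here and is not the winsync plug-in's code; the entries in it are constructed, and it assumes that when an IPA attribute holds several values the first one is the value sent to Active Directory, which the guide does not specify. It also includes two checks an administrator can run against exported entries: whether an IPA cn edit would rename the Active Directory entry, and whether an Active Directory entry uses the separate street attribute that the guide says to avoid.

```python
"""Model the winsync rules for cn, street/streetAddress and initials.

Added example, not the winsync plug-in's implementation. Entries are plain
dicts: IPA attributes map to value lists (multi-valued), Active Directory
attributes map to single strings. Assumption: the first IPA value is the one
sent to Active Directory when an attribute has several values.
"""

AD_INITIALS_MAX = 6   # Active Directory length constraint on initials


def ipa_to_ad(ipa_entry):
    """Attribute values written to the Active Directory entry when the IPA entry changes."""
    ad_update = {}
    if ipa_entry.get("cn"):
        ad_update["cn"] = ipa_entry["cn"][0]                 # AD cn is single-valued
    if ipa_entry.get("street"):
        ad_update["streetAddress"] = ipa_entry["street"][0]  # IPA street -> AD streetAddress
    if ipa_entry.get("initials"):
        ad_update["initials"] = ipa_entry["initials"][0][:AD_INITIALS_MAX]  # trimmed
    return ad_update


def _merge_single_valued(ipa_values, ad_value):
    """An AD value not already among the IPA values replaces all of them."""
    if ad_value is None or ad_value in ipa_values:
        return list(ipa_values)
    return [ad_value]


def ad_to_ipa(ipa_entry, ad_entry):
    """IPA entry after a sync from Active Directory; cn comes from AD's name attribute."""
    updated = {attr: list(values) for attr, values in ipa_entry.items()}
    updated["cn"] = _merge_single_valued(ipa_entry.get("cn", []), ad_entry.get("name"))
    updated["street"] = _merge_single_valued(ipa_entry.get("street", []),
                                             ad_entry.get("streetAddress"))
    return updated


def would_rename_ad_entry(ipa_entry, ad_entry):
    """True if syncing the IPA cn would change AD's naming attribute, i.e. rename the entry."""
    new_cn = ipa_to_ad(ipa_entry).get("cn")
    return new_cn is not None and new_cn != ad_entry.get("cn")


def ad_street_conflict(ad_entry):
    """True if the AD entry sets the separate street attribute, which conflicts with IPA's street."""
    return bool(ad_entry.get("street"))


if __name__ == "__main__":
    # Constructed entries for illustration.
    ipa_user = {"cn": ["John Smith", "J. Smith"], "street": ["1 Main St", "Suite 5"],
                "initials": ["JQPSMIT"]}
    ad_user = {"cn": "John Smith", "name": "John Smith", "streetAddress": "1 Main St"}
    print("written to AD:", ipa_to_ad(ipa_user))
    print("after AD rename:", ad_to_ipa(ipa_user, {"name": "Johnny Smith"})["cn"])
    print("rename risk:", would_rename_ad_entry({"cn": ["Jonathan Smith"]}, ad_user))
```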
C:\WINDOWS\system32\certsrv\CertEnroll\.
.crt file) to display the Certificate dialog box.

http://ipa.example.com/ipa/config/ca.crt.
/etc/openldap/cacerts/ directory.
cacertdir_rehash /etc/openldap/cacerts/
/etc/openldap/ldap.conf file, and add the information to point to and use the certificates in the /etc/openldap/cacerts/ directory.
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
ipa-replica-manage connect command because it creates a connection to the Active Directory domain. The options to create the synchronization agreement are listed in Table 7.3, “Synchronization Agreement Options”.
$ kdestroy
ipa-replica-manage command to create a Windows synchronization agreement. This requires the --winsync option. If passwords will be synchronized as well as user accounts, then also use the --passsync option and set a password to use for Password Sync.
--binddn and --bindpw options give the username and password of the system account on the Active Directory server that IPA will use to connect to the Active Directory server.
$ ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw Windows-secret --passsync secretpwd --cacert /etc/openldap/cacerts/windows.cer adserver.example.com -v
| Option | Description |
|---|---|
| --winsync | Identifies this as a synchronization agreement. |
| --binddn | Gives the full user DN of the synchronization identity. This is the user DN that the IPA LDAP server uses to bind to Active Directory. This user must exist in the Active Directory domain and must have replicator, read, search, and write permissions on the Active Directory subtree. |
| --bindpw | Gives the password for the sync user. |
| --passsync | Gives the password for the Windows user account which is involved in synchronization. |
| --cacert | Gives the full path and file name of the Active Directory CA certificate. This certificate is exported in Section 7.3.1, “Trusting the Active Directory and IPA CA Certificates”. |
| --win-subtree | Gives the DN of the Windows subtree containing the users to synchronize. The default value is cn=Users,$SUFFIX. |
| AD_server_name | Gives the hostname of the Active Directory domain controller. |
ldapmodify command to modify the LDAP server entry directly.
ipaWinSyncAcctDisable attribute. (Changing this means that if an account is disabled in Active Directory, it is still active in IPA and vice versa.)
$ ldapmodify -x -D "cn=directory manager" -w password
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: ipaWinSyncAcctDisable
ipaWinSyncAcctDisable: none

modifying entry "cn=ipa-winsync,cn=plugins,cn=config"
| Parameter | Description | Possible Values |
|---|---|---|
| General User Account Parameters | | |
| ipaWinSyncNewEntryFilter | Sets the search filter to use to find the entry which contains the list of object classes to add to new user entries. The default is (cn=ipaConfig). | |
| ipaWinSyncNewUserOCAttr | Sets the attribute in the configuration entry which actually contains the list of object classes to add to new user entries. The default is ipauserobjectclasses. | |
| ipaWinSyncHomeDirAttr | Identifies which attribute in the entry contains the default location of the POSIX home directory. The default is ipaHomesRootDir. | |
| ipaWinSyncUserAttr | Sets an additional attribute with a specific value to add to Active Directory users when they are synced over from the Active Directory domain. If the attribute is multi-valued, then it can be set multiple times, and the sync process adds all of the values to the entry. Note: this only sets the attribute value if the entry does not already have that attribute present. If the attribute is present, then the entry's value is used when the Active Directory entry is synced over. | ipaWinSyncUserAttr: attributeName attributeValue |
| ipaWinSyncUserFlatten | Sets whether to normalize the DN of Active Directory entries to conform with the IPA directory structure. In IPA, all users are stored under the cn=users,cn=accounts,$SUFFIX entry, but Active Directory can have more branches in its directory, which can result in DNs like cn=John Smith,ou=Development,ou=Engineering,cn=users,dc=example,dc=com. Flattening the DN discards any additional intervening organizational units in the Active Directory DN and creates a simple DN on the IPA side. Any ou attributes are stored in the IPA user entry. | true \| false |
| ipaWinSyncForceSync | Sets whether existing IPA users which match an existing Active Directory user should be automatically edited so they can be synchronized. If an IPA user account has a uid parameter which is identical to the samAccountName in an existing Active Directory user, then that account is not synced by default. This attribute tells the sync service to add the ntUser and ntUserDomainId to the IPA user entries automatically, which allows them to be synchronized. | true \| false |
| User Account Lock Parameters | | |
| ipaWinSyncAcctDisable | Sets which way to synchronize account lockout attributes. It is possible to control which account lockout settings are in effect. For example, to_ad means that when an account lockout attribute is set in IPA, its value is synced over to Active Directory and overrides the local Active Directory value. By default, account lockout attributes are synced from both domains. | |
| ipaWinSyncInactivatedFilter | Sets the search filter to use to find the DN of the group used to hold inactivated (disabled) users. This does not need to be changed in most deployments. The default is (&(cn=inactivated)(objectclass=groupOfNames)). | |
| ipaWinSyncActivatedFilter | Sets the search filter to use to find the DN of the group used to hold activated users. This does not need to be changed in most deployments. The default is (&(cn=activated)(objectclass=groupOfNames)). | |
| Group Parameters | | |
| ipaWinSyncDefaultGroupAttr | Sets the attribute in the new user account to reference to see what the default group for the user is. The group name in the entry is then used to find the gidNumber for the user account. The default is ipaDefaultPrimaryGroup. | |
| ipaWinSyncDefaultGroupFilter | Sets the search filter to map the group name to the POSIX gidNumber. The default is (&(gidNumber=*)(objectclass=posixGroup)(cn=groupAttr_value)). | |
| Realm Parameters | | |
| ipaWinSyncRealmAttr | Sets the attribute which contains the realm name in the realm entry. The default is cn. | |
| ipaWinSyncRealmFilter | Sets the search filter to use to find the entry which contains the IPA realm name. The default is (objectclass=krbRealmContainer). | |
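The DN flattening performed by ipaWinSyncUserFlatten, and the add-only behaviour of ipaWinSyncUserAttr, are shown by the following Python example. It is an added example, not the plug-in's implementation: the RDN of the flattened entry is assumed to be uid=<sAMAccountName> (the guide says only that a simple DN is created), and the DNs and attribute values are constructed for illustration.

```python
"""Flatten an Active Directory user DN and apply ipaWinSyncUserAttr defaults.

Added example; not the winsync plug-in's code. Assumption: the flattened
entry's RDN is uid=<sAMAccountName>. All input values are constructed.
"""
import re


def split_dn(dn):
    """Split a DN into (attribute, value) pairs; commas escaped with a backslash stay in the value."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",")))
    return rdns


def flatten_ad_dn(ad_dn, sam_account_name, suffix):
    """Return (ipa_dn, ou_values): intervening OUs leave the DN but are kept for the entry."""
    ou_values = [value for attr, value in split_dn(ad_dn) if attr == "ou"]
    ipa_dn = f"uid={sam_account_name},cn=users,cn=accounts,{suffix}"   # assumed RDN form
    return ipa_dn, ou_values


def apply_user_attr_defaults(entry, defaults):
    """Add each ipaWinSyncUserAttr value only when the entry lacks that attribute entirely."""
    result = {attr: list(values) for attr, values in entry.items()}
    for attr, values in defaults.items():
        if not result.get(attr):
            result[attr] = list(values)      # multi-valued defaults are added in full
    return result


def sync_ad_user(ad_dn, sam_account_name, suffix, ad_attrs, defaults):
    """Build the flat IPA entry from an AD user: flatten the DN, keep the OUs, fill defaults."""
    ipa_dn, ou_values = flatten_ad_dn(ad_dn, sam_account_name, suffix)
    entry = {attr: list(values) for attr, values in ad_attrs.items()}
    if ou_values:
        entry["ou"] = ou_values
    return ipa_dn, apply_user_attr_defaults(entry, defaults)


if __name__ == "__main__":
    dn, entry = sync_ad_user(
        "cn=John Smith,ou=Development,ou=Engineering,cn=users,dc=example,dc=com",
        "jsmith", "dc=example,dc=com",
        {"sn": ["Smith"], "givenname": ["John"]},
        {"loginshell": ["/bin/sh"], "ou": ["Default"]})
    print(dn)
    print(entry)
```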
cn=users,cn=accounts,$SUFFIX, and for Active Directory, the default is CN=Users,$SUFFIX.
--win-subtree option. After the agreement is created, the Active Directory subtree can be changed by using the ldapmodify command to edit the nsds7WindowsReplicaSubtree value in the sync agreement entry.
$ ldapmodify -x -D "cn=directory manager" -w password
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: nsds7WindowsReplicaSubtree
nsds7WindowsReplicaSubtree: CN=People,DC=example,DC=com

modifying entry "cn=ipa-winsync,cn=plugins,cn=config"
ipa-replica-manage disconnect command and then the hostname of the Active Directory server.
# ipa-replica-manage disconnect adserver.example.com
# certutil -D -d /etc/dirsrv/slapd-EXAMPLE.COM/ -n "Imported CA"
"Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
/etc/dirsrv/slapd-DOMAIN/ directory) with the name Imported CA. This can be checked using certutil:
$ certutil -L -d /etc/dirsrv/slapd-DOMAIN/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,Cu
Imported CA                                                  CT,,C
Server-Cert                                                  u,u,u
Imported CA                                                  CT,,C
# certutil -d /etc/dirsrv/slapd-DOMAIN-NAME -D -n "Imported CA"
"Windows PassSync entry exists, not resetting password"
secpol.msc from the command line.
Password must meet complexity requirements option and save.

http://servername/certsrv.
.inf, using the fully-qualified domain name of the Active Directory as the certificate subject. For example:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=ad.server.example.com, O=Engineering, L=Raleigh, S=North Carolina, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
;-----------------------------------------------
.inf request file, see the Microsoft documentation, such as http://technet.microsoft.com/en-us/library/cc783835.aspx.
certreq -new request.inf request.req
certreq -submit request.req certnew.cer
http://servername/certsrv.
certreq -accept certnew.cer
PassSync.msi file from the Red Hat Enterprise Linux channels, and save it to the Active Directory machine.
PassSync.msi file to install it.
uid=passsync,cn=systemaccounts,cn=etc,dc=example,dc=com.
--passsync option when the sync agreement was created
ou=People,dc=example,dc=com

http://ipa.example.com/ipa/config/ca.crt.
cd "C:\Program Files\389 Directory Password Synchronization"
certutil.exe -d . -A -n "IPA.EXAMPLE.COM IPA CA" -t CT,, -a -i ipaca.crt
PasswordHook.dll is not enabled, and password synchronization will not function.
.msi.