
Chapter 6. Identity: Managing Hosts and Services

6.1. About Hosts, Services, and Machine Identity and Authentication
6.2. Adding Host Entries
6.2.1. Adding Host Entries from the Web UI
6.2.2. Adding Host Entries from the Command Line
6.3. Enrolling Clients Manually
6.3.1. Performing a Split Enrollment
6.3.2. Performing a Bulk or Kickstart Enrollment
6.4. Manually Unconfiguring Client Machines
6.5. Managing Services
6.5.1. Adding and Editing Service Entries and Keytabs
6.5.1.1. Adding Services and Keytabs from the Web UI
6.5.1.2. Adding Services and Keytabs from the Command Line
6.5.2. Adding Services and Certificates for Services
6.5.2.1. Adding Services and Certificates from the Web UI
6.5.2.2. Adding Services and Certificates from the Command Line
6.5.3. Storing Certificates in NSS Databases
6.5.4. Configuring Clustered Services
6.5.4.1. Configuring Kerberos Credentials for a Clustered Environment
6.5.5. Using the Same Service Principal for Multiple Services
6.6. Disabling Host and Service Entries
6.7. Extending Access Permissions over Other Hosts and Services
6.7.1. Delegating Service Management
6.7.2. Delegating Host Management
6.7.3. Accessing Delegated Services
6.8. Renaming Machines and Reconfiguring IPA Client Configuration
6.9. Managing Host Groups
6.9.1. Creating Host Groups
6.9.1.1. Creating Host Groups from the Web UI
6.9.1.2. Creating Host Groups from the Command Line
6.9.2. Adding Group Members
6.9.2.1. Adding Group Members from the Web UI
6.9.2.2. Adding Group Members from the Command Line
6.10. Troubleshooting Host Problems
6.10.1. Certificate Not Found/Serial Number Not Found Errors
6.10.2. Debugging Client Connection Problems
Both DNS and Kerberos are configured as part of the initial client configuration. This is required because these are the two services that bring the machine into the IPA domain and allow it to locate and authenticate the IPA server it will connect to. After the initial configuration, IPA provides tools to manage both of these services in response to changes in the domain services, changes in the IT environment, or changes on the machines themselves that affect the Kerberos, certificate, and DNS services, such as changing the client hostname.
This chapter describes how to manage identity services that relate directly to the client machine:

6.1. About Hosts, Services, and Machine Identity and Authentication

The basic function of an enrollment process is to create a host entry for the client machine in the IPA directory. This host entry is used to establish relationships between other hosts and even services within the domain. These relationships are part of delegating authorization and control to hosts within the domain.
A host entry contains all of the information about the client within IPA:
  • Service entries associated with the host
  • The host principal and the principals of the services on the host
  • Access control rules
  • Machine information, such as its physical location and operating system
Some services that run on a host can also belong to the IPA domain. Any service that can use a Kerberos principal or an SSL certificate (or both) can be configured as an IPA service. Adding a service to the IPA domain allows the service to request an SSL certificate or a keytab from the domain. (Only the certificate, which carries the public key, is stored in the service entry. The private key is generated and kept locally on the host running the service and is never sent to the IPA server.)
An IPA domain establishes a commonality between machines, with common identity information, common policies, and shared services. Any machine which belongs to a domain functions as a client of the domain, which means it uses the services that the domain provides. An IPA domain (as described in Section 1.2, “Bringing Linux Services Together”) provides three main services specifically for machines:
  • DNS
  • Kerberos
  • Certificate management
Machines are treated as another kind of identity managed by IPA. Clients use DNS to locate IPA servers, services, and domain members, and the identities of those machines, like user identities, are stored in the 389 Directory Server instance on the IPA server. Like users, machines authenticate to the domain using Kerberos or certificates to prove their identity.
From the machine perspective, there are several tasks that can be performed that access these domain services:
  • Joining the IPA domain (machine enrollment)
  • Managing DNS entries and zones
  • Managing machine authentication
Authentication in IPA includes machines as well as users. Machine authentication is required for the IPA server to trust the machine and to accept IPA connections from the client software installed on that machine. After authenticating the client, the IPA server can respond to its requests. IPA supports two different approaches to machine authentication:
  • Key tables (keytabs). A keytab file holds the host principal's long-term symmetric Kerberos key, which plays the same role as a user's password, so the file must be readable only by root. The host uses that key to obtain Kerberos tickets from the IPA KDC according to the Kerberos policies defined on the server; issuing the initial ticket, renewing the credentials, and destroying the Kerberos session are all handled by the IPA services. Managing Kerberos is covered in Chapter 12, Policy: Managing the Kerberos Domain.
  • Machine certificates. In this case, the machine uses an SSL certificate issued by the IPA server's certificate authority. The certificate is stored in IPA's Directory Server and on the machine, which presents it when it authenticates to the server. On the client, certificates (including their renewal) are managed by a service called certmonger, which is described in Chapter 18, Working with certmonger.
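The keytab described in the first bullet is a file with a documented binary layout (the MIT keytab format, version 0x0502). What follows is an added example, not code from the IPA documentation or from the FreeIPA project: a stand-alone Python parser that lists the principals, key version numbers (kvno) and encryption types in a keytab and flags deprecated encryption types, the check an administrator would run before trusting a client's /etc/krb5.keytab. The sample keytab bytes are constructed inline by a small writer function; the principal host/client.example.com@EXAMPLE.COM, the realm, the key bytes and the timestamp are all made-up values.

```python
"""Inspect an MIT Kerberos keytab (file format version 0x0502) without krb5 tools.

Added example, not from the IPA documentation. A keytab stores a principal's
long-term symmetric key, so anyone who can read the file can authenticate as
that principal; this parser lists what is inside and flags weak encryption
types the way an auditor would before trusting a host's keytab.
"""
import struct

# Encryption type numbers from RFC 3961 / RFC 3962 / RFC 4757 / RFC 8009.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# Single DES, 3DES and RC4 are deprecated (RFC 6649, RFC 8429); flag them.
WEAK_ENCTYPES = {1, 3, 16, 23}
KRB5_NT_PRINCIPAL = 1


def _cstr(b: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as a 0x0502 keytab.
    Used here only to construct sample input offline; real keytabs come from the KDC."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        # name type, timestamp, 8-bit kvno (the 32-bit kvno follows the key)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of dicts describing every live entry in the keytab bytes.
    Key material is measured but deliberately not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot; skip it
            pos += -size
            continue
        buf, off = data[pos:pos + size], 0

        def take(n):
            nonlocal off
            chunk = buf[off:off + n]
            off += n
            return chunk

        def cstr():
            (n,) = struct.unpack(">H", take(2))
            return take(n)

        (ncomp,) = struct.unpack(">H", take(2))
        realm = cstr().decode()
        comps = [cstr().decode() for _ in range(ncomp)]
        name_type, ts, kvno = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        key = cstr()
        if len(buf) - off >= 4:    # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", take(4))
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm, "name_type": name_type,
            "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}"),
            "timestamp": ts, "key_len": len(key),
        })
        pos += size
    return entries


def weak_entries(entries):
    """Entries whose key is for a deprecated encryption type."""
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample: a host keytab with one AES key and one leftover RC4 key.
SAMPLE_KEYTAB = build_keytab([
    ("host/client.example.com@EXAMPLE.COM", 2, 18, bytes(range(32)), 1700000000),
    ("host/client.example.com@EXAMPLE.COM", 2, 23, bytes(range(16)), 1700000000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['kvno']:>4}  {e['principal']:<40} {e['enctype_name']}")
    for e in weak_entries(parse_keytab(SAMPLE_KEYTAB)):
        print("WEAK:", e["principal"], e["enctype_name"])
```

On a real client, `klist -kt /etc/krb5.keytab` prints the same listing (without the key material), and `ipa-getkeytab` fetches a fresh key from the IPA server with an incremented kvno, which invalidates the previous key and is the remedy when a keytab is suspected to have leaked. Because the file contains the long-term key itself rather than a hash of it, read access to the file is equivalent to knowing the host's password; the parser therefore reports key lengths but never emits key bytes.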