2.2. Configuring a Red Hat Enterprise Linux System as an IPA Client
There are two elements to prepare before beginning the client setup process for the Red Hat Enterprise Linux client:
- There must be a way to connect the client machine to the Kerberos domain, either by having an available Kerberos identity (such as the admin user) or by manually adding the client machine to the KDC on the server with a one-time password before beginning the enrollment process for the client machine.
- If there is an Active Directory server on the same network that serves DNS records, the Active Directory DNS records could prevent the client from automatically detecting the IPA server address. The ipa-client-install script retrieves the Active Directory DNS records instead of any records that were added for IPA. In this case, it is necessary to pass the IPA server address directly to the ipa-client-install script.
To configure the client:
- Install the client packages. These packages provide a simple way to configure the system as a client; they also install and configure SSSD.
# yum install ipa-client
- If the IPA server is configured as the DNS server and is in the same domain as the client, add the server's IP address as the first entry in the client's /etc/resolv.conf file.
Note
If every machine in the domain will be an IPA client, then add the IPA server address to the DHCP configuration.
- Run the client setup command.
# ipa-client-install --enable-dns-updates
The --enable-dns-updates option updates DNS with the client machine's IP address. This option should only be used if the IPA server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol.
When using the --server option to specify the IPA server to register with, the server name must be a fully-qualified domain name.
Important
This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
Note
There is an --on-master option that is used as part of configuring an IPA server (which is also an IPA client, since it is within the domain). This option should never be used when configuring a regular IPA client, because it results in a slightly different client configuration which may not work on a machine that is not an IPA server.
- If prompted, enter the domain name for the IPA's DNS domain.
DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com): example.com
- If prompted, enter the fully-qualified domain name of the IPA server. Alternatively, use the --server option with the client installation script to supply the fully-qualified domain name of the IPA server.
DNS discovery failed to find the IPA Server
Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com
Important
This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
- The client script then prompts for a Kerberos identity to use to contact and then join the Kerberos realm. When these credentials are supplied, the client is able to join the IPA Kerberos domain and complete the configuration:
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
- Test that the client can connect successfully to the IPA domain and can perform basic tasks. For example, check that the IPA tools can be used to get user and group information:
$ id
$ getent passwd userID
$ getent group ipausers
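The naming and resolver rules stated in the enrollment steps above (a fully-qualified hostname with only letters, digits and hyphens, and the IPA server first in /etc/resolv.conf) can be checked before running ipa-client-install. This is an added example, not code from the Red Hat guide; the IPA server address 192.0.2.10 and the resolv.conf content are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: checks the naming and resolver
# rules this section states before running ipa-client-install.
# Assumption: the IPA server's IP address is supplied by the caller.

# valid_dns_name NAME: labels may contain only letters, digits and hyphens,
# may not start or end with a hyphen, and the name must be fully qualified
# (at least two labels). Underscores and bare hostnames are rejected.
valid_dns_name() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# first_nameserver FILE: print the first nameserver listed in a resolv.conf
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# check_resolver FILE IPA_IP: succeed only if IPA_IP is the first nameserver
check_resolver() {
    [ "$(first_nameserver "$1")" = "$2" ]
}

# precheck CLIENT_FQDN SERVER_FQDN IPA_IP RESOLV_CONF: run every check,
# report each failure, and return non-zero if any check failed
precheck() {
    rc=0
    valid_dns_name "$1" || { echo "client hostname is not a valid FQDN: $1"; rc=1; }
    valid_dns_name "$2" || { echo "--server value is not a valid FQDN: $2"; rc=1; }
    check_resolver "$4" "$3" || { echo "$3 is not the first nameserver in $4"; rc=1; }
    return $rc
}

# Constructed sample resolv.conf; 192.0.2.10 stands in for the IPA server.
# On a real client, pass "$(hostname -f)" and /etc/resolv.conf instead.
sample=$(mktemp)
printf 'search example.com\nnameserver 192.0.2.10\n' > "$sample"
precheck client.example.com ipaserver.example.com 192.0.2.10 "$sample" &&
    echo "pre-enrollment checks passed"
rm -f "$sample"
```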
- Set up NFS to work with Kerberos.
Note
To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file:
RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"
- On an IPA server, add an NFS service principal for the NFS client.
# ipa service-add nfs/ipaclient.example.com@EXAMPLE
Note
This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
- On the IPA server, obtain a keytab for the NFS service principal.
# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
Note
Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the -e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
- Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines:
# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
- Copy the keytab from the IPA server to the IPA client. For example:
# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
- Configure the /etc/exports file on the NFS server.
/ipashare gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
- On the client, mount the NFS share. Use the same -o sec setting as is used in the /etc/exports file for the NFS server.
[root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare