2.3. Manually Configuring a Linux Client
The
ipa-client-install
command automatically configures services like Kerberos, SSSD, PAM, and NSS. However, if the ipa-client-install
command cannot be used on a system for some reason, then the IPA client entries and the services can be configured manually.
- Install SSSD 1.5.x or later, if it is not already installed.
- On an IPA server. Create a host entry for the client.
$ ipa host-add --force --ip-address=192.168.166.31 client1.example.com
- On an IPA server. Create keytabs for the client.
- Log in as IPA; administrator.
$ kinit admin
- Set the client host to be managed by the server.
$ ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com
- Generate the keytab for the client.
# ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab
- Copy the keytab to the client machine and rename it
/etc/krb5.ketab
.Note
If there is an existing/etc/krb5.ketab
that should be preserved, the two files can be combined usingktutil
. - Set the correct user permissions and, if necessary, SELinux contexts for the
/etc/krb5.ketab
file.chown root:root 0600 system_u:object_r:krb5_keytab_t:s0
- Configure SSSD by editing the
/etc/sssd/sssd.conf
file to point to the IPA domain.[sssd] config_file_version = 2 services = nss, pam domains = example.com [nss] [pam] [domain/example.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = client1.example.com chpass_provider = ipa ipa_server = ipaserver.example.com ldap_tls_cacert = /etc/ipa/ca.crt
- Configure NSS to use SSSD for passwords, groups, users, and netgroups.
vim /etc/nsswitch.conf ... passwd: files sss shadow: files sss group: files sss ... netgroup: files sss ...
- Configure the
/etc/krb5.conf
file to point to the IPA KDC.[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes allow_weak_crypto = true [realms] EXAMPLE.COM = { kdc = ipaserver.example.com:88 admin_server = ipaserver.example.com:749 default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
- Update the
/etc/pam.d
configuration to use thepam_sss.so
modules.- For
/etc/pam.d/fingerprint-auth
:... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... session optional pam_sss.so
- For
/etc/pam.d/system-auth
:... auth sufficient pam_sss.so use_first_pass ... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... password sufficient pam_sss.so use_authtok ... session optional pam_sss.so
- For
/etc/pam.d/password-auth
:... auth sufficient pam_sss.so use_first_pass ... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... password sufficient pam_sss.so use_authtok ... session optional pam_sss.so
- For
/etc/pam.d/smartcard-auth
:... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... session optional pam_sss.so
- Set up NFS to work with Kerberos.
Note
To help troubleshoot potential NFS setup errors, enable debug information in the/etc/sysconfig/nfs
file.RPCGSSDARGS="-vvv" RPCSVCGSSDARGS="-vvv"
- On an IPA server, add an NFS service principal for the NFS client.
# ipa service-add nfs/ipaclient.example.com@EXAMPLE
Note
This must be run from a machine with the ipa-admintools package installed so that theipa
command is available. - On the IPA server, obtain a keytab for the NFS service principal.
# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
Note
Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the-e des-cbc-crc
option to theipa-getkeytab
command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.When using DES keys, all clients and servers that rely on this encryption type need to have theallow_weak_crypto
option enabled in the[libdefaults]
section of the/etc/krb5.conf
file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client'srpc.gssd
and the server'srpc.svcgssd
daemons may log errors indicating that DES encryption types are not permitted. - Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines:
# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
- Copy the keytab from the IPA server to the IPA client. For example:
# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
- Configure the
/etc/exports
file on the NFS server./ipashare gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
- On the client, mount the NFS share.
- Always specify the share as nfs_server:/ /mountpoint.
- Use the same
-o sec
setting as is used in the/etc/exports
file for the NFS server.
[root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare