Este contenido no está disponible en el idioma seleccionado.
Configuring Identity Management
Managing Identity and Authorization Policies for Linux-Based Infrastructures
Edition 2.1.4
Abstract
Preface
1. Audience and Purpose
2. Examples and Formatting
2.1. Brackets
[]
) are used to indicate an alternative element in a name. For example, if a tool is available in /usr/lib
on 32-bit systems and in /usr/lib64
on 64-bit systems, then the tool location may be represented as /usr/lib[64]
.
2.2. Client Tool Information
/usr/bin
and the /usr/sbin
directories.
ldapmodify
and ldapsearch
, are from OpenLDAP. OpenLDAP tools use SASL connections by default. To perform a simple bind using a username and password, use the -x
argument to disable SASL.
2.3. Text Formatting and Styles
Formatting Style | Purpose |
---|---|
Monospace with a background | This type of formatting is used for anything entered or returned in a command prompt. |
Italicized text | Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase. |
Bolded text | Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or button. This can also indicate a file, package, or directory name, such as /usr/sbin . |
Note
Important
Warning
3. Document Change History
Revision History | |||
---|---|---|---|
Revision 2.1.4-15.400 | 2013-10-31 | ||
| |||
Revision 2.1.4-15 | 2012-07-18 | ||
| |||
Revision 5.8-0 | December 15, 2011 | ||
|
Chapter 1. Introduction to Identity Management
1.1. A Working Definition for Identity Management
- Create a Linux-based and Linux-controlled domain. Both IPA servers and IPA clients are Linux or Unix machines. While IPA can synchronize data with an Active Directory domain to allow integration with Windows servers, it is not an administrative tools for Windows machines and it does not support Windows clients. Identity Management is a management tool for Linux domains.
- Centralize identity management and identity policies.
- Build on existing, native Linux applications and protocols. While IPA has its own processes and configuration, its underlying technologies are familiar and trusted by Linux administrators and are well established on Linux systems.
1.2. Relationships Between Servers and Clients
Figure 1.1. Server and Client Interactions
- Store IPA information when the machine is offline.
- Keep information active beyond its normal timeout period if the client cannot access the central server. The cache is persistent even after rebooting the machine.
- Reduce the round-trip time of requests by checking information locally before looking at the server.
- Identity information (about users, machines, and groups) is stored in the LDB database, which uses the same syntax as an LDAP directory. This identity information is originally stored in the IPA server's 389 Directory Server instance. Because this information changes frequently and is referenced frequently, it is important to be able to call the more current information quickly, which is possible using an LDB database on the client and the Directory Server on the server.
- Policy information is more static than identity information, and it can include configuration for SELinux or sudo. These policies are set globally on the server and then are propagated to the clients. On the client, the policy information is stored in the filesystem in XML files which can be downloaded and converted into a native file for whatever service is being managed.
Figure 1.2. Interactions Between IPA Services
- SSSD provides the user authentication for the machine and enforces host-based access control rules.
certmonger
monitors and renews the certificates on the client. It can request new certificates for the services on the system, including virtual machines.
certmonger
are configured to connect to the IPA server and the required Kerberos keytab and host certificates are created. (The host certificate is not used directly by IPA; it may be used by other services, such as a web server.)
Chapter 2. Setting up Systems as IPA Clients
Note
Note
2.1. What Happens in Client Setup
- Retrieve the CA certificate for the IPA CA.
- Create a separate Kerberos configuration to test the provided credentials. This enables a Kerberos connection to the IPA XML-RPC server, necessary to join the IPA client to the IPA domain. This Kerberos configuration is ultimately discarded.Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example, this is the Kerberos configuration for Red Hat Enterprise Linux systems:
[libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false forwardable = yes ticket_lifetime = 24h [realms] EXAMPLE.COM = { kdc = ipaserver.example.com:88 admin_server = ipaserver.example.com:749 } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
- Run the
ipa-join
command to perform the actual join - Obtain a service principal for the host service and installs it into
/etc/krb5.keytab
. For example,host/ipa.example.com@EXAMPLE.COM
. - Enable certmonger, retrieve an SSL server certificate, and install the certificate in
/etc/pki/nssdb
. - Disable the nscd daemon.
- Configures SSSD or LDAP/KRB5, including NSS and PAM configuration files.
- Configure NTP.
2.2. Configuring a Red Hat Enterprise Linux System as an IPA Client
- There must be a way to connect the client machine to the Kerberos domain, either by having an available Kerberos identity (such as the admin user) or by manually adding the client machine to the KDC on the server with a one-time password before beginning the enrollment process for the client machine.
- If there is an Active Directory server on the same network that serves DNS records, the Active Directory DNS records could prevent the client from automatically detecting the IPA server address. The
ipa-client-install
script retrieves the Active Directory DNS records instead of any records that were added for IPA.In this case, it is necessary to pass the IPA server address directly to theipa-client-install
script.
- Install the client packages. These packages provide a simple way to configure the system as a client; they also install and configure SSSD.
# yum install ipa-client
- If the IPA server is configured as the DNS server and is in the same domain as the client, add the server's IP address as the first entry in the client's
/etc/resolv.conf
file.Note
If every machine in the domain will be an IPA client, then add the IPA server address to the DHCP configuration. - Run the client setup command.
# ipa-client-install --enable-dns-updates
The--enable-dns-updates
option updates DNS with the client machine's IP address. This option should only be used if the IPA server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol.When using the--server
option to specify the IPA server to register with, the server name must be a fully-qualified domain name.Important
This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.Note
There is an--on-master
option that is used as part of configuring an IPA server (which also is an IPA client, since it is within the domain). This option should never be used when configuring a regular IPA client, because it results in slightly different client configuration which may not work on a non-IPA server machine. - If prompted, enter the domain name for the IPA's DNS domain.
DNS discovery failed to determine your DNS domain Please provide the domain name of your IPA server (ex: example.com): example.com
- If prompted, enter the fully-qualified domain name of the IPA server. Alternatively, use the
--server
option with the client installation script to supply the fully-qualified domain name of the IPA server.DNS discovery failed to find the IPA Server Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com
Important
This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures. - The client script then prompts for a Kerberos identity to use to contact and then join the Kerberos realm. When these credentials are supplied, then the client is able to join the IPA Kerberos domain and then complete the configuration:
Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Password for admin@EXAMPLE.COM: Enrolled in IPA realm EXAMPLE.COM Created /etc/ipa/default.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm EXAMPLE.COM SSSD enabled Kerberos 5 enabled NTP enabled Client configuration complete.
- Test that the client can connect successfully to the IPA domain and can perform basic tasks. For example, check that the IPA tools can be used to get user and group information:
$ id $ getent passwd userID $ getent group ipausers
- Set up NFS to work with Kerberos.
Note
To help troubleshoot potential NFS setup errors, enable debug information in the/etc/sysconfig/nfs
file.RPCGSSDARGS="-vvv" RPCSVCGSSDARGS="-vvv"
- On an IPA server, add an NFS service principal for the NFS client.
# ipa service-add nfs/ipaclient.example.com@EXAMPLE
Note
This must be run from a machine with the ipa-admintools package installed so that theipa
command is available. - On the IPA server, obtain a keytab for the NFS service principal.
# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
Note
Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the-e des-cbc-crc
option to theipa-getkeytab
command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.When using DES keys, all clients and servers that rely on this encryption type need to have theallow_weak_crypto
option enabled in the[libdefaults]
section of the/etc/krb5.conf
file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client'srpc.gssd
and the server'srpc.svcgssd
daemons may log errors indicating that DES encryption types are not permitted. - Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines:
# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
- Copy the keytab from the IPA server to the IPA client. For example:
# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
- Configure the
/etc/exports
file on the NFS server./ipashare gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
- On the client, mount the NFS share. Use the same
-o sec
setting as is used in the/etc/exports
file for the NFS server.[root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
2.3. Manually Configuring a Linux Client
ipa-client-install
command automatically configures services like Kerberos, SSSD, PAM, and NSS. However, if the ipa-client-install
command cannot be used on a system for some reason, then the IPA client entries and the services can be configured manually.
- Install SSSD 1.5.x or later, if it is not already installed.
- On an IPA server. Create a host entry for the client.
$ ipa host-add --force --ip-address=192.168.166.31 client1.example.com
- On an IPA server. Create keytabs for the client.
- Log in as IPA; administrator.
$ kinit admin
- Set the client host to be managed by the server.
$ ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com
- Generate the keytab for the client.
# ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab
- Copy the keytab to the client machine and rename it
/etc/krb5.ketab
.Note
If there is an existing/etc/krb5.ketab
that should be preserved, the two files can be combined usingktutil
. - Set the correct user permissions and, if necessary, SELinux contexts for the
/etc/krb5.ketab
file.chown root:root 0600 system_u:object_r:krb5_keytab_t:s0
- Configure SSSD by editing the
/etc/sssd/sssd.conf
file to point to the IPA domain.[sssd] config_file_version = 2 services = nss, pam domains = example.com [nss] [pam] [domain/example.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = client1.example.com chpass_provider = ipa ipa_server = ipaserver.example.com ldap_tls_cacert = /etc/ipa/ca.crt
- Configure NSS to use SSSD for passwords, groups, users, and netgroups.
vim /etc/nsswitch.conf ... passwd: files sss shadow: files sss group: files sss ... netgroup: files sss ...
- Configure the
/etc/krb5.conf
file to point to the IPA KDC.[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes allow_weak_crypto = true [realms] EXAMPLE.COM = { kdc = ipaserver.example.com:88 admin_server = ipaserver.example.com:749 default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
- Update the
/etc/pam.d
configuration to use thepam_sss.so
modules.- For
/etc/pam.d/fingerprint-auth
:... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... session optional pam_sss.so
- For
/etc/pam.d/system-auth
:... auth sufficient pam_sss.so use_first_pass ... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... password sufficient pam_sss.so use_authtok ... session optional pam_sss.so
- For
/etc/pam.d/password-auth
:... auth sufficient pam_sss.so use_first_pass ... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... password sufficient pam_sss.so use_authtok ... session optional pam_sss.so
- For
/etc/pam.d/smartcard-auth
:... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... session optional pam_sss.so
- Set up NFS to work with Kerberos.
Note
To help troubleshoot potential NFS setup errors, enable debug information in the/etc/sysconfig/nfs
file.RPCGSSDARGS="-vvv" RPCSVCGSSDARGS="-vvv"
- On an IPA server, add an NFS service principal for the NFS client.
# ipa service-add nfs/ipaclient.example.com@EXAMPLE
Note
This must be run from a machine with the ipa-admintools package installed so that theipa
command is available. - On the IPA server, obtain a keytab for the NFS service principal.
# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
Note
Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the-e des-cbc-crc
option to theipa-getkeytab
command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.When using DES keys, all clients and servers that rely on this encryption type need to have theallow_weak_crypto
option enabled in the[libdefaults]
section of the/etc/krb5.conf
file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client'srpc.gssd
and the server'srpc.svcgssd
daemons may log errors indicating that DES encryption types are not permitted. - Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines:
# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
- Copy the keytab from the IPA server to the IPA client. For example:
# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
- Configure the
/etc/exports
file on the NFS server./ipashare gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
- On the client, mount the NFS share.
- Always specify the share as nfs_server:/ /mountpoint.
- Use the same
-o sec
setting as is used in the/etc/exports
file for the NFS server.
[root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
2.4. Performing a Split Enrollment
ipa-client-install
command. It is also possible to perform those steps separately; this allows for administrators to prepare machines and IPA in advance of actually configuring the clients. This allows more flexible setup scenarios, including bulk deployments.
Note
ipa-client-install
command and allowing it to create the host. However, that administrator may have the right to run the command after a host entry exists. In that case, one administrator can create the host entry manually, then the second administrator can complete the enrollment by running the ipa-client-install
command.
- An administrator creates the host entry on the IPA server.
- The second administrator installs the IPA client packages on the machine, as in Section 2.2, “Configuring a Red Hat Enterprise Linux System as an IPA Client”.
- When the second administrator runs the setup script, he must pass his Kerberos password and username (principal) with the
ipa-client-install
command. For example:$ ipa-client-install -w secret -p admin2
- The keytab is generated on the server and provisioned to the client machine, so that the client machine is not able to connect to the IPA domain. The keytab is saved with
root:root
ownership and 0600 permissions.
Chapter 3. Basic Usage
3.1. Looking at the IPA UI
- It shows instant, visual relationships between entries (such as a user and all the groups, sudo rules, netgroups, and policies which are associated with that user).
- All entries are listed immediately without having to run a search. This makes it possible to browse entries. The UI also has a simple search box which quickly filters the list of entries.
- The interface is intuitive to use, without having to learn the command-line tools.
- The web UI can be accessed from machines outside the IPA domain, so the domain can be managed from anywhere.Using the web UI requires a valid Kerberos ticket for the IPA domain (by default), meaning that it can only be accessed from a machine within the IPA domain. Alternatively, the web UI can be configured to allow password authentication along with Kerberos authentication (Section 3.3.5, “Enabling Username/Password Authentication in Your Browser”), or a machine outside the IPA can be configured to work with Kerberos (Section 3.3.4, “Using a Browser on Another System”).
3.1.1. The UI Layout
Main Menu Tab | Configuration Areas |
---|---|
Identity |
|
Policy |
|
Access controls within Identity Management |
|
Figure 3.1. The Main Menu
Figure 3.2. List View
Figure 3.3. Form/Entry View
3.1.2. Page Elements
Figure 3.4. Active Task Link
Figure 3.5. Entry Breadcrumbs
Figure 3.6. Collapsing and Expanding Form Elements
Figure 3.7. Add an Attribute
Figure 3.8. Undo Edits
3.1.3. Showing and Changing Group Members
3.1.4. Looking at Search Results
3.2. Logging into IPA
kinit
.
kinit
issues the user a Kerberos ticket. This ticket is checked by any IPA or Kerberos-aware service, so that a user only needs to log in once to access all domain services. Domain services include the IPA web UI, mounted file shares, wikis, or any other application which uses IPA as its identity/authentication store.
3.2.1. Logging into IPA
kinit
on a client within the IPA domain.
$ kinit
kinit
command must be run from a machine which has been configured as a client within the IPA domain, so that the client retrieves authenticates with the IPA KDC.
kinit
logs into IPA as the currently logged-in user account. This user account must also be an IPA user for them to authenticate to the IPA Kerberos domain successfully. For example, if you are logged into the machine as jsmith
:
$ kinit Password for jsmith@EXAMPLE.COM:
Note
pam_krb5
is configured on the IPA client machine, then when a user logs into the machine, a ticket is created which can be used for machine services which require authentication, such as sudo
.
3.2.2. Logging in When an IPA User Is Different Than the System User
kinit
command, specifying the new user. For example:
$ kinit userName Password for userName@EXAMPLE.COM:
admin
, is created to perform normal administrative activities. To authenticate as the admin user, use the name admin when running kinit
:
$ kinit admin
Note
3.2.3. Checking the Current Logged in User
klist
command to verify the identity and the ticket granting ticket (TGT) from the server:
$ klist Ticket cache: FILE:/tmp/krb5cc_500 Default principal: ipaUser@EXAMPLE.COM Valid starting Expires Service principal 11/10/08 15:35:45 11/11/08 15:35:45 krbtgt/EXAMPLE.COM@EXAMPLE.COM Kerberos 4 ticket cache: /tmp/tkt500 klist: You have no tickets cached
kinit
have some limitation, one of them being that the current ticket is overwritten with any new invocation of kinit
. Authenticating as User A and then authenticating as User B overwrites User A's ticket.
KRB5CCNAME
environment variable. This variable keeps credential caches separate in different shells.
3.2.4. Caching User Kerberos Tickets
admin
, added a new user, set the password, and then tried to authenticate as that user, the administrator's ticket is lost.
KRB5CCNAME
, can be used.
3.3. Using the IPA Web UI
3.3.1. Supported Web Browsers
3.3.2. Opening the IPA Web UI
- Get a valid Kerberos ticket using
kinit
, as in Section 3.2, “Logging into IPA”. - Open the IPA URL. The full URL is
https://
IPAserver-FQDN/ipa/ui
, but this service is also accessed simply by openinghttps://
IPAserver-FQDN. For example:https://server.example.com https://server.example.com/ipa/ui
3.3.3. Configuring the Browser
Figure 3.10. Kerberos Authentication Error
- Click the follow these directions link.
- Click the link to import the CA certificate for the IPA server.
- Set the web site and software developer (first and last) trust bits for the CA certificate.
- Click the Configure Firefox button. This automatically fills out all the
negotiate
settings in the Firefox configuration to use the IPA domain settings.When the process is complete, a success box pops up saying that Firefox has been configured for single sign-on. For there, you are redirected to the IPA web UI.
- Open Firefox.
- Type
about:config
in the address bar. - In the Search field, type
negotiate
to filter out the Kerberos-related parameters. - On Red Hat Enterprise Linux, enter the domain name for the URI parameters, including the preceding period (.) and set the
gsslib
parameter to true:network.negotiate-auth.trusted-uris .example.com network.negotiate-auth.delegation-uris .example.com network.negotiate-auth.using-native-gsslib true
- Open the web UI by going to the fully-qualified domain name of the IPA server such as
http://ipaserver.example.com
. Make sure that you can open the web UI and that there are no Kerberos authentication errors. - Next, download the IPA server's CA certificate from
http://ipa.example.com/ipa/config/ca.crt
. - Select the first (Trust this CA to identify web sites) and third (Trust this CA to identify software developers) check boxes.
3.3.4. Using a Browser on Another System
kinit
, and then the user can authenticate against the IPA server domain.
- Copy the
/etc/krb5.conf
file from the IPA server.# scp /etc/krb5.conf root@externalmachine.example.com:/etc/krb5_ipa.conf
Warning
Do not overwrite the existingkrb5.conf
file. - On the external machine, set the terminal session to use the copied IPA Kerberos configuration file:
$ export KRB5_CONFIG=/etc/krb5_ipa.conf
- Configure Firefox on the external machine as in Section 3.3.3, “Configuring the Browser”.
3.3.5. Enabling Username/Password Authentication in Your Browser
- Open the
ipa.conf
file used by the Apache web service.vim /etc/httpd/conf.d/ipa.conf
- In the
<Location "/ipa">
location definition, change theKrbMethodK5Passwd
attribute from off to on.KrbMethodK5Passwd on
- Restart the
httpd
service:# service httpd restart
Figure 3.11. IPA Password Prompt
Note
3.3.6. Using the UI with Proxy Servers
3.3.7. Troubleshooting UI Connection Problems
- Close all browser windows.
- In a terminal, set the new log levels for Firefox:
export NSPR_LOG_MODULES=negotiateauth:5 export NSPR_LOG_FILE=/tmp/moz.log
This enables verbose logging and logs all information to/tmp/moz.log
. - Restart the browser from the same terminal window and attempt t .
Error Log Message | Description and Fix |
---|---|
-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken() -1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure No credentials cache found | There are no Kerberos tickets. Run kinit . |
-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken() -1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure Server not found in Kerberos database | This can occur when you have successfully obtained Kerberos tickets but are still unable to authenticate to the UI. This indicates that there is a problem with the Kerberos configuration. The first place to check is the [domain_realm] section in the /etc/krb5.conf file. Make sure that the IPA Kerberos domain entry is correct and matches the configuration in the Firefox negotiation parameters. For example:
.example.com = EXAMPLE.COM example.com = EXAMPLE.COM |
Nothing is in the log file. | It is possible that you are behind a proxy which is removing the HTTP headers required for negotiate authentication. Try to connect to the server using HTTPS instead, which allows the request to pass through unmodified. Then check the log file again. |
Chapter 4. Configuring Red Hat Enterprise Linux 5 Servers for IPA Domain Services
4.1. Client Configuration for sudo Rules
- Configure
sudo
to look to LDAP for thesudoers
file.vim /etc/nsswitch.conf sudoers: files ldap
Leaving thefiles
option in place allowssudo
to check its local configuration before checking the LDAP-based IPA configuration. - Enable debug logging for
sudo
operations in the/etc/ldap.conf
file. If this file does not exist, it can be created.vim /etc/ldap.conf sudoers_debug: 1
Note
Adding thesudoers_debug
parameter helps with troubleshooting. Valid values for this parameter are 0,http://jboss-on-docs.etherpad.corp.redhat.com/10 1, and 2. Thesudo
documentation at http://www.gratisoft.us/sudo/readme_ldap.html has more information on debugging the process. - Optionally, enable debugging in SSSD to show what LDAP settings it is using.
vim /etc/sssd/sssd.conf [domain/IPADOMAIN] debug_level = 6 ....
The LDAP search base used by SSSD for operations is recorded in thesssd_
DOMAINNAME.log
log. - Edit the NSS/LDAP configuration file and add the following
sudo
-related lines to the/etc/nss_ldap.conf
file:sudoers_base ou=SUDOers,dc=example,dc=com binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com bindpw sudo_password ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://ipaserver.example.com ldap://backup.example.com:3890
Multiple LDAP servers can be configured in a space-separated list, and other options (like SSL and non-standard ports) can be used with the LDAP URL. Thesudo
LDAP configuration is covered in thesudo
manpages, http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html.Important
Theuri
directive must give the fully-qualified domain name of the LDAP server, not an IP address. Otherwise,sudo
fails to connect to the LDAP server. - Create a symlink between the
nss_ldap
module configuration file and the system LDAP configuration file:# ln -s /etc/nss_ldap.conf /etc/ldap.conf
- Set a name for the NIS domain in the
sudo
configuration.sudo
uses NIS netgroups, so the NIS domain name must be set in the system configuration forsudo
to be able to find the host groups used in the IPAsudo
configuration.- Open the
/etc/rc.d/rc.local
file. Setting the NIS domain name in this file allows the value to persist between reboots.# vim /etc/rc.d/rc.local
- Add the command to set the NIS domain name.
nisdomainname example.com
Important
Even thoughsudo
uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, sosudo
requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.
4.2. Configuring autofs
- Edit the
/etc/sysconfig/autofs
file to specify the schema attributes that autofs searches for:# # Other common LDAP naming # MAP_OBJECT_CLASS="automountMap" ENTRY_OBJECT_CLASS="automount" MAP_ATTRIBUTE="automountMapName" ENTRY_ATTRIBUTE="automountKey" VALUE_ATTRIBUTE="automountInformation"
- Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:
LDAP_URI="ldap:///dc=example,dc=com"
Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:LDAP_URI="ldap://ipa.example.com" SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com"
Note
The default value for location isdefault
. If additional locations are added, then the client can be pointed to use those locations, instead. - Edit the
/etc/autofs_ldap_auth.conf
file so that autofs allows client authentication with the IPA LDAP server. Changeauthrequired
to yes and set the principal to the Kerberos host principal:<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="yes" authtype="GSSAPI" clientprinc="host/server.example.com@EXAMPLE COM" />
If necessary, runklist -k
to get the exact host principal information. - Check the
/etc/nssswitch.conf
file, so that LDAP is listed as a source for automount configuration:automount: files
ldap
- Restart autofs:
# service autofs restart
- Test the configuration by listing a user's
/home
directory:# ls /home/userName
If this does not mount the remote file system, check the/var/log/messages
file for errors. If necessary, increase the debug level in the/etc/sysconfig/autofs
file by setting theLOGGING
parameter todebug
.
Note
automount -f -dThis prints the debug log information directly, without having to cross-check the LDAP access log with automount's log.
4.3. Setting up NFS
4.3.1. Setting up a Kerberized NFS Server
- If the NFS host machine has not been added as a client to the IPA domain, then create the host entry.
- Create the NFS service entry in the IPA domain.
- Generate an NFS service keytab for the NFS server. If this command is run on the NFS server, then save the keys directly to the host keytab. For example:
# ipa-getkeytab -s server.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab -e des-cbc-crc
Note
Only DES keys are supported on Red Hat Enterprise Linux 5.If this command is run on a different machine:- Save the keytab to a temporary file. For example:
... -k /tmp/nfs.keytab
- Copy the keytabs over to the NFS machine.
- Set the file permissions to 0700.
- On the NFS host machine, add the service key to the keytab file.
# ( echo rkt /tmp/nfs.keytab; echo wkt /etc/krb5.keytab) |ktutil
- Install the NFS packages. For example:
# yum install nfs-utils
- Edit the
krb5.conf
file to allow weak crypto. This is required for every NFS client if any client in the domain will use older encryption options like DES.# vim /etc/krb5.conf allow_weak_crypto = true
- Edit the NFS server configuration to use NFSv4 security by uncommenting the
SECURE_NFS
line.# vim /etc/sysconfig/nfs SECURE_NFS="yes"
- If the NFS server and client are in different DNS domains, then configure the NFS domain.
# vim /etc/idmapd.conf Domain = example.com
- Edit the
/etc/exports
file and add the Kerberos information:/export *(rw,sec=sys:krb5:krb5i:krb5p)
- Restart the NFS server.
# service nfs restart
- Configure the NFS server as an NFS client, following the directions in Section 4.3.2, “Setting up a Kerberized NFS Client”.
4.3.2. Setting up a Kerberized NFS Client
- If the NFS client is not enrolled as a client in the IPA domain, then set up the required host entries.
- Create the host entry.
- Generate host keytab for the NFS client. If this command is run on the NFS clien, then save the keys directly to the host keytab. For example:
# ipa-getkeytab -p host/nfs-client-server.example.com@EXAMPLE.COM -k /etc/krb5.keytab -e des-cbc-crc
Note
Only DES keys are supported on Red Hat Enterprise Linux 5.If this command is run on a different machine:- Save the keytab to a temporary file. For example:
... -k /tmp/nfs.keytab
- Copy the keytabs over to the NFS machine.
- Set the file permissions to 0700.
- On the NFS host machine, add the service key to the keytab file.
# ( echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab) |ktutil
- Edit the
krb5.conf
file to allow weak crypto. This is required for every client if any client in the domain will use older encryption options like DES.# vim /etc/krb5.conf allow_weak_crypto = true
- Edit the NFS common configuration to enable client-side secure NFS, by uncommenting the
SECURE_NFS
line.# vim /etc/sysconfig/nfs SECURE_NFS="yes"
- If the NFS server and client are in different DNS domains, then configure the NFS domain. The
idmapd.conf
must be the same on the NFS client as it is on the NFS server.# vim /etc/idmapd.conf Domain = example.com
- Start the GSS daemon.
# service rpc.gssd start
- Mount the directory.
# echo "$NFSSERVER:/this /mnt/this nfs4 sec=krb5i,rw,proto=tcp,port=2049" >>/etc/fstab # mount -av
Index
K
- Kerberos
- separate credentials cache, Caching User Kerberos Tickets
L
- logging in
- separate credentials cache, Caching User Kerberos Tickets
P
- port forwarding
- for the UI, Using the UI with Proxy Servers
- proxy servers
- for the UI, Using the UI with Proxy Servers
U
- users
- separate credentials cache, Caching User Kerberos Tickets
W
- web UI
- port forwarding, Using the UI with Proxy Servers
- proxy servers, Using the UI with Proxy Servers