Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

5.4. Manually Configuring a Linux Client

The ipa-client-install command automatically configures services like Kerberos, SSSD, PAM, and NSS. However, if the ipa-client-install command cannot be used on a system for some reason, then the IdM client entries and the services can be configured manually.

5.4.1. Setting up an IdM Client (Full Procedure)
Copia collegamento

  1. Install SSSD, if it is not already installed.
  2. Optional. Install the IdM tools so that administrative tasks can be performed from the host. 
    [root@client ~]# yum install ipa-admintools
    Copy to Clipboard Toggle word wrap
  3. On an IdM server. Create a host entry for the client. 
    [jsmith@client ~]$ kinit admin
[jsmith@client ~]$ ipa host-add --force --ip-address=192.168.166.31 ipaclient.example.com
    Copy to Clipboard Toggle word wrap
    Creating hosts manually is covered in Section 5.4.2, “Other Examples of Adding a Host Entry”.
  4. On an IdM server. Create keytabs for the client.
    1. Log in as IdM administrator. 
      [jsmith@client ~]$ kinit admin
      Copy to Clipboard Toggle word wrap
    2. Set the client host to be managed by the server. 
      [jsmith@client ~]$ ipa host-add-managedby --hosts=server.example.com ipaclient.example.com
      Copy to Clipboard Toggle word wrap
    3. Generate the keytab for the client. 
      [jsmith@client ~]$ ipa-getkeytab -s server.example.com -p host/ipaclient.example.com -k /tmp/ipaclient.keytab
      Copy to Clipboard Toggle word wrap
  5. Copy the keytab to the client machine and rename it /etc/krb5.keytab.

    Note

    If there is an existing /etc/krb5.keytab that should be preserved, the two files can be combined using ktutil.
  6. Set the correct user permissions for the /etc/krb5.keytab file. 
    [root@client ~]# chown root:root /etc/krb5.keytab 
[root@client ~]# chmod 0600 /etc/krb5.keytab
    Copy to Clipboard Toggle word wrap
  7. Set the SELinux contexts for the /etc/krb5.keytab file. 
    [root@client ~]# chcon system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
    Copy to Clipboard Toggle word wrap
  8. Configure SSSD by editing the /etc/sssd/sssd.conf file to point to the IdM domain. 
    [root@client ~]# touch /etc/sssd/sssd.conf
[root@client ~]# vim /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam

domains = example.com
[nss]

[pam]

[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient.example.com
chpass_provider = ipa
ipa_server = server.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
    Copy to Clipboard Toggle word wrap
  9. Configure NSS to use SSSD for passwords, groups, users, and netgroups. 
    [root@client ~]# vim /etc/nsswitch.conf

...
passwd:     files sss
shadow:     files sss
group:      files sss
...
netgroup:   files sss
...
    Copy to Clipboard Toggle word wrap
  10. Configure the /etc/krb5.conf file to point to the IdM KDC. 
    [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 allow_weak_crypto = true

[realms]
 EXAMPLE.COM = {
  kdc = server.example.com:88
  admin_server = server.example.com:749
  default_domain = example.com
}

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
    Copy to Clipboard Toggle word wrap
  11. Update the /etc/pam.d configuration to use the pam_sss.so modules.
    • For /etc/pam.d/fingerprint-auth: 
      ...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
session     optional      pam_sss.so
      Copy to Clipboard Toggle word wrap
    • For /etc/pam.d/system-auth: 
      ...
auth        sufficient    pam_sss.so use_first_pass
...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
password    sufficient    pam_sss.so use_authtok
...
session     optional      pam_sss.so
      Copy to Clipboard Toggle word wrap
    • For /etc/pam.d/password-auth: 
      ...
auth        sufficient    pam_sss.so use_first_pass
...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
password    sufficient    pam_sss.so use_authtok
...
session     optional      pam_sss.so
      Copy to Clipboard Toggle word wrap
    • Enrollment_with_Separation_of_DutiesFor /etc/pam.d/smartcard-auth: 
      ...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
session     optional      pam_sss.so
      Copy to Clipboard Toggle word wrap
  12. Install the IdM server's CA certificate.
    1. Obtain the certificate from the server. 
      [root@ipaclient ~]# wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
      Copy to Clipboard Toggle word wrap
    2. Install the certificate in the system's NSS database. 
      [root@ipaclient ~]# certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
      Copy to Clipboard Toggle word wrap
  13. Set up a host certificate for the host in IdM.
    1. Make sure certmonger is running. 
      [root@ipaclient ~]# service certmonger start
      Copy to Clipboard Toggle word wrap

      Note

      Configure chkconfig so that the certmonger service starts by default. 
      [root@ipaclient ~]# chkconfig certmonger on
      Copy to Clipboard Toggle word wrap
    2. Use the ipa-getcert command, which creates and manages the certificate through certmonger. The options are described more in Section B.1, “Requesting a Certificate with certmonger”. 
      [root@ipaclient ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'
      Copy to Clipboard Toggle word wrap
    If administrative tools were not installed on the client, then the certificate can be generated on an IdM server, copied over to the host, and installed using certutil.
  14. Set up NFS to work with Kerberos.

    Note

    To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file. 
    RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"
    Copy to Clipboard Toggle word wrap
    1. On an IdM server, add an NFS service principal for the NFS client. 
      [root@ipaclient ~]# ipa service-add nfs/ipaclient.example.com@EXAMPLE
      Copy to Clipboard Toggle word wrap

      Note

      This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
    2. On the IdM server, obtain a keytab for the NFS service principal. 
      [root@ipaclient ~]# ipa-getkeytab -s server.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
      Copy to Clipboard Toggle word wrap

      Note

      Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 6, use the -e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
      When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
    3. Copy the keytab from the IdM server to the NFS server. For example, if the IdM and NFS servers are on different machines: 
      [root@ipaclient ~]# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
      Copy to Clipboard Toggle word wrap
    4. Copy the keytab from the IdM server to the IdM client. For example: 
      [root@ipaclient ~]# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
      Copy to Clipboard Toggle word wrap
    5. Configure the /etc/exports file on the NFS server. 
      /ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
      Copy to Clipboard Toggle word wrap
    6. On the client, mount the NFS share.
      • Always specify the share as nfs_server:/ /mountpoint.
      • Use the same -o sec setting as is used in the /etc/exports file for the NFS server. 
      [root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
      Copy to Clipboard Toggle word wrap

5.4.2. Other Examples of Adding a Host Entry
Copia collegamento

Section 5.4.1, “Setting up an IdM Client (Full Procedure)” covers the full procedure for configuring an IdM client manually. One of those steps is creating a host entry, and there are several different ways and options to perform that.

5.4.2.1. Adding Host Entries from the Web UI
Copia collegamento

  1. Open the Identity tab, and select the Hosts subtab.
  2. Click the Add link at the top of the hosts list.
    View larger image
  3. Fill in the machine name and select the domain from the configured zones in the drop-down list. If the host has already been assigned a static IP address, then include that with the host entry so that the DNS entry is fully created.
    View larger image
    DNS zones can be created in IdM, which is described in Section 17.6.1, “Adding Forward DNS Zones”. If the IdM server does not manage the DNS server, the zone can be entered manually in the menu area, like a regular text field.

    Note

    Select the Force checkbox to add the host DNS record, even if the hostname cannot be resolved.
    This is useful for hosts which use DHCP and do not have a static IP address. This essentially creates a placeholder entry in the IdM DNS service. When the DNS service dynamically updates its records, the host's current IP address is detected and its DNS record is updated.
  4. Click the Add and Edit button to go directly to the expanded entry page and fill in more attribute information. Information about the host hardware and physical location can be included with the host entry.
    View larger image

5.4.2.2. Adding Host Entries from the Command Line
Copia collegamento

Host entries are created using the host-add command. This commands adds the host entry to the IdM Directory Server. The full list of options with host-add are listed in the ipa host manpage. At its most basic, an add operation only requires the client hostname to add the client to the Kerberos realm and to create an entry in the IdM LDAP server: 
$ ipa host-add client1.example.com
Copy to Clipboard Toggle word wrap
If the IdM server is configured to manage DNS, then the host can also be added to the DNS resource records using the --ip-address and --force options.

Example 5.6. Creating Host Entries with Static IP Addresses

$ ipa host-add --force --ip-address=192.168.166.31 client1.example.com
Copy to Clipboard Toggle word wrap
Commonly, hosts may not have a static IP address or the IP address may not be known at the time the client is configured. For example, laptops may be preconfigured as Identity Management clients, but they do not have IP addresses at the time they're configured. Hosts which use DHCP can still be configured with a DNS entry by using --force. This essentially creates a placeholder entry in the IdM DNS service. When the DNS service dynamically updates its records, the host's current IP address is detected and its DNS record is updated.

Example 5.7. Creating Host Entries with DHCP

$ ipa host-add --force client1.example.com
Copy to Clipboard Toggle word wrap
Host records are deleted using the host-del command. If the IdM domain uses DNS, then the --updatedns option also removes the associated records of any kind for the host from the DNS. 
$ ipa host-del --updatedns client1.example.com
Copy to Clipboard Toggle word wrap
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat