2.3. Manually Configuring a Linux Client

Install SSSD 1.5.x or later, if it is not already installed.

On an IPA server. Create a host entry for the client.

ipa host-add --force --ip-address=192.168.166.31 client1.example.com

$ ipa host-add --force --ip-address=192.168.166.31 client1.example.com

Copy to Clipboard

Toggle word wrap

On an IPA server. Create keytabs for the client.

Log in as IPA; administrator.
```
kinit admin
```
```
$ kinit admin
```
Copy to Clipboard Toggle word wrap

Set the client host to be managed by the server.

ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com

$ ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com

Copy to Clipboard

Toggle word wrap

Generate the keytab for the client.

ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab

# ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab

Copy to Clipboard

Toggle word wrap

Copy the keytab to the client machine and rename it /etc/krb5.ketab.

Note

If there is an existing /etc/krb5.ketab that should be preserved, the two files can be combined using ktutil.

Set the correct user permissions and, if necessary, SELinux contexts for the /etc/krb5.ketab file.

chown root:root 0600
system_u:object_r:krb5_keytab_t:s0

chown root:root 0600
system_u:object_r:krb5_keytab_t:s0

Copy to Clipboard

Toggle word wrap

Configure SSSD by editing the /etc/sssd/sssd.conf file to point to the IPA domain.

[sssd]
config_file_version = 2
services = nss, pam

domains = example.com
[nss]

[pam]

[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client1.example.com
chpass_provider = ipa
ipa_server = ipaserver.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2
services = nss, pam

domains = example.com
[nss]

[pam]

[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client1.example.com
chpass_provider = ipa
ipa_server = ipaserver.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

Copy to Clipboard

Toggle word wrap

Configure NSS to use SSSD for passwords, groups, users, and netgroups.

vim /etc/nsswitch.conf

...
passwd:     files sss
shadow:     files sss
group:      files sss
...
netgroup:   files sss
...

vim /etc/nsswitch.conf

...
passwd:     files sss
shadow:     files sss
group:      files sss
...
netgroup:   files sss
...

Copy to Clipboard

Toggle word wrap

Configure the /etc/krb5.conf file to point to the IPA KDC.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 allow_weak_crypto = true

[realms]
 EXAMPLE.COM = {
  kdc = ipaserver.example.com:88
  admin_server = ipaserver.example.com:749
  default_domain = example.com
}

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 allow_weak_crypto = true

[realms]
 EXAMPLE.COM = {
  kdc = ipaserver.example.com:88
  admin_server = ipaserver.example.com:749
  default_domain = example.com
}

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

Copy to Clipboard

Toggle word wrap

Update the /etc/pam.d configuration to use the pam_sss.so modules.

For /etc/pam.d/fingerprint-auth:

...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
session     optional      pam_sss.so

...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
session     optional      pam_sss.so

Copy to Clipboard

Toggle word wrap

For /etc/pam.d/system-auth:

...
auth        sufficient    pam_sss.so use_first_pass
...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
password    sufficient    pam_sss.so use_authtok
...
session     optional      pam_sss.so

...
auth        sufficient    pam_sss.so use_first_pass
...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
password    sufficient    pam_sss.so use_authtok
...
session     optional      pam_sss.so

Copy to Clipboard

Toggle word wrap

For /etc/pam.d/password-auth:

...
auth        sufficient    pam_sss.so use_first_pass
...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
password    sufficient    pam_sss.so use_authtok
...
session     optional      pam_sss.so

...
auth        sufficient    pam_sss.so use_first_pass
...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
password    sufficient    pam_sss.so use_authtok
...
session     optional      pam_sss.so

Copy to Clipboard

Toggle word wrap

For /etc/pam.d/smartcard-auth:

...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
session     optional      pam_sss.so

...
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
...
session     optional      pam_sss.so

Copy to Clipboard

Toggle word wrap

Set up NFS to work with Kerberos.

Note

To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file.

RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"

RPCGSSDARGS="-vvv"
RPCSVCGSSDARGS="-vvv"

Copy to Clipboard

Toggle word wrap

On an IPA server, add an NFS service principal for the NFS client.
```
ipa service-add nfs/ipaclient.example.com@EXAMPLE
```
```
# ipa service-add nfs/ipaclient.example.com@EXAMPLE
```
Copy to Clipboard Toggle word wrap
Note
This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
On the IPA server, obtain a keytab for the NFS service principal.
```
ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
```
```
# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
```
Copy to Clipboard Toggle word wrap
Note
Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the -e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines:
```
scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
```
```
# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
```
Copy to Clipboard Toggle word wrap

Copy the keytab from the IPA server to the IPA client. For example:

scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab

# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab

Copy to Clipboard

Toggle word wrap

Configure the /etc/exports file on the NFS server.

/ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)

/ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)

Copy to Clipboard

Toggle word wrap

On the client, mount the NFS share.
- Always specify the share as nfs_server:/ /mountpoint.
- Use the same -o sec setting as is used in the /etc/exports file for the NFS server.
```
mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
```
```
[root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
```
Copy to Clipboard Toggle word wrap

このコンテンツは選択した言語では利用できません。

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

多様性を受け入れるオープンソースの強化

会社概要

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links