このコンテンツは選択した言語では利用できません。
2.3. Manually Configuring a Linux Client
The
ipa-client-install command automatically configures services like Kerberos, SSSD, PAM, and NSS. However, if the ipa-client-install command cannot be used on a system for some reason, then the IPA client entries and the services can be configured manually.
- Install SSSD 1.5.x or later, if it is not already installed.
- On an IPA server. Create a host entry for the client.
$ ipa host-add --force --ip-address=192.168.166.31 client1.example.com
- On an IPA server. Create keytabs for the client.
- Log in as IPA; administrator.
$ kinit admin
- Set the client host to be managed by the server.
$ ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com
- Generate the keytab for the client.
# ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab
- Copy the keytab to the client machine and rename it
/etc/krb5.ketab.Note
If there is an existing/etc/krb5.ketabthat should be preserved, the two files can be combined usingktutil. - Set the correct user permissions and, if necessary, SELinux contexts for the
/etc/krb5.ketabfile.chown root:root 0600 system_u:object_r:krb5_keytab_t:s0
- Configure SSSD by editing the
/etc/sssd/sssd.conffile to point to the IPA domain.[sssd] config_file_version = 2 services = nss, pam domains = example.com [nss] [pam] [domain/example.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = client1.example.com chpass_provider = ipa ipa_server = ipaserver.example.com ldap_tls_cacert = /etc/ipa/ca.crt
- Configure NSS to use SSSD for passwords, groups, users, and netgroups.
vim /etc/nsswitch.conf ... passwd: files sss shadow: files sss group: files sss ... netgroup: files sss ...
- Configure the
/etc/krb5.conffile to point to the IPA KDC.[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 24h forwardable = yes allow_weak_crypto = true [realms] EXAMPLE.COM = { kdc = ipaserver.example.com:88 admin_server = ipaserver.example.com:749 default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM - Update the
/etc/pam.dconfiguration to use thepam_sss.somodules.- For
/etc/pam.d/fingerprint-auth:... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... session optional pam_sss.so
- For
/etc/pam.d/system-auth:... auth sufficient pam_sss.so use_first_pass ... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... password sufficient pam_sss.so use_authtok ... session optional pam_sss.so
- For
/etc/pam.d/password-auth:... auth sufficient pam_sss.so use_first_pass ... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... password sufficient pam_sss.so use_authtok ... session optional pam_sss.so
- For
/etc/pam.d/smartcard-auth:... account [default=bad success=ok user_unknown=ignore] pam_sss.so ... session optional pam_sss.so
- Set up NFS to work with Kerberos.
Note
To help troubleshoot potential NFS setup errors, enable debug information in the/etc/sysconfig/nfsfile.RPCGSSDARGS="-vvv" RPCSVCGSSDARGS="-vvv"
- On an IPA server, add an NFS service principal for the NFS client.
# ipa service-add nfs/ipaclient.example.com@EXAMPLE
Note
This must be run from a machine with the ipa-admintools package installed so that theipacommand is available. - On the IPA server, obtain a keytab for the NFS service principal.
# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab
Note
Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the-e des-cbc-crcoption to theipa-getkeytabcommand for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.When using DES keys, all clients and servers that rely on this encryption type need to have theallow_weak_cryptooption enabled in the[libdefaults]section of the/etc/krb5.conffile. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client'srpc.gssdand the server'srpc.svcgssddaemons may log errors indicating that DES encryption types are not permitted. - Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines:
# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
- Copy the keytab from the IPA server to the IPA client. For example:
# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
- Configure the
/etc/exportsfile on the NFS server./ipashare gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
- On the client, mount the NFS share.
- Always specify the share as nfs_server:/ /mountpoint.
- Use the same
-o secsetting as is used in the/etc/exportsfile for the NFS server.
[root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
