Overview
This page details the installation of IPA Server for identity, authentication and authorisation. As far as possible, there are no local user accounts that can log in. The IdM server will be set up with DNS enabled, and as all servers will be VMs, NTP will be disabled.
Prerequisites
You must follow the installation steps below prior to installing the application. You must also know the DNS forwarders that will be used; these can be found in /etc/resolv.conf on a newly created VM.
Setup IPA Server
Install the IPA Server packages. The bind packages provide the DNS server.
yum install ipa-server bind bind-dyndb-ldap
Create the IdM Server Instance.
ipa-server-install --no-ntp --setup-dns --idstart=10000
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
This includes:
Configure a stand-alone CA (dogtag) for certificate management
Create and configure an instance of Directory Server
Create and configure a Kerberos Key Distribution Center (KDC)
Configure Apache (httpd)
Configure DNS (bind)
Excluded by options:
Configure the Network Time Daemon (ntpd)
To accept the default shown in brackets, press the Enter key.
Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.
Server host name [ipaserver.example.com]:
Warning: skipping DNS resolution of host ipaserver.example.com
The domain name has been determined based on the host name.
Please confirm the domain name [example.com]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [EXAMPLE.COM]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password:
Password (confirm):
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password:
Password (confirm):
Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 172.17.1.26
DNS forwarder 172.17.1.26 added
Enter IP address for a DNS forwarder: 172.17.1.27
DNS forwarder 172.17.1.27 added
Enter IP address for a DNS forwarder:
Checking forwarders, please wait ...
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [10.10.10.in-addr.arpa.]:
Using reverse zone(s) 10.10.10.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: ipaserver.example.com
IP address(es): 10.10.10.10
Domain name: example.com
Realm name: EXAMPLE.COM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 172.17.1.26, 172.17.1.27
Reverse zone(s): 10.10.10.in-addr.arpa.
Continue to configure the system with these values? [no]: yes
The ipa-dns-install command (which the install script runs when the --setup-dns option is used) does not automatically configure the system's rndc service. This must be configured manually after DNS has been configured for IdM.
Create the rndc configuration file and key, and set permissions. The permissions appear to be correct after running rndc-confgen, but as the Red Hat documentation lists them they are included here for reference.
/usr/sbin/rndc-confgen -a
/sbin/restorecon /etc/rndc.key
chown root:named /etc/rndc.key
chmod 0640 /etc/rndc.key
Restart the SSH service to retrieve the Kerberos principal and to refresh the name service switch (NSS) configuration file:
systemctl restart sshd
Authenticate to the Kerberos realm using the admin user's credentials to ensure that the user is properly configured and the Kerberos realm is accessible.
kinit admin
Test the IdM configuration by running a command like ipa user-find
ipa user-find admin
Show the IdM Status
ipactl status
Amend default shell from /bin/sh to /bin/bash
ipa config-mod --defaultshell=/bin/bash
Configure the firewall to allow clients to access the IdM services.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="ldap" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="ldaps" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="http" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="https" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="dns" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="kerberos" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.105.94.0/24" service name="kpasswd" accept'
firewall-cmd --reload
Because the server install also installs the client, it does not let you select options for the client install or reinstall the client. You therefore need to set up mkhomedir for users manually.
authconfig --enablemkhomedir --update
Install IPA Clients
Install the IPA Client
yum -y install ipa-client
There is a bug in ipa-client-4.1.0-18.el7_1.3 which causes the install to hang if NTP is not running. We therefore need to start NTP for installation purposes and then disable it afterwards.
systemctl start ntpd
Configure the IPA client. You will need the IPA admin password to complete this process.
ipa-client-install --enable-dns-updates --mkhomedir --no-ntp
Discovery was successful!
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipaserver.example.com
BaseDN: dc=example,dc=co,dc=uk
Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Mon Jul 20 08:43:20 2015 UTC
Valid Until: Fri Jul 20 08:43:20 2035 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipaserver.example.com/ipa/json
Forwarding 'ping' to json server 'https://ipaserver.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipaserver.example.com/ipa/json'
Systemwide CA database updated.
Added CA certificates to the default NSS database.
Hostname (server2.example.com) not found in DNS
DNS server record set to: server2.example.com -> 10.10.10.11
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to json server 'https://ipaserver.example.com/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
Test connectivity to the IdM server.
getent passwd admin
admin:*:10000:10000:Administrator:/home/admin:/bin/bash
Stop the NTP service.
systemctl stop ntpd
User and Group Management
Creating Users
Usernames are created as firstname.lastname. The following options are used when creating users; --homedir and --shell are not necessarily required. For system accounts such as rsync, make sure the shell is /sbin/nologin and set up SSH keys where required. If system accounts need to use SSH keys, you will need to create the home directories manually and copy the SSH private key into .ssh. See below for details.
--first=STR First name
--last=STR Last name
--homedir=STR Home directory; this will be the chrooted directory for FTP users. If omitted, the home directory will be /home/username
--email=STR Email address
--random Generate a random user password
--city=STR City
--shell=STR If different from /bin/bash
# Standard User
ipa user-add first.last --first=First --last=Last --email=first.last@example.co.uk --city=London --random
# System User
ipa user-add "rsync" --first="Rsync" --last="User" --email="group@example.com" --shell="/sbin/nologin" --random --sshpubkey="ssh-rsa WX8TFT110Zev2VPjy5P6tWL Rsync"
Users can be added in bulk using the following method. Adapt the fields in the file and the command as necessary.
cat users.txt
"first1.last1" "First1" "Last1" "first1.last1@example.com" "London"
"first2.last2" "First2" "Last2" "first2.last2@example.com" "London"
awk '{print "ipa user-add "$1" --first="$2" --last="$3" --email="$4" --city="$5" --random"}' users.txt >> users.sh
chmod +x users.sh
Add #!/bin/bash as the first line of users.sh.
Piping the output to egrep gives you the details required to send to the users.
./users.sh | egrep "User login|Random"
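A more defensive version of the same bulk procedure, added here as an example and not part of the original page: it single-quotes every field so that values containing spaces survive, rejects logins that do not follow firstname.lastname, and pairs each login with its random password from the captured output. The tab-separated users.tsv and the ipa output it parses are constructed samples.

```shell
# Added example, not from the original page: generate the "ipa user-add"
# commands from a tab-separated user list and pair each login with its
# random password afterwards. Fields are single-quoted for the shell, so a
# city such as "New York" survives (the page's awk splits on whitespace).

# Quote one argument safely for the shell (POSIX single-quote idiom).
shq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Read "login<TAB>first<TAB>last<TAB>email<TAB>city" records from file $1 and
# print one ipa user-add command per valid record; blank lines and lines
# starting with # are skipped, and logins must match firstname.lastname.
gen_user_cmds() {
    tab=$(printf '\t')
    while IFS=$tab read -r login first last email city; do
        [ -z "$login" ] && continue
        case "$login" in \#*) continue ;; esac
        if ! printf '%s\n' "$login" | grep -Eq '^[a-z0-9-]+\.[a-z0-9-]+$'; then
            printf 'skipping invalid login: %s\n' "$login" >&2
            continue
        fi
        printf 'ipa user-add %s --first=%s --last=%s --email=%s --city=%s --random\n' \
            "$(shq "$login")" "$(shq "$first")" "$(shq "$last")" \
            "$(shq "$email")" "$(shq "$city")"
    done < "$1"
}

# Turn the captured output of users.sh (file $1) into "login:password" lines.
# Only the "User login" and "Random password" lines the page greps for are
# read, so the pairing is unaffected by the other attributes ipa prints.
pair_credentials() {
    awk '
        /^ *User login:/      { sub(/^ *User login: */, ""); login = $0 }
        /^ *Random password:/ { sub(/^ *Random password: */, "")
                                print login ":" $0; login = "" }
    ' "$1"
}

# Constructed sample data: two users and the kind of output ipa user-add
# prints for them (passwords made up). Run: sh this_file.sh
demo() {
    d=$(mktemp -d)
    printf 'first1.last1\tFirst1\tLast1\tfirst1.last1@example.com\tLondon\n' > "$d/users.tsv"
    printf 'first2.last2\tFirst2\tLast2\tfirst2.last2@example.com\tNew York\n' >> "$d/users.tsv"
    gen_user_cmds "$d/users.tsv"
    printf '  User login: first1.last1\n  First name: First1\n  Random password: Abc123\n' > "$d/out.txt"
    printf '  User login: first2.last2\n  First name: First2\n  Random password: Xyz789\n' >> "$d/out.txt"
    pair_credentials "$d/out.txt"
    rm -rf "$d"
}
demo
```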
Adding ssh keys to users
Upload the user's public key and then add it to the user in IdM. You will also need to ensure that servers where users connect with SSH keys have OpenSSH configured to use SSSD to request keys from the IdM server. This is done in the sshd_config file on the server and requires a restart of sshd.
ipa user-mod jsmith --sshpubkey="ssh-rsa 12345abcde= ipaclient.example.com"
vim /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
For system accounts requiring SSH keys, you will need to create the home directory and copy the private key into the .ssh folder.
mkdir -p /home/rsync/.ssh
cp private.key /home/rsync/.ssh/.
chown rsync:rsync /home/rsync
chmod -R 700 /home/rsync
chmod 400 /home/rsync/.ssh/private.key
Creating Groups and Adding Users to Groups
ipa group-add new_group --desc="This is a new group"
ipa group-add-member new_group --users=user1 --users=user2
Modifying User Attributes
User attributes such as krbpasswordexpiration can be amended using ldapmodify and the Directory Manager account.
Create an LDIF file similar to this.
dn: uid=user.name,cn=users,cn=accounts,dc=example,dc=co,dc=uk
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20160219113819Z
Process the LDIF file.
ldapmodify -h ipaserver.example.com -D cn="Directory Manager" -W -f example.ldiff
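As an added example (not from the original page), the following script generates the LDIF above for a list of users from a relative number of days and validates the GeneralizedTime value before writing it; it assumes GNU date and the base DN dc=example,dc=co,dc=uk shown in the client enrolment output.

```shell
# Added example, not from the original page: build the LDIF for one or more
# users' krbpasswordexpiration instead of hand-editing the date. The attribute
# is a Kerberos GeneralizedTime (YYYYMMDDHHMMSSZ, UTC); a value in the past
# expires the password, so the user must change it at next login.
# Assumes GNU date (-d @epoch) and the base DN shown in the client output.
BASEDN='dc=example,dc=co,dc=uk'

# GeneralizedTime for now plus $1 days (negative values give a past date).
krb_time_in_days() {
    epoch=$(( $(date -u +%s) + $1 * 86400 ))
    date -u -d "@$epoch" +%Y%m%d%H%M%SZ
}

# Validate a GeneralizedTime value: exactly 14 digits followed by Z.
is_krb_time() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one LDIF modify record for uid $1 with expiration $2; records end with
# a blank line so several can be concatenated into one file.
pwexpiry_ldif() {
    is_krb_time "$2" || { printf 'bad GeneralizedTime: %s\n' "$2" >&2; return 1; }
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$1" "$BASEDN"
    printf 'changetype: modify\nreplace: krbpasswordexpiration\n'
    printf 'krbpasswordexpiration: %s\n\n' "$2"
}

# Build a batch LDIF ($2) giving every uid listed in file $1 the same expiry ($3).
pwexpiry_batch() {
    is_krb_time "$3" || return 1
    : > "$2"
    while read -r uid; do
        [ -n "$uid" ] && pwexpiry_ldif "$uid" "$3" >> "$2"
    done < "$1"
}

# Constructed demo: two users, passwords expiring 90 days from now. Apply the
# file with the ldapmodify command from the page (the file is left in place).
demo() {
    d=$(mktemp -d)
    printf 'first1.last1\nfirst2.last2\n' > "$d/uids.txt"
    pwexpiry_batch "$d/uids.txt" "$d/expiry.ldif" "$(krb_time_in_days 90)"
    cat "$d/expiry.ldif"
    printf 'ldapmodify -h ipaserver.example.com -D "cn=Directory Manager" -W -f %s\n' "$d/expiry.ldif"
}
demo
```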
Hosts and Host Groups
Hosts are added to IdM automatically when the client is installed, so there should not normally be a need to add them manually. Adding hosts to groups can be done as follows.
ipa hostgroup-add --desc="Set of Servers" servers
ipa hostgroup-add-member servers --hosts={server1.example.com,server2.example.com}
HBAC Rules
Adding HBAC rules is done in stages. First you create an HBAC service and/or service group, which is separate from adding services to a domain. Some of the more common services have already been created and can be found using "ipa hbacsvc-find". Once added, you can create a base rule and then add users, services and hosts to it as required.
Creating HBAC Services and groups
Below is an example; note that you do not have to add a service to a group.
ipa hbacsvcgroup-add --desc="login services" login
ipa hbacsvc-add --desc="Login service" sshd
ipa hbacsvcgroup-add-member --hbacsvcs=sshd login
Setting Host-Based Access Control Rules
When creating rules, try to keep the naming convention service-group/user.
ipa hbacrule-add [--hostcat=all] --desc="Description" sshd-administrators
ipa hbacrule-add-user sshd-administrators --groups=administrators
ipa hbacrule-add-service --hbacsvcs=sshd sshd-administrators
ipa hbacrule-show sshd-administrators
Rule name: sshd-administrators
Host category: all
Enabled: TRUE
User Groups: administrators
Services: sshd
Sudo Rules
As with HBAC rules, sudo rules are added in stages. First you create the sudo commands and/or command groups, then create the sudo rule.
Creating Sudo Commands and Command Groups
Example 1 - Creating a single command
# Add the command
ipa sudocmd-add "/bin/su -" --desc="Root Access"
Add the Sudo Rules
Example 1 - Creating root access with a sudo rule using a single command, on all servers, for a specific group.
# Create the rule
ipa sudorule-add root_access --desc="Root Access" --hostcat=all
# Add the allowed commands
ipa sudorule-add-allow-command root_access --sudocmds="/bin/su -"
# Add the allowed Users and/or Groups
ipa sudorule-add-user root_access --groups=administrators
# Add any required options as per sudoers man page. You must use single quotes.
ipa sudorule-add-option root_access --sudooption='!authenticate'
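An added audit helper (example code, not from the original page) covering both the HBAC and sudo sections: it parses find/show listings in the layout ipa prints and flags enabled rules that apply to every host, user, service or command, or that set !authenticate. The listing it reads is a constructed sample built from the rules created on this page plus FreeIPA's default allow_all rule.

```shell
# Added example, not from the original page: audit "ipa hbacrule-find" and
# "ipa sudorule-find" listings for rules that grant broadly. FreeIPA ships an
# allow_all HBAC rule enabled by default, so check what is active after adding
# your own rules. The sample listing below is constructed in ipa's layout.

# Read rule listings on stdin (records separated by blank lines) and print
# "NAME<TAB>FLAGS" for each enabled rule that applies to all hosts, users,
# services or commands, or that sets the "!authenticate" sudo option.
audit_rules() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; enabled = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            line = $i; sub(/^ +/, "", line)
            if      (line ~ /^Rule name: /)                 name = substr(line, 12)
            else if (line ~ /^Enabled: /)                   enabled = substr(line, 10)
            else if (line ~ /^Host category: all$/)         flags = flags " all-hosts"
            else if (line ~ /^User category: all$/)         flags = flags " all-users"
            else if (line ~ /^Service category: all$/)      flags = flags " all-services"
            else if (line ~ /^Command category: all$/)      flags = flags " all-commands"
            else if (line ~ /^Sudo Option: !authenticate$/) flags = flags " no-password"
        }
        if (name != "" && enabled == "TRUE" && flags != "")
            printf "%s\t%s\n", name, substr(flags, 2)
    }'
}

# Constructed sample: the default allow_all rule plus the two rules created
# on this page, in the field order ipa prints them.
sample_listing() {
cat <<'EOF'
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Enabled: TRUE

  Rule name: sshd-administrators
  Host category: all
  Enabled: TRUE
  User Groups: administrators
  Services: sshd

  Rule name: root_access
  Enabled: TRUE
  Host category: all
  User Groups: administrators
  Sudo Allow Commands: /bin/su -
  Sudo Option: !authenticate
EOF
}
sample_listing | audit_rules
```

On a live server, pipe the real output of `ipa hbacrule-find --all` and `ipa sudorule-find --all` into audit_rules instead of the sample.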
DNS
IdM provides DNS for all internal DNS resources. The internal domain name is example.com, which has been chosen to avoid clashing with any external DNS resources. DNS resources are managed with the "ipa dns*" commands and sub-commands; examples are documented below.
Adding CNAME records
ipa dnsrecord-add example.com server1 --cname-rec="server1_cname"
ipa dnsrecord-add example.com server2 --cname-rec="server2_cname"
Errors/Issues
named-pkcs11.service fails to start
Example output.
# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Job for named-pkcs11.service failed because the control process exited with error code. See "systemctl status named-pkcs11.service" and "journalctl -xe" for details.
Failed to start named Service
Shutting down
Aborting ipactl
Error message in /var/log/messages
LDAP error: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_993: Permission denied): bind to LDAP server failed
This can be due to a stale replay cache file. Remove the old cache file and start IPA again.
rm -f /var/tmp/ldap_993
# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@server]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful