Connect Arch Linux to FreeIPA

Objectives

The goal of this guide is to connect an Arch Linux computer to a FreeIPA server.

This guide is base on the following documentation:

  • https://wiki.archlinux.org/index.php/FreeIPA

  • https://wiki.archlinux.org/index.php/LDAP_authentication

  • https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

SSSD Installation

pacman -S sssd

SSSD Configuration

vi /etc/sssd/sssd.conf
[domain/mpilote.com]

id_provider = ipa
ipa_server = _srv_, srv-ldap.mpilote.com
ipa_domain = mpilote.com
ipa_hostname = wks-lpt01.mpilote.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
realmd_tags = manages-system
default_shell = /usr/bin/zsh
override_shell = /usr/bin/zsh
use_fully_qualified_names = False
fallback_homedir = /home/%u

[sssd]
services = nss, pam, ssh, sudo
domains = mpilote.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

chmod 600 /etc/sssd/sssd.conf

Kerberos Configuration

vi /etc/krb5.conf
[libdefaults]
        default_realm = MPILOTE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        rdns = false
        dns_canonicalize_hostname = false
        ticket_lifetime = 24h
        forwardable = yes
        udp_preference_limit = 0
        default_ccache_name = KEYRING:persistent:%{uid}

[realms]
        MPILOTE.COM = {
                admin_server = srv-ldap.mpilote.com
                kdc = srv-ldap.mpilote.com
                default_admin = mpilote.com
        }

[domain_realm]
        mpilote.com = MPILOTE.COM
        .mpilote.com = MPILOTE.COM
        wks-lpt01.mpilote.com = MPILOTE.COM
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

NSCD Configuration

vi /etc/nscd.conf
[...]
enable-cache		passwd		no
[...]
enable-cache		group		no
[...]
enable-cache		hosts		yes
[...]
enable-cache		netgroup	no
[...]

NSS Configuration

vi /etc/nsswitch.conf
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files sss mymachines systemd
group: files sss mymachines systemd
shadow: files sss
sudoers: files sss

publickey: files

hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

PAM Configuration

vi /etc/pam.d/system-auth
#%PAM-1.0

auth      sufficient pam_sss.so forward_pass
auth      required   pam_unix.so     try_first_pass nullok
auth      optional   pam_permit.so
auth      required   pam_env.so

account   [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account   required   pam_unix.so
account   optional   pam_permit.so
account   required   pam_time.so

password  sufficient pam_sss.so use_authtok
password  required   pam_unix.so     try_first_pass nullok sha512 shadow
password  optional   pam_permit.so

session   required   pam_mkhomedir.so skel=/etc/skel/ umask=0077
session   required   pam_limits.so
session   required   pam_unix.so
session   optional   pam_permit.so
vi /etc/pam.d/su
#%PAM-1.0

auth            sufficient      pam_rootok.so
auth            sufficient      pam_sss.so forward_pass
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so

account         [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account         required        pam_unix.so

session         required        pam_unix.so
session         optional        pam_sss.so

Password Management

vi /etc/pam.d/passwd
#%PAM-1.0
password        sufficient      pam_sss.so
#password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password       required        pam_unix.so sha512 shadow use_authtok
password        required        pam_unix.so sha512 shadow nullok

SSH integration

vi /etc/ssh/sshd_config
[...]
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
[...]
vi /etc/ssh/ssh_config
[...]
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Create host in FreeIPA

FreeipaAddHost.png

Enroll the client (On the FreeIPA server)

kinit admin
ipa-getkeytab -s srv-ldap.mpilote.com -p host/wks-lpt01.mpilote.com -k /tmp/wks-lpt01.keytab

Enroll the client (On the Client)

scp root@srv-ldap.mpilote.com:/tmp/wks-lpt01.keytab krb5.keytab
mv krb5.keytab /etc/krb5.keytab

Enable SSSD

systemctl enable sssd.service
reboot

Installation of an encrypted Arch Linux 

iwctl
station wlan0 scan
station wlan0 get-networks
station wlan0 connect SSID
exit
passwd
systemctl start sshd.service
ip addr

Variables

Set some variable

DRIVE=/dev/nvme0n1
o=defaults,x-mount.mkdir
o_btrfs=$o,compress=zstd,ssd,noatime

Partition Disk

sgdisk --clear \
       --new=1:0:+260MiB --typecode=1:ef00 --change-name=1:EFI \
       --new=2:0:+240MiB --typecode=2:8309 --change-name=2:cryptboot \
       --new=3:0:+32GiB  --typecode=3:8309 --change-name=3:cryptswap \
       --new=4:0:0       --typecode=4:8309 --change-name=4:cryptsystem \
       $DRIVE

Encrypt Disk

cryptsetup luksFormat --type luks1 --align-payload=8192 -s 512 -h sha512 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptboot
cryptsetup luksFormat --align-payload=8192 -s 512 -h sha512 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
cryptsetup luksFormat --align-payload=8192 -s 512 -h sha512 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptswap
cryptsetup open /dev/disk/by-partlabel/cryptboot boot
cryptsetup open /dev/disk/by-partlabel/cryptsystem system
cryptsetup open /dev/disk/by-partlabel/cryptswap swap

Format disk

mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
mkfs.ext4 -L boot /dev/mapper/boot
mkfs.btrfs --label system /dev/mapper/system
mkswap -L swap /dev/mapper/swap
swapon -L swap

Create btrfs Subvolume

mount -t btrfs LABEL=system /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@log
btrfs subvolume create /mnt/@pkg
btrfs subvolume create /mnt/@srv
btrfs subvolume create /mnt/@tmp
btrfs subvolume create /mnt/@root
btrfs subvolume create /mnt/@snapshots
umount -R /mnt

Mount Partition

mount -t btrfs -o subvol=@,$o_btrfs LABEL=system /mnt
mount -t btrfs -o subvol=@home,$o_btrfs LABEL=system /mnt/home
mount -t btrfs -o subvol=@log,$o_btrfs LABEL=system /mnt/var/log
mount -t btrfs -o subvol=@pkg,$o_btrfs LABEL=system /mnt/var/cache/pacman/pkg
mount -t btrfs -o subvol=@srv,$o_btrfs LABEL=system /mnt/srv
mount -t btrfs -o subvol=@tmp,$o_btrfs LABEL=system /mnt/var/tmp
mount -t btrfs -o subvol=@root,$o_btrfs LABEL=system /mnt/root
mount -t vfat -o $o LABEL=EFI /mnt/efi
mount -t ext4 -o $o LABEL=boot /mnt/boot

Pacstrap System

pacstrap /mnt base linux linux-firmware nano

Fstab

genfstab -L -p /mnt >> /mnt/etc/fstab

Chroot

arch-chroot /mnt

Set Locale

nano /etc/locale.gen
[...]
#en_SG.UTF-8 UTF-8
#en_SG ISO-8859-1
en_US.UTF-8 UTF-8
#en_US ISO-8859-1
#en_ZA.UTF-8 UTF-8
[...]
locale-gen
nano /etc/locale.conf
LANG=en_US.UTF-8

Set Timezone

ln -sf /usr/share/zoneinfo/America/Montreal /etc/localtime
timedatectl set-ntp true
hwclock --systohc

Set Hostname

nano /etc/hostname
wks-lpt01
nano /etc/hosts
127.0.0.1       localhost.localdomain   localhost
::1             localhost.localdomain   localhost
127.0.1.1       wks-lpt01.mpilote.com   wks-lpt01

Set Keymap

nano /etc/vconsole.conf
KEYMAP=us

Install Packages

pacman -Syu base-devel btrfs-progs gptfdisk zsh intel-ucode efibootmgr

Crypttab

dd bs=512 count=8 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 600 /crypto_keyfile.bin
cryptsetup luksDump /dev/disk/by-partlabel/cryptsystem | grep UUID
cryptsetup luksDump /dev/disk/by-partlabel/cryptboot | grep UUID
cryptsetup luksDump /dev/disk/by-partlabel/cryptswap | grep UUID
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptsystem /crypto_keyfile.bin
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptswap /crypto_keyfile.bin
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptboot /crypto_keyfile.bin
nano /etc/crypttab
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

#                                                           
boot           UUID=e0e548f9-f504-4461-942b-e897959c5c3e    /crypto_keyfile.bin
swap           UUID=5bd410bc-cd2c-4901-834f-fcc643cfd868    /crypto_keyfile.bin

Configure mkinitcpio

rm /etc/mkinitcpio.conf
nano /etc/mkinitcpio.conf
MODULES=""
BINARIES=""
FILES="/crypto_keyfile.bin"
HOOKS="base systemd sd-vconsole modconf keyboard block filesystems btrfs sd-encrypt fsck"
mkinitcpio -p linux

Configure & Install Grub

pacman -Syu grub
lsblk --nodeps --noheadings -oUUID /dev/disk/by-partlabel/cryptsystem
nano /etc/default/grub
# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="rd.luks.name=425c4549-88c0-432f-a2ff-c1cf73de426d=cryptsystem rd.luks.key=425c4549-88c0-432f-a2ff-c1cf73de426d=/crypto_keyfile.bin"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y
[..]
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg

Password

passwd

Create User

useradd -m -s /usr/bin/zsh -g users -G wheel martin
passwd martin

Gnome

pacman -Syu pipewire pipewire-jack pipewire-alsa pipewire-pulse wireplumber noto-fonts-emoji gnome networkmanager