Connect Arch Linux to FreeIPA

Objectives

The goal of this guide is to connect an Arch Linux computer to a FreeIPA server.

This guide is based on the following documentation:

  • https://wiki.archlinux.org/index.php/FreeIPA

  • https://wiki.archlinux.org/index.php/LDAP_authentication

  • https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

SSSD Installation

pacman -S sssd

SSSD Configuration

vi /etc/sssd/sssd.conf
[domain/mpilote.com]

id_provider = ipa
ipa_server = _srv_, srv-ldap.mpilote.com
ipa_domain = mpilote.com
ipa_hostname = wks-lpt01.mpilote.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
realmd_tags = manages-system
default_shell = /usr/bin/zsh
override_shell = /usr/bin/zsh
use_fully_qualified_names = False
fallback_homedir = /home/%u

[sssd]
services = nss, pam, ssh, sudo
domains = mpilote.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]

chmod 600 /etc/sssd/sssd.conf

Kerberos Configuration

vi /etc/krb5.conf
[libdefaults]
        default_realm = MPILOTE.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        rdns = false
        dns_canonicalize_hostname = false
        ticket_lifetime = 24h
        forwardable = yes
        udp_preference_limit = 0
        default_ccache_name = KEYRING:persistent:%{uid}

[realms]
        MPILOTE.COM = {
                admin_server = srv-ldap.mpilote.com
                kdc = srv-ldap.mpilote.com
                default_domain = mpilote.com
        }

[domain_realm]
        mpilote.com = MPILOTE.COM
        .mpilote.com = MPILOTE.COM
        wks-lpt01.mpilote.com = MPILOTE.COM

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

NSCD Configuration

vi /etc/nscd.conf
[...]
enable-cache		passwd		no
[...]
enable-cache		group		no
[...]
enable-cache		hosts		yes
[...]
enable-cache		netgroup	no
[...]

NSS Configuration

vi /etc/nsswitch.conf
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files sss mymachines systemd
group: files sss mymachines systemd
shadow: files sss
sudoers: files sss

publickey: files

hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

PAM Configuration

vi /etc/pam.d/system-auth
#%PAM-1.0

auth      sufficient pam_sss.so forward_pass
auth      required   pam_unix.so     try_first_pass nullok
auth      optional   pam_permit.so
auth      required   pam_env.so

account   [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account   required   pam_unix.so
account   optional   pam_permit.so
account   required   pam_time.so

password  sufficient pam_sss.so use_authtok
password  required   pam_unix.so     try_first_pass nullok sha512 shadow
password  optional   pam_permit.so

session   required   pam_mkhomedir.so skel=/etc/skel/ umask=0077
session   required   pam_limits.so
session   required   pam_unix.so
session   optional   pam_permit.so

vi /etc/pam.d/su
#%PAM-1.0

auth            sufficient      pam_rootok.so
auth            sufficient      pam_sss.so forward_pass
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so

account         [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account         required        pam_unix.so

session         required        pam_unix.so
session         optional        pam_sss.so

Password Management

vi /etc/pam.d/passwd
#%PAM-1.0
password        sufficient      pam_sss.so
#password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password       required        pam_unix.so sha512 shadow use_authtok
password        required        pam_unix.so sha512 shadow nullok

SSH Integration

vi /etc/ssh/sshd_config
[...]
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
[...]

vi /etc/ssh/ssh_config
[...]
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Create host in FreeIPA

[Screenshot: FreeipaAddHost.png, adding the host entry in the FreeIPA web UI]

Enroll the client (On the FreeIPA server)

kinit admin
ipa-getkeytab -s srv-ldap.mpilote.com -p host/wks-lpt01.mpilote.com -k /tmp/wks-lpt01.keytab

Enroll the client (On the Client)

scp root@srv-ldap.mpilote.com:/tmp/wks-lpt01.keytab krb5.keytab
mv krb5.keytab /etc/krb5.keytab

Enable SSSD

systemctl enable sssd.service
reboot
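As an added check after the reboot (this script is not part of the original guide), the following POSIX shell script reads the files edited above and reports whether the settings the guide relies on are actually in place: sssd.conf is root-only, the [sssd] section enables the nss, pam, ssh and sudo services, and every provider of the domain section is ipa, since a missing access_provider = ipa means FreeIPA's HBAC rules are not enforced at login. It assumes GNU coreutils stat (as on Arch); expecting the keytab at /etc/krb5.keytab to be mode 600 is the script's own assumption, as the guide only sets that mode on sssd.conf.

```shell
#!/bin/sh
# Constructed post-enrollment check for the files edited in this guide (not from the
# original page). Assumes GNU coreutils stat, as on Arch, and the paths given as arguments.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], empty if absent
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
                      insec = (s == "[" sec "]"); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1)
                            gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}
# list_has "nss, pam, ssh" pam -> true when the item appears in the comma-separated list
list_has() { printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -qx "$2"; }
# file_mode FILE -> permission bits in octal (GNU stat)
file_mode() { stat -c '%a' "$1" 2>/dev/null; }

# check_sssd_conf FILE -> 0 when the security-relevant settings from the guide are all
# present; otherwise prints each problem and returns 1. access_provider = ipa matters
# most: without it the client does not enforce FreeIPA's HBAC rules at login.
check_sssd_conf() {
    f=$1; rc=0
    [ "$(file_mode "$f")" = "600" ] || { echo "$f: mode should be 600"; rc=1; }
    dom=$(ini_get "$f" sssd domains); dom=${dom%%,*}
    [ -n "$dom" ] || { echo "$f: [sssd] domains is not set"; rc=1; }
    svcs=$(ini_get "$f" sssd services)
    for s in nss pam ssh sudo; do
        list_has "$svcs" "$s" || { echo "$f: [sssd] services lacks $s"; rc=1; }
    done
    for k in id_provider auth_provider chpass_provider access_provider; do
        v=$(ini_get "$f" "domain/$dom" "$k")
        [ "$v" = "ipa" ] || { echo "$f: [domain/$dom] $k should be ipa, got '${v:-unset}'"; rc=1; }
    done
    return $rc
}

# check_keytab FILE -> 0 when the host keytab exists, is non-empty and is readable by root
# only; it holds the host's long-term Kerberos key, so nobody else should be able to read it.
check_keytab() {
    [ -s "$1" ] || { echo "$1: missing or empty"; return 1; }
    [ "$(file_mode "$1")" = "600" ] || { echo "$1: mode should be 600"; return 1; }
}

# Usage: sh check-enrollment.sh /etc/sssd/sssd.conf /etc/krb5.keytab
if [ $# -eq 2 ]; then
    check_sssd_conf "$1" && check_keytab "$2" && echo "enrollment files look sane"
fi
```

With no arguments the file only defines the functions, so it can also be sourced from another script.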