Product SiteDocumentation Site

3.4. Manually Configuring a Linux Client

The ipa-client-install command automatically configures services like Kerberos, SSSD, PAM, and NSS. However, if the ipa-client-install command cannot be used on a system for some reason, then the FreeIPA client entries and the services can be configured manually.
  1. Install SSSD 1.5.x or later, if it is not already installed.
  2. On a FreeIPA server. Create a host entry for the client.
    $ ipa host-add --force --ip-address=192.168.166.31 client1.example.com
    Creating hosts manually is covered in Section 6.2, “Adding Host Entries”.
  3. On a FreeIPA server. Create keytabs for the client.
    1. Log in as FreeIPA; administrator.
      $ kinit admin
    2. Set the client host to be managed by the server.
      $ ipa host-add-managedby --hosts=ipaserver.example.com client1.example.com
    3. Generate the keytab for the client.
      # ipa-getkeytab -s ipaserver.example.com -p host/client1.example.com -k /tmp/client1.keytab
  4. Copy the keytab to the client machine and rename it /etc/krb5.ketab.

    TIP

    If there is an existing /etc/krb5.ketab that should be preserved, the two files can be combined using ktutil.
  5. Set the correct user permissions and, if necessary, SELinux contexts for the /etc/krb5.ketab file.
    chown root:root 0600
    system_u:object_r:krb5_keytab_t:s0
  6. Configure SSSD by editing the /etc/sssd/sssd.conf file to point to the FreeIPA domain.
    [sssd]
    config_file_version = 2
    services = nss, pam
    
    domains = example.com
    [nss]
    
    [pam]
    
    [domain/example.com]
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = example.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = client1.example.com
    chpass_provider = ipa
    ipa_server = ipaserver.example.com
    ldap_tls_cacert = /etc/ipa/ca.crt
  7. Configure NSS to use SSSD for passwords, groups, users, and netgroups.
    vim /etc/nsswitch.conf
    
    ...
    passwd:     files sss
    shadow:     files sss
    group:      files sss
    ...
    netgroup:   files sss
    ...
  8. Configure the /etc/krb5.conf file to point to the FreeIPA KDC.
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     rdns = false
     ticket_lifetime = 24h
     forwardable = yes
     allow_weak_crypto = true
    
    [realms]
     EXAMPLE.COM = {
      kdc = ipaserver.example.com:88
      admin_server = ipaserver.example.com:749
      default_domain = example.com
    }
    
    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
  9. Update the /etc/pam.d configuration to use the pam_sss.so modules.
    • For /etc/pam.d/fingerprint-auth:
      ...
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      ...
      session     optional      pam_sss.so
    • For /etc/pam.d/system-auth:
      ...
      auth        sufficient    pam_sss.so use_first_pass
      ...
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      ...
      password    sufficient    pam_sss.so use_authtok
      ...
      session     optional      pam_sss.so
    • For /etc/pam.d/password-auth:
      ...
      auth        sufficient    pam_sss.so use_first_pass
      ...
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      ...
      password    sufficient    pam_sss.so use_authtok
      ...
      session     optional      pam_sss.so
    • For /etc/pam.d/smartcard-auth:
      ...
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      ...
      session     optional      pam_sss.so
  10. Set up NFS to work with Kerberos.

    TIP

    To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file.
    RPCGSSDARGS="-vvv"
    RPCSVCGSSDARGS="-vvv"
    1. On a FreeIPA server, add an NFS service principal for the NFS client.
      # ipa service-add nfs/ipaclient.example.com@EXAMPLE

      NOTE

      This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
    2. On the FreeIPA server, obtain a keytab for the NFS service principal.
      # ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab

      NOTE

      Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Fedora 15, use the -e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
      When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
    3. Copy the keytab from the FreeIPA server to the NFS server. For example, if the FreeIPA and NFS servers are on different machines:
      # scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
    4. Copy the keytab from the FreeIPA server to the FreeIPA client. For example:
      # scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
    5. Configure the /etc/exports file on the NFS server.
      /ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
    6. On the client, mount the NFS share.
      • Always specify the share as nfs_server:/ /mountpoint.
      • Use the same -o sec setting as is used in the /etc/exports file for the NFS server.
      [root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare