We are going to configure a RHEL 7 system to authenticate against FreeIPA using LDAP/Kerberos.
Prerequisites
To get Kerberos running, NTP synchronisation and DNS resolution must be working.
We are going to use the FreeIPA server which we set up previously. Check this post for how to set up a FreeIPA server on RHEL 7.
Configure LDAP Authentication
We use a RHEL 7.0 server (instructions were also tested on a RHEL 7.2) with SELinux set to enforcing mode.
DNS is configured to point to the FreeIPA server:
# cat /etc/resolv.conf
search rhce.local
nameserver 10.8.8.70
# host 10.8.8.70
70.8.8.10.in-addr.arpa domain name pointer ipa.rhce.local.
Installation
# yum install -y nscd nss-pam-ldapd wget
Download the CA certificate from the IPA server to our local server:
# mkdir /etc/openldap/cacerts
# wget -P /etc/openldap/cacerts/ ftp://ipa.rhce.local/pub/cacert.p12
Configuration
These are the defaults, do not change anything:
# egrep -i "sssd|lega" /etc/sysconfig/authconfig
USESSSDAUTH=no
FORCELEGACY=no
USESSSD=yes
Ensure the nslcd service is enabled:
# systemctl enable nslcd
Run authconfig in text mode:
# authconfig-tui
In User Information, select Use LDAP, and under Authentication, select Use LDAP Authentication. In the LDAP Settings screen, select Use TLS and specify the following:
Server: ipa.rhce.local
Base DN: dc=rhce,dc=local
Open /etc/nslcd.conf and add the following line to allow self-signed certificates to be used:
tls_reqcert never
Restart the nslcd service:
# systemctl restart nslcd
Verify by logging in as an LDAP user:
# su - alice
su: warning: cannot change directory to /home/alice: No such file or directory
$ id
uid=1219400005(alice) gid=1219400005(alice) groups=1219400005(alice) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
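As an added example (not part of the original post), here is a small POSIX shell audit for the LDAP client configuration built above: it flags the tls_reqcert never setting, which makes nslcd accept any server certificate, and rewrites the file to the verifying form. It assumes the IPA CA is available as a PEM file at /etc/openldap/cacerts/ipa-ca.crt (an assumption; the cacert.p12 downloaded earlier is a PKCS#12 bundle, which tls_cacertdir cannot use directly) and runs against a constructed copy, not the live /etc/nslcd.conf.

```shell
#!/bin/sh
# Added example: audit and harden the TLS directives in an nslcd.conf.
# nslcd verifies the IPA server certificate only when tls_reqcert is
# demand/hard (or try) AND a trust anchor is configured; "never" accepts
# any certificate, so the LDAP session can be intercepted on the network.
# Assumption: the IPA CA exported to PEM (e.g. "openssl pkcs12 -in
# cacert.p12 -nokeys -out ipa-ca.crt") lives at this path.
CA_PEM="/etc/openldap/cacerts/ipa-ca.crt"

audit_nslcd_tls() {   # usage: audit_nslcd_tls /path/to/nslcd.conf ; returns 0 if verifying
    conf="$1"; rc=0
    # Effective value is the last uncommented tls_reqcert line; when the
    # directive is absent the LDAP library default "demand" applies.
    reqcert=$(sed -n 's/^[[:space:]]*tls_reqcert[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$reqcert" ] || reqcert=demand
    case "$reqcert" in
        never|allow) echo "WARN: tls_reqcert $reqcert - server certificate not verified"; rc=1 ;;
        try|demand|hard) echo "OK: tls_reqcert $reqcert" ;;
        *) echo "WARN: unrecognised tls_reqcert value '$reqcert'"; rc=1 ;;
    esac
    # Verification also needs a trust anchor: tls_cacertfile or tls_cacertdir.
    if ! grep -Eq '^[[:space:]]*tls_cacert(file|dir)[[:space:]]' "$conf"; then
        echo "WARN: no tls_cacertfile/tls_cacertdir configured"; rc=1
    fi
    return $rc
}

harden_nslcd_tls() {  # usage: harden_nslcd_tls /path/to/nslcd.conf /path/to/ca.pem
    conf="$1"; ca="$2"; tmp="$conf.tmp"
    # Drop existing tls_reqcert/tls_cacertfile lines, then append strict ones.
    grep -Ev '^[[:space:]]*tls_(reqcert|cacertfile)[[:space:]]' "$conf" > "$tmp" || :
    printf 'tls_reqcert demand\ntls_cacertfile %s\n' "$ca" >> "$tmp"
    mv "$tmp" "$conf"
}

# Demo on a constructed copy (not the live /etc/nslcd.conf): directives
# matching this post's settings plus the "tls_reqcert never" line it adds.
demo=$(mktemp)
cat > "$demo" <<'EOF'
uri ldap://ipa.rhce.local/
base dc=rhce,dc=local
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_reqcert never
EOF
audit_nslcd_tls "$demo" || echo "-> weak, hardening"
harden_nslcd_tls "$demo" "$CA_PEM"
audit_nslcd_tls "$demo" && echo "-> hardened"
rm -f "$demo"
```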
Configure Kerberos Authentication
Installation
# yum install -y pam_krb5 krb5-workstation
Configuration
I found that erasing the contents of /etc/krb5.conf helps when configuring Kerberos authentication from scratch:
# > /etc/krb5.conf
Run authconfig in text mode:
# authconfig-tui
On the Authentication Configuration screen, under Authentication, select Use Kerberos to enable Kerberos authentication. In the LDAP Settings screen, do not change anything. In the Kerberos Settings screen, specify the following:
Realm: RHCE.LOCAL
KDC: ipa.rhce.local
Admin Server: ipa.rhce.local
Obtain a Kerberos ticket for the user alice:
# kinit alice
Verify the ticket:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: alice@RHCE.LOCAL
Valid starting     Expires            Service principal
07/05/16 11:21:27  08/05/16 11:21:25  krbtgt/RHCE.LOCAL@RHCE.LOCAL
The resulting /etc/krb5.conf, for reference:
# cat /etc/krb5.conf
[libdefaults]
 default_realm = RHCE.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 RHCE.LOCAL = {
  kdc = ipa.rhce.local
  admin_server = ipa.rhce.local
 }
[domain_realm]
 rhce.local = RHCE.LOCAL
 .rhce.local = RHCE.LOCAL
Test Kerberos Configuration
# su - alice
su: warning: cannot change directory to /home/alice: No such file or directory
$ hostname
srv1.rhce.local
$ kinit
Password for alice@RHCE.LOCAL:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1219400005
Default principal: alice@RHCE.LOCAL
Valid starting     Expires            Service principal
07/05/16 11:25:26  08/05/16 11:25:23  krbtgt/RHCE.LOCAL@RHCE.LOCAL
We should be able to reconnect without giving any password:
$ ssh ipa.rhce.local
Could not create directory '/home/alice/.ssh'.
[...]
Could not chdir to home directory /home/alice: No such file or directory
$ hostname
ipa.rhce.local
Good day @tomas, I have managed to make Kerberos authentication work against FreeIPA and everything checks out very well, except I have one other worry.
Using the yum pam_krb5 workstation-krb5 way, my clients are able to authenticate nicely with no problems. The issue is that the host principal is not automatically added under the Hosts tab when you do the authconfig-tui, that is, if I open the FreeIPA web access.
Which leads me to think that, in the RHCE exam, there might be 2 ways to do it:
1) add the host and nfs principals using ktadd, or
2) the host and nfs principals already exist in the FreeIPA server, so all one needs is to configure the client to authenticate.
I am using FreeIPA 4.2.
Good thinking, both ways are valid.
Thanks for the nice post. I followed both of your articles, this one and the previous one about setting up FreeIPA. Everything worked fine as mentioned in the post. The only thing I find different is that when I log in with an IPA user and issue the “hostname” command, it shows “localhost.localdomain”, not my IPA server’s name.
Any idea why?
Have you set the hostname?
On the client or the FreeIPA server?
On the server which you log into and see “localhost.localdomain”.
I have created a user ‘rumi’. On the server, as user ‘rumi’, when I issue the ‘hostname’ command I see ipa.example.com, but on the client, as user rumi, when I use the hostname command I see localhost.localdomain.
Have you set any hostname on the client?
Nope, I have not touched the hostname on the client. I only edited the /etc/hosts file to point to the IPA server IP.
So now you know the reason it’s coming up as “localhost.localdomain”.
Oh, my mistake. I thought I was supposed to see the hostname of the host to which the IPA user logged in, not the host from which he logged in. Thanks for the help.
Yes, you are supposed to see the hostname of the host you SSH into.
Now I am again confused after your comment. From what I understand, I have logged into the FreeIPA server from the client machine using a user created on the server (no SSH). What am I supposed to see?
How did you log in then? Please provide all commands that you typed, this may help to understand it better.
Here is how the whole setup is going:
They are both running as VMs in VirtualBox (bridged networking).
They are on the LAN 192.168.8.0/24. I have set up the server and the client as you described (all the same commands) in the post. The only difference is that I have used example.com instead of rhce.local.
On the client machine I have edited /etc/resolv.conf to look like yours in the post. Now I have booted the client machine into the multi-user target and logged in on the console as user ‘rumi’, which is not a local account on this machine but a user created in the FreeIPA server.
Now I use the hostname command; what am I supposed to see, the IPA server hostname or the client hostname?
All looks good, you configured your client machine for LDAP authentication. When you log into the client machine, you use an LDAP user (and not a local user as you mentioned). However, you still log into the client VM and not the FreeIPA VM.
Here is the screenshot of my console.
And one more thing, how do I make the content of /etc/resolv.conf permanent? I mean, will the changes I make stay after a reboot?
Thanks
You can instruct NetworkManager to stop modifying DNS settings by placing dns=none into /etc/NetworkManager/NetworkManager.conf. Or you can use a big hammer if truly desperate:
Tomas,
If you set tls_reqcert to never then the server certificate is never checked. The config will work even w/o copying the server certificate.
Thanks.
Thanks for your feedback!
Tomas,
Is it supposed that after the actions described in this article I will be able to connect from a Kerberos client to another Kerberos client via SSH without a password?
For example, I have ipa.example.com, krbclient1.example.com and krbclient2.example.com.
After all the actions described in the article, I can connect to ipa.example.com from either of these two clients (as you wrote in the article). However, when I try to connect from one client to the other, a password is still prompted.
By the way, thank you for your articles!
Thanks