Setting up a FreeIPA Server on RHEL 7

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.

A FreeIPA server provides centralised authentication, authorisation and account information by storing data about user, groups, hosts and other objects necessary to manage the security aspects of a network of computers.

Software

Software used in this article:

1. RedHat Enterprise Linux 7.0
   1. ipa-server 3.3.3
   2. bind-dyndb-ldap 3.5
   3. bind 9.9.4
2. RedHat Enterprise Linux 7.1
   1. ipa-server 4.1.0
   2. bind-dyndb-ldap 6.0
   3. bind 9.9.4
3. RedHat Enterprise Linux 7.2
   1. ipa-server 4.2.0
   2. ipa-server-dns 4.2.0
   3. bind-dyndb-ldap 8.0
   4. bind 9.9.4

Before We Begin

We use a RHEL 7 server on a host-only VirtualBox network. We installed the FreeIPA server on all three RHEL versions, 7.0, 7.1 and 7.2. Apart from package installation (see below), configuration is basically the same.

SELinux is set to enforcing mode. The goal of setting up the FreeIPA server is to prepare for an RHCE, therefore the domain name we are going to use is simply rhce.local:

# hostnamectl set-hostname ipa.rhce.local

Add the following to /etc/hosts, where 10.8.8.70 is the IP of our IPA server:

10.8.8.70  ipa.rhce.local ipa

Our DNS forwarder is the Puppet/Spacewalk server (10.8.8.2) which we configured some time ago when setting up a home lab. It provides DNS, DHCP, NTP, NFS and SMTP services. Feel free to use Google’s public  DNS servers 8.8.8.8 and 8.8.4.4.

FreeIPA Installation

Package Installation on RHEL 7.0 and RHEL 7.1

The dependencies installed together with ipa-server include packages such as 389-ds-base for the LDAP service or krb5-server for the Kerberos service, as well as various identity management tools. The bind-dyndb-ldap package provides an LDAP back-end plug-in for BIND (it installs bind package as a dependency).

# yum install ipa-server bind-dyndb-ldap

Package Installation on RHEL 7.2

As of RHEL 7.2, ipa-server requires us to install ipa-server-dns package for integrated DNS.

# yum install ipa-server bind-dyndb-ldap ipa-server-dns

FreeIPA with DNS

Start the installation of the FreeIPA server, generate a DNS zone if it does not exist already and configure the DNS server:

# ipa-server-install --setup-dns

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Existing BIND configuration detected, overwrite? [no]: yes
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
.
Example: master.example.com.


Server host name [ipa.rhce.local]:

Warning: skipping DNS resolution of host ipa.rhce.local
The domain name has been determined based on the host name.

Please confirm the domain name [rhce.local]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [RHCE.LOCAL]:
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: **********
Password (confirm): **********

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: **********
Password (confirm): **********

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 10.8.8.2
DNS forwarder 10.8.8.2 added
Enter IP address for a DNS forwarder:
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [8.8.10.in-addr.arpa.]:
Using reverse zone 8.8.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      ipa.rhce.local
IP address:    10.8.8.70
Domain name:   rhce.local
Realm name:    RHCE.LOCAL

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    10.8.8.2
Reverse zone:  8.8.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
  [3/22]: stopping certificate server instance to update CS.cfg
  [4/22]: disabling nonces
  [5/22]: set up CRL publishing
  [6/22]: starting certificate server instance
  [7/22]: creating RA agent certificate database
  [8/22]: importing CA chain to RA certificate database
  [9/22]: fixing RA database permissions
  [10/22]: setting up signing cert profile
  [11/22]: set certificate subject base
  [12/22]: enabling Subject Key Identifier
  [13/22]: enabling CRL and OCSP extensions for certificates
  [14/22]: setting audit signing renewal to 2 years
  [15/22]: configuring certificate server to start on boot
  [16/22]: restarting certificate server
  [17/22]: requesting RA certificate from CA
  [18/22]: issuing RA agent certificate
  [19/22]: adding RA agent as a trusted user
  [20/22]: configure certificate renewals
  [21/22]: configure Server-Cert certificate renewal
  [22/22]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/14]: setting mod_nss port to 443
  [2/14]: setting mod_nss password file
  [3/14]: enabling mod_nss renegotiate
  [4/14]: adding URL rewriting rules
  [5/14]: configuring httpd
  [6/14]: setting up ssl
  [7/14]: setting up browser autoconfig
  [8/14]: publish CA cert
  [9/14]: creating a keytab for httpd
  [10/14]: clean up any existing httpd ccache
  [11/14]: configuring SELinux for httpd
  [12/14]: configure httpd ccache
  [13/14]: restarting httpd
  [14/14]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/11]: adding DNS container
  [2/11]: setting up our zone
  [3/11]: setting up reverse zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: setting up CA record
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: restarting named
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Configure firewall to allow traffic:

# firewall-cmd --permanent --add-service={http,https,ldap,ldaps,kerberos,dns,kpasswd,ntp}
# firewall-cmd --reload

Check the rules:

# firewall-cmd --list-services
dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh:

Kerberos Ticket

Obtain a Kerberos ticket for the Kerberos admin user:

# kinit admin

Verify the ticket:

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting     Expires            Service principal
03/05/16 19:07:19  04/05/16 19:07:14  krbtgt/[email protected]

We now have a working FreeIPA service that provides LDAP, Kerberos, DNS and time services (using ntp, not chronyd).

A number of different services were installed together with a FreeIPA server. The ipactl utility can be used to stop, start or restart the entire IdM server:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Content of the file /etc/resolv.conf:

search rhce.local
nameserver 127.0.0.1

Configure FreeIPA for User Authentication

Create FTP

Create of an FTP server to make the certificate and keytab files available.

# yum install -y vsftpd
# systemctl enable vsftpd && systemctl start vsftpd
# firewall-cmd --permanent --add-service=ftp
# firewall-cmd --reload

Copy the CA certificate of the IPA server to the FTP site:

# cp /root/cacert.p12 /var/ftp/pub

Create Users

Set default login shell to Bash:

# ipa config-mod --defaultshell=/bin/bash
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: rhce.local
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=RHCE.LOCAL
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE

Create a couple of users with Kerberos credentials.

# ipa user-add alice --first=alice --last=abernathy --password
Password:
Enter Password again to verify:
------------------
Added user "alice"
------------------
  User login: alice
  First name: alice
  Last name: abernathy
  Full name: alice abernathy
  Display name: alice abernathy
  Initials: aa
  Home directory: /home/alice
  GECOS: alice abernathy
  Login shell: /bin/bash
  Kerberos principal: [email protected]
  Email address: [email protected]
  UID: 1219400005
  GID: 1219400005
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# ipa user-add vince --first=vincent --last=valentine --password
Password:
Enter Password again to verify:
------------------
Added user "vince"
------------------
  User login: vince
  First name: vincent
  Last name: valentine
  Full name: vincent valentine
  Display name: vincent valentine
  Initials: vv
  Home directory: /home/vince
  GECOS: vincent valentine
  Login shell: /bin/bash
  Kerberos principal: [email protected]
  Email address: [email protected]
  UID: 1219400006
  GID: 1219400006
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Configure FreeIPA Server for Kerberised NFS

Obtain a Kerberos ticket before running IdM utilites.

# kinit admin

We need to create a couple of host entries for our test servers, srv1 and srv2. The first one will later be used as an NFS server, and the latter as an NFS client.

Add NFS host machine as a client to the IdM domain:

# ipa host-add --ip-address 10.8.8.71 srv1.rhce.local
----------------------------
Added host "srv1.rhce.local"
----------------------------
  Host name: srv1.rhce.local
  Principal name: host/[email protected]
  Password: False
  Keytab: False
  Managed by: srv1.rhce.local

Add NFS client machine as a client to the IdM domain:

# ipa host-add --ip-address 10.8.8.72 srv2.rhce.local
----------------------------
Added host "srv2.rhce.local"
----------------------------
  Host name: srv2.rhce.local
  Principal name: host/[email protected]
  Password: False
  Keytab: False
  Managed by: srv2.rhce.local

Create the NFS service entry in the IdM domain:

# ipa service-add nfs/srv1.rhce.local
----------------------------------------------
Added service "nfs/[email protected]"
----------------------------------------------
  Principal: nfs/[email protected]
  Managed by: srv1.rhce.local

# ipa service-add nfs/srv2.rhce.local
----------------------------------------------
Added service "nfs/[email protected]"
----------------------------------------------
  Principal: nfs/[email protected]
  Managed by: srv2.rhce.local

Add entry to the keytab file /etc/krb5.keytab:

# kadmin.local
Authenticating as principal admin/[email protected] with password.
kadmin.local:  ktadd nfs/srv1.rhce.local
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv1.rhce.local with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  ktadd nfs/srv2.rhce.local
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/srv2.rhce.local with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  quit

List keys held in a keytab file:

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   1 nfs/[email protected]
   1 nfs/[email protected]
   1 nfs/[email protected]
   1 nfs/[email protected]
   1 nfs/[email protected]
   1 nfs/[email protected]
   1 nfs/[email protected]
   1 nfs/[email protected]

Generate keys to copy over to NFS systems. Make sure we generate the keys but do not save them in the host keytab!

# ipa-getkeytab -s ipa.rhce.local -p nfs/srv1.rhce.local -k /var/ftp/pub/srv1.keytab
# ipa-getkeytab -s ipa.rhce.local -p nfs/srv2.rhce.local -k /var/ftp/pub/srv2.keytab

Make the keytab file accessible to FTP clients as by default only root can read them:

# chmod 644 /var/ftp/pub/*.keytab

FTP access is mainly for those clients which cannot run ipa-getkeytab to create the keytab.

Configure DNS

DNS Zone Transfer

Allow zone transfer from the local network:

# ipa dnszone-mod --allow-transfer=10.8.8.0/24 rhce.local
  Zone name: rhce.local
  Authoritative nameserver: ipa.rhce.local.
  Administrator e-mail address: hostmaster.rhce.local.
  SOA serial: 1462361493
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: 10.8.8.0/24;

DNS Records

We can optionally create some DNS records (required for the sample RHCE exam):

# ipa dnsrecord-add rhce.local vhost1 --ttl=3600 --a-ip-address=10.8.8.71
# ipa dnsrecord-add rhce.local dynamic1 --ttl=3600 --a-ip-address=10.8.8.71

For a central mail server, we are going to need an MX record:

# ipa dnsrecord-add rhce.local @ --mx-rec="0 ipa.rhce.local."
  Record name: @
  MX record: 0 ipa.rhce.local.
  NS record: ipa.rhce.local.

Optional: Sample RHCE Exam Tasks

These below are only required if you’re setting up a FreeIPA server to use with our sample RHCE exam.

The users.txt file will be used for a scripting task:

# cat /var/ftp/pub/users.txt
testuser1
testuser2
testuser3

The file email.sh will be used for a dynamic web content task:

# cat /var/ftp/pub/email.sh
#!/bin/bash
echo "Content-type: text/html";
echo "";
echo "<html>";
echo "<body>";
echo "email from httpd"|mailx -s WebApp root;
echo "Email has been sent.";
echo "</body>";
echo "</html>";

The file index.php will be used for a dynamic web content task:

# cat /var/ftp/pub/index.php
<?php
$dbname = 'shop';
$dbuser = 'john';
$dbpass = 'pass';
$dbhost = 'srv2.rhce.local:5555';
$connect = mysql_connect($dbhost, $dbuser, $dbpass) or die("Unable to Connect to '$dbhost'");
mysql_select_db($dbname) or die("Could not open the db '$dbname'");
$test_query = "SHOW TABLES FROM $dbname";
$result = mysql_query($test_query);
$tblCnt = 0;
while($tbl = mysql_fetch_array($result)) {
  $tblCnt++;
  echo $tbl[0]."<br \>\n";
}
if (!$tblCnt) {
  echo "There are no tables<br \>\n";
} else {
  echo "There are $tblCnt tables<br \>\n";
}

The file app.wsgi will be used for a dynamic web content task:

# cat /var/ftp/pub/app.wsgi
def application(environ, start_response):
    status = '200 OK'
    output = 'This is WSGI application!\n'
    response_headers = [('Content-type', 'text/plain'),
                        ('Content-Length', str(len(output)))]
    start_response(status, response_headers)
    return [output]

Optional: NFS Server for Exported Home Directories

This is quite handy to have configured.

Package Installation and Firewall

Install nfs utilities, enable and start services:

# yum install nfs-utils
# systemctl enable rpcbind && systemctl start rpcbind
# systemctl enable nfs-server && systemctl start nfs-server

Configure firewalld for NFS (rpc-bind, nfs and mountd):

# firewall-cmd --add-service={nfs,mountd,rpc-bind} --permanent
# firewall-cmd --reload

Create Home Directories and Configure Exports

Create home directories for LDAP users alice and vince. Note the user ids and the group numbers:

# mkdir -m0750 -p /home/guests/{alice,vince}
# chown 512400001:512400001 /home/guests/alice/
# chown 512400003:512400003 /home/guests/vince/

Configure NFS exports:

# cat /etc/exports
/home/guests 10.8.8.0/24(rw,sync,no_subtree_check,root_squash)

# exportfs -rav
exporting 10.8.8.0/24:/home/guests

Set default home directory to /home/guests/:

# ipa config-mod --homedirectory=/home/guests
  Maximum username length: 32
  Home directory base: /home/guests
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: rhce.local
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=RHCE.LOCAL
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

Modify the existing LDAP users to point to their new home directory:

# ipa user-mod alice --homedir=/home/guests/alice
---------------------
Modified user "alice"
---------------------
  User login: alice
  First name: alice
  Last name: abernathy
  Home directory: /home/guests/alice
  Login shell: /bin/bash
  Email address: [email protected]
  UID: 512400001
  GID: 512400001
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

# ipa user-mod vince --homedir=/home/guests/vince
---------------------
Modified user "vince"
---------------------
  User login: vince
  First name: vincent
  Last name: valentine
  Home directory: /home/guests/vince
  Login shell: /bin/bash
  Email address: [email protected]
  UID: 512400003
  GID: 512400003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Test from the FreeIPA server (requires no autofs configuration):

# su - alice
Last login: Sun Jul  3 16:20:50 BST 2016 on pts/0
-bash-4.2$ pwd
/home/guests/alice

You are likely to get the following error if the user has a cached session:

su: warning: cannot change directory to /home/alice: No such file or directory

To resolve, simply clear the SSSD cache and update all records:

# sss_cache -E

You will need to configure autofs on any other server which you want to log with an LDAP user from. On a client machine, install autofs:

# yum install autofs nfs-utils

Add the following line to the file /etc/auto.master:

/home/guests  /etc/auto.guests

Create the file /etc/auto.guests with the following content, where 10.8.8.70 is the IP address of the FreeIPA server:

* -rw 10.8.8.70:/home/guests/&

Enable and restart the autofs service:

# systemctl enable autofs && systemctl restart autofs

Try logging in with an LDAP user.