Red Hat IPA Server On Red Hat Enterprise Linux 6


Index

1 Document change history.................................................................................................. 4

2 Introduction and overview..................................................................................................5

2.1 Schematic overview..............................................................................................................6

3 Basic requirements............................................................................................................. 7

3.1 Needed firewall ports............................................................................................................7

4 Installation and configuration of IPA master server........................................................8

4.1 Installation of needed packages...........................................................................................8

4.2 Initial configuration of IPA master.........................................................................................8

4.3 Prepare sync between IPA master and IPA slave................................................................9

4.4 Configure central IPA managed SUDO................................................................................9

5 Installation and configuration of IPA slave server...........................................................9

5.1 Installation of needed packages...........................................................................................9

5.2 Start replication with IPA master...........................................................................................9

5.3 Check replication.................................................................................................................. 9

6 Configure user and password sync between IPA and W2K8 AD controller...............11

6.1 Configure MMC snap in (on all W2K8 AD controllers).......................................................11

6.2 Import IPA CA certificate (on all W2K8 AD controllers)......................................................13

6.3 Import global CA certificate (on all W2K8 AD controllers)................................................. 15

6.4 Create and import self signed W2K8 certificate.................................................................15

6.4.1 Create certificate (on all W2K8 AD controllers)...........................................................15

6.4.2 Import self signed certificate on W2K8 AD controllers................................................17

6.4.3 Verify if LDAP over SSL is working on AD controller..................................................17

6.5 Reboot W2K8 AD controller............................................................................................... 18

7 Configure sync agreement between IPA and W2K8 AD controller..............................19

8 Install and configure Red Hat Pass-Sync tool (on all W2K8 AD controllers).............23

8.1 Install Red Hat Pass-Sync MSI package........................................................................... 23

8.2 Import of IPA CA Cert for Password Sync Tool.................................................................. 24

8.3 Reboot W2K8 AD controller............................................................................................... 24

9 Configure client for IPA user authentication..................................................................24

9.1 Red Hat Enterprise Linux 6................................................................................................ 24

9.1.1 Configure LDAP SUDO settings on client side........................................................... 25

9.2 SuSE Linux Enterprise 11.................................................................................................. 26

9.2.1 Install needed packages..............................................................................................26

9.2.2 Configure LDAPS connection......................................................................................26

9.2.3 Configure Kerberos......................................................................................................26

Title: Red Hat IPA Server on RHEL 6 Author: Frank Reimer Page: 2 of 39

9.2.4 Configure SUDO with LDAPS..................................................................................... 27

9.2.5 Configure NIS domainname........................................................................................ 27

9.2.6 Configure PAM.............................................................................................................28

9.2.7 Edit SSH client and server configuration.....................................................................29

9.2.8 Restrict access for defined users or user groups........................................................29

10 Backup..............................................................................................................................30

11 Troubleshooting / Hints / Advisories.............................................................................31

11.1 After upgrading to RHEL 6.6 replication stopped working............................................... 31

11.2 User home directory will not be created during first login on IPA server itself.................31

11.3 Active Directory password synchronization issues.......................................................... 32

11.4 Disable "Force new password" after AD password synchronization...............................34

12 Appendix A: Howto create your own CA...................................................................... 36

12.1 Install and create your CA................................................................................................36

12.2 Generate certificate request.............................................................................................38

12.3 Sign certificate requests...................................................................................................38


1 Document change history

Version  Date        Author        Description
1.0      2015-04-08  Frank Reimer  Initial start of this document.
1.1      2015-04-09  Frank Reimer  Chapter 12 (Appendix A) added; IPA commands added in chapter 5.3; configuration of the users' default shell added in chapter 4.2.

Used shape gallery for LibreOffice Draw:

VRTnetworkequipment_1.2.0-oo.oxt http://www.vrt.com.au/downloads/vrt-network-equipment


2 Introduction and overview

In principle, central Linux / UNIX user authentication should be provided for every user. In most environments Microsoft's Active Directory is the single point of truth for identity management (IdM). Unfortunately a number of requirements of the Linux / UNIX world are not met by Active Directory, for example:

- Central sudo definitions
- Central host-based access control (currently for Red Hat systems only)
- Central, unique user and group ID management

In this case Red Hat IPA server is the preferred solution to sync users and passwords between the Windows and the Linux / UNIX world. Red Hat IPA server ships with Red Hat Enterprise Linux 6 at no extra charge; only the standard RHEL 6 server YUM repository is needed. IPA is built on standard components (389 Directory Server for LDAP, MIT Kerberos and a Dogtag CA), so nearly every UNIX based system can be connected to it. All user related actions within Active Directory (user creation, deletion, deactivation and password changes) are synced directly to the Red Hat IPA server. This document describes the installation and configuration of Red Hat IPA server with a one-way sync from Active Directory to IPA. It also shows how to use certificates issued by a CA of your own for the synchronization between IPA and Active Directory (the document refers to these as "self signed"); a central Certification Authority (CA) can of course be used instead if one is in place.

Unfortunately the domain trust feature of Red Hat IPA on RHEL 6 is only a technology preview, so this document uses synchronization instead. For availability reasons it is recommended to install at least three Red Hat IPA servers for each Active Directory domain you want to sync with. All IPA servers involved in an Active Directory domain sync replicate with each other. In this document one of the IPA servers is logically defined as the IPA master server, even though the IPA servers run in active-active mode. The IPA master server is synced with only one Windows 2008 R2 AD controller (even if there is more than one AD controller per AD domain).

Afterwards all W2K8 AD controllers get a password sync tool installed which syncs user passwords to the IPA master server. In general this environment runs in a so called multi-master mode because of the sync agreements between IPA and the AD controller and between all IPA servers. All Linux / UNIX clients authenticate to two IPA servers for availability reasons. The third IPA server is used for backup purposes: because no IPA client connects to it, you can stop all IPA services on the third IPA server and make consistent backups of the whole server.

In this documentation the needed servers and clients are named as follows:

W2K8 master domain controller: ad.testlab.local
IPA master: ipa01.testlab.local
IPA second master: ipa02.testlab.local
IPA backup: ipa03.testlab.local
Linux / UNIX client: client01.testlab.local

Attention: replace the domain part of these FQDNs with the appropriate customer domain name.


2.1 Schematic overview

[Diagram: the AD domain controller ad.testlab.local syncs AD users / passwords to the Red Hat IPA servers. The IPA master ipa01.testlab.local, the IPA slave (replica) ipa02.testlab.local and the IPA backup (replica) ipa03.testlab.local replicate with each other. The Linux / UNIX server client01.testlab.local authenticates against the IPA servers.]

3 Basic requirements

Some basic requirements must be met to get IPA server with AD user / password synchronization up and running.

1. Three Red Hat Enterprise Linux 6 servers with a "@Base" installation.
2. Working DNS: all server names must be resolvable by their full FQDN within the domain.
3. NTP: all servers must be time synced with a central NTP server (Kerberos tolerates only a few minutes of clock skew).
4. A CA that signs the certificates used for LDAPS between IPA and Active Directory. This document uses a private CA of its own and calls its certificates "self signed"; Appendix A describes how to create such a CA if no central CA is in place. Create the CA first, before you start installing IPA.
5. Windows 2008 R2 Active Directory with an AD sync user which IPA uses to connect to the AD controller, with the following permissions:
   a. Grant the sync user account "Replicating Directory Changes" rights on the appropriate Active Directory subtree.
   b. Add the AD sync user to the groups "Account Operators" and "Enterprise Read-only Domain Controllers". It is not necessary for the AD sync user to be a member of the Domain Admins group.

3.1 Needed firewall ports

Source                         Destination                    Port        Type     Description
Admin portal                   IPA (master / second master)   443         TCP      IPA web GUI
IPA master                     IPA second master              7389        TCP      IPA replication (CA directory instance)
IPA master                     IPA second master              9443-9445   TCP      IPA replication (CA)
IPA second master              IPA master                     7389        TCP      IPA replication (CA directory instance)
IPA second master              IPA master                     9443-9445   TCP      IPA replication (CA)
IPA (master / second master)   AD controller                  389         TCP      LDAP
IPA (master / second master)   AD controller                  636         TCP      LDAPS
IPA (master / second master)   AD controller                  88          TCP/UDP  Kerberos
IPA (master / second master)   AD controller                  464         TCP/UDP  Kerberos (kpasswd)
AD controller                  IPA (master / second master)   389         TCP      LDAP
AD controller                  IPA (master / second master)   636         TCP      LDAPS (PassSync)
AD controller                  IPA (master / second master)   88          TCP/UDP  Kerberos
AD controller                  IPA (master / second master)   464         TCP/UDP  Kerberos (kpasswd)
IPA client                     IPA (master / second master)   389         TCP      LDAP
IPA client                     IPA (master / second master)   636         TCP      LDAPS
IPA client                     IPA (master / second master)   88          TCP/UDP  Kerberos
IPA client                     IPA (master / second master)   464         TCP/UDP  Kerberos (kpasswd)

Note: the table lists the ports the procedure in this document opens explicitly. In addition, replication of the main IPA directory between the IPA servers runs over LDAP/LDAPS (389 and 636 TCP, in both directions), and clients fetch the CA certificate and reach the web GUI over 80/443 TCP (see chapter 9.2.2). Ports 7389 and 9443-9445 belong to the CA's own directory instance and the Dogtag CA.

4 Installation and configuration of IPA master server

This section describes the initial installation and configuration steps which are needed on the IPA master server. In the context of this documentation the IPA master server is called "ipa01.testlab.local".

4.1 Installation of needed packages

Install the appropriate packages for the IPA server:

yum install ipa-server ipa-admintools

4.2 Initial configuration of IPA master

The initial configuration of the IPA master is quite easy:

ipa-server-install -r TESTLAB.LOCAL -n testlab.local -p <some-password> -a <some-password> --hostname ipa01.testlab.local -N --idstart=10000 --idmax=99999 -U

The meaning of the options is as follows:

-r REALM_NAME   Kerberos realm name
-n DOMAIN_NAME  DNS domain name
-p              Password of the Directory Manager (cn=Directory Manager), needed later for ldapmodify / ldappasswd
-a              Password of the IPA "admin" user (Kerberos)
--hostname      FQDN of the IPA master server
-N              Do not configure NTP
--idstart       IPA user and group ID management starts with this ID
--idmax         IPA user and group ID management ends with this ID
-U              Unattended installation, no interactive questions

Use two different passwords for -p and -a: the Directory Manager account bypasses all IPA access controls, so its password should not be the same as the admin user's.

Now change the users' default shell to whatever you like (default is /bin/sh):

kinit admin
ipa config-mod --defaultshell=/bin/bash


4.3 Prepare sync between IPA master and IPA slave

On the IPA master perform the following steps to prepare the replication agreement between the IPA master and the IPA slave:

ipa-replica-prepare ipa02.testlab.local

scp /var/lib/ipa/replica-info-ipa02.testlab.local.gpg root@ipa02.testlab.local:/var/lib/ipa/

The first step creates the replica information file for the IPA slave server. In the second step the file is copied to the IPA slave server.

Attention: each replica information file is created in the /var/lib/ipa/ directory as a GPG-encrypted file. It contains private keys and credentials for the new replica, so delete it on the master as soon as it has been copied, and on the slave as soon as the replica installation in chapter 5.2 has succeeded.

4.4 Configure central IPA managed SUDO

Set a bind password for the IPA sudo system account; the clients use it afterwards to read the sudo rules (chapters 9.1.1 and 9.2.4). On the first IPA master perform the following command (-S prompts for the new password, -W for the Directory Manager password):

ldappasswd -x -S -W -h ipa01.testlab.local -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=testlab,dc=local

5 Installation and configuration of IPA slave server

The installation and configuration of the IPA slave server, which is called ipa02.testlab.local, is as easy as the installation and configuration of the IPA master server.

5.1 Installation of needed packages

Install the appropriate packages for the IPA server:

yum install ipa-server ipa-admintools

5.2 Start replication with IPA master

It takes only one step to get the replication up and running:

ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa02.testlab.local.gpg

5.3 Check replication

You can check whether replication is working as expected in two ways. First perform the following command on both IPA servers:

ipa-replica-manage list

Then add a test user on one of the IPA servers. The user should be replicated to all other IPA servers. If this works, delete the test user and proceed with the next steps.

On the IPA master server add one user as follows:

kinit admin
ipa user-add test --first=Test --last=User --password

Now check on the IPA slave server whether the user exists there as well:

kinit admin
ipa user-show test

You should see output similar to this:

  User login: test
  First name: Test
  Last name: User
  Home directory: /home/test
  Login shell: /bin/bash
  Email address: test@testlab.local
  UID: 10001
  GID: 10001
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Perform this check on all IPA servers that replicate with each other. You can delete the test user if your checks were successful:

ipa user-del test


6 Configure user and password sync between IPA and W2K8 AD controller

6.1 Configure MMC snap-in (on all W2K8 AD controllers)

1. On the W2K8 master AD controller start the MMC with "Start - Run - mmc". Once the MMC is started click on "Add/Remove Snap-in". Activate
2. Select "Certificates".
3. Select "Computer account" and then "Local computer".
4. Save the newly created MMC on the Administrator's desktop as "Certificates (local computer)".

6.2 Import IPA CA certificate (on all W2K8 AD controllers)

1. Copy the CA certificate from the IPA master (/etc/ipa/ca.crt) to each W2K8 domain controller you want to have a sync agreement with. In this document all needed certificates are saved in "C:\Temp\certs", but this could be any other place on the Windows server. The CA certificate from ipa01.testlab.local is named ipa01.crt on the W2K8 domain controller (only for a better overview).
2. Open the newly created MMC mentioned in "Configure MMC snap-in".
3. Expand the view and open "Trusted Root Certification Authorities". Right click on the "Certificates" folder and select "Import".
4. Select the CA certificate from ipa01.testlab.local.
5. Place the certificate in the "Trusted Root Certification Authorities" store.
6. A new certificate is shown, simply named "Certificate Authority".

6.3 Import global CA certificate (on all W2K8 AD controllers)

Perform the same steps as in chapter 6.2. In the context of this documentation the global CA certificate is named "global-ca.crt" and should also be saved in "C:\Temp\certs" on all W2K8 AD controllers.

6.4 Create and import self signed W2K8 certificate

To get Active Directory up and running with LDAP over SSL, a server certificate has to be created for each domain controller and signed by your CA (this document calls these certificates "self signed"). To get the sync between IPA and the AD controller up and running perform the following steps:

6.4.1 Create certificate (on all W2K8 AD controllers)

1. First a certificate request must be created. Create a file called "request.inf" in C:\Temp\certs with the following content. Replace "CN=<FQDN of AD controller>" with the FQDN of the AD controller on which you generate the request:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<FQDN of AD controller>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048 ; Can be 1024, 2048, 4096, 8192, or 16384.
; 1024-bit RSA keys are no longer considered secure; use at least 2048.
; Larger key sizes are more secure, but have a greater impact on performance.
Exportable = TRUE ; set to FALSE if the private key never needs to leave this DC
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; digital signature + key encipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

2. Now open a command line (cmd) and go to C:\Temp\certs.
3. Start the certificate request: "certreq -new request.inf request.req"
4. A new certificate request called "request.req" is created. Transfer this file to your global CA server and issue a certificate based on this request. Name the new certificate for the AD controller after the short hostname of the AD controller, "<shortname>.crt" (in the context of this documentation it is "ad.crt"). Appendix A describes how to create your own CA to sign certificate requests if no central CA is in place.
5. Copy the newly created certificate "ad.crt" to the W2K8 AD controller into C:\Temp\certs.
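As an added example, not part of the original document, the following bash script does the CA side of step 4 with OpenSSL in a scratch directory: it creates a private CA, generates a request equivalent to the one certreq produces on the DC (CN=ad.testlab.local; the real request.req from the DC would replace it), issues a certificate with the Server Authentication EKU and a matching subjectAltName, checks that the result chains to the CA and actually carries that EKU, and creates the <subject_hash>.0 link that cacertdir_rehash produces for the TLS_CACERTDIR used in chapter 7. The names, key sizes and validity periods are assumptions.

```shell
# Added example, not from the original document: act as the "global CA" that
# signs the AD controller's PKCS#10 request and check the result the way the
# IPA side will consume it. Assumes openssl(1); all names are placeholders
# taken from the document's test lab.

# Create a private CA (key + self-signed root). $1 = work dir, $2 = CA name
make_ca() {
    local dir="$1" cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=$cn" >/dev/null 2>&1
}

# Stand-in for "certreq -new request.inf request.req" on the DC: a PKCS#10
# request with CN=<FQDN of AD controller>. $1 = work dir, $2 = FQDN
make_request() {
    local dir="$1" fqdn="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$fqdn.key" -out "$dir/request.req" -subj "/CN=$fqdn" >/dev/null 2>&1
}

# Issue the server certificate. The request only carries the subject; the EKU
# (serverAuth, OID 1.3.6.1.5.5.7.3.1) and a SAN are set here, as a CA should.
# $1 = work dir, $2 = FQDN, $3 = output name (e.g. ad.crt)
sign_request() {
    local dir="$1" fqdn="$2" out="$3"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/request.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$dir/ext.cnf" \
        -out "$dir/$out" >/dev/null 2>&1
}

# 0 only if the certificate chains to ca.crt AND carries the serverAuth EKU
# (a chain that verifies but lacks serverAuth is still refused by TLS clients).
verify_server_cert() {
    local dir="$1" cert="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$cert" 2>/dev/null | grep -q ': OK$' || return 1
    openssl x509 -in "$dir/$cert" -noout -text | grep -q 'TLS Web Server Authentication'
}

# What cacertdir_rehash does for a TLS_CACERTDIR: link <subject_hash>.0 to the
# CA file so libldap can find it. Prints the hash. $1 = work dir, $2 = CA file
rehash_cacert() {
    local dir="$1" cert="$2" hash
    hash=$(openssl x509 -noout -subject_hash -in "$dir/$cert") || return 1
    ln -sf "$cert" "$dir/$hash.0"
    printf '%s\n' "$hash"
}

# End-to-end run in a scratch directory; prints that directory.
demo_ca_flow() {
    local dir
    dir=$(mktemp -d) || return 1
    make_ca "$dir" "Testlab Global CA" &&
    make_request "$dir" "ad.testlab.local" &&
    sign_request "$dir" "ad.testlab.local" "ad.crt" &&
    verify_server_cert "$dir" "ad.crt" &&
    rehash_cacert "$dir" "ca.crt" >/dev/null &&
    printf '%s\n' "$dir"
}
```

The verification step is the part worth keeping around: run verify_server_cert against the ad.crt you receive from a real CA before copying it to the DC, because a certificate that lacks the serverAuth EKU or does not chain to the CA in /etc/openldap/cacerts will make the LDAPS test in chapter 6.4.3 and the agreement in chapter 7 fail with unhelpful errors.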


6.4.2 Import the signed certificate on the W2K8 AD controllers

1. Open the MMC created in chapter 6.1.
2. Import the signed certificate (ad.crt) into the "Personal" store. The private key was created on this machine in step 1 of chapter 6.4.1 (MachineKeySet = TRUE), so the certificate is paired with it; the command line equivalent is "certreq -accept ad.crt".

6.4.3 Verify that LDAP over SSL is working on the AD controller

1. Start the LDAP browser: Start - Run - ldp.
2. Open an SSL connection to localhost (port 636, "SSL" checked).
3. The output should show a successful connection. If it fails, the certificate in the "Personal" store either does not match the DC's FQDN, lacks the Server Authentication EKU, or has not been picked up yet (see chapter 6.5).

6.5 Reboot W2K8 AD controller

Reboot the AD controller now so that LDAPS picks up the new certificate.


7 Configure sync agreement between IPA and W2K8 AD controller

The sync agreement for user synchronisation is only configured between the IPA master server and the W2K8 master AD controller. On the IPA master ipa01.testlab.local perform the following steps:

1. mkdir /etc/openldap/cacerts/
2. Copy the W2K8 certificate (ad.crt, created in chapter 6.4.1) to /etc/openldap/cacerts/.
3. Copy the IPA CA certificate /etc/ipa/ca.crt to /etc/openldap/cacerts/.
4. Copy the global CA certificate to /etc/openldap/cacerts/.
5. You should now have the following certificates saved under /etc/openldap/cacerts:

[root@ipa01 cacerts]# pwd
/etc/openldap/cacerts
[root@ipa01 cacerts]# ll
total 12
-rw-r--r--. 1 root root 1168  6. Jan 13:16 ad.crt
-r--r--r--. 1 root root 1321  6. Jan 13:16 ca.crt
-rw-r--r--. 1 root root 1436  6. Jan 13:18 global-ca.pem

6. Now create the hash links for all certificates saved in /etc/openldap/cacerts/ (libldap looks CA certificates up by subject hash when TLS_CACERTDIR is used):

cacertdir_rehash /etc/openldap/cacerts/

7. vi /etc/openldap/ldap.conf
   a. Comment out the following line: # TLS_CACERT /etc/ipa/ca.crt
   b. Add: TLS_CACERTDIR /etc/openldap/cacerts/
   c. Add: TLS_REQCERT allow

Caveat: with TLS_REQCERT allow the OpenLDAP client library accepts a missing or unverifiable server certificate, so the ldapsearch test in step 8 does not prove that the AD certificate chain is correct. Run step 8 with the default (TLS_REQCERT demand) first and only fall back to allow to debug a failing chain; set it back to demand afterwards. The directory server's own replication connection to AD uses its NSS certificate database, into which step 9 imports the --cacert file, and is not affected by this setting.

8. Test the LDAP connection to the W2K8 domain controller:

ldapsearch -x -H ldap://ad.testlab.local -D "cn=Administrator,cn=Users,dc=testlab,dc=local" -W -b "dc=testlab,dc=local" -ZZ

9. Now create the sync agreement:

ipa-replica-manage connect --winsync --binddn cn=<ad-sync-user>,cn=users,dc=testlab,dc=local --bindpw <ad-sync-user-password> --passsync <pwd-for-password-sync> --cacert /etc/openldap/cacerts/global-ca.pem ad.testlab.local -v

Hint: the AD sync user is the account described in chapter 3, requirement 5. The --passsync value becomes the password of the IPA system account uid=passsync,cn=sysaccounts,cn=etc,dc=testlab,dc=local and is needed again when installing PassSync in chapter 8.1. Both passwords appear on the command line and therefore in the shell history and the process list; clear the history afterwards.

10. If the agreement was created successfully, a message like this is shown:

Added CA certificate /etc/openldap/cacerts/global-ca.pem to certificate database for ipa01.testlab.local
ipa: INFO: AD Suffix is: DC=testlab,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testlab,dc=local
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'ipa01.testlab.local' to 'ad.testlab.local'

11. Start the user replication from AD to the IPA master server:

ipa-replica-manage re-initialize --from ad.testlab.local

12. To test the sync agreement, search for a replicated AD user on the IPA master:

kdestroy
kinit admin
ipa user-show <some-w2k8-ad-user>

13. To use only one-way sync from AD to IPA, the following configuration needs to be performed on the IPA master (-W prompts for the Directory Manager password instead of exposing it on the command line):

ldapmodify -x -D "cn=directory manager" -W -p 389 -h ipa01.testlab.local -ZZ

dn: cn=meToad.testlab.local,cn=replica,cn=dc\3Dtestlab\2Cdc\3Dlocal,cn=mapping tree,cn=config
changetype: modify
add: oneWaySync
oneWaySync: fromWindows

(Type the LDIF above, finish with an empty line and Ctrl-D.)

14. Restart dirsrv on the IPA master (the agreement exists only there):

service dirsrv restart

15. Check the LDAP settings made in step 13 and search for "meToad":

ldapsearch -xLLL -D "cn=directory manager" -W -p 389 -h ipa01.testlab.local -b cn=config objectclass=* -ZZ | less

The output should be similar to this (look for oneWaySync: fromWindows):

dn: cn=meToad.testlab.local,cn=replica,cn=dc\3Dtestlab\2Cdc\3Dlocal,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: cn=Users,DC=testlab,DC=local
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=testlab,dc=local
cn: meToad.testlab.local
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to ad.testlab.local
nsDS5ReplicaRoot: dc=testlab,dc=local
nsDS5ReplicaHost: ad.testlab.local
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=administrator,cn=users,dc=testlab,dc=local
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: testlab.local
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials: {DES}+bVtMljz/SzP5Ozy8WhI5A==
nsds7DirsyncCookie:: TVNEUwMAAAAgTqrch3rPAQAAAAAAAAAAKAAAAGWAAAAAAAAAAAAAAAAAAABlgAAAAAAAAGAo6h4RvnlNp17tTSv4gawBAAAAAAAAAAEAAAAAAAAAYCjqHhG+eU2nXu1NK/iBrGeAAAAAAAAA
nsds50ruv: {replicageneration} 53838f8d000000040000
nsds50ruv: {replica 4 ldap://ipa01.testlab.local:389} 53839014000000040000 5385fb90000000040000
nsds50ruv: {replica 3 ldap://ipa02.testlab.local:389} 53838f91000000030000 5385ef39000700030000
nsruvReplicaLastModified: {replica 4 ldap://ipa01.testlab.local:389} 5385fb90
nsruvReplicaLastModified: {replica 3 ldap://ipa02.testlab.local:389} 00000000
oneWaySync: fromWindows
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20140528151655Z
nsds5replicaLastUpdateEnd: 20140528151655Z
nsds5replicaChangesSentSinceStartup:: NDoxNS8wIA==
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20140528151603Z
nsds5replicaLastInitEnd: 20140528151603Z
nsds5replicaLastInitStatus: 0 Total update succeeded

Two things in this output deserve attention. nsDS5ReplicaBindDN is the AD account the agreement binds with (here Administrator, whereas chapter 3 recommends a dedicated, least-privileged sync user). nsDS5ReplicaCredentials holds that account's password reversibly obfuscated, not hashed, because the directory server must present it to AD on every connection; anyone with Directory Manager rights can recover it, which is one more reason to use a dedicated account with only the permissions from chapter 3.
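Steps 13 to 15 leave it to the reader to eyeball the ldapsearch output. As an added example, not part of the original document, the following bash functions do that check mechanically: they unfold the LDIF, pull out the attributes that matter for this setup and fail if the agreement is not one-way from Windows, not TLS-protected, or reported an error on its last update. The sample entry inside the block is constructed from the document's own output and abridged; the attribute names are the 389 Directory Server ones shown there.

```shell
# Added example, not from the original document: check the winsync agreement
# entry (as printed by the ldapsearch in step 15) for the properties this setup
# depends on. Attribute names are those in the document's own output; the sample
# entry below is constructed from it and shortened.

# LDIF folds long values onto continuation lines that start with one space;
# join them so every attribute is a single line.
unfold_ldif() {
    awk 'NR > 1 && /^ / { sub(/^ /, ""); buf = buf $0; next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (buf != "") print buf }'
}

# Print the (first) value of attribute $1 from unfolded LDIF on stdin.
# LDAP attribute names are case-insensitive, so compare in lower case.
ldif_attr() {
    awk -v a="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'index(tolower($0), a ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# 0 only if: sync is one-way from Windows, the transport is TLS (the bind is a
# simple bind, so the AD sync user's password would otherwise cross the wire
# in clear), the last incremental update ended with status 0, and no update
# is stuck. $1 = file holding the agreement entry in LDIF.
check_winsync_agreement() {
    local f="$1" u oneway transport status inprog
    u=$(unfold_ldif < "$f")
    oneway=$(printf '%s\n' "$u" | ldif_attr oneWaySync)
    transport=$(printf '%s\n' "$u" | ldif_attr nsDS5ReplicaTransportInfo)
    status=$(printf '%s\n' "$u" | ldif_attr nsds5replicaLastUpdateStatus)
    inprog=$(printf '%s\n' "$u" | ldif_attr nsds5replicaUpdateInProgress)

    [ "$oneway" = "fromWindows" ] ||
        { echo "oneWaySync is '${oneway:-unset}', expected fromWindows (step 13 not applied?)"; return 1; }
    [ "$transport" = "TLS" ] ||
        { echo "nsDS5ReplicaTransportInfo is '${transport:-unset}', expected TLS"; return 1; }
    case "$status" in
        0*|"Error (0)"*) ;;   # older and newer 389-ds status formats
        *) echo "last update status: '${status:-unset}'"; return 1 ;;
    esac
    [ "$inprog" = "FALSE" ] ||
        { echo "update still in progress (nsds5replicaUpdateInProgress=${inprog:-unset})"; return 1; }
    echo "winsync agreement healthy: $(printf '%s\n' "$u" | ldif_attr cn)"
}

# Constructed sample, abridged from the document's own ldapsearch output.
sample_agreement_ldif() {
    cat <<'EOF'
dn: cn=meToad.testlab.local,cn=replica,cn=dc\3Dtestlab\2Cdc\3Dlocal,cn=mapping
  tree,cn=config
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
cn: meToad.testlab.local
nsDS5ReplicaHost: ad.testlab.local
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: TLS
nsDS5ReplicaBindMethod: simple
nsds7WindowsReplicaSubtree: cn=Users,DC=testlab,DC=local
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=testlab,dc=local
nsds7NewWinUserSyncEnabled: true
nsds7NewWinGroupSyncEnabled: false
oneWaySync: fromWindows
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaLastInitStatus: 0 Total update succeeded
EOF
}
```

Against a live master, dump the agreement first and then run the check, for example: ldapsearch -xLLL -D "cn=directory manager" -W -h ipa01.testlab.local -b cn=config '(objectClass=nsDSWindowsReplicationAgreement)' -ZZ > /tmp/winsync.ldif; check_winsync_agreement /tmp/winsync.ldif. The same function works as a cron or monitoring probe, which is how a forgotten step 13 (two-way sync writing IPA changes back into AD) gets noticed before it matters.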

Title: Red Hat IPA Server on RHEL 6 Author: Frank Reimer Page: 22 of 39

8 Install and configure Red Hat PassSync tool (on all W2K8 AD controllers)

HINT: the password sync tool offered by Red Hat has a limitation: a user is only able to log in to a Linux / UNIX server once he has changed his AD password after PassSync was installed. Password hashes are not readable from Active Directory over LDAP, so the winsync agreement cannot copy them; PassSync instead hooks password changes on the domain controller and sends the new clear-text password to IPA over LDAPS. Passwords of users that existed before PassSync was installed therefore reach IPA only when they are changed.

8.1 Install Red Hat PassSync MSI package

1. Download RedHat-PassSync-1.1.5-x86_64.msi from Red Hat Enterprise Network (Red Hat Enterprise Linux 6 base channel).
2. Copy the MSI package to all W2K8 AD controllers.
3. Start the installation by double clicking RedHat-PassSync-1.1.5-x86_64.msi and fill in the installer fields as follows:

Host Name: FQDN of the IPA master server
Port Number: 636 (LDAP over SSL)
User Name: uid=passsync,cn=sysaccounts,cn=etc,dc=testlab,dc=local
Password: the sync password defined in chapter 7 step 9 ("... --passsync ...")
Cert Token: not needed
Search Base: cn=users,cn=accounts,dc=testlab,dc=local


8.2 Import the IPA CA certificate for the Password Sync tool

To get the Red Hat Password Sync tool up and running you need to import the IPA CA certificate into the Password Sync certificate store, otherwise the LDAPS connection to the IPA master fails. The following steps must be performed on all W2K8 AD controllers:

1. Open a command line on the W2K8 AD controller.
2. Go to the directory "c:\Program Files\Red Hat Directory Password Synchronization" and run:

c:\Program Files\Red Hat Directory Password Synchronization>certutil.exe -d . -A -n "RHEL6 IPA CA" -t CT,, -a -i c:\Temp\certs\ipa01.crt

(This certutil.exe is the NSS tool shipped with PassSync, not the Windows certutil; the trust flags "CT,," mark the certificate as a trusted CA for SSL.)

3. Start the service "Password Synchronization".
4. Check the log file "c:\Program Files\Red Hat Directory Password Synchronization\passsync.log".

8.3 Reboot W2K8 AD controller

Reboot the Windows server now. Otherwise the DLLs provided by Red Hat PassSync (the password filter) are not registered in Windows.

9 Configure client for IPA user authentication

9.1 Red Hat Enterprise Linux 6

Getting user authentication with IPA to work on Red Hat Enterprise Linux is very easy. Only a few actions on the client server are needed:

1. Install ipa-client on client01.testlab.local:

yum install ipa-client

2. Configure the IPA client to communicate with both IPA servers:

ipa-client-install --domain=testlab.local --realm=TESTLAB.LOCAL --server=ipa01.testlab.local --server=ipa02.testlab.local -p admin -w <ipa-admin-password> --mkhomedir -N -U

(-W instead of -w prompts for the admin password and keeps it out of the shell history.)

9.1.1 Configure LDAP SUDO settings on client side

To use the central IPA SUDO configuration perform the following steps on a RHEL client:

echo "sudoers: files ldap" >> /etc/nsswitch.conf
echo "NISDOMAIN=testlab.local" >> /etc/sysconfig/network

HINT: this only works with RHEL 5.10 and later and RHEL 6.4 and later. Otherwise you need to add "nisdomainname testlab.local" to /etc/rc.d/rc.local.

Create the LDAP configuration file as follows:

cat << EOF > /etc/sudo-ldap.conf
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=testlab,dc=local
bindpw <password set in chapter 4.4>
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://ipa01.testlab.local ldap://ipa02.testlab.local
sudoers_base ou=SUDOers,dc=testlab,dc=local
EOF

Restrict the permissions on /etc/sudo-ldap.conf, since it contains the bind password:

chmod 600 /etc/sudo-ldap.conf


9.2 SuSE Linux Enterprise 11

ATTENTION: all related configuration is done manually. DO NOT USE YAST TO CONFIGURE KERBEROS AND LDAP!

9.2.1 Install needed packages

zypper install pam_ldap nss_ldap pam_ldap-32bit nss_ldap-32bit pam_krb5 krb5-client pam_krb5-32bit

9.2.2 Configure LDAPS connection

Replace the contents of /etc/openldap/ldap.conf with the following entries:

uri ldap://ipa01.testlab.local ldap://ipa02.testlab.local
base dc=testlab,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/ca.crt

Create the directory for the IPA CA certificate:

mkdir -p /etc/openldap/cacerts

Download the needed certificate from the IPA server:

wget -O /etc/openldap/cacerts/ca.crt http://ipa01.testlab.local/ipa/config/ca.crt

Note: this download is plain HTTP and therefore unauthenticated. Before trusting the file, compare it with /etc/ipa/ca.crt on the IPA server (by checksum or certificate fingerprint); a CA certificate swapped on the way would let an attacker impersonate the IPA servers to this client.

9.2.3 Configure Kerberos

Replace the contents of /etc/krb5.conf with the following entries:

[libdefaults]
default_realm = TESTLAB.LOCAL
clockskew = 300

[realms]
TESTLAB.LOCAL = {
    kdc = ipa01.testlab.local
    kdc = ipa02.testlab.local
    admin_server = ipa01.testlab.local
    admin_server = ipa02.testlab.local
    default_domain = testlab.local
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
.testlab.local = TESTLAB.LOCAL

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    minimum_uid = 1
    clockskew = 300
    external = sshd
    use_shmem = sshd
}

9.2.4 Configure SUDO with LDAPS

Replace the contents of /etc/ldap.conf with the following entries (the bind password is the one set in chapter 4.4):

binddn uid=sudo,cn=sysaccounts,cn=etc,dc=testlab,dc=local
bindpw <password set in chapter 4.4>
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.crt
tls_checkpeer yes
uri ldap://ipa01.testlab.local ldap://ipa02.testlab.local
sudoers_base ou=SUDOers,dc=testlab,dc=local
bind_timelimit 5
timelimit 30

Restrict the permissions on /etc/ldap.conf, since it contains the bind password:

chmod 600 /etc/ldap.conf
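As an added example, not part of the original document, and covering both the RHEL /etc/sudo-ldap.conf from chapter 9.1.1 and the SLES /etc/ldap.conf above (same syntax): a bash helper that writes the file with the document's values so that it is never world-readable, and a checker that audits an existing file for the settings that protect the bind password and the sudo rules (file mode, TLS on every URI, peer verification, a readable CA file, a real bind password and a sudoers base). The paths and the bind password in the test are placeholders.

```shell
# Added example, not from the original document: write and audit an LDAP sudoers
# client configuration (/etc/sudo-ldap.conf on RHEL, /etc/ldap.conf on SLES;
# same syntax). Paths and passwords passed in are placeholders.

# Write the configuration from the document with a given bind password and CA
# file. The file is created under umask 077 so it is never readable by others,
# not even between creation and the chmod.
# $1 = path, $2 = bind password of uid=sudo, $3 = CA certificate file
write_sudo_ldap_conf() {
    local path="$1" bindpw="$2" cafile="$3"
    (
        umask 077
        cat > "$path" <<EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=testlab,dc=local
bindpw $bindpw
ssl start_tls
tls_cacertfile $cafile
tls_checkpeer yes
uri ldap://ipa01.testlab.local ldap://ipa02.testlab.local
sudoers_base ou=SUDOers,dc=testlab,dc=local
EOF
    ) && chmod 600 "$path"
}

# Value of key $1 in config file $2 (first match; keys are case-insensitive).
conf_val() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Audit $1. Prints one line per finding; returns 0 only if everything passes.
audit_sudo_ldap_conf() {
    local f="$1" rc=0 mode ssl uri u peer cafile pw base
    [ -f "$f" ] || { echo "$f: file missing"; return 1; }

    # bindpw is a shared secret: whoever can read the file can read the sudo
    # rules of every host and impersonate the sudo bind account.
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600 (bindpw is exposed)"; rc=1 ;;
    esac

    # Every URI must use TLS: ldaps://, or ldap:// together with ssl start_tls.
    # Otherwise the bind and the rules cross the network in clear text.
    ssl=$(conf_val ssl "$f")
    uri=$(conf_val uri "$f")
    [ -n "$uri" ] || { echo "$f: no uri configured"; rc=1; }
    for u in $uri; do
        case "$u" in
            ldaps://*) ;;
            ldap://*) [ "$ssl" = "start_tls" ] ||
                          { echo "$f: $u used without 'ssl start_tls'"; rc=1; } ;;
            *) echo "$f: unexpected uri '$u'"; rc=1 ;;
        esac
    done

    # TLS without peer verification accepts any certificate, so a spoofed
    # IPA server could hand out its own sudo rules.
    peer=$(conf_val tls_checkpeer "$f")
    [ "$peer" = "yes" ] || { echo "$f: tls_checkpeer is '${peer:-unset}', expected yes"; rc=1; }
    cafile=$(conf_val tls_cacertfile "$f")
    { [ -n "$cafile" ] && [ -r "$cafile" ]; } ||
        { echo "$f: tls_cacertfile '${cafile:-unset}' is not readable"; rc=1; }

    # A missing or placeholder bindpw does not fail loudly: sudo simply sees
    # no LDAP rules and silently falls back to the local sudoers file.
    pw=$(conf_val bindpw "$f")
    case "$pw" in
        ""|"<"*) echo "$f: bindpw unset or still a placeholder"; rc=1 ;;
    esac
    base=$(conf_val sudoers_base "$f")
    [ -n "$base" ] || { echo "$f: sudoers_base unset"; rc=1; }

    [ "$rc" -eq 0 ] && echo "$f: OK"
    return "$rc"
}
```

Run audit_sudo_ldap_conf /etc/sudo-ldap.conf (RHEL) or audit_sudo_ldap_conf /etc/ldap.conf (SLES) after editing the file, and again from configuration management: the failure mode of a broken sudo LDAP setup is not an error message but a host that quietly stops applying the central rules.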

9.2.5 Configure NIS domainname

Configure nisdomainname on runtime:

nisdomainname testlab.local


Also add the following to /etc/sysconfig/network/config so that the nisdomainname is also configured after a reboot:

NETCONFIG_NIS_STATIC_DOMAIN="testlab.local"

9.2.6 Configure PAM

Edit /etc/pam.d/common-account as follows:

account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass

Edit /etc/pam.d/common-auth as follows:

auth required pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

Edit /etc/pam.d/common-password as follows:

password requisite pam_pwcheck.so nullok cracklib
password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
password sufficient pam_unix2.so use_authtok nullok
password sufficient pam_krb5.so
password required pam_deny.so

Edit /etc/pam.d/common-session as follows:

session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so
session optional pam_umask.so


9.2.7 Edit SSH client and server configuration

To use Kerberos tickets for passwordless user authentication the following changes have to be made on the SSH client and server side. Edit /etc/ssh/sshd_config as follows:

[...]
GSSAPIAuthentication yes
[...]

Also on SSH client side edit /etc/ssh/ssh_config:

GSSAPIAuthentication yes

9.2.8 Restrict access for defined users or user groups

At the moment there is no possibility to use IPA host based access control (HBAC) on systems other than Red Hat, because SuSE does not provide the IPA provider in the SSSD package. To restrict which users may log in to a SLES client use the PAM module pam_access.

Add the following entry to /etc/pam.d/common-account:

account required pam_access.so

Add defined IPA user groups to /etc/security/access.conf:

+: (<posix-ipa-user-group>) : ALL : ALL

Add the following to the end of /etc/security/access.conf to restrict all other access:

-: ALL : ALL

Hint: If logins become slow after this change, check /etc/security/access.conf for typos in user names or group names.
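To reason about how the PAM stacks above behave, here is an added Python model of how Linux-PAM walks a stack for the control flags used in 9.2.6 (required, requisite, sufficient, optional); it is not part of the original document. Module results are supplied by the caller, and the pam_access line from 9.2.8 is assumed to be appended at the end of common-account, since the text does not say where to put it.

```python
# Added example: a model of how Linux-PAM walks a stack for the control flags
# used in this document (required, requisite, sufficient, optional).
# Module results are supplied by the caller: True = PAM_SUCCESS, False = failure.
SUCCESS, FAILURE = "success", "failure"

def evaluate_stack(stack, results):
    """stack: list of (control, module); results: module -> bool.
    Returns (outcome, list of modules that were actually consulted)."""
    consulted, required_failed = [], False
    for control, module in stack:
        ok = results.get(module, False)          # unknown module counts as failing
        consulted.append(module)
        if control == "requisite" and not ok:
            return FAILURE, consulted            # abort the stack immediately
        if control == "required" and not ok:
            required_failed = True               # remember, keep walking the stack
        if control == "sufficient" and ok and not required_failed:
            return SUCCESS, consulted            # short-circuit: the rest is skipped
        # "optional" never decides a stack that has other modules
    return (FAILURE if required_failed else SUCCESS), consulted

# /etc/pam.d/common-auth as given in section 9.2.6
COMMON_AUTH = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix2.so"),
    ("sufficient", "pam_krb5.so"),
    ("required",   "pam_deny.so"),
]

# /etc/pam.d/common-account from 9.2.6 with the pam_access line of 9.2.8
# appended at the end (assumption: the text does not say where to put it).
COMMON_ACCOUNT = [
    ("requisite",  "pam_unix2.so"),
    ("required",   "pam_krb5.so"),
    ("sufficient", "pam_localuser.so"),
    ("required",   "pam_ldap.so"),
    ("required",   "pam_access.so"),
]

def auth_outcome(local_password_ok, kerberos_ok):
    """Authentication phase; pam_deny.so is absent from results and so fails."""
    results = {"pam_env.so": True, "pam_unix2.so": local_password_ok,
               "pam_krb5.so": kerberos_ok}
    return evaluate_stack(COMMON_AUTH, results)

def account_outcome(is_local_user, allowed_by_access_conf):
    """Account phase for a user known to NSS, Kerberos and LDAP."""
    results = {"pam_unix2.so": True, "pam_krb5.so": True, "pam_ldap.so": True,
               "pam_localuser.so": is_local_user,
               "pam_access.so": allowed_by_access_conf}
    return evaluate_stack(COMMON_ACCOUNT, results)
```

With pam_access appended after the sufficient pam_localuser line, local users never reach it; place the pam_access line before pam_localuser if access.conf should apply to them as well.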


10 Backup

Currently the only supported backup method for a Red Hat IPA server is to create a full replica of the IPA master server. For backup purposes install a third Red Hat Enterprise Linux 6 server. In the scope of this document the server is named ipa03. Afterwards proceed with the following steps:

1. Install needed IPA packages as described in 3.1.

2. Prepare for IPA replication on IPA master as described in 2.3.

3. Install IPA replication as described in 3.2.

4. Create periodic snapshots of the virtual machine of the IPA backup server (ipa03.testlab.local).

5. Periodically sync the needed certificates via rsync from IPA master (ipa01) to IPA backup (ipa03) as a root cronjob. Add the following line to root's cron on IPA master:

*/5 * * * * /usr/bin/rsync -av /etc/openldap/cacerts/ ipa03.testlab.local:/etc/openldap/cacerts/ > /dev/null 2>&1

6. Create SSH keys for passwordless rsync between IPA master and IPA backup. All steps have to be performed as user "root":

On IPA master:

ssh-keygen -t rsa -b 2048   # => Use default settings and do not define a password!

On IPA backup:

mkdir -p /root/.ssh

On IPA master:

ssh-copy-id [email protected]


11 Troubleshooting / Hints / Advisories

11.1 After upgrading to RHEL 6.6 replication stopped working

Problem: After upgrading to RHEL 6.6 IPA replication stopped working. The IPA error log showed the following entries:

[...]
sasl_io_recv failed to decode packet for connection....
[...]

The problem occurs because the SASL buffer size is too small.

Resolution:

1. Create an ldif file on all IPA servers (e.g. packetsize.ldif).

2. Paste the following entries into it to increase nsslapd-sasl-max-buffer-size:

dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 2097152

3. Import the ldif file:

ldapmodify -h localhost -D "cn=directory manager" -w <password> -f packetsize.ldif -ZZ

4. The configuration change does not require a service restart.

11.2 User home directory will not be created during first login on IPA server itself

To enable mkhomedir at first user login on the IPA server itself, perform the following on all IPA servers:

authconfig --enablemkhomedir --update

service sssd restart

If you install the IPA client on Linux clients with ipa-client-install, this option is set automatically in PAM via the option "--mkhomedir".


The authconfig command changes the following PAM entries:

grep -i mkhomedir /etc/pam.d/*

/etc/pam.d/fingerprint-auth:session optional pam_oddjob_mkhomedir.so
/etc/pam.d/fingerprint-auth-ac:session optional pam_oddjob_mkhomedir.so
/etc/pam.d/password-auth:session optional pam_oddjob_mkhomedir.so
/etc/pam.d/password-auth-ac:session optional pam_oddjob_mkhomedir.so
/etc/pam.d/smartcard-auth:session optional pam_oddjob_mkhomedir.so
/etc/pam.d/smartcard-auth-ac:session optional pam_oddjob_mkhomedir.so
/etc/pam.d/system-auth:session optional pam_oddjob_mkhomedir.so
/etc/pam.d/system-auth-ac:session optional pam_oddjob_mkhomedir.so

11.3 Active Directory password synchronization issues

If password synchronization from Active Directory to Red Hat IPA does not work, it can be caused by a couple of problems.

1. Check the IPA dirsrv logs: Open /var/log/dirsrv/slapd-<REALM>/access and /var/log/dirsrv/slapd-<REALM>/errors and look for any hint of certificate issues. If everything seems to be ok regarding certificates, proceed with the next step.

2. Check the PasswordSync tool log on the Active Directory domain controller: Open "c:\Program Files\Red Hat Directory Password Synchronization\passsync.log".

a. Check if you see entries like this:

ipa Modify password failed for remote entry Insufficient access

b. In this case the user passsync on IPA does not have sufficient permissions to change user passwords. To verify this, do the following on the IPA master server:

ldappasswd -D "uid=passsync,cn=sysaccounts,cn=etc,dc=testlab,dc=local" -w <bind-password-of-passsync-user> -s <new-user-password> -h localhost -ZZ uid=<some-synced-AD-user>,cn=users,cn=accounts,dc=testlab,dc=local

c. If you see a message like this, the user has insufficient permissions:

Result: Insufficient access (50)
Additional info: Insufficient access rights

d. In this case something went wrong during the creation of the winsync agreement. Usually IPA automatically creates an LDAP access control instruction (aci) for the passsync user which allows it to change user passwords.


To verify whether the aci exists, run the following command and search for "passsync":

ldapsearch -x -D "cn=directory manager" -w <bindpw-of-directory-manager> -b "dc=testlab,dc=local" aci | less

If you don't find the entry:

aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///uid=passsync,cn=sysaccounts,cn=etc,dc=testlab,dc=local";)

you have to create the aci manually:

Create an ldif file, for example aci-passssync-pwchange.ldif, and add the following:

dn: dc=testlab,dc=local
changetype: modify
add: aci
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Windows PassSync service can write passwords"; allow (write) userdn="ldap:///uid=passsync,cn=sysaccounts,cn=etc,dc=testlab,dc=local";)

Import the LDIF into LDAP:

ldapmodify -h localhost -D "cn=directory manager" -w <bindpw-of-directory-manager> -f aci-passssync-pwchange.ldif -ZZ

Please verify that the aci now exists (search for passsync):

ldapsearch -x -D "cn=directory manager" -w <bindpw-of-directory-manager> -b "dc=testlab,dc=local" aci | less

Restart dirsrv on all IPA servers:

service dirsrv restart

Reset the password of some Active Directory user on one AD domain controller and check /var/log/dirsrv/slapd-<REALM>/access. Password sync should now work.
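Searching the ldapsearch output by eye, as in step 2d above, is error-prone when the base entry carries many ACIs. The following added Python check (not from the document) unfolds the LDIF output, parses each aci value in the Directory Server syntax used above and reports whether the passsync account is granted write access to userPassword; the sample output it runs against is constructed.

```python
import re

# Added example: parse the aci values in ldapsearch output and check whether the
# passsync system account may write user passwords (section 11.3, step 2d).
PASSSYNC_DN = "uid=passsync,cn=sysaccounts,cn=etc,dc=testlab,dc=local"

# (targetattr = "a || b")(version 3.0; acl "name"; allow (rights) userdn="ldap:///dn";)
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)";\)'
)

def parse_aci(value):
    """Return the ACI's fields as a dict, or None if it is not of the form above."""
    m = ACI_RE.fullmatch(value.strip())
    if not m:
        return None
    return {"attrs": [a.strip() for a in m["attrs"].split("||")],
            "name": m["name"],
            "allow": m["effect"] == "allow",
            "rights": [r.strip() for r in m["rights"].split(",")],
            "userdn": m["userdn"].lower()}

def aci_values(ldif_text):
    """Unfold LDIF (continuation lines start with one space) and collect aci: values."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [l[4:].strip() for l in lines if l.startswith("aci:")]

def passsync_can_write_passwords(ldif_text, dn=PASSSYNC_DN):
    """Name of the first ACI granting dn write access to userPassword, else None."""
    for value in aci_values(ldif_text):
        aci = parse_aci(value)
        if (aci and aci["allow"] and "write" in aci["rights"]
                and aci["userdn"] == dn.lower() and "userPassword" in aci["attrs"]):
            return aci["name"]
    return None

# Constructed sample of `ldapsearch ... -b "dc=testlab,dc=local" aci` output,
# reduced to one unrelated ACI and the one the document says IPA should create.
SAMPLE_LDIF = """\
dn: dc=testlab,dc=local
aci: (targetattr = "description")(version 3.0; acl "Self can write description";
  allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTP
 assword || passwordHistory")(version 3.0; acl "Windows PassSync service can write
  passwords"; allow (write) userdn="ldap:///uid=passsync,cn=sysaccounts,cn=etc,dc=
 testlab,dc=local";)
"""
```

Feed it the real output of the ldapsearch command above (without | less); a None result means the aci from step 2d has to be created manually.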


If you need further information regarding ACIs please visit:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html

11.4 Disable "Force new password" after AD password synchronization

The man page of "ipa-replica-manage" describes the following:

"PassSync is a Windows service that runs on AD Domain Controllers to intercept password changes. It sends these password changes to the IPA LDAP server over TLS. These password changes bypass normal IPA password policy settings and the password is not set to immediately expire. This is because by the time IPA receives the password change it has already been accepted by AD so it is too late to reject it.

IPA maintains a list of DNs that are exempt from password policy. A special user is added automatically when a winsync replication agreement is created. The DN of this user is added to the exemption list stored in passSyncManagersDNs in the entry cn=ipa_pwd_extop,cn=plugins,cn=config."

For some reason the IPA passsync user is sometimes not added to the exemption list stored in passSyncManagersDNs. If this is the case and an AD user changes his password and then tries to log in to a Linux IPA client, the user is forced to set a new password.

To change this behaviour you have to add the passsync user manually to the exemption list stored in passSyncManagersDNs in the entry

cn=ipa_pwd_extop,cn=plugins,cn=config

1. Create an LDIF file, for example disable-pwchange-after-sync.ldif:

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=testlab,dc=local

2. Import the LDIF into LDAP:

ldapmodify -h localhost -D "cn=directory manager" -w <bindpw-of-directory-manager> -f disable-pwchange-after-sync.ldif -ZZ


3. Restart dirsrv on all IPA servers:

service dirsrv restart

If you need further information please refer to the official Red Hat 6 IPA server documentation:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Identity_Management_Guide/Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US.pdf


12 Appendix A: How to create your own CA

In this appendix you will find a basic description of how to create your own CA to sign certificates. This appendix is based on the instructions found in the rsyslog man pages (TLS-protected syslog).

12.1 Install and create your CA

You need to install the GnuTLS utilities:

yum install gnutls-utils

Once the package is installed, create your private CA key:

cd /etc/pki/CA/
ls -1

certs
crl
newcerts
private

certtool --generate-privkey --outfile private/ca-key.pem --bits 4096

chmod 400 private/ca-key.pem

Now create the self-signed CA certificate:

certtool --generate-self-signed --load-privkey private/ca-key.pem --outfile certs/ca-cert.pem

Please answer the questions as follows (the values shown after the prompts are the answers to give):

Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): US
Organization name: SomeOrg
Organizational unit name: SomeOU
Locality name: Somewhere
State or province name: CA
Common name: someName (not necessarily DNS!)
UID: This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number (decimal):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Does the certificate belong to an authority? (Y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (Y/N):
Is this also a TLS web server certificate? (Y/N):
Enter the e-mail of the subject of the certificate: [email protected]
Will the certificate be used to sign other certificates? (Y/N): y
Will the certificate be used to sign CRLs? (Y/N):
Will the certificate be used to sign code? (Y/N):
Will the certificate be used to sign OCSP requests? (Y/N):
Will the certificate be used for time stamping? (Y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 485a365e
    Validity:
        Not Before: Thu Jun 19 10:35:12 UTC 2008
        Not After: Sun Jun 17 10:35:25 UTC 2018
    Subject: C=US,O=SomeOrg,OU=SomeOU,L=Somewhere,ST=CA,CN=someName (not necessarily DNS!)
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):


        Exponent:
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Subject Alternative Name (not critical):
            RFC822name: [email protected]
        Key Usage (critical):
            Certificate signing.
        Subject Key Identifier (not critical):
            fbfe968d10a73ae5b70d7b434886c8f872997b89
Other Information:
    Public Key Id:
        fbfe968d10a73ae5b70d7b434886c8f872997b89

Is the above information ok? (Y/N): y

12.2 Generate certificate request

On your CA (or any other server) you can generate a certificate request for other machines like this:

cd /etc/pki/CA

First create a private key for the machine; the request must be generated with this key and not with the CA key:

certtool --generate-privkey --outfile private/<hostname>-key.pem --bits 2048

certtool --generate-request --load-privkey private/<hostname>-key.pem --outfile crl/<hostname>-request.pem

12.3 Sign certificate requests

To sign a certificate request and create a certificate for another machine do the following:

cd /etc/pki/CA

certtool --generate-certificate --load-request crl/<hostname>-request.pem --outfile certs/<hostname>-cert.pem --load-ca-certificate certs/ca-cert.pem --load-ca-privkey private/ca-key.pem

Please answer the questions as follows (the values shown after the prompts are the answers to give):

Generating a signed certificate...
Enter the certificate's serial number (decimal):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (Y/N): n
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (Y/N): y
Enter the dnsName of the subject of the certificate: machine.testlab.local {This is the name of the machine that will use the certificate}
Enter the IP address of the subject of certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/N):
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 485a3819
    Validity:
        Not Before: Thu Jun 19 10:42:54 UTC 2008
        Not After: Wed Mar 16 10:42:57 UTC 2011
    Subject: C=US,O=SomeOrg,OU=SomeOU,L=Somewhere,ST=CA,CN=machine.example.net
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):


        Exponent:
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Client.
            TLS WWW Server.
        Subject Alternative Name (not critical):
            DNSname: machine.example.net
        Subject Key Identifier (not critical):
            0ce1c3dbd19d31fa035b07afe2e0ef22d90b28ac
        Authority Key Identifier (not critical):
            fbfe968d10a73ae5b70d7b434886c8f872997b89
Other Information:
    Public Key Id:
        0ce1c3dbd19d31fa035b07afe2e0ef22d90b28ac

Is the above information ok? (Y/N): y
