[Freeipa-users] FreeIPA client setup in AWS

Mohan Cheema mohan.cheema at arrkgroup.com
Wed Oct 9 10:31:02 UTC 2013


Thanks Rob, your comment helped me.

I'm putting the steps here just in case somebody needs it.

First Install IPA Client
Get the rpm from centos site (see get.txt)
# mkdir -p /opt/ipa && cd /opt/ipa
# vi get.txt

Paste the following

http://mirror.centos.org/centos/6/os/x86_64/Packages/ipa-client-3.0.0-25.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/autofs-5.0.5-73.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/certmonger-0.61-3.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/ipa-python-3.0.0-25.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/keyutils-1.4-4.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libcollection-0.6.0-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libdhash-0.4.2-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libevent-1.4.13-4.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libgssglue-0.1-11.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libini_config-0.6.1-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libipa_hbac-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libldb-1.1.13-3.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libnl-1.1-14.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libpath_utils-0.2.1-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libref_array-0.1.1-9.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libsss_autofs-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtalloc-2.0.7-2.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtasn1-2.3-3.el6_2.1.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtdb-1.2.10-1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtevent-0.9.17-1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtiff-3.9.4-9.el6_3.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libtirpc-0.2.1-5.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/nfs-utils-1.2.3-36.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/nfs-utils-lib-1.1.5-6.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/oddjob-0.30-5.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/oddjob-mkhomedir-0.30-5.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/pyOpenSSL-0.10-2.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/pytalloc-2.0.7-2.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-kerberos-1.1-6.2.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-krbV-1.0.90-3.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-ldap-2.3.10-1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-lxml-2.2.3-1.1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-netaddr-0.7.5-4.el6.noarch.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/python-nss-0.13-1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/rpcbind-0.2.0-11.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/sssd-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/sssd-client-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/xmlrpc-c-1.16.24-1209.1840.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/xmlrpc-c-client-1.16.24-1209.1840.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/cups-libs-1.4.2-48.el6_3.3.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/avahi-libs-0.6.25-12.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/gnutls-2.8.5-10.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/bind-libs-9.8.2-0.17.rc1.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libsss_idmap-1.9.2-82.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/libxslt-1.1.26-2.el6_3.1.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/keyutils-libs-1.4-4.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/krb5-libs-1.10.3-10.el6.x86_64.rpm
http://mirror.centos.org/centos/6/os/x86_64/Packages/c-ares-1.7.0-6.el6.x86_64.rpm

# wget -i get.txt
# rpm -ivh *.rpm --nodeps

Get the latest openssh from the Amazon repository into /opt
# mkdir -p /opt/ssh
# cd /opt/ssh
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-server-6.2p2-4.34.amzn1.x86_64.rpm
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-6.2p2-4.34.amzn1.x86_64.rpm
# wget http://packages.us-east-1.amazonaws.com/2013.09/main/201309001984/x86_64/Packages/openssh-clients-6.2p2-4.34.amzn1.x86_64.rpm
# rpm -Uvh *.rpm
# yum update -y

# ipa-client-install --server kdc1.iocs-systems.internal --server kdc2.iocs-systems.internal --domain IOCS-SYSTEMS.INTERNAL --fixed-primary --mkhomedir

# vi /etc/ssh/sshd_config

Add the following lines at the end
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

# service sshd restart
# mkdir -p /etc/selinux/targeted/logins

That's it.

Regards,

Mohan 
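The two sshd_config lines above are what makes SSSD-backed public key lookup work, and Rob's reply lists the directive pairs an sshd build must understand for it. The following is an added example, not part of the original post or of FreeIPA, that checks a configuration text for one of those pairs, confirms the lookup command runs as a non-root account, and, on a real host, asks the installed sshd to dump its effective configuration so unsupported directives show up before a restart. The sample configuration is constructed here; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an sshd configuration
# enables SSSD public key lookup the way the thread describes.

# Constructed sample, standing in for /etc/ssh/sshd_config after the edit above.
SAMPLE_CONFIG='Port 22
# AuthorizedKeysCommand /usr/bin/false   (commented out, must be ignored)
PasswordAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody'

# Print the value of a directive from config text ($1), matched case-insensitively
# like sshd does, skipping comments and blank lines and accepting "Key=value".
# Prints nothing if the directive is absent.
sshd_directive() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { sub(/=/, " ") }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Report which of the directive pairs from Rob's reply is configured:
# "user", "runas", "agent", or "none".
sss_key_lookup_mode() {
    cfg=$1
    cmd=$(sshd_directive "$cfg" AuthorizedKeysCommand)
    if [ -n "$cmd" ] && [ -n "$(sshd_directive "$cfg" AuthorizedKeysCommandUser)" ]; then
        echo user
    elif [ -n "$cmd" ] && [ -n "$(sshd_directive "$cfg" AuthorizedKeysCommandRunAs)" ]; then
        echo runas
    elif [ -n "$(sshd_directive "$cfg" PubKeyAgent)" ] && \
         [ -n "$(sshd_directive "$cfg" PubKeyAgentRunAs)" ]; then
        echo agent
    else
        echo none
    fi
}

# Succeed only if the key lookup command is set to run as a non-root account.
# sss_ssh_authorizedkeys needs no privileges, so root here is needless exposure.
key_command_user_ok() {
    user=$(sshd_directive "$1" AuthorizedKeysCommandUser)
    [ -n "$user" ] && [ "$user" != root ]
}

# Live check for a real host (needs root to read host keys): "sshd -T" prints the
# effective configuration with lowercase keywords, so a build that does not know
# AuthorizedKeysCommand never prints that keyword and would also reject it at start.
probe_installed_sshd() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed"; return 1; }
    if sshd -T 2>/dev/null | grep -qi '^authorizedkeyscommand'; then
        echo supported
    else
        echo unsupported
    fi
}

# Stand-alone run against the constructed sample.
echo "lookup mode: $(sss_key_lookup_mode "$SAMPLE_CONFIG")"
if key_command_user_ok "$SAMPLE_CONFIG"; then
    echo "key command user: ok (non-root)"
else
    echo "key command user: missing or root"
fi
```

Run it against the real file with `sss_key_lookup_mode "$(cat /etc/ssh/sshd_config)"` after the edit; a result of "none" on a host that still shows the installer's "does not support dynamically loading authorized user keys" warning points at the sshd build rather than at the config, which is the situation the thread started from.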

> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, October 04, 2013 2:03 PM
> To: Mohan Cheema; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA client setup in AWS
> 
> Mohan Cheema wrote:
> > Hi,
> >
> > We have a number of Amazon AMI (Amazon Linux) instances in AWS. As this is based
> > on RHEL we installed a number of packages to enable users on those machines
> > to get authenticated against ipa. The client gets configured with the below
> > warning.
> >
> > -----------------------------------
> > WARNING Installed OpenSSH server does not support dynamically loading
> > authorized user keys. Public key authentication of IPA users will not be
> > available.
> > -----------------------------------
> >
> > When a user tries to authenticate the SSH connection is dropped; the ipa
> > server issues the authentication ticket to the machine.
> >
> > Packages that have been installed:
> >
> > ----------------------------------------------
> > ipa-python-3.0.0-25.el6.x86_64.rpm
> > python-ldap-2.3.10-1.el6.x86_64.rpm
> > cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64.rpm
> > pam_krb5-2.3.11-9.el6.i686.rpm
> > sssd-1.9.2-82.el6.x86_64.rpm
> > certmonger-0.61-3.el6.x86_64.rpm
> > oddjob-mkhomedir-0.30-5.el6.x86_64.rpm
> > python-krbV-1.0.90-3.el6.x86_64.rpm
> > libsss_autofs-1.9.2-82.el6.x86_64.rpm
> > autofs-5.0.5-73.el6.x86_64.rpm
> > nfs-utils-1.2.3-36.el6.x86_64.rpm
> > sssd-client-1.9.2-82.el6.x86_64.rpm
> > python-kerberos-1.1-6.2.el6.x86_64.rpm
> > python-nss-0.13-1.el6.x86_64.rpm
> > python-lxml-2.2.3-1.1.el6.x86_64.rpm
> > python-netaddr-0.7.5-4.el6.noarch.rpm
> > pyOpenSSL-0.10-2.el6.x86_64.rpm
> > libipa_hbac-python-1.9.2-82.el6.x86_64.rpm
> > libgssglue-0.1-11.el6.x86_64.rpm
> > nfs-utils-lib-1.1.5-6.el6.x86_64.rpm
> > rpcbind-0.2.0-11.el6.x86_64.rpm
> > oddjob-0.30-5.el6.x86_64.rpm
> > libipa_hbac-1.9.2-82.el6.x86_64.rpm
> > libldb-1.1.13-3.el6.x86_64.rpm
> > libsss_idmap-1.9.2-82.el6.x86_64.rpm
> > libevent-1.4.13-4.el6.x86_64.rpm
> > libtalloc-2.0.7-2.el6.x86_64.rpm
> > keyutils-1.4-4.el6.x86_64.rpm
> > libdhash-0.4.2-9.el6.x86_64.rpm
> > libtirpc-0.2.1-5.el6.x86_64.rpm
> > ipa-client-3.0.0-25.el6.x86_64.rpm
> > libtevent-0.9.17-1.el6.x86_64.rpm
> > libtdb-1.2.10-1.el6.x86_64.rpm
> > libini_config-0.6.1-9.el6.x86_64.rpm
> > libcollection-0.6.0-9.el6.x86_64.rpm
> > libpath_utils-0.2.1-9.el6.x86_64.rpm
> > libref_array-0.1.1-9.el6.x86_64.rpm
> > c-ares-1.7.0-6.el6.x86_64.rpm
> > samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
> > libnl-1.1-14.el6.x86_64.rpm
> > ----------------------------------------------
> >
> > Are there any other packages that need to be installed to make it
> > work?
> >
> > Below is the ssh version.
> >
> > # rpm -qa | grep ssh
> > libssh2-1.4.2-1.10.amzn1.x86_64
> > openssh-6.2p2-4.34.amzn1.x86_64
> > openssh-clients-6.2p2-4.34.amzn1.x86_64
> > openssh-server-6.2p2-4.34.amzn1.x86_64
> 
> I'm guessing the problem is the Amazon-specific version of ssh. It needs
> to support one of these command combinations:
> 
> AuthorizedKeysCommand and AuthorizedKeysCommandUser
> AuthorizedKeysCommand and AuthorizedKeysCommandRunAs
> PubKeyAgent and PubKeyAgentRunAs
> 
> /var/log/ipaclient-install.log should contain the output of the probing
> for this support.
> 
> rob