[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Freeipa-users] Connecting Ubuntu to IPA



Hi,

I've connected and used IPA successfully with Ubuntu 10.04, 10.10, and 11.04. NFS4+KRB successfully in 10.10 and 11.04.

Install the packages below, substitute libpam-ldap for libpam-ldapd if you prefer PADL's ldap liberary which can use groups within groups for user accounts. ldapld can't, however it offers a daemon which connect to a LDAP server, and workaround for such as issues with Thunderbird crashing, etc. I have not been able to get the sssd that comes with Ubuntu to work.

Copy /etc/ipa/ca.crt from the IPA host to /etc/ipa/ca.crt on the Ubuntu host.

Replace /etc/krb5.conf, /etc/ntp.conf, /etc/ldap.conf (make /etc/ldap/ldap.conf a symlink to /etc/ldap.conf), /etc/idmapd.conf (nfs4), /etc/nslcd.conf, /etc/default/autofs, /etc/nsswitch.conf, /etc/default/nfs-common. See attached files for examples.

Add the following to /etc/ssh/sshd_config:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And the following to /etc/ssh/ssh_config:
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Run this command to make sure ldap+krb has been configured in PAM after the packages has been installed: $ /usr/sbin/pam-auth-update --package --force

This gives you a Ubuntu system configured for IPA with autofs and nfs4+krb5, and ssh krb ticket forwarding. Looking forward to when SSSD comes in version 1.5.x in Ubuntu! :)

I've set the ldap timeouts very low so you might need tweaking for this to work over a WAN/slow link, but it makes the client much more responsive if your first listed IPA/LDAP server becomes unavailable.


Packages:
        autofs5                 action=install
        autofs5-ldap            action=install
        krb5-user               action=install
        krb5-clients            action=install
        nfs-client              action=install
        nfs4-acl-tools          action=install
        ldap-auth-config        action=install
        ldap-utils              action=install
        #libpam-ldap            action=install
        libpam-ldapd            action=install
        libpam-krb5             action=install
        libpam-ccreds           action=install
        libpam-foreground       action=install
        libnss-ldap             action=install
        nscd                    action=install
        ntp                     action=install



Rgds,
Siggi



On 06/09/2011 02:43 AM, Steven Jones wrote:
Hi,

I am still tryig to figure getting ubuntu connected....

So to get a non-rhel client computer into freeipa the first thing I have to do is make a client computer instance in freepia first? or doesnt it matter? ie can a non rhel client only do authentication or can it be acted upon fully as per a rhel client?

Are there certificates for ssl or something that have to be copied over to the client(s)?

I dont have it working yet beyond I can do a kinit and admin and give a password and then do klist etc....

:/

Its proving very painful....

regards

Steven


8><----

Maybe this article could be a good jumping-off point?
http://www.aput.net/~jheiss/krbldap/howto.html

It's pretty old, but seems to bring together many things and overview them well, with enough static examples to give you a feel for what you're getting into.

8><---

thanks, its helping.

_______________________________________________
Freeipa-users mailing list
Freeipa-users redhat com
https://www.redhat.com/mailman/listinfo/freeipa-users

#
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
MASTER_MAP_NAME="/etc/auto.master"
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
# 		     failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# MOUNT_WAIT - time to wait for a response from umount(8).
# 	       Setting this timeout can cause problems when
# 	       mount would otherwise wait for a server that
# 	       is temporarily unavailable, such as when it's
# 	       restarting. The defailt of waiting for mount(8)
# 	       usually results in a wait of around 3 minutes.
#
#MOUNT_WAIT=-1
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="yes"
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
# 			       mount.nfs(8). Since we can't identify
# 			       the default automatically we need to
# 			       set it in our configuration. This will
# 			       only make a difference for replicated
# 			       map entries as availability probing isn't
# 			       used for single host map entries.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
MOUNT_NFS_DEFAULT_PROTOCOL=4
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
LOGGING="debug"
#
# Define base dn for map dn lookup.
#
# Define server URIs
#
# LDAP_URI - space seperated list of server uris of the form
# 	     <proto>://<server>[/] where <proto> can be ldap
# 	     or ldaps. The option can be given multiple times.
# 	     Map entries that include a server name override
# 	     this option.
#
#	     This configuration option can also be used to
#	     request autofs lookup SRV RRs for a domain of
#	     the form <proto>:///[<domain dn>]. Note that a
#	     trailing "/" is not allowed when using this form.
#	     If the domain dn is not specified the dns domain
#	     name (if any) is used to construct the domain dn
#	     for the SRV RR lookup. The server list returned
#	     from an SRV RR lookup is refreshed according to
#	     the minimum ttl found in the SRV RR records or
#	     after one hour, whichever is less.
#
LDAP_URI="ldap://ipa01.ix.test.com ldap://ipa02.ix.test.com";
#
# LDAP__TIMEOUT - timeout value for the synchronous API  calls
#		  (default is LDAP library default).
#
#LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#
#LDAP_NETWORK_TIMEOUT=8
#
# SEARCH_BASE - base dn to use for searching for map search dn.
# 		Multiple entries can be given and they are checked
# 		in the order they occur here.
#
SEARCH_BASE="cn=default,cn=automount,dc=ix,dc=test,dc=com"
#
# Define the LDAP schema to used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
#MAP_OBJECT_CLASS="nisMap"
#ENTRY_OBJECT_CLASS="nisObject"
#MAP_ATTRIBUTE="nisMapName"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="nisMapEntry"
#
# Other common LDAP nameing
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="ou"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="automountInformation"
#
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
#
# AUTH_CONF_FILE - set the default location for the SASL
#			   authentication configuration file.
#
#AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
#
# MAP_HASH_TABLE_SIZE - set the map cache hash table size.
# 			Should be a power of 2 with a ratio roughly
# 			between 1:10 and 1:20 for each map.
#
#MAP_HASH_TABLE_SIZE=1024
#
# General global options
#
# If the kernel supports using the autofs miscellanous device
# and you wish to use it you must set this configuration option
# to "yes" otherwise it will not be used.
USE_MISC_DEVICE="yes"
#
#OPTIONS=""
#
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = ix.test.com

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IX.TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 allow_weak_crypto = true

[realms]
 IX.TEST.COM = {
  default_domain = ix.test.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .ix.test.com = IX.TEST.COM
 ix.test.com = IX.TEST.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a 
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host ipa01.ix.test.com ipa02.ix.test.com

# The distinguished name of the search base.
base dc=ix,dc=test,dc=com

# Another way to specify your LDAP server is to provide an
#uri ldapi:///
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

uri ldap://ipa01.ix.test.com ldap://ipa02.ix.test.com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=net

# The port.
# Optional: default is 389.
port 389

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
timelimit 3

# Bind/connect timelimit
bind_timelimit 1

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd	ou=People,dc=padl,dc=com?one
#nss_base_shadow	ou=People,dc=padl,dc=com?one
#nss_base_group		ou=Group,dc=padl,dc=com?one
#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
#nss_base_services	ou=Services,dc=padl,dc=com?one
#nss_base_networks	ou=Networks,dc=padl,dc=com?one
#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one

nss_base_passwd		cn=users,cn=accounts,dc=ix,dc=test,dc=com?sub
nss_base_shadow		cn=users,cn=accounts,dc=ix,dc=test,dc=com?sub
nss_base_group		cn=groups,cn=accounts,dc=ix,dc=test,dc=com?sub
nss_base_netgroup	cn=ng,cn=compat,dc=ix,dc=test,dc=com?sub

nss_schema rfc2307bis
nss_map_attribute	uniqueMember	member

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gammu,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,news,nslcd,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,uml-net,usbmux,uucp,vde2-net,vdr,www-data
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

threads 10

# The location at which the LDAP server(s) should be reachable.
uri DNS

# The search base that will be used for all queries.
base dc=ix,dc=test,dc=com

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl start_tls
tls_reqcert never
tls_cacertfile /etc/ipa/ca.crt

# The search scope.
scope sub

bind_timelimit 1
timelimit 3
reconnect_sleeptime 1
reconnect_retrytime 10

nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap

hosts:          files dns 
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
ethers:		files
netmasks:   	files

netgroup: 	ldap
automount:  	files ldap

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ipa01.ix.test.com
server ipa02.ix.test.com

#broadcast 192.168.1.255 key 42		# broadcast server
#broadcastclient			# broadcast client
#broadcast 224.0.1.1 key 42		# multicast server
#multicastclient 224.0.1.1		# multicast client
#manycastserver 239.255.254.254		# manycast server
#manycastclient 239.255.254.254 key 42	# manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#server	127.127.1.0	# local clock
#fudge	127.127.1.0 stratum 10

# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]