Installing and Uninstalling an Identity Management Client Manually


Note: Automated installation and uninstallation using the ipa-client-install utility is much simpler. See the Linux Domain Identity, Authentication, and Policy Guide.

Installing an IdM Client Manually

Prerequisites

Install the required client packages:

# yum install sssd

On the Server

Log in as admin.

$ kinit admin

Create a host entry for the client. Specify the client's IP address and host name. For example:

$ ipa host-add --ip-address=203.0.113.1 client.example.com

For details on creating host entries, see the Linux Domain Identity, Authentication, and Policy Guide.

Set the client to be managed by the IdM server:

$ ipa host-add-managedby --hosts=server.example.com client.example.com

On the Client

Configure SSSD to point to the IdM domain by saving the following configuration in the /etc/sssd/sssd.conf file:

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]

[pam]

[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.example.com
chpass_provider = ipa
ipa_server = server.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
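A hand-written sssd.conf is easy to get subtly wrong, and SSSD silently refuses to start if the file is not root-owned with mode 0600. The following pre-flight check is an added example and is not part of the Red Hat documentation: it writes a copy of the configuration shown above (labelled as constructed) and verifies the permission bits, the [sssd] domains key, the four ipa provider keys and ldap_tls_cacert. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: sanity-check a manually
# written /etc/sssd/sssd.conf before starting SSSD.

# key=value pairs that must appear in the [domain/...] section for an IdM client
REQUIRED_KEYS="id_provider=ipa auth_provider=ipa access_provider=ipa chpass_provider=ipa"

# conf_get FILE KEY -> value of the first "KEY = value" line, spaces around '=' ignored
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_sssd_conf FILE -> prints "ok" and returns 0, otherwise prints each problem and returns 1
check_sssd_conf() {
    file=$1
    rc=0
    # SSSD requires mode 0600; stat -c is GNU, stat -f is the BSD spelling
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null)
    if [ "$mode" != "600" ]; then
        echo "bad mode $mode on $file (need 600, owner root)"
        rc=1
    fi
    for kv in $REQUIRED_KEYS; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(conf_get "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', expected '$want'"
            rc=1
        fi
    done
    # without ldap_tls_cacert the LDAP connection to the IdM server is not verified
    if [ -z "$(conf_get "$file" ldap_tls_cacert)" ]; then
        echo "ldap_tls_cacert is not set"
        rc=1
    fi
    # the [sssd] section must name the domain, or no provider is ever loaded
    if [ -z "$(conf_get "$file" domains)" ]; then
        echo "domains is not set in [sssd]"
        rc=1
    fi
    [ $rc -eq 0 ] && echo ok
    return $rc
}

# write_sample_sssd_conf FILE [ACCESS_PROVIDER]: constructed copy of the page's
# configuration, used here only as sample input (access_provider defaults to ipa)
write_sample_sssd_conf() {
    cat > "$1" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]

[pam]

[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ${2:-ipa}
ipa_hostname = client.example.com
chpass_provider = ipa
ipa_server = server.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
EOF
    chmod 600 "$1"
}

# usage on a real client: check_sssd_conf /etc/sssd/sssd.conf
```

The access_provider check matters most: setting it to anything other than ipa means host-based access control rules defined on the IdM server are no longer enforced on this client.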

Run the authconfig utility to configure various services to use SSSD. This updates the /etc/nsswitch.conf file and several files in the /etc/pam.d/ directory:

# authconfig --update --enablesssd --enablesssdauth

For details, see the authconfig(8) man page.

Configure Kerberos to point to the IdM KDC. Edit the /etc/krb5.conf file to include these settings:

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

Get the IdM server's CA certificate from the server:

# curl -o /etc/ipa/ca.crt http://server.example.com/ipa/config/ca.crt

Install the CA certificate in the system's NSS database:

# certutil -A -d /etc/ipa/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt

Generate the keytab for the client:

# ipa-getkeytab -s server.example.com -D "cn=Directory Manager" -w <Directory manager Password> -p host/client.example.com -k /etc/krb5.keytab

Make sure the certmonger service is running and enable it to start on boot:

# systemctl start certmonger.service
# systemctl enable certmonger.service

Let certmonger generate a certificate signing request (CSR) for the client and submit it to the IdM CA for signing:

# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/client.example.com -N 'CN=client.example.com,O=EXAMPLE.COM'

This sets up a host certificate for the client.

Set a NIS domain name for the client:

# authconfig --nisdomain=client.example.com --update

Restart the domain name service to apply the change:

# systemctl restart rhel-domainname.service

Note: The NIS domain does not actually have to exist. It is also not required to have a NIS server installed. For details on the NIS domain name requirements, see the Linux Domain Identity, Authentication, and Policy Guide.

Add sudo to the list of services in the [sssd] section in the /etc/sssd/sssd.conf file:

[sssd]
services = nss, pam, sudo

Enable SSSD as a source for sudo rules. Open the /etc/nsswitch.conf file, and make sure the sudoers entry includes the following:

sudoers: files sss

This configures the sudo utility to be used with SSSD.
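Both of the edits above are easy to get wrong by hand (duplicating the sudoers line, listing sudo twice, or re-creating sssd.conf with the wrong mode). The following is an added example and not part of the Red Hat documentation: two idempotent helpers that add sss to a nsswitch.conf database line and add a service to the services line of the [sssd] section, rewriting each file in place so its mode and owner are kept. The function names are this example's own; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: idempotent edits for the
# sudo-over-SSSD steps. Re-running either function is a no-op.

# ensure_nss_sss FILE DB -- make sure "DB: ... sss" is present in nsswitch.conf,
# e.g. ensure_nss_sss /etc/nsswitch.conf sudoers
ensure_nss_sss() {
    file=$1
    db=$2
    awk -v db="$db" '
        $1 == (db ":") {
            found = 1; has = 0
            for (i = 2; i <= NF; i++) if ($i == "sss") has = 1
            if (!has) $0 = $0 " sss"        # append sss, keep existing sources
        }
        { print }
        END { if (!found) print db ": files sss" }   # line missing entirely: add it
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# ensure_sssd_service FILE SERVICE -- add SERVICE to "services =" in the [sssd]
# section only; other sections are left untouched. Writing through cat keeps
# the inode, so sssd.conf stays root-owned and mode 0600.
ensure_sssd_service() {
    file=$1
    svc=$2
    awk -v svc="$svc" '
        /^[ \t]*\[/ { insssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/) }
        insssd && /^[ \t]*services[ \t]*=/ {
            split($0, parts, "=")
            current = parts[2]
            gsub(/[ \t]/, "", current)      # "nss,pam"
            has = 0
            n = split(current, list, ",")
            for (i = 1; i <= n; i++) if (list[i] == svc) has = 1
            if (!has) $0 = (current == "") ? ("services = " svc) : ($0 ", " svc)
        }
        { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# usage on a real client:
#   ensure_sssd_service /etc/sssd/sssd.conf sudo
#   ensure_nss_sss /etc/nsswitch.conf sudoers
#   systemctl restart sssd.service
```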

Restart SSSD:

# systemctl restart sssd.service

Run the ipa-client-automount utility, which automatically configures NFS for IdM. See the Linux Domain Identity, Authentication, and Policy Guide for details.

Uninstalling an IdM Client Manually

On the Client

Log in as admin:

$ kinit admin

Remove the old host name from the main keytab. To do this, either remove every principal in the realm, or remove specific principals.

  • To remove every principal:

    $ ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM

  • To remove specific principals:

    $ ipa-rmkeytab -k /etc/krb5.keytab -p host/server.example.com@EXAMPLE.COM

List every certificate being tracked by the certmonger service. Note the database and nickname for each certificate:

$ ipa-getcert list

Disable tracking for each of the displayed certificates. For example:

$ ipa-getcert stop-tracking -n "Server-Cert" -d /etc/httpd/alias

On the Server

Log in as admin:

$ kinit admin

Remove the client host from the IdM DNS domain. This cleans up the old IdM entries associated with the client and allows it to be re-enrolled cleanly at a later time.

$ ipa host-del client.example.com

Remove the DNS entries for the client host manually from the server. See the Linux Domain Identity, Authentication, and Policy Guide.
