Installing and Uninstalling an Identity Management Client Manually
Note: Automated installation and uninstallation using the ipa-client-install utility is much simpler. See the Linux Domain Identity, Authentication, and Policy Guide.
Installing an IdM Client Manually
Prerequisites
Install the required client packages:
# yum install sssd
On the Server
Log in as admin.
$ kinit admin
Create a host entry for the client. Specify the client's IP address and host name. For example:
$ ipa host-add --ip-address=203.0.113.1 client.example.com
For details on creating host entries, see the Linux Domain Identity, Authentication, and Policy Guide.
Set the client to be managed by the IdM server:
$ ipa host-add-managedby --hosts=server.example.com client.example.com
On the Client
Configure SSSD to point to the IdM domain by saving the following configuration in the /etc/sssd/sssd.conf file:
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
[nss]
[pam]
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.example.com
chpass_provider = ipa
ipa_server = server.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
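As an added example (not part of the original guide), the following shell functions write the sssd.conf shown above from the domain, client and server names, and then check the result. SSSD will not start if /etc/sssd/sssd.conf is readable by anyone other than root, so the file is created with mode 0600. The function and parameter names are this example's own; the configuration keys and values are the ones listed above.

```shell
#!/bin/bash
# Added example, not from the original guide.
# Usage: write_sssd_conf <file> <domain> <client-fqdn> <server-fqdn>
#        check_sssd_conf <file> <domain>

write_sssd_conf() {
    local conf="$1" domain="$2" client="$3" server="$4"
    # Create (or truncate) the file under a restrictive umask, then force
    # 0600 in case the file already existed with a looser mode.
    ( umask 077 && : > "$conf" ) || return 1
    chmod 0600 "$conf" || return 1
    cat > "$conf" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ${domain}

[nss]

[pam]

[domain/${domain}]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ${domain}
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ${client}
chpass_provider = ipa
ipa_server = ${server}
ldap_tls_cacert = /etc/ipa/ca.crt
EOF
}

# Return 0 when the file is mode 0600, has the [domain/<domain>] section and
# carries every provider key the guide sets; otherwise print what is wrong
# and return 1.
check_sssd_conf() {
    local conf="$1" domain="$2" key
    # ls -l is used instead of stat so the check works on both GNU and BSD.
    [ "$(ls -l "$conf" | cut -c1-10)" = "-rw-------" ] \
        || { echo "bad mode on ${conf} (expected 0600)"; return 1; }
    grep -q "^\[domain/${domain}\]" "$conf" \
        || { echo "missing [domain/${domain}] section"; return 1; }
    for key in id_provider auth_provider access_provider chpass_provider \
               ipa_domain ipa_server ipa_hostname ldap_tls_cacert; do
        grep -q "^${key} = " "$conf" \
            || { echo "missing ${key}"; return 1; }
    done
    return 0
}

# Example run on a real client (as root):
#   write_sssd_conf /etc/sssd/sssd.conf example.com client.example.com server.example.com
#   check_sssd_conf /etc/sssd/sssd.conf example.com
```

The check deliberately fails on a mode other than 0600 rather than repairing it, so a file that was edited by hand with the wrong permissions is noticed before SSSD refuses to start.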
Run the authconfig utility to configure various services to use SSSD. This updates the /etc/nsswitch.conf file and several files in the /etc/pam.d/ directory:
# authconfig --update --enablesssd --enablesssdauth
For details, see the authconfig(8) man page.
Configure Kerberos to point to the IdM KDC. Edit the /etc/krb5.conf file to include these settings:
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Get the IdM server's CA certificate from the server:
# curl -o /etc/ipa/ca.crt http://server.example.com/ipa/config/ca.crt
Install the CA certificate in the system's NSS database:
# certutil -A -d /etc/ipa/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
Generate the keytab for the client:
# ipa-getkeytab -s server.example.com -D "cn=Directory Manager" -w <Directory manager Password> -p host/client.example.com -k /etc/krb5.keytab
Make sure the certmonger service is running and enable it to start on boot:
# systemctl start certmonger.service
# systemctl enable certmonger.service
Let certmonger generate a certificate signing request (CSR) for the client and submit it to the IdM CA for signing:
# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/client.example.com -N 'CN=client.example.com,O=EXAMPLE.COM'
This sets up a host certificate for the client.
Set a NIS domain name for the client:
# authconfig --nisdomain=client.example.com --update
Restart the domain name service to apply the change:
# systemctl restart rhel-domainname.service
Note: The NIS domain does not actually have to exist. It is also not required to have a NIS server installed. For details on the NIS domain name requirements, see the Linux Domain Identity, Authentication, and Policy Guide.
Add sudo to the list of services in the [sssd] section in the /etc/sssd/sssd.conf file:
[sssd]
services = nss, pam, sudo
Enable SSSD as a source for sudo rules. Open the /etc/nsswitch.conf file, and make sure the sudoers entry includes the following:
sudoers: files sss
This configures the sudo utility to be used with SSSD.
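As an added example (not part of the original guide), the following function makes the nsswitch.conf change above idempotently: it adds sss to an existing sudoers line, creates the line if it is absent, and leaves a line that already lists sss untouched, so it can be re-run safely. The function names are this example's own; it assumes a standard nsswitch.conf layout with an optional trailing # comment on the line.

```shell
#!/bin/bash
# Added example, not from the original guide.
# Usage: enable_sss_sudoers <path-to-nsswitch.conf>

enable_sss_sudoers() {
    local file="$1"
    if ! grep -q '^sudoers:' "$file"; then
        # No sudoers line at all: add the entry the guide describes.
        printf 'sudoers: files sss\n' >> "$file"
    elif ! grep -E -q '^sudoers:[^#]*[[:space:]]sss([[:space:]]|$)' "$file"; then
        # A sudoers line exists but does not list sss: append sss after the
        # last source, keeping any trailing comment. The result is written to
        # a temporary file and moved into place so both GNU and BSD sed work.
        sed -E 's/^(sudoers:[^#]*[^[:space:]#])([[:space:]]*(#.*)?)$/\1 sss\2/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

# Print the sudoers line so the result can be inspected or checked.
sudoers_line() {
    grep '^sudoers:' "$1"
}

# Example run on a real client (as root):
#   enable_sss_sudoers /etc/nsswitch.conf && sudoers_line /etc/nsswitch.conf
```

The order files sss is kept so that the local /etc/sudoers is consulted before the rules cached by SSSD, which matches the entry the guide shows.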
Restart SSSD:
# systemctl restart sssd.service
Run the ipa-client-automount utility, which automatically configures NFS for IdM. See the Linux Domain Identity, Authentication, and Policy Guide for details.
Uninstalling an IdM Client Manually
On the Client
Log in as admin:
$ kinit admin
Remove the old host name from the main keytab. To do this, either remove every principal in the realm, or remove specific principals.
- To remove every principal:
$ ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM
- To remove specific principals:
$ ipa-rmkeytab -k /etc/krb5.keytab -p host/server.example.com@EXAMPLE.COM
List every certificate being tracked by the certmonger service. Note the database and nick name for each certificate:
$ ipa-getcert list
Disable tracking for each of the displayed certificates. For example:
$ ipa-getcert stop-tracking -n "Server-Cert" -d /etc/httpd/alias
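As an added example (not part of the original guide), the following function turns the output of ipa-getcert list into the matching stop-tracking commands, so the database and nickname of every tracked certificate are taken from the listing rather than copied by hand. It prints the commands instead of running them, which lets you review them first. The sample listing embedded below is constructed for this example; the certificate: line format (type, location, nickname) is the one certmonger prints. Certificates stored as plain files (type=FILE) are handled with the -f option of ipa-getcert stop-tracking.

```shell
#!/bin/bash
# Added example, not from the original guide.
# Usage: ipa-getcert list | stop_tracking_commands

# Read an ipa-getcert list on stdin and print one stop-tracking command
# per tracked certificate. NSS database entries use -n/-d as in the guide;
# file-backed entries use -f. Nothing is executed here.
stop_tracking_commands() {
    sed -n -E \
        -e "s/^[[:space:]]*certificate: type=NSSDB,location='([^']*)',nickname='([^']*)'.*/ipa-getcert stop-tracking -n '\2' -d '\1'/p" \
        -e "s/^[[:space:]]*certificate: type=FILE,location='([^']*)'.*/ipa-getcert stop-tracking -f '\1'/p"
}

# Constructed sample of ipa-getcert list output for an offline demonstration.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150527143013':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=client.example.com,O=EXAMPLE.COM
Request ID '20150527143020':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/client.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/client.crt'
	CA: IPA
EOF
}

# Run the parser over the constructed sample and return the commands.
demo_stop_tracking() {
    sample_getcert_list | stop_tracking_commands
}

# On a real client, review the output first, then run it:
#   ipa-getcert list | stop_tracking_commands
#   ipa-getcert list | stop_tracking_commands | sh
```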
On the Server
Log in as admin:
$ kinit admin
Remove the client host from the IdM DNS domain. This cleans up the old IdM entries associated with the client and allows it to be re-enrolled cleanly at a later time.
$ ipa host-del client.example.com
Remove the DNS entries for the client host manually from the server. See the Linux Domain Identity, Authentication, and Policy Guide.