5.4. Manually Configuring a Linux Client

The ipa-client-install command automatically configures services like Kerberos, SSSD, PAM, and NSS. However, if the ipa-client-install command cannot be used on a system for some reason, then the IdM client entries and the services can be configured manually.

5.4.1. Setting up an IdM Client (Full Procedure)

  1. Install SSSD, if it is not already installed.
  2. Optional. Install the IdM tools so that administrative tasks can be performed from the host.
    [root@client ~]# yum install ipa-admintools
  3. On an IdM server. Create a host entry for the client.
    [jsmith@client ~]$ kinit admin
    [jsmith@client ~]$ ipa host-add --force --ip-address= ipaclient.example.com
    Creating hosts manually is covered in Section 5.4.2, “Other Examples of Adding a Host Entry”.
  4. On an IdM server. Create keytabs for the client.
    1. Log in as IdM administrator.
      [jsmith@client ~]$ kinit admin
    2. Set the client host to be managed by the server.
      [jsmith@client ~]$ ipa host-add-managedby --hosts=server.example.com ipaclient.example.com
    3. Generate the keytab for the client.
      [jsmith@client ~]$ ipa-getkeytab -s server.example.com -p host/ipaclient.example.com -k /tmp/ipaclient.keytab
  5. Copy the keytab to the client machine and rename it /etc/krb5.keytab.


    If there is an existing /etc/krb5.keytab that should be preserved, the two files can be combined using ktutil.
  6. Set the correct user permissions for the /etc/krb5.keytab file.
    [root@client ~]# chown root:root /etc/krb5.keytab 
    [root@client ~]# chmod 0600 /etc/krb5.keytab
  7. Set the SELinux contexts for the /etc/krb5.keytab file.
    [root@client ~]# chcon system_u:object_r:krb5_keytab_t:s0 /etc/krb5.keytab
  8. Configure SSSD by editing the /etc/sssd/sssd.conf file to point to the IdM domain.
    [root@client ~]# touch /etc/sssd/sssd.conf
    [root@client ~]# vim /etc/sssd/sssd.conf
    config_file_version = 2
    services = nss, pam
    domains = example.com
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = example.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = ipaclient.example.com
    chpass_provider = ipa
    ipa_server = server.example.com
    ldap_tls_cacert = /etc/ipa/ca.crt
  9. Configure NSS to use SSSD for passwords, groups, users, and netgroups.
    [root@client ~]# vim /etc/nsswitch.conf
    passwd:     files sss
    shadow:     files sss
    group:      files sss
    netgroup:   files sss
  10. Configure the /etc/krb5.conf file to point to the IdM KDC.
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     rdns = false
     ticket_lifetime = 24h
     forwardable = yes
     allow_weak_crypto = true
     EXAMPLE.COM = {
      kdc = server.example.com:88
      admin_server = server.example.com:749
      default_domain = example.com
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
  11. Update the /etc/pam.d configuration to use the pam_sss.so modules.
    • For /etc/pam.d/fingerprint-auth:
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      session     optional      pam_sss.so
    • For /etc/pam.d/system-auth:
      auth        sufficient    pam_sss.so use_first_pass
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      password    sufficient    pam_sss.so use_authtok
      session     optional      pam_sss.so
    • For /etc/pam.d/password-auth:
      auth        sufficient    pam_sss.so use_first_pass
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      password    sufficient    pam_sss.so use_authtok
      session     optional      pam_sss.so
    • Enrollment_with_Separation_of_DutiesFor /etc/pam.d/smartcard-auth:
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      session     optional      pam_sss.so
  12. Install the IdM server's CA certificate.
    1. Obtain the certificate from the server.
      [root@ipaclient ~]# wget -O /etc/ipa/ca.crt http://ipa.example.com/ipa/config/ca.crt
    2. Install the certificate in the system's NSS database.
      [root@ipaclient ~]# certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i /etc/ipa/ca.crt
  13. Set up a host certificate for the host in IdM.
    1. Make sure certmonger is running.
      [root@ipaclient ~]# service certmonger start


      Configure chkconfig so that the certmonger service starts by default.
      [root@ipaclient ~]# chkconfig certmonger on
    2. Use the ipa-getcert command, which creates and manages the certificate through certmonger. The options are described more in Section B.1, “Requesting a Certificate with certmonger”.
      [root@ipaclient ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'
    If administrative tools were not installed on the client, then the certificate can be generated on an IdM server, copied over to the host, and installed using certutil.
  14. Set up NFS to work with Kerberos.


    To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file.
    1. On an IdM server, add an NFS service principal for the NFS client.
      [root@ipaclient ~]# ipa service-add nfs/ipaclient.example.com@EXAMPLE


      This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
    2. On the IdM server, obtain a keytab for the NFS service principal.
      [root@ipaclient ~]# ipa-getkeytab -s server.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab


      Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 6, use the -e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
      When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
    3. Copy the keytab from the IdM server to the NFS server. For example, if the IdM and NFS servers are on different machines:
      [root@ipaclient ~]# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
    4. Copy the keytab from the IdM server to the IdM client. For example:
      [root@ipaclient ~]# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
    5. Configure the /etc/exports file on the NFS server.
      /ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
    6. On the client, mount the NFS share.
      • Always specify the share as nfs_server:/ /mountpoint.
      • Use the same -o sec setting as is used in the /etc/exports file for the NFS server.
      [root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare

5.4.2. Other Examples of Adding a Host Entry

Section 5.4.1, “Setting up an IdM Client (Full Procedure)” covers the full procedure for configuring an IdM client manually. One of those steps is creating a host entry, and there are several different ways and options to perform that. Adding Host Entries from the Web UI

  1. Open the Identity tab, and select the Hosts subtab.
  2. Click the Add link at the top of the hosts list.
  3. Fill in the machine name and select the domain from the configured zones in the drop-down list. If the host has already been assigned a static IP address, then include that with the host entry so that the DNS entry is fully created.
    DNS zones can be created in IdM, which is described in Section 17.6.1, “Adding Forward DNS Zones”. If the IdM server does not manage the DNS server, the zone can be entered manually in the menu area, like a regular text field.


    Select the Force checkbox to add the host DNS record, even if the hostname cannot be resolved.
    This is useful for hosts which use DHCP and do not have a static IP address. This essentially creates a placeholder entry in the IdM DNS service. When the DNS service dynamically updates its records, the host's current IP address is detected and its DNS record is updated.
  4. Click the Add and Edit button to go directly to the expanded entry page and fill in more attribute information. Information about the host hardware and physical location can be included with the host entry. Adding Host Entries from the Command Line

Host entries are created using the host-add command. This commands adds the host entry to the IdM Directory Server. The full list of options with host-add are listed in the ipa host manpage. At its most basic, an add operation only requires the client hostname to add the client to the Kerberos realm and to create an entry in the IdM LDAP server:
$ ipa host-add client1.example.com
If the IdM server is configured to manage DNS, then the host can also be added to the DNS resource records using the --ip-address and --force options.

Example 5.6. Creating Host Entries with Static IP Addresses

$ ipa host-add --force --ip-address= client1.example.com
Commonly, hosts may not have a static IP address or the IP address may not be known at the time the client is configured. For example, laptops may be preconfigured as Identity Management clients, but they do not have IP addresses at the time they're configured. Hosts which use DHCP can still be configured with a DNS entry by using --force. This essentially creates a placeholder entry in the IdM DNS service. When the DNS service dynamically updates its records, the host's current IP address is detected and its DNS record is updated.

Example 5.7. Creating Host Entries with DHCP

$ ipa host-add --force client1.example.com
Host records are deleted using the host-del command. If the IdM domain uses DNS, then the --updatedns option also removes the associated records of any kind for the host from the DNS.
$ ipa host-del --updatedns client1.example.com