SSSD is available on many platforms besides Fedora and RHEL. Currently, the ipa-client-install tool only works with these platforms.
It would be beneficial to document the manual steps necessary to acquire a host keytab and configure SSSD to connect to a FreeIPA server.
Hey Steve,
What exactly needs to be done? I'm guessing....
Is it possible to run ipa-getkeytab? What package needs to be installed to get that? Or is there another method to get the keytab?
What's the procedure to configure SSSD? Is it like http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Deployment_Guide/Configuring_Domains.html#Configuring_Domains-Setting_up_Kerberos_Authentication ?
Adding Rob to the CC. He knows the details better than I do.
It's not quite the same as the Kerberos authentication approach. I want us to document how to use the IPA provider in SSSD, rather than treating it as an LDAP+KRB5 setup (so people can use HBAC for access control).
As I understand it, the basic steps will be setting up a new host in FreeIPA, then running ipa-getkeytab on a system that supports ipa-admintools, copying that keytab to the non-Fedora/RHEL client, and setting up SSSD, nsswitch.conf, krb5.conf and /etc/pam.d appropriately.
Let's assume that we don't have ipa-getkeytab on our target machine (and can't easily get it).
To get a keytab for machine B while on machine A there are a couple of options.
You can get a keytab for a machine if:
- your user is in the admins group
- your user is in the "IT Specialist" role

You can also create a new role to do this; you need to either:
- add the "host administrators" privilege
- add a new privilege that has the "enroll a host" permission
OR
A host can obtain a keytab for hosts and services it manages. To let host A get a keytab for host B, create host B and run:
$ ipa host-add-managedby --hosts=hostA hostB
Ok, now we have a user/host that has rights to generate a keytab for host B.
# kinit admin/someuser
# kinit -kt /etc/krb5.keytab host/hostA.example.com
Retrieve the keytab:
# ipa-getkeytab -s ipaserver.example.com -p host/hostB.example.com -k /tmp/hostB.keytab
The host principal for hostB is now in keytab /tmp/hostB.keytab. Securely move this to hostB, rename it as /etc/krb5.keytab and set the correct permissions (probably want root:root 0600). May even want to set SELinux context to system_u:object_r:krb5_keytab_t:s0
If hostB already has an /etc/krb5.keytab that has existing contents you want to keep you can use ktutil to combine them (beyond the scope of this exercise).
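Rob's keytab procedure above and the SSSD/IPA-provider setup Steve lists earlier in the thread, combined into one added shell example; this is not code from the ticket or from the FreeIPA project. The server, domain and host names are assumed placeholders, the `ipa host-add` step is assumed (the thread says "create host B" without showing the command), and the sssd.conf is a minimal IPA-provider configuration with access_provider = ipa so that HBAC rules are enforced, which is the point of using the IPA provider rather than an LDAP+KRB5 setup.

```shell
#!/bin/sh
# Added example, not from the ticket: the manual enrollment steps as shell functions.
# Server, domain and host names below are assumed placeholders.
set -eu

IPA_SERVER="${IPA_SERVER:-ipaserver.example.com}"   # assumed IPA server
IPA_DOMAIN="${IPA_DOMAIN:-example.com}"             # assumed IPA domain
HOST_A="${HOST_A:-hostA.example.com}"               # enrolled host that has ipa-admintools
HOST_B="${HOST_B:-hostB.example.com}"               # non-Fedora/RHEL client being enrolled

# Step 1 (run on host A): create host B, delegate its management to host A,
# authenticate with host A's own keytab and fetch host B's keytab into $1.
fetch_keytab_for_hostb() {
    out="$1"
    kinit admin                                   # any user with the rights listed above
    ipa host-add "$HOST_B"                        # assumed step; add --force if B has no DNS record
    ipa host-add-managedby --hosts="$HOST_A" "$HOST_B"
    kdestroy
    kinit -kt /etc/krb5.keytab "host/$HOST_A"     # host A's credentials now suffice
    ipa-getkeytab -s "$IPA_SERVER" -p "host/$HOST_B" -k "$out"
    chmod 0600 "$out"                             # the keytab is a credential: protect it before copying
}

# Step 2 (run on host B after the file was copied over securely): install the keytab
# as root:root 0600 and, on SELinux systems, with the krb5_keytab_t context.
install_keytab() {
    src="$1"
    dst="${2:-/etc/krb5.keytab}"
    install -m 0600 "$src" "$dst"
    [ "$(id -u)" -eq 0 ] && chown root:root "$dst"
    if [ -d /sys/fs/selinux ] && command -v chcon >/dev/null 2>&1; then
        chcon system_u:object_r:krb5_keytab_t:s0 "$dst"
    fi
    # refuse to report success unless the mode is exactly 0600
    [ "$(ls -l "$dst" | cut -c1-10)" = "-rw-------" ]
}

# Step 3 (run on host B): minimal sssd.conf using the IPA provider. access_provider = ipa
# makes sssd evaluate the server's HBAC rules instead of allowing every valid login.
write_sssd_conf() {
    conf="${1:-/etc/sssd/sssd.conf}"
    ( umask 077                                   # sssd refuses a config others can read
      cat > "$conf" <<EOF
[sssd]
services = nss, pam
domains = $IPA_DOMAIN

[domain/$IPA_DOMAIN]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = $IPA_DOMAIN
ipa_server = $IPA_SERVER
ipa_hostname = $HOST_B
krb5_keytab = /etc/krb5.keytab
cache_credentials = True
EOF
    )
}

# Step 4 (run on host B): confirm the keytab holds host B's principal and that
# nsswitch.conf consults sss for users and groups before touching /etc/pam.d.
verify_enrollment() {
    klist -kt /etc/krb5.keytab | grep -q "host/$HOST_B@"
    grep -q '^passwd:.*sss' /etc/nsswitch.conf
    grep -q '^group:.*sss'  /etc/nsswitch.conf
    id admin >/dev/null                           # a lookup through sssd resolves an IPA user
}
```

On host A call fetch_keytab_for_hostb /tmp/hostB.keytab, move the file to host B over an encrypted channel, then on host B run install_keytab /tmp/hostB.keytab, write_sssd_conf, start sssd and finish with verify_enrollment. The install function deliberately checks the resulting mode rather than trusting that chmod succeeded, because a readable keytab lets anyone on the box act as the host.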
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=782241
Steve had a similar content related to his tech review of the client install chapter. I added this section, based on the info in this ticket: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/linux-manual.html
I just neglected to update the ticket. :/
Rename component.
Metadata Update from @sgallagh:
- Issue assigned to elladeon
- Issue set to the milestone: FreeIPA 3.0 Core Effort Remaining Work