I’ve gotten used to having freeipa-client
available in dnf
or apt
repos, so I’ve rarely setup clients manually. However, I did today in Raspbian on my Raspberry Pi. I wanted to document it here mainly for my own memory. It was extremely straightforward but there were a couple tweaks needed. (In this doc “example.com” replaces my domain).
On the Pi install sssd, libnss-sss, libpam-sss, openssh-server krb5-user, and krb5-config.
On the FreeIPA server:
$ kinit admin
$ ipa host-add --ip-address=192.168.0.3 pi.example.com
$ ipa host-add-managedby --hosts=freeipa.example.com pi.example.com
$ ipa-getkeytab -s freeipa.example.com -p host/pi.example.com -k /tmp/pi.keytab
$ scp /tmp/pi.keytab pi:/etc/krb5.keytab
This mostly took care of it but the SSSD conf file needed to be configured. I had an old config from another server that needed to be “upgraded” using this script leaving me with this in /etc/sssd/sssd.conf:
[sssd]
config_file_version = 2
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = pi.example.com
chpass_provider = ipa
ipa_server = _srv_, freeipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
domains = example.com
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
Then, in FreeIPA’s web interface, I went to Authentication > Certificates and open up CN=Certificate Authority,O=EXAMPLE.COM
(serial number 1 in my case), copied the certificate value, and pasted it into /etc/ipa/ca.crt on my Pi.
I then opened /etc/ssh/sshd_config and changed GSSAPIAuthentication
to “yes”. Once I restarted SSSD and SSH, everything worked like a charm