Manually enroll SLES12 systems to Redhat IdM

RHEL and Ubuntu systems leverage the ipa-client software to easily enrolled them to a Redhat IdM system. Unfortunately SLES12 lacks the required packages. Nevertheless, SLES12 systems can be enrolled manually. This article is about how to achieve this.

Why using IPA for SLES systems?

Most organizations are not pure RHEL or pure SLES shops, the reality shows a heterogeneous mix of Linux distributions in corporate data centers. It makes sense to use the same authentication and authorization system to manage them.

Disclaimer

All the “special” behavior of SLES12 is based on SP2 without any patches, I do not have a SLES subscription for this test. Some of this behavior may have been fixed.

Before touching any system, please have a valid backup ready, just in case.

Preparation work

IPA is picky when it comes to host names, they must be fully qualified. Unfortunately, the default for SLES systems is to use the short host name, this must be changed first, otherwise the functionality will be limited (besides that short host names are a potential security thread).

sles12sp2:~ # hostnamectl set-hostname $(hostname -f)

In case hostname -f does not work, check if the fully qualified host name is set to the primary IP address in /etc/hosts and try again.

Unfortunately this will not survive a reboot, a dirty hack is needed. If someone has a better idea, please let me know.

sles12sp2:~ # echo 'echo $(hostname -f) > /proc/sys/kernel/hostname' >> /etc/init.d/boot.local

Please ensure that system time is correct as Kerberos is picky about having the time in sync with the KDC.

Install the required software

SLES12 comes with the basic IPA libraries and the sssd plugin needed. It just lacks the ipa-client.

sles12sp2:~ # zypper install sssd-ipa sssd-tools sssd-krb5 krb5-client sssd-ad

All dependencies will be installed automatically.

Enable sssd start at boot time, as it is not by default

sles12sp2:~ # systemctl enable sssd

Remove nscd, caching will be done by sssd.

sles12sp2:~ # zypper remove nscd

Log out and in again to get /usr/lib/mit/ in the PATH environment.

Adding the host to IPA

[root@ipa1 ~]# ipa host-add --ip-address=192.168.100.115 sles12sp2.example.com 
----------------------------------
Added host "sles12sp2.example.com"
----------------------------------
  Host name: sles12sp2.example.com
  Principal name: host/sles12sp2.example.com@EXAMPLE.COM
  Principal alias: host/sles12sp2.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: sles12sp2.example.com
[root@ipa1 ~]# 

Generating the Kerberos Keytab and copy it to the destination host

[root@ipa1 ~]# ipa-getkeytab -s ipa1.example.com -p host/sles12sp2.example.com@EXAMPLE.COM -k sles12sp2.example.com.keytab
Keytab successfully retrieved and stored in: sles12sp2.example.com.keytab
[root@ipa1 ~]#  

Copy the Keytab to the system:

[root@ipa1 ~]# scp sles12sp2.example.com.keytab sles12sp2.example.com:/etc/krb5.keytab

Ensure ownership and permissions are set correctly

sles12sp2:~ # chmod 0600 /etc/krb5.keytab
sles12sp2:~ # chown root:root /etc/krb5.keytab

Configuration

Usually Yast is a quite nice tool to configure a SLES system. Unfortunately Yast is very confusing when it comes to SSSD configuration. Lets do it manually.

Get the IPA CA certificate

sles12sp2:~ # mkdir /etc/ipa
sles12sp2:~ # wget http://ipa1.example.com/ipa/config/ca.crt -O /etc/ipa/ca.crt

/etc/krb5.conf

sles12sp2:~ # cat > /etc/krb5.conf << EOF

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }


[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  canonicalize = true
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    pkinit_pool = FILE:/etc/ipa/ipa.crt

  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  $(hostname) = EXAMPLE.COM
EOF

/etc/sssd/sssd.conf/

sles12sp2:~ # cat > /etc/sssd/sssd.conf << EOF
[domain/example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = $(hostname)
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[ifp]

[secrets]
EOF

Ensure ownership and permissions are correct:

sles12sp2:~ # chown root:root /etc/sssd/sssd.conf
sles12sp2:~ # chmod 600 /etc/sssd/sssd.conf

Restart sssd

sles12sp2:~ # systemctl restart sssd

nsswitch.conf and PAM

Enable sssd

sles12sp2:~ # pam-config --add --sss

Enable automatic homedir creation on first login

sles12sp2:~ # pam-config --add --mkhomedir --mkhomedir-umask=0077

Change nsswitch.conf to use sssd

sles12sp2:~ # sed -i 's/passwd: compat/passwd: compat sss/g' /etc/nsswitch.conf
sles12sp2:~ # sed -i 's/group:  compat/group: compat sss/g' /etc/nsswitch.conf
sles12sp2:~ # echo "sudoers: sss" >> /etc/nsswitch.conf

Configure sshd and ssh to use GSSAPI for authentication

sles12sp2:~ # cat >> /etc/ssh/sshd_config << EOF
GSSAPIAuthentication yes
EOF
sles12sp2:~ # cat >> /etc/ssh/ssh_config << EOF
GSSAPIAuthentication yes
EOF

Reboot to ensure its all working and caches are clean

sles12sp2:~ # reboot

Further readings

Conclusion

Using IPA for authenticating users on SLES systems works, but it is not as comfortable as with RHEL, Fedora and Ubuntu. Suse should include the ipa-client in its distribution.

Enrolling SLES systems is not easy to automate without the ipa-client, probably Ansible could help here.

The functionality is almost the same to that for RHEL7, HBAC (host based access control) is working as expected, the same applies to centralized sudoers. Unfortunately the sssd-tools are quite outdated, sss_cache -E will not delete the sudoers cache. Suse should rebase sssd to the latest upstream version. Suse customers can file a request for enhancement in the SUSE Customer Center 😉

Have fun 🙂

Configure SSSD to work on IPv6-only Hosts

SSSD is used for the client side of IPA and other centralized Identity Management Services. Unfortunately it does not behave as it should. The default is to look up first IPv4 addresses and if that fails IPv6 should be used. Well, if IPv4 fails, the whole request fails and you got weird error messages when joining an IPA domain.

As the pool for IPv4 addresses is depleted, IPv6 is getting more and more important. Thus, IPv6-only hosts are on the rise.

Here is an example error message from the IPA client.

[root@ipv6host ~]# ipa-client-install
[output ommited] 
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin@example.com'!
Unable to reliably detect configuration. Check NSS setup manually.
[output ommited]

The host itself gets properly joined to the IPA domain and authentication works with Kerberos but you can not log in because SSSD fails.

Workaround

Configure SSSD to only use IPv6. This is done in /etc/sssd/sssd.conf

[domain/example.com]
lookup_family_order = ipv6_only
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipv6host.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa1.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Solution

At the moment there is no solution yet (just the workaround described), but its addressed at the SSSD project team, as you can see in https://pagure.io/SSSD/sssd/issue/2128 and https://bugzilla.redhat.com/show_bug.cgi?id=1021435

Happy IPv6-ing 🙂

Using IPA for user authentication and RBAC in Ansible Tower

Ansible is a great orchestration tool. Ansible Tower is the enterprise version of Ansible adding features like a WebUI, RestAPI and others.

Tower has also some features like role-based access control allowing to control which user is allowed to run which playbooks on which infrastructure, servers and so on.

In larger environments, this is not done manually but using a centrally managed Identity Management System such as Redhat IdM with IPA or Microsoft Active Directory.

This post covers how to set up Ansible Tower to leverage the use of IPA features in a simple way. Its going to use one Organizaion.

License needed

Unfortunately Tower is not yet an open source with an upstream project, this will still take some time, please be patient. Please ensure you got a license for the “standard” or “premium” edition of Ansible Tower since this is a requirement for LDAP integration, please see https://www.ansible.com/tower-editions.

Preparation in IPA

Create a bind user for Ansible

ldapmodify -x -D 'cn=Directory Manager' -W <<EOF
dn: uid=ansible,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: system
userPassword: supersecret
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF

Lets create the group in IPA

ipa2:~# ipa group-add --nonposix ansible
ipa2:~# ipa group-add-member ansible --users=jdoe

The default behavior is that every user in IPA/LDAP can log in to Tower, if not assigned to a Team, the user has no privileges, however, this is not something you want. Therefore the group “ansible” is used to restrict logins to users of that group.

LDAP tree

Non-Kerberized Web application usually query the compat LDAP tree for authentication. However, the compat tree does not expose all the required LDAP attributes (yet) I.e sn or mail are missing. There is a request for enhancement pending, see also https://bugzilla.redhat.com/show_bug.cgi?id=1362272.

We are going to customize the LDAP queries for the “normal” LDAP tree in IPA. Unfortunately this means it only works with with users created in IPA. If you are using a cross domain trust with Microsoft Active directory, the AD users are not able to log in in Ansible Tower. In such a case, set up Ansible Tower to query AD directly.

Configuring Ansible Tower

Edit the file /etc/tower/conf.d/ldap.py and add/edit the following lines to be able to look up users and groups:

AUTH_LDAP_SERVER_URI = 'ldap://ipa2.example.com:389'
AUTH_LDAP_BIND_DN = 'uid=ansible,cn=sysaccounts,cn=etc,dc=example,dc=com'
AUTH_LDAP_BIND_PASSWORD = 'supersecret'
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'cn=users,cn=accounts,dc=example,dc=com',
    ldap.SCOPE_SUBTREE,
    '(uid=%(user)s)',
AUTH_LDAP_USER_ATTR_MAP = {
    'first_name': 'givenName',
    'last_name': 'sn',
    'email': 'mail',
}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'cn=groups,cn=accounts,dc=example,dc=com',    # Base DN
    ldap.SCOPE_SUBTREE,
    '(objectClass=group)',
)

If you want to prevent any user to login to Ansible Tower, you can restrict it to one group, in this example a user must be member of the group ansible to be able to log in. This is strongly recommended

AUTH_LDAP_REQUIRE_GROUP = 'cn=ansible,cn=groups,cn=accounts,dc=example,dc=com'

You can also define a ipa group which gets automatically the superuser role assigned.

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_superuser': 'cn=admins,cn=groups,cn=accounts,dc=example,dc=com',
}

Next will be how to auto assign users to teams, this will be done later in a separate post.

Have fun 🙂

FreeIPA and Selective 2FA with Kerberos Authentication Indicators

One of the major new features in FreeIPA 4.4 is the introduction of Authentication Indicators in Kerberos tickets. This allows you to selectively enforce 2FA.

Usecases

Usually a Linux environment consists on a lot of different services. Some of them are security sensitive such as payroll systems while others are more relaxed such as simple Intranet Webservers.

Some services do not nicely play with 2FA, see https://blog.delouw.ch/2015/04/09/2fa-with-free-ipa-the-good-the-bad-and-the-ugly/. With Authentication Indicators you can allow users accessing this services without 2FA while deploying 2FA on all other services.

One of the obstacles for 2FA is user acceptance. With selective 2FA you can enforce it on the critical servers and/or services only.

Limitations

At the moment, selective 2FA with Authentication Indicators is only working with Fedora 24 and 25. There is no support (yet) for RHEL and its EL clones such as CentOS. Support for Authentication was added in SSSD 1.14, please also see the Release notes for SSSD 1.14.

At the moment, users on RHEL clients always need to provide the second factor. This probably will change for RHEL 7.3. Please also see Bugzilla #1290381. It is already included in public Beta.

Testing the new release

FreeIPA 4.4.2 is available in Fedora 25 Beta. SSSD 1.14 is available on Fedora 24 and newer and in RHEL 7.3 Beta.

Installing FreeIPA 4.4

Get Fedora 25 Beta and install four servers with it. (two replicas, two clients). Fedora 25 Beta can be downloaded here.

[root@ipa1 ~]# dnf -y install freeipa-server freeipa-server-dns

Dependencies will be resolved automatically.

Configure FreeIPA

For tests only, you can disable firewalld to avoid connectivity problems.

[root@ipa2 ~]# systemctl stop firewalld
[root@ipa2 ~]# systemctl disable firewalld

Note: the –allow-zone-overlap is only needed if you make tests with existing DNS domains such as example.com. Usually you should not use this parameter to not violate the highlander principle.

[root@ipa1 ~]# ipa-server-install --subject="O=EXAMPLE.COM 2016101501" --allow-zone-overlap --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4 

Install a replica

The second replica is first set up as a normal IPA Client and will then be promoted to be a replica.

Be sure you point your DNS to the first replica to allow detection of SRV DNS entries to correctly setup the client.

[root@ipa2 ~]# dnf -y install freeipa-server freeipa-server-dns 

Now setup the replica as a client

[root@ipa2 ~]# ipa-client-install

Get a Kerberos Ticket as admin user

[root@ipa2 ~]# kinit admin

Promote to be a replica

[root@ipa2 ~]# ipa-replica-install --setup-dns --setup-ca --forwarder=8.8.8.8 --forwarder=8.8.4.4

Enroll two or more clients

For our tests we need some clients, enroll some

Enable 2FA Authentication

As a default, 2FA is not enabled, lets change that

[root@ipa2 ~]# ipa config-mod --user-auth-type={password,otp}

Add some users

Add one or more users and set a password. Log in and set a new valid password

To be able to authenticate with both, Password only and 2FA, we need to provide that information when creating a new user. You also need to set an initial password.

[root@ipa2 ~]# ipa user-add --user-auth-type={password,otp} --first Joe --last Doe --shell=/bin/bash jdoe
[root@ipa2 ~]# ipa passwd jdoe

Get a Kerberos Ticket for jdoe, you will be promted to set a new password.

[root@ipa2 ~]# kinit jdoe
Password for jdoe@EXAMPLE.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@ipa2 ~]# 

Add a 2FA Soft token

You can assign yourself a soft token with the CLI or WebUI.

[root@ipa2 ~]# ipa otptoken-add jdoe
----------------------
Added OTP token "jdoe"
----------------------
  Unique ID: jdoe
  Type: TOTP
  Owner: jdoe
  Manager: jdoe
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/jdoe@EXAMPLE.COM:jdoe?digits=6&secret=NOBAETXGLCVEW7BSINC6II4XLSPTFPDK&period=30&algorithm=SHA1&issuer=jdoe%40EXAMPLE.COM


█████████████████████████████████████████████████████████
█████████████████████████████████████████████████████████
████ ▄▄▄▄▄ ██  ▀▄▄▀▄▄█▄█ ▀█ ▄▀█▀█▀ ▄█▄█▄  ▀▀ █ ▄▄▄▄▄ ████
████ █   █ █  ▄▀▄█▀ ▄▀█▀██▄▄ ▀▀ ▀█▄ ▀   ▀▀█ ▄█ █   █ ████
████ █▄▄▄█ █  ▀▀▀  ▀█▄ ▀█▄ ▄▄▄ ▄▄▀▀▀▄▀▀▀▀ ▀███ █▄▄▄█ ████
████▄▄▄▄▄▄▄█ ▀▄▀ █ █ █ █▄▀ █▄█ ▀ ▀ ▀▄▀▄█▄▀ █ █▄▄▄▄▄▄▄████
████▄▀▄▄ ▄▄██▀▀███▄▄▄▀▄▀██    ▄█▀ ▀ ▄ ▀█ ▀██▄█ ▄▄ ▄██████
████ ▀  ▄▄▄▄ ▀▀█▄▀▄█ ▀▀ ▀▄▄█▄█▀  ▄▀▄ ▄█▄▄█▄█▄ ▀█▀██▄▀████
████▄▀ ▄▀▄▄▄████▄ ██ ▄█▀▀▄ ▄▄██ █ █▄█▄  ▄▄▄█▀▀ ▀▀█▀ █████
████  ▄▀▀█▄▄██▀▄██▀▄▄▀▄▀ ▄ ▄▀█▄ █ ▄███ ▄▀  ▀▄▀▀▄▀ ▀ ▄████
█████▄ █▀▀▄▄▄▄ █  ▀▄█▄▀█ ▄▀█▄▄▀▀ ▀█▄ ▄ ▄█    ▀█▀ ▄▄▄█████
████  ▄   ▄▀▄ █▀█ █▀██  ▄ ▀▄█▀▀▀▄▀ ▄▄▄█▄▀ █▄▀▀  ▀▄█ ▀████
████ ▀▀ ▄▀▄▀▄█▄ ▄  ▀▀ █▀ ▄███▀ ▄ ▄▀█ ▄█▄█▀█ ▄██ ██ ▄▀████
████▀▀   ▄▄▄  ▀ ▀  ██▀  ██ ▄▄▄  █▄█ █▄▄▄▄▀ █ ▄▄▄ ▀█  ████
████▀▀▀▄ █▄█ █▄██▄▄▄ ▀█▀ ▀ █▄█  ▀ ▀ ▄▄█▀█▀▄█ █▄█  ▄▄█████
█████▄█▄▄ ▄  █▀▀█     ▄ ▄▄ ▄ ▄▄▄▄█▀█ ▄▄▄▄███    ▄▄▄▀ ████
████▄███▀█▄ ▀ ▄▄▀▄▀▀ ▄█▄██▄▀▄█▄███▀██▀▄█ ▄▄▄ ██▀█▄▄▄█████
████ ▄▀▄██▄▄▄▄██▄▀▀   ▀▄█▀█▀█▀█▄▄█ ▀█ ▄█ █▀▀▀▄█▀▄ █▄ ████
████▀█▄█▀▄▄█▄▀ ▀ ▀█▄▄▄▀▀█ ▀█▀█▄▄█▄ ▀█▀██ ▄ ▄▀█▀ █ █▄ ████
████▀█▀█▀▄▄▄██ ▀▀██▀ ▀▀▀ ▄▀ ▄█▄▄█▄▄███▀▀ ▀ ▄▀▀▄▀▄▄██▀████
████▀▄██ ▀▄█▀█ ▀   ▀▀█▄▄▀▄ ▄▄▄██ ▄▀ ▀█▄█▄ ▄▄▀▄ ▀▄▄  ▀████
█████ ▀▀█▄▄▀ █  ▄▄█▄█▀ ███▄▄▄▄▄█ ▄ ▄█▄▄▄   ██▄▀▀   ▄▄████
████▄▄▄███▄▄▀█   ███▄▀▀█ ▄ ▄▄▄ ▄█▀  ██ ███▀  ▄▄▄ ▄██ ████
████ ▄▄▄▄▄ █▀█▄▄▄ ▄▀▄██▀▀▀ █▄█ ▀ █▀▄█▄▄ ██▄▀ █▄█ ▀▄█▀████
████ █   █ █ ▄█▀▄  █▄▄▄▀▀  ▄ ▄▄█▄▀▀ █  ▄ ▀▄█     ▄▀ ▀████
████ █▄▄▄█ █▄▀▄▀█▄  █ ▀▀ ▀▄█▀▄█ █▀▄▄██▀ ▄█▄▄ ▀█ █▄ █ ████
████▄▄▄▄▄▄▄█▄▄█▄▄▄▄█▄███▄▄▄▄▄▄██▄██▄▄▄▄▄▄█▄▄▄▄█████▄▄████
█████████████████████████████████████████████████████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


[root@ipa2 ~]# 

You can add this QR code with the FreeOTP or Google Authenticator

Enforcing 2FA on a host principal

To enforce 2FA on a host, alter the host configuration as follows:

[root@ipa2 ~]# ipa host-mod  --auth-ind=otp ipaclient44-fedora24.example.com

You now can try to log in with one and two factors on that host and on some other hosts to see the difference.

Enforcing 2FA on a service

Enforcing of 2FA can also be done on a single (Kerberized) service.

[root@ipa2 ~]# ipa service-mod --auth-ind=otp http/ipaclient.example.com

Further reading

There are plenty of documents available on the internet, here is a choice:

Have fun 🙂