Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen der Seite angezeigt.

--- content:serverbasics:docker-freeipa [2025/04/04 17:23] – [Central DNS for the Domain] obel1x
+++ content:serverbasics:docker-freeipa [2026/03/06 16:39] (aktuell) – [Setup Sudoers with FreeIPA/SSSD] obel1x
@@ Zeile 10: / Zeile 10: @@
 You will need a Docker- Host, that is rechable from the Internet with its fully qualifierd Domain- Name (FQDN) as described in the chapters before. The given Ports must be reachable from the clients.
 ===== Docker composer =====
@@ Zeile 102: / Zeile 101: @@
  ipa_journal:
  caddy_data:
+networks:
+# Still needs to be defined while without it won't enable ipv6
+  default:
+    driver: bridge
+    enable_ipv6: true
 </file>
-The caddy_data Volume contains the Certifictes for encryption from Caddy as described in [[.:docker-caddy|]].
+The caddy_data Volume contains the Certifictes for encryption from Caddy as described in [[:content:serverbasics:docker-caddy|]].
 __**STRONG ADVISE: Do not open Ports of your firewall of the services Kerberos, LDAP or DNS until you configured everything first, otherwise your Server will be very insecure at this stage!**__
@@ Zeile 131: / Zeile 136: @@
 As the internal Certificate of FreeIPA will be self-signed, the verification is turned off first. Later the Cert is replaced by the ACME- letsencrypt- Certificate of Caddy, so you may turn this on again. But there is no benefit, as the SSL Connection is always internally proxied by Caddy, so there will be NO insecured Connections to the net.
-===== Encryption =====
+===== Certificate- Setup - SSL for LDAP and Kerberos =====
 First thing you should do, is to secure the (Kerberos and LDAP)- ports with the certificate from letsenrcypt that Caddy gave you when openining the Webservice for IPA at [FQDN_HOSTNAME]. Without those matching certificates in place, Kerberos later won't accept the self signed- certificates that FreeIPA will create during install.
@@ Zeile 187: / Zeile 192: @@
 **Caution: Not renewing those Certificates will LOCK YOU OUT OF FREEIPA COMPLETEY with NOT OPTION to correct that after the certificates have expired!**
 ==== Explanation of the Commands, Checks and Debugging ====
@@ Zeile 259: / Zeile 266: @@
 Well, you're in trouble. The only way, i found to fix this, is to adjust the Hosts time to some time before that expiration- date, start the Container with "DEBUG_NO_EXIT: 1" and run the script manally.
 ===== Web- Gui / Logon =====
@@ Zeile 487: / Zeile 493: @@
 After that, the LDAP- Query should work. Test it:
 <code>
 docker@servername:~> ldapsearch -xv -W -H ldaps://ipa.domain.tld -b "cn=users,cn=accounts,dc=domain,dc=tld" -D "uid=USERID,cn=users,cn=accounts,dc=domain,dc=tld"
 ldap_initialize( ldaps://ipa.domain.tld:636/??base )
@@ Zeile 518: / Zeile 524: @@
 </code>
-==== Jxplorer - GUI for LDAP ====
-A very nice tool for exploring your LDAP- Tree is: http://jxplorer.org/index.html
+==== Jxplorer - GUI for LDAP ====
+A very nice tool for exploring your LDAP- Tree is: [[http://jxplorer.org/index.html|http://jxplorer.org/index.html]]
 ===== Port opening =====
@@ Zeile 538: / Zeile 544: @@
 This is done by adding an NS- Entry to you Internet-DNS. Please check yout ISP- Docs for how to add that NS entry for your domain:
 <code>
 clients.domain.tld  42363 IN NS ipa.domain.tld.
@@ Zeile 567: / Zeile 573: @@
   - Install a working Kerberos-Client and enroll your PC to the Domain
   - Logon to your Linux- PC using SSSD/Kerberos
+==== Install Kerberos-Client and enroll your PC to the Domain ====
+Currently unfortunatelly i was not able to get Leap 15.6 working with freeipa-client (which worked for 15.5). So i switched to fedora (the KDE- Spin is very nice)
+On Fedora, you can archive the Installation like this (Docs at [[https://www.freeipa.org/page/ConfiguringFedoraClients|https://www.freeipa.org/page/ConfiguringFedoraClients]]
+<code>
+#:> sudo yum install ipa-client
+</code>
+After that, go on with the next chapter [[https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker-freeipa#integrate_to_the_domain|https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker-freeipa#integrate_to_the_domain]]
+----
+Using Ferdora, skip this!
+After a fresh Install of OpenSUSE, you frist need to get the Package freeipa-client.
+I personally made it working that way:
+  * Open Yast
+  * Choose User and Group- Management
+  * Go to Authentication Settings
+  * Select SSSD and Add a new FreeIPA-Domain.
+      * Enable Domain Logons
+      * Create Home-Directory = yes
+      * Sync Users and Groups
+      * SSH + Sudo = yes
+As IPA- Server use ''ipa.domain.tld'', no hostname set. The Network- Domain is ''clients.domain.tld''
+After those settings, exit from Yast. Do not care about Errors, that SSSD is not working: Your Client is missing important Domain Integration, so the service will fail.
+As the time beeing, there is no official Package for Leap 15.6. So you may use mine:
+<code>
+zypper addrepo https://download.opensuse.org/repositories/home:obel1x/15.6/home:obel1x.repo
+zypper refresh
+zypper install freeipa-client
+#Add Additional Packages / setup some needed files
+pip3 install ifaddr
+ln /usr/lib/mit/bin/kdestroy /usr/bin/kdestroy
+</code>
+=== Integrate to the Domain ===
+After that, you need to setup your Client maybe with this small script, called ipa_register_host.sh which you can put to /root:
+<file>
+#!/bin/bash
+TLDOMAIN=domain.tld
+DOMAIN=clients.${TLDOMAIN}
+SERVERFQDN=ipa.${TLDOMAIN}
+#Serialnr of this device
+HOSTNM=pc$(dmidecode -t system|grep -i "serial"|sed 's/Serial Number: //'|xargs|cut -c1-60|tr '[:upper:]' '[:lower:]'|sed 's/[^0-9a-z]*//g')
+FQDN=${HOSTNM}.${DOMAIN}
+echo "${FQDN} wird der Domain ${DOMAIN} hinzugefügt"
+hostnamectl set-hostname ${HOSTNM}
+#Check, if hostname is resolvable to this host - if not, add entry to /etc/hosts
+if ! grep -q ${FQDN} "/etc/hosts"; then
+  echo "Adding Host ${FQDN} to /etc/hosts"
+  echo "">>"/etc/hosts"
+  echo "127.0.0.1   ${FQDN} ${HOSTNM}">>"/etc/hosts"
+fi
+INSTCMD="ipa-client-install --mkhomedir --force-join --no-ntp --principal=admin --domain=${DOMAIN} --server=${SERVERFQDN} --hostname=${FQDN}"
+echo ${INSTCMD}
+${INSTCMD}
+echo "Ende Installation, sie können das Fenster schließen"
+</file>
+This script will integrate your PC into your IPA- Domain. Have the Password of your IPA- Admin ready.
+After that, the SSSD should start, you may start, check and enable the Service.
+ <font 18px/inherit;;#e74c3c;;inherit>ATTENTION: When you now restart your PC and you have only WLAN enabled, the login WILL FAIL, because WLAN is activated AFTER logon. So SSSD cannot check your Domain and your Account and thus user logon will fail.</font>
+To prevent this, use a network- cable and configure Networking at system start, OR configure your wireless lan to be setup first. Or first logon as root, then as User.
+You should frist check on non-graphical terminal if this will work, because errors will be shown there. Good Luck.
+==== Setup your Browser to trust your IPA-Server ====
+This one is on Firefox, as it works.
+Go to your IPAs ipa.domain.tld/ipa/config/ssbrowser.html website. You can also find the LInk at the initial Logon-Page.
+For me, the Button ''Import Certificate''  did not install automagically - use right- click and save to a file named ipa.crt.
+Than open Firefox settings, Privacy and Security, Authorities- Tab and select Import. Use the downloaded file and select all Checkboxes. This installs your IPA- Authority to your Browser as trusted CA.
+Do Steps 2 - 5 as described.
+After that, and after loggon to your pc with your FreeIPA-User, the User should automagically be logged on when you open ipa.domain.tld.
+If not, check if your klist shows some vaild Tickets. Otherwise inspect if this works:
+<code>
+HOSTNAME:~ # kinit admin
+Password for admin@DOMAIN.TLD:
+HOSTNAME:~ # klist
+Ticket cache: KEYRING:persistent:0:0
+Default principal: admin@DOMAIN.TLD
+Valid starting     Expires            Service principal
+/07/25 12:58:27  04/08/25 12:40:12  krbtgt/DOMAIN.TLD@DOMAIN.TLD
+</code>
+This should be all needed to work for Firefox.
+==== Setup Sudoers with FreeIPA/SSSD ====
+This is quite a cool feature to have client admin- users managed by putting them in an IPA- group. When Loggin in with SSSD they will get added to the sudoers, making them admin on the given machines. Check this out: [[https://www.howtoforge.de/anleitung/wie-integriere-ich-sudoers-in-den-freeipa-server/|https://www.howtoforge.de/anleitung/wie-integriere-ich-sudoers-in-den-freeipa-server/]]
+==== Additional Groups ====
+You can also add System- Groups in IPA, that the client may have. E.g. a very nice group to have, would be a group named "wheel". That group enables all users in it to install Software without beeing asked for a password.
+You can add the clientadmins- group to the wheel- group so all users of the clientadmins group will be in wheel to (check in IPA with the "indirect members" view, if wheel has all users, which clientsadmins has as "direct members" to make it work !).
 ===== Next Steps =====
-Next, you can integrate a Middleware for Authentication. You could, but you should NOT use FreeIPAs LDAP- Service directly as Authentication- Source for anything, as LDAP is very costy and would not deliver all needed APIs e.g. for SSO. This is part of your Middleware, so checkout [[.:docker-authentik|]] to read further.
+Next, you can integrate a Middleware for Authentication. You could, but you should NOT use FreeIPAs LDAP- Service directly as Authentication- Source for anything, as LDAP is very costy and would not deliver all needed APIs e.g. for SSO. This is part of your Middleware, so checkout [[:content:serverbasics:docker-authentik|]] to read further.
+===== Special Annotations =====
+Here are some Points, tha may be relevant in special Cases.
+==== Backup and Restore ====
+If you ever need to restore your IPA- Volumes (wihcih may be for e.g. after broken Updates), be very careful about ownership of the files. IPA contains many Services, that are critical about which user owns the configurationfiles. When you are Backing up with Nextclouds-Borg, you CANNOT restore those files 1:1 from your Host itself - as this may destroy ownerships.
+Here are a few special files and users to pay attention to:
+User Dirsrv
+<code>
+# chgrp named /data/etc/named.conf
+# chown named:named /etc/named.keytab
+# chown root:named -R -h -L /data/etc/named
+# chown named:named -R -h -L /data/var/named
+# chown dirsrv:dirsrv -R -h -L /data/var/lib/dirsrv
+# chown dirsrv:dirsrv -R -h -L /data/var/log/dirsrv
+# chown dirsrv:dirsrv -R -h -L /data/etc/dirsrv
+# chown root:pkiuser /data/var/lib/ipa/pki-ca/publish -h -L
+# chown pkiuser:pkiuser /data/var/lib/ipa/pki-ca/publish/* -h -L
+# chown pkiuser:pkiuser /data/etc/sysconfig/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/etc/sysconfig/pki/tomcat/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/etc/pki/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/etc/pki/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/var/lib/pki/pki-tomcat -h -L -R
+# chown pkiuser:pkiuser /data/var/log/pki/pki-tomcat -h -L -R
+# chown root:named -h -L /etc/rndc.key
+# chown root:ipaapi /data/var/lib/ipa/ra-agent.* -h -L
+</code>
+so e.g.:
+<code>
+# ls -lZ /etc/dirsrv/ds.keytab
+-rw——-. dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 /etc/dirsrv/ds.keytab
+</code>