FreeIPA/Red Hat IDM

I’m working on bringing my 100+ servers under FreeIPA, aka a centralized Identity Management system. Since FreeIPA is an upstream source for Red Hat IDM, I added it to the title.

Installing the FreeIPA client on a server is simple. Run:

# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: bldr0cuomshift.internal.pri
Realm: INTERNAL.PRI
DNS Domain: internal.pri
IPA Server: lnmt1cuomifidm1.internal.pri
BaseDN: dc=internal,dc=pri

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@INTERNAL.PRI:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=INTERNAL.PRI
    Issuer:      CN=Certificate Authority,O=INTERNAL.PRI
    Valid From:  2020-06-27 03:52:06
    Valid Until: 2040-06-27 03:52:06

Enrolled in IPA realm INTERNAL.PRI
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm INTERNAL.PRI
trying https://lnmt1cuomifidm1.internal.pri/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/json'
trying https://lnmt1cuomifidm1.internal.pri/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://lnmt1cuomifidm1.internal.pri/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring internal.pri as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Then I migrate local accounts over to use IDM instead. This has been working just fine on CentOS and Red Hat 7. The script I use runs:

# getent -s sss passwd [account]

This returns only accounts that are managed in IDM, so I can then change the user and group ownership of the files the local account owns.

The issue: with CentOS 8 (and I assume Red Hat 8), the command also returns information for local, non-IDM accounts. This is unexpected and breaks my script. Not fatal, but it means I would have to manually identify local users and make sure they're in IDM before trying to convert them, because the script deletes the local user, which causes other problems if that user was never in IDM.

# getent -s sss passwd bin
bin:x:1:1:bin:/bin:/sbin/nologin

With CentOS 7, this returns nothing; with CentOS 8, it returns the bin entry.

What happened is that the sssd behavior changed. The enable_files_domain option in the [sssd] section of /etc/sssd/sssd.conf defaults to false in CentOS 7, but in CentOS 8 the default is true. This means local accounts are also handled by sssd and are returned when querying the sss source with getent.

After setting enable_files_domain = false in /etc/sssd/sssd.conf and restarting sssd, the command returns nothing, as expected:

# getent -s sss passwd bin

With that fixed, I continue adding servers to IDM.
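The check below is an added example, not code from the original post. It shows the pre-flight a migration script should run before trusting `getent -s sss passwd` on CentOS 8: it refuses to proceed if enable_files_domain is not explicitly false in sssd.conf, and, as a second guard, if the sss source hands back the local bin entry (the post's own canary). The config path, passwd path and lookup command are variables so the logic can be exercised against constructed data; the sssd.conf fragments, passwd lines, the user names alice and bob, and the fake_sss_* lookups are all constructed for the demonstration and do not describe a real host.

```shell
#!/bin/sh
# Added example (not code from the original post): pre-flight checks for a
# local-to-IDM migration script that trusts `getent -s sss passwd NAME` to
# return only IDM-managed accounts. On CentOS 8 sssd's enable_files_domain
# defaults to true, so /etc/passwd accounts are answered by the sss source
# as well, and a script that deletes the local copy of every "migrated"
# account would delete purely local users. Paths and the lookup command are
# variables so the checks can run against the constructed data below.

SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
LOCAL_PASSWD=${LOCAL_PASSWD:-/etc/passwd}
SSS_LOOKUP=${SSS_LOOKUP:-sss_getent}   # command/function taking a user name

# The real lookup the post's script uses.
sss_getent() { getent -s sss passwd "$1"; }

# Returns 0 if enable_files_domain is (effectively) true in the [sssd]
# section of the file named in $1. An absent key means the distribution
# default, which is true on CentOS 8.
files_domain_enabled() {
    val=$(awk '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        insect && /^[ \t]*enable_files_domain[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]+$/, "")
            print tolower($0); exit
        }' "$1")
    case "$val" in
        false|no|0) return 1 ;;
        *)          return 0 ;;
    esac
}

# Returns 0 if the sss source hands back the local passwd entry for $1,
# i.e. sssd is answering for a user that exists only in /etc/passwd.
# Call it with a known local system account as a canary (the post uses bin).
sss_serves_local() {
    local_line=$(grep "^$1:" "$LOCAL_PASSWD") || return 1
    sss_line=$("$SSS_LOOKUP" "$1") || return 1
    [ "$sss_line" = "$local_line" ]
}

# Returns 0 only when the sss source can be trusted and $1 is an
# IDM-managed account. A migration script should gate its chown and
# userdel steps on this.
safe_to_migrate() {
    if files_domain_enabled "$SSSD_CONF"; then
        echo "refusing: enable_files_domain is not false in $SSSD_CONF" >&2
        return 1
    fi
    if sss_serves_local bin; then
        echo "refusing: sss source returned the local bin account" >&2
        return 1
    fi
    "$SSS_LOOKUP" "$1" >/dev/null
}

# --- constructed demonstration data (not from a real host) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:1001:Alice Local:/home/alice:/bin/bash
EOF
# CentOS 8 style config: the key is absent, so the default (true) applies.
printf '[sssd]\ndomains = internal.pri\nservices = nss, pam, ssh, sudo\n\n[domain/internal.pri]\nid_provider = ipa\n' >"$tmp/sssd-default.conf"
# The fix from the post.
printf '[sssd]\ndomains = internal.pri\nenable_files_domain = false\n\n[domain/internal.pri]\nid_provider = ipa\n' >"$tmp/sssd-fixed.conf"

# Stand-in for getent on an unfixed CentOS 8 box: sssd answers for the
# local bin and alice entries as well as for bob, who exists only in IDM.
fake_sss_default() {
    case "$1" in
        bin)   echo 'bin:x:1:1:bin:/bin:/sbin/nologin' ;;
        alice) echo 'alice:x:1001:1001:Alice Local:/home/alice:/bin/bash' ;;
        bob)   echo 'bob:*:1234000001:1234000001:Bob IDM:/home/bob:/bin/bash' ;;
        *)     return 2 ;;
    esac
}
# Stand-in after the fix: only IDM accounts come back.
fake_sss_fixed() {
    case "$1" in
        bob) echo 'bob:*:1234000001:1234000001:Bob IDM:/home/bob:/bin/bash' ;;
        *)   return 2 ;;
    esac
}

LOCAL_PASSWD=$tmp/passwd
for combo in "sssd-default.conf fake_sss_default" "sssd-fixed.conf fake_sss_fixed"; do
    SSSD_CONF=$tmp/${combo% *}; SSS_LOOKUP=${combo#* }
    for user in alice bob; do
        if safe_to_migrate "$user"; then r=migrate; else r=skip; fi
        echo "$SSS_LOOKUP $user: $r"
    done
done
```

On the unfixed configuration every account is skipped, because the script cannot tell an IDM account from a local one through the sss source; on the fixed configuration only bob, who exists solely in IDM, is approved for migration, while the local-only alice is skipped because the sss source no longer returns her.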

If you find you need to remove a system from IDM, first list /home to see which accounts have home directories and compare that list against /etc/passwd. Every file owned by an IDM account has to be re-owned to the new local user you create, so note each account's UID and GID while the system can still resolve them.

cd /home
ls -l
ipa-client-install --uninstall
find / -gid [id] -print
find / -uid [id] -print
useradd -c "comment" -d /home/[homedir] -s /bin/ksh -m [username]
passwd [username]
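The helpers below are an added example, not code from the original post. They package the removal steps above: snapshot_accounts records an account's passwd entry while sssd can still resolve it (after ipa-client-install --uninstall the ownership shown by ls -l is just a number), orphaned_homes does the "compare /home against /etc/passwd" check, and restore_plan prints the useradd and find/chown commands from the snapshot instead of running them, so they can be reviewed before anything is re-owned. The home tree, passwd file, the user names alice and bob and bob's snapshot line are constructed for the demonstration and do not describe a real host.

```shell
#!/bin/sh
# Added example (not code from the original post) for taking a client out
# of IDM. Three helpers: record each IDM account's passwd entry while sssd
# can still resolve it (after ipa-client-install --uninstall those UIDs are
# just numbers); list home directories that have no matching passwd entry;
# and print, rather than run, the useradd/chown commands so they can be
# reviewed first. File paths are parameters so it runs on constructed data.

# Print the passwd entries for the given names from the current resolver.
# Run this BEFORE --uninstall and save the output.
snapshot_accounts() {
    for n in "$@"; do getent passwd "$n"; done
}

# Print the names of directories under $1 that are not users in the passwd
# file $2 (the post's "check /home and compare against /etc/passwd").
orphaned_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        n=$(basename "$d")
        grep -q "^$n:" "$2" || echo "$n"
    done
}

# From a snapshot (passwd-format lines) print the commands that recreate
# each account locally and re-own files still carrying the old numeric ids.
# The find runs by number, as in the post, because the old UID/GID no
# longer resolve to a name once the client is unenrolled.
restore_plan() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        printf 'useradd -c "%s" -d %s -s %s -m %s\n' "$gecos" "$home" "$shell" "$name"
        printf 'passwd %s\n' "$name"
        # -xdev keeps find off NFS and /proc; -h re-owns symlinks themselves
        printf 'find / -xdev -uid %s -exec chown -h %s {} +\n' "$uid" "$name"
        printf 'find / -xdev -gid %s -exec chgrp -h %s {} +\n' "$gid" "$name"
    done <"$1"
}

# --- constructed demonstration data (not from a real host) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/home/alice" "$tmp/home/bob"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1001:1001:Alice Local:/home/alice:/bin/bash\n' >"$tmp/passwd"
# What `snapshot_accounts bob` would have printed on the enrolled host
# (constructed line with a made-up UID/GID).
printf 'bob:*:1234000001:1234000001:Bob IDM:/home/bob:/bin/ksh\n' >"$tmp/snapshot"

echo "home directories without a local passwd entry:"
orphaned_homes "$tmp/home" "$tmp/passwd"
echo "commands to run after ipa-client-install --uninstall:"
restore_plan "$tmp/snapshot"
```

On a real host the sequence is: snapshot_accounts for each IDM user with a home directory, then ipa-client-install --uninstall, then review and run the restore_plan output. The find commands should run before any new users reuse the old numeric ids, and -xdev keeps them from walking network mounts.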
This entry was posted in Computers, FreeIPA.