LPIC-3 Mixed Environments 3.0 Introduction #05: 305 Linux Identity Management and File Sharing
This blog posting is the fifth and final in a series that helps you prepare for the new version 3.0 of the LPIC-3 Mixed Environments exam. In the previous posts we have learned a lot about managing identities for Windows systems. Even though Linux can be configured to use Active Directory too, a solution that manages identities as well as other system properties explicitly for Linux would allow a finer grade of control. FreeIPA is such a solution. In this post, we will set up a FreeIPA domain, let it manage a client, and establish a trust relationship to an Active Directory domain.
Setting up Virtual Machines for FreeIPA
Just as in last week’s article, you have to extend your lab environment by a few more virtual machines. Three new Linux VMs are recommended, two that become FreeIPA servers and one that joins the domain as a client. To keep track of how we use the virtual machines in this article, name them something like ipaserver1, ipaserver2, and ipaclient1. As usual, use your favorite Linux distribution but make sure it provides recent FreeIPA packages.
FreeIPA is the upstream project for Red Hat’s Identity Management product (IDM). Therefore a lot of the FreeIPA documentation that we will review this week is actually Red Hat’s IDM documentation. A good first piece to read is the first chapter of the ‘Planning Identity Management’ guide, which explains the principles and architecture of FreeIPA.
Installing the First FreeIPA Server
For our example lab, the FreeIPA domain has to use a different DNS zone from the one used by the existing Windows domain. The IDM documentation provides more details about choosing a good domain name. Make sure to configure your new VMs to use the right DNS zone.
Install the FreeIPA server packages on the two server virtual machines. Also install AD Trust support, which might be a dedicated package. Some additional preparations that usually are required are described in the IDM’s server preparation guide.
For the purpose of your lab, you should set up FreeIPA to become a certificate authority and a name server. The IDM installation documentation provides all the necessary steps. Eventually it boils down to running ipa-server-install with the correct options and providing some information that the command prompts for.
Once the setup is complete, the ipactl command is used to manage the various FreeIPA components. Make sure they are all running and ensure they are automatically started when the virtual machine boots.
Adding a Replica Server for Redundancy
Just as with Active Directory, FreeIPA domains usually run multiple servers for redundancy. We will add the second server as a replica to the domain we have just created. The IDM documentation provides guidance on how to prepare the virtual machine to become a replica.
In our case the virtual machine is not yet a member of the domain. The command ipa-replica-install therefore first joins the virtual machine to the domain as a client and then promotes it to a replica. The documentation for installing a replica provides more details. The credentials required to join the server to the domain can be interactively specified during the installation. Replication architecture can become complex, so consult the IDM documentation for details about planning a replication architecture.
Joining a Client to the Domain
You now have two IPA servers running, but you are still missing a client to manage. On the third new virtual machine, install the FreeIPA client package and work through the requirements for client setups.
The setup itself is performed with the ipa-client-install command. By default, the command runs interactively and asks for all required information. The client installation documentation explains the various options, including the ability to provide credentials during the setup or to create a one time password to join the client to the domain in advance.
Once the setup is complete, take a look at the /etc/openldap/ldap.conf and /etc/sssd/sssd.conf> files. Also check that the client can access the domain databases by looking up some domain user information, for example, by running id admin. From now on, FreeIPA can be used to manage the client.
Managing the Domain Resources
The actual interaction with FreeIPA happens through the ipa command. This utility is structured in a series of subcommands to manage the various resource types of a FreeIPA domain. Luckily, these subcommands follow a very specific structure that makes them easy to remember. The documentation contains an introduction that explains these patterns Remembering these patterns comes in particularly handy in an exam situation where it is important to get an idea of the purpose of a certain utility or recognize a specific command.
When working with FreeIPA, a Kerberos ticket is required. This ticket can be procured and managed using the regular Kerberos tools such as kinit or klist>. The ipa command supports management for all resources in the domain. The exam objectives explicitly mention the administration of users, user groups, role based access control, hosts, and host groups. Take special care on the lifecycle of the various resource types, because the concept of a staging user, for example, is unique to FreeIPA and does not exist in Active Directory.
Resources in FreeIPA can be also managed using a web interface. In this posting we focus on the command line, because this is the form of management you will be tested on in the exam. However, the web interface is still useful to confirm that the commands run successfully and to get an overview of the various options and properties of each managed resource.
FreeIPA offers centralized management for various services on all clients in a FreeIPA domain. Even though the exam objectives ask you only to be aware of these capabilities, it is still worth the time to test this setup for one of the various services, such as sudo.
Establishing a Trust Relationship to Active Directory
No matter how great Linux is, a lot of companies still run Windows systems and use Active Directory to manage these systems. Luckily, FreeIPA can establish a trust relationship with an Active Directory domain. This allows users managed in Active Directory to also log into Linux clients of the trusting IPA domain, including using single sign-on.
In order to set up the trust relationship, the domains need to be able to see each other in the DNS. There are various ways to achieve this, including the mutual configuration of DNS forward zones. Alternatively, each DNS server could be configured with A, AAAA, and NS records to delegate the respective zones to the correct name servers. Depending on the setup, it might be an alternative approach to have forward requests from both domains to an external recursive name server that forwards queries to the correct authoritative name server.
The ipa-adtrust-install command prepares the FreeIPA server and ipa trust-add finally sets up the trust. The IDM documentation explains the entire procedure and shows how to confirm that the setup succeeded.
Since Windows users have different properties from those of Linux users, Active Directory users may not have POSIX attributes such as the home directory path or the login shell. FreeIPA supports so-called ID views that add such attributes to users from another domain. These attributes remain within the FreeIPA domain and are effective only for IPA Linux clients.
Configuring NFSv4 Shares and Mounts
When sharing files between Linux systems, NFS is often used instead of SMB. The final subject on the exam covers the configuration of NFS shares and mounts, including some advanced features of NFSv4. Red Hat provides a good summary of how to configure NFS shares and how to mount NFS exports. The documentation also explains the role of the various NFS components and has a dedicated chapter on some of the advanced NFSv4 features such as authentication.
The Linux-NFS wiki provides some more information on NFS ACLs, The wiki also summarizes the use of NFS and FreeIPA. The University of Michigan adds a good explanation of ID mapping in NFS as well as another good summary of the NFSv4 configuration.
This is the final blog post regarding the LPIC-3 Mixed Environment exam. I hope this series helped you to prepare for the exam and set up a playground to experiment with all the commands and options mentioned in the exam objectives, even if they weren’t discussed explicitly in this series. If you decide to prove your new skills by taking the LPIC-3 exam, I wish you the best of luck.
Finally, I cannot conclude this blog series without shoutouts to the Samba team and the folks at Red Hat. We have referenced the Samba Wiki and the FreeIPA/Red Hat IDM documentation a lot; both are excellent resources for the exam preparation. Thank you all for all your efforts you put in your development and documentation. You’re doing great work.