Guided Exercise: Installing an Identity Management Client

Configure the system prerequisites and then install an IdM client.

Outcomes

  • Install an IdM client manually.

  • View client log files.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start install-client

Instructions

  1. Log in to the client machine and install the ipa-client package.

    1. Log in to the client machine as the student user, and then switch to the root user.

      [student@workstation ~]$ ssh client
      [student@client ~]$ sudo -i
      [sudo] password for student: student
      [root@client ~]#
    2. Install the ipa-client package.

      [root@client ~]# dnf install ipa-client
      ...output omitted...
  2. Change the client DNS server configuration to use the idm machine. Set 172.25.250.8 as the DNS server for the eth0 interface.

    [root@client ~]# nmcli connection modify "System eth0" ipv4.dns 172.25.250.8
    [root@client ~]# nmcli connection up "System eth0"
  3. Query the DNS server for the LDAP and Kerberos SRV records. The ipa-client-install command performs the same lookups to determine the realm, the domain name, and the IdM server address.

    [root@client ~]# dig SRV _ldap._tcp.lab.example.com
    ...output omitted...
    ;; ANSWER SECTION:
    _ldap._tcp.lab.example.com. 86400 IN  SRV 0 100 389 idm.lab.example.com.
    ...output omitted...
    [root@client ~]# dig SRV _kerberos._tcp.lab.example.com
    ...output omitted...
    ;; ANSWER SECTION:
    _kerberos._tcp.lab.example.com. 86400 IN SRV  0 100 88 idm.lab.example.com.
    ...output omitted...
  4. Install the client by using the unattended option. Provide the principal and password as arguments to the ipa-client-install command.

    [root@client ~]# ipa-client-install \
      --principal=admin \
      --password=RedHat123^ \
      --unattended
    This program will set up IPA client.
    Version 4.10.0
    
    Discovery was successful!
    Client hostname: client.lab.example.com
    Realm: LAB.EXAMPLE.COM
    DNS Domain: lab.example.com
    IPA Server: idm.lab.example.com
    BaseDN: dc=lab,dc=example,dc=com
    
    Synchronizing time
    Configuration of chrony was changed by installer.
    Attempting to sync time with chronyc.
    Time synchronization was successful.
    Successfully retrieved CA cert
        Subject:     CN=Certificate Authority,O=LAB.EXAMPLE.COM
        Issuer:      CN=Certificate Authority,O=LAB.EXAMPLE.COM
        Valid From:  2023-05-04 12:50:30
        Valid Until: 2043-05-04 12:50:30
    
    ...output omitted...
    Configuring lab.example.com as NIS domain.
    Client configuration complete.
    The ipa-client-install command was successful
  5. Verify that you can authenticate to IdM as the admin user. The admin user is the only account present on initial IdM installations.

    1. Use the kinit command to authenticate to IdM.

      [root@client ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM:RedHat123^
    2. View the admin user's Kerberos ticket-granting ticket (TGT), and then exit the client machine.

      [root@client ~]# klist
      Ticket cache: KCM:0
      Default principal: admin@LAB.EXAMPLE.COM
      
      Valid starting     Expires            Service principal
      05/09/23 08:43:15  05/10/23 08:31:37  krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
      [root@client ~]# exit
      [student@client ~]$ exit
      [student@workstation ~]$
  6. On the idm machine, view the log file entries related to the client machine.

    1. Log in to idm and become the root user.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
    2. View the KDC log entries for the client machine. Note the Authentication Server requests (AS_REQ) and the Ticket Granting Server requests (TGS_REQ).

      [root@idm ~]# grep client /var/log/krb5kdc.log
      ...output omitted...
      May 09 08:36:43 idm.lab.example.com krb5kdc[35615](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 172.25.250.11: NEEDED_PREAUTH: host/client.lab.example.com@LAB.EXAMPLE.COM for krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM, Additional pre-authentication required
      May 09 08:36:43 idm.lab.example.com krb5kdc[35615](info): AS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 172.25.250.11: ISSUE: authtime 1683635803, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, host/client.lab.example.com@LAB.EXAMPLE.COM for krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
      May 09 08:36:43 idm.lab.example.com krb5kdc[35616](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17)}) 172.25.250.11: ISSUE: authtime 1683635803, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, host/client.lab.example.com@LAB.EXAMPLE.COM for ldap/idm.lab.example.com@LAB.EXAMPLE.COM
    3. View the named.service unit log entries for the client machine. These entries show the dynamic DNS updates that create the client machine's resource records.

      [root@idm ~]# journalctl -u named.service | grep 'client.*updating'
      ...output omitted...
      May 09 08:36:41 idm.lab.example.com named[36075]: client @0x7f6ba46f42a8 172.25.250.11#37715/key host/client.lab.example.com\@LAB.EXAMPLE.COM: updating zone 'lab.example.com/IN': deleting rrset at 'client.lab.example.com' A
      May 09 08:36:41 idm.lab.example.com named[36075]: client @0x7f6ba46f2d78 172.25.250.11#40515/key host/client.lab.example.com\@LAB.EXAMPLE.COM: updating zone 'lab.example.com/IN': deleting rrset at 'client.lab.example.com' AAAA
      May 09 08:36:41 idm.lab.example.com named[36075]: client @0x7f6ba46f5ac8 172.25.250.11#54037/key host/client.lab.example.com\@LAB.EXAMPLE.COM: updating zone 'lab.example.com/IN': adding an RR at 'client.lab.example.com' A 172.25.250.11
      May 09 08:36:42 idm.lab.example.com named[36075]: client @0x7f6b9c1191f8 172.25.250.11#34669/key host/client.lab.example.com\@LAB.EXAMPLE.COM: updating zone 'lab.example.com/IN': deleting rrset at 'client.lab.example.com' SSHFP
    4. Exit the idm machine.

      [root@idm ~]# exit
      [student@idm ~]$ exit
      [student@workstation ~]$
  7. In a web browser, navigate to https://idm.lab.example.com. Log in as the admin user, with RedHat123^ as the password. The default location is the Identity > Users tab.

    Notice the Active users, Stage users, and Preserved users user categories to the left.

    Navigate to Identity > Hosts and then click client.lab.example.com.

    Notice that under the Enrollment section, a Kerberos key is present, and the host state is provisioned.

  8. Unenroll the client machine from the IdM domain, and then have it rejoin the domain. Observe the changes to the host record during these operations.

    1. Log in to the client system as the student user, and change to the root user.

      [student@workstation ~]$ ssh client
      [student@client ~]$ sudo -i
      [sudo] password for student: student
      [root@client ~]#
    2. Authenticate to IdM as the admin user.

      [root@client ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM:RedHat123^
    3. Use the ipa host-show command to view the host record for the client machine. Notice that enrolled hosts have a keytab assigned.

      [root@client ~]# ipa host-show client.lab.example.com
        Host name: client.lab.example.com
        Platform: x86_64
        Operating system: 5.14.0-162.6.1.el9_1.x86_64
        Principal name: host/client.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: host/client.lab.example.com@LAB.EXAMPLE.COM
        SSH public key fingerprint: SHA256:nsAhtPf63BBbCLM1Id0xRylNydtD/YA77vIxcdasoyQ root@client.lab.example.com (ssh-rsa),
                                    SHA256:NXRWlqv64y6Yah+nFoMIV+UAKLuc/q3JlTnFlIJGFFE root@client.lab.example.com (ecdsa-sha2-nistp256),
                                    SHA256:SoDhJiFDRSSb8tDwhHH51qiumaF9M+L9F7hz3PjDvQg root@client.lab.example.com (ssh-ed25519)
        Password: False
        Keytab: True
        Managed by: client.lab.example.com
    4. Unenroll the IdM client.

      [root@client ~]# ipa-join --unenroll
      Unenrollment successful.
    5. View the host record for the client machine again by using the ipa host-show command. Note that unenrolling a host removes the keytab from the client's host record, but no changes are made to the client machine.

      [root@client ~]# ipa host-show client.lab.example.com
        Host name: client.lab.example.com
        Platform: x86_64
        Operating system: 5.14.0-162.6.1.el9_1.x86_64
        Principal name: host/client.lab.example.com@LAB.EXAMPLE.COM
        Principal alias: host/client.lab.example.com@LAB.EXAMPLE.COM
        SSH public key fingerprint: SHA256:nsAhtPf63BBbCLM1Id0xRylNydtD/YA77vIxcdasoyQ root@client.lab.example.com (ssh-rsa),
                                    SHA256:NXRWlqv64y6Yah+nFoMIV+UAKLuc/q3JlTnFlIJGFFE root@client.lab.example.com (ecdsa-sha2-nistp256),
                                    SHA256:SoDhJiFDRSSb8tDwhHH51qiumaF9M+L9F7hz3PjDvQg root@client.lab.example.com (ssh-ed25519)
        Password: False
        Keytab: False
        Managed by: client.lab.example.com
    6. Rejoin the client machine to the IdM domain.

      [root@client ~]# ipa-join
      Keytab successfully retrieved and stored in: /etc/krb5.keytab
      Certificate subject base is: O=LAB.EXAMPLE.COM
      [root@client ~]# exit
      [student@client ~]$ exit
      [student@workstation ~]$
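Step 3 above shows the SRV lookups that ipa-client-install performs. The following script is an added illustration, not part of the course material: it parses dig-style SRV answers (a constructed sample modelled on the records above, with an extra lower-priority LDAP target added) and derives the domain, realm and server the way discovery does. The realm-from-domain rule is an assumed fallback (IdM can also publish the realm in a _kerberos TXT record), and the RFC 2782 priority/weight tie break is made deterministic.

```python
import re
from collections import defaultdict

# Constructed dig-style answers modelled on the exercise's records, plus a
# second, lower-priority LDAP target to exercise the selection logic.
DIG_ANSWERS = """\
_ldap._tcp.lab.example.com. 86400 IN  SRV 0 100 389 idm.lab.example.com.
_ldap._tcp.lab.example.com. 86400 IN  SRV 10 100 389 idm2.lab.example.com.
_kerberos._tcp.lab.example.com. 86400 IN SRV  0 100 88 idm.lab.example.com.
"""

SRV_RE = re.compile(
    r"^_(?P<service>[a-z]+)\._(?:tcp|udp)\.(?P<domain>[\w.-]+?)\.?\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>[\w.-]+?)\.?$"
)

def parse_srv(text):
    """Group SRV answer lines by service name (ldap, kerberos, ...); other lines are skipped."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records[m["service"]].append({
                "domain": m["domain"], "priority": int(m["prio"]),
                "weight": int(m["weight"]), "port": int(m["port"]),
                "target": m["target"]})
    return records

def choose_target(rrs):
    """RFC 2782 order: lowest priority first, then highest weight. This is
    a deterministic stand-in for the weighted-random tie break."""
    return sorted(rrs, key=lambda r: (r["priority"], -r["weight"]))[0]

def discover(text):
    """Derive the values ipa-client-install prints in its Discovery block."""
    records = parse_srv(text)
    if not records.get("ldap") or not records.get("kerberos"):
        raise LookupError("both _ldap._tcp and _kerberos._tcp SRV records are required")
    ldap, kdc = choose_target(records["ldap"]), choose_target(records["kerberos"])
    return {
        "domain": ldap["domain"],
        # Assumption: realm = upper-cased domain, the fallback used when no
        # _kerberos TXT record publishes the realm name explicitly.
        "realm": ldap["domain"].upper(),
        "server": ldap["target"], "ldap_port": ldap["port"],
        "kdc": kdc["target"], "kdc_port": kdc["port"],
        # Different LDAP/KDC hosts are legitimate with replicas, but worth a look.
        "same_host": ldap["target"] == kdc["target"],
    }
```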

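For step 6.2, a defender-side triage of krb5kdc.log entries, added here as an illustration and not part of the course: it parses request type, status, principals and negotiated enctypes from each line, counts tickets issued and pre-authentication failures per principal, and flags tickets negotiated with a legacy enctype. The first two sample lines are shortened from the exercise output; the PREAUTH_FAILED and rc4-hmac lines are constructed.

```python
import re
from collections import defaultdict

# Sample krb5kdc.log lines: the first two are shortened from the exercise's
# AS_REQ output; the last two are CONSTRUCTED (a failed pre-authentication
# and a service ticket issued with the legacy rc4-hmac enctype).
KDC_LOG = """\
May 09 08:36:43 idm.lab.example.com krb5kdc[35615](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.25.250.11: NEEDED_PREAUTH: host/client.lab.example.com@LAB.EXAMPLE.COM for krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM, Additional pre-authentication required
May 09 08:36:43 idm.lab.example.com krb5kdc[35615](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 172.25.250.11: ISSUE: authtime 1683635803, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, host/client.lab.example.com@LAB.EXAMPLE.COM for krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM
May 09 08:40:02 idm.lab.example.com krb5kdc[35615](info): AS_REQ (1 etypes {rc4-hmac(23)}) 172.25.250.99: PREAUTH_FAILED: admin@LAB.EXAMPLE.COM for krbtgt/LAB.EXAMPLE.COM@LAB.EXAMPLE.COM, Preauthentication failed
May 09 08:40:30 idm.lab.example.com krb5kdc[35616](info): TGS_REQ (1 etypes {rc4-hmac(23)}) 172.25.250.99: ISSUE: authtime 1683636030, etypes {rep=rc4-hmac(23), tkt=rc4-hmac(23), ses=rc4-hmac(23)}, legacy@LAB.EXAMPLE.COM for ldap/idm.lab.example.com@LAB.EXAMPLE.COM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)")
ETYPE_RE = re.compile(r"(rep|tkt|ses)=([\w-]+)\(\d+\)")   # present on ISSUE lines only
WEAK_ETYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

def parse_kdc_line(line):
    """Turn one krb5kdc.log request line into a dict; return None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = PRINC_RE.search(m["rest"])
    etypes = dict(ETYPE_RE.findall(m["rest"]))
    return {"time": m["ts"], "req": m["req"], "ip": m["ip"], "status": m["status"],
            "client": p["client"] if p else None, "service": p["service"] if p else None,
            "offered": [e.split("(")[0] for e in m["offered"].split(", ") if e],
            "tkt": etypes.get("tkt"), "ses": etypes.get("ses")}

def triage(text):
    """Per client principal: tickets issued, pre-auth failures, source IPs, weak enctypes."""
    summary = defaultdict(lambda: {"issued": 0, "failed": 0, "weak": [], "ips": set()})
    for line in text.splitlines():
        ev = parse_kdc_line(line)
        if ev is None or ev["client"] is None:
            continue
        s = summary[ev["client"]]
        s["ips"].add(ev["ip"])
        if ev["status"] == "ISSUE":
            s["issued"] += 1
            if {ev["tkt"], ev["ses"]} & WEAK_ETYPES:   # legacy cipher negotiated
                s["weak"].append((ev["time"], ev["service"], ev["tkt"]))
        elif ev["status"] == "PREAUTH_FAILED":          # wrong password / key
            s["failed"] += 1
    return dict(summary)
```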
Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish install-client

Revision: rh362-9.1-4c6fdb8