Identity and Access Management

Foreman Smart Proxy - FreeIPA DNS

The SmartProxy DNS module can update any DNS server that complies with the ISC Dynamic DNS Update standard.  Updates can also be made using GSS-TSIG, additional providers are available for managing libvirt’s embedded DNS server, and Microsoft Active Directory using dnscmd, for static DNS records.

This guide will focus on FreeIPA and kerberos for SmartProxy DNS management.

FreeIPA configuration

A service principal is required for the Smart Proxy

foremanproxy/proxy.example.com@EXAMPLE.COM.

Create a new service principal for the SmartProxy. On any IPA server or controller node:

ipa service-add foremanproxy/proxy.example.com@EXAMPLE.COM.

On the SmartProxy host, get the keytab file

ipa-getkeytab -p foremanproxy/proxy.example.com@EXAMPLE.COM -s ipa-server.example.com -k /etc/foreman-proxy/dns.keytab

Set permissions and owner for the keytab.

chmod 0600 /etc/foreman-proxy/dns.keytab && chown foreman-proxy /etc/foreman-proxy/dns.keytab

In the FreeIPA web UI, go to the DNS zone, then to the Settings tab, verify that “Dynamic update”  is set to “True”, and add the following to the BIND update policy a new grant:

grant foremanproxy\047proxy.example.com@EXAMPLE.COM wildcard * ANY;

 ACLs should be updated for both forward and reverse zones.
Note the \047 is written verbatim, and don’t forget the semicolon.

Proxy configuration

Update the proxy DNS configuration file (/etc/foreman-proxy/settings.d/dns.yml) with the following setting:

:use_provider: dns_nsupdate_gss

And the DNS GSS configuration file (/etc/foreman-proxy/settings.d/dns_nsupdate_gss.yml) with:

:dns_server: 127.0.0.1 or ip of DNS
:dns_tsig_keytab: /etc/foreman-proxy/dns.keytab :dns_tsig_principal: foremanproxy/proxy.example.com@EXAMPLE.COM

Ensure the dns_key setting is not specified, or is commented out.

Restart the smart proxy service.

systemctl restart foreman-proxy

check the log file for any errors or warnings.

tail -fn100 /var/log/foreman-proxy/proxy.log

Update Foreman

After adding a Smart Proxy plugin, you must instruct Foreman to rescan the configuration.

In Foreman, Go to the Smart Proxies Use the Actions drop-down menu and select  “Refresh Features” .

Add the Smart Proxy as a DNS proxy on the subnets and domains as needed.

IPA - Basic Commands

A basic list of command to manage FreeIPA services.

 

DNS

Add new a record and reverse record.

An A record is used to map an FQDN to an IP address. The A record is created using the following:

ipa dnsrecord-add <forward-zone>  <short-name> --a-rec <IP of A record>

The reverse, or pointer, record is used to map the IP to a hostname. The command to create a pointer is:

ipa dnsrecord-add <reverse-zone> <num> --ptr-rec <host-FQDN>.

Note the trailing dot. This is very important. 

This is an example of adding server1.i.example.com with the IP of 192.168.4.11 to the FreeIPA DNS.

ipa dnsrecord-add i.example.com  server1 --a-rec 192.168.4.11
ipa dnsrecord-add 4.168.192.in-addr.arpa 11 --ptr-rec server1.i.example.com.

Hosts

Remove a failed or dead host.

ipa host-del server1 --updatedns

Including the --updatedns option will also remove all of the linked DNS entries for this host.

Services

The service must include the service / FQDN of the host.

ipa service-add nfs/server1.i.example.com

Users

Add a new user lab1

ipa user-add lab1

Change the new user's password

 ipa passwd lab1

IPA - Fast and Dirty

This guide explains how to deploy FreeIPA the quickest way possible. 

This is not for production.

You will need a fresh install of CentOS 7. The latest edition will be fine.

As root, update the server and install the requirements.

yum update -y
yum install -y ipa-server bind-dyndb-ldap ipa-server-dns

Open the firewall ports and reload the firewall.

firewall-cmd --permanent --add-service={http,https,ftp,ldap,ldaps,kerberos,kpasswd,dns,ntp}
firewall-cmd --reload

Run the IPA Server install.

ipa-server-install --setup-dns --allow-zone-overlap
kinit admin

Follow the install prompts. Answer each item. If you don't know, choose the default option.

kinit admin
<enter password entered durring ipa setup>
klist # to view the ticket. 

Check the IPA Server status.

ipactl status

Example:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

If there were no errors, then you have a running IPA Server. Log in to the IPA server to begin management tasks. To use the web interface go to https://<fqdn of the IPA server. 

To setup a simple method for transferring the CA certificate is ftp. In this example vsftpd is used. The firewall ports were already opened during the IPA setup.

yum install -y vsftpd
systemctl enable --now vsftpd # or systemctl enable vsftpd; systemctl start vsftpd
cp /etc/ipa/ca.crt /var/ftp/pub

Now non-IPA clients will be able to securely access the LDAP. Add this certificate to web browsers or other application to trust web services that use the IPA sever as a CA.