Friday, April 12, 2024

FreeIPA + FreeRadius

Reference:
https://www.howtoforge.com/how-to-install-freeipa-on-rocky-linux/
https://blog.csdn.net/cjenjingwen/article/details/121969001

RockyLinux 9.2 minimal
hostnamectl set-hostname freeipa.anasys.local
vi /etc/hosts
    add 192.168.2.197    freeipa.anasys.local    freeipa
hostname -f

#### Install FreeIPA
#Rocky Linux 9 already ships the IdM packages, so no module stream has to be enabled
#https://forums.rockylinux.org/t/missing-groups-or-modules-idm-dl1/9279/5
#dnf module enable idm:DL1   (only required on Rocky Linux 8)

dnf install ipa-server ipa-server-dns -y
ipa-server-install --setup-dns --allow-zone-overlap


This program will set up the IPA Server.
Version 4.10.2

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com


Server host name [freeipa.anasys.local]:

Warning: skipping DNS resolution of host freeipa.anasys.local
The domain name has been determined based on the host name.

Please confirm the domain name [anasys.local]:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [ANASYS.LOCAL]:

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password: myPassword
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: myPassword
Password (confirm):

Checking DNS domain anasys.local., please wait ...
Do you want to configure DNS forwarders? [yes]:
Following DNS servers are configured in /etc/resolv.conf: 192.168.1.231
Do you want to configure these servers as DNS forwarders? [yes]:
All detected DNS servers were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip:
DNS forwarders: 192.168.1.231
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:
Do you want to create reverse zone for IP 192.168.2.197 [yes]:
Please specify the reverse zone name [2.168.192.in-addr.arpa.]:
Using reverse zone(s) 2.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [ANASYS]:
Do you want to configure chrony with NTP server or pool address? [no]:

The IPA Master Server will be configured with:
Hostname:       freeipa.anasys.local
IP address(es): 192.168.2.197
Domain name:    anasys.local
Realm name:     ANASYS.LOCAL

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=ANASYS.LOCAL
Subject base: O=ANASYS.LOCAL
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.1.231
Forward policy:   only
Reverse zone(s):  2.168.192.in-addr.arpa.

Continue to configure the system with these values? [no]: yes
The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/43]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=anasys,dc=local ...
Perform post-installation tasks ...
  [2/43]: tune ldbm plugin
  [3/43]: adding default schema
  [4/43]: enabling memberof plugin
  [5/43]: enabling winsync plugin
  [6/43]: configure password logging
  [7/43]: configuring replication version plugin
  [8/43]: enabling IPA enrollment plugin
  [9/43]: configuring uniqueness plugin
  [10/43]: configuring uuid plugin

==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

#Setting Up Firewalld
firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent
firewall-cmd --reload

#Verifying Kerberos Admin Authentication
kinit admin
Password for admin@ANASYS.LOCAL: myPassword
klist

#Logging in to the FreeIPA web UI
#Create a DNS record for freeipa.anasys.local, or add it to the hosts file on your Windows workstation
https://freeipa.anasys.local/ipa/ui/
username: admin
password: myPassword

#Policy / Password Policies (web UI)
https://cloud.tencent.com/developer/ask/sof/108546103
#Make passwords never expire (0 disables the limit; note this deliberately weakens the global policy)
Max lifetime (days): 0
Min lifetime (hours): 0

Procedure for changing a user's password:
1. Disable the user's OTP token
2. Reset the password
3. Log in with the user account and change the password
4. Re-enable the OTP token

#### Install FreeRadius
yum install freeradius freeradius-utils freeradius-ldap freeradius-krb5 -y

vi /etc/raddb/clients.conf
client localnet {
        ipaddr = 192.168.2.0/24   # every host on this subnet may send RADIUS requests; narrow this to the real NAS addresses in production
        proto = *
        secret = myKey            # shared secret; use a long random value (e.g. openssl rand -base64 32), it is the only protection for PAP passwords on the wire
        nas_type = none
        limit {
                max_connections = 30
                life = 0
                idle_timeout = 30
        }
}

vi /etc/raddb/sites-enabled/default
    # authorize section: uncomment the ldap module and the block that forces
    # Auth-Type ldap whenever the request carries a cleartext User-Password
    #  The ldap module reads passwords from the LDAP database.
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    # authenticate section: uncomment
    Auth-Type LDAP {
        ldap
    }
    # Auth-Type LDAP verifies the password by binding to FreeIPA as the user, which
    # needs the cleartext password and therefore only works for PAP

vi /etc/raddb/sites-enabled/inner-tunnel
    # same edits as in sites-enabled/default (this virtual server handles the inner EAP-TTLS/PEAP leg)
    #  The ldap module reads passwords from the LDAP database.
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    # uncomment
    Auth-Type LDAP {
        ldap
    }

ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/

vi /etc/raddb/mods-enabled/ldap
    server = 'freeipa.anasys.local'
    base_dn = 'cn=users,cn=accounts,dc=anasys,dc=local'
    # As written this is plain LDAP on port 389. User bind passwords (and, later, ipaNTHash values)
    # cross this connection, so enable StartTLS in the module's tls { } section (start_tls = yes,
    # ca_file pointing at the FreeIPA CA certificate /etc/ipa/ca.crt) or use an ldaps:// server URL.

firewall-cmd --permanent --zone=public --add-port=1812/udp --add-port=1813/udp
systemctl restart firewalld

cd /etc/raddb/certs
./bootstrap    # generates self-signed test certificates for EAP; replace them with a real server
               # certificate (e.g. one requested from the FreeIPA CA with ipa-getcert) before
               # clients are configured to validate the RADIUS server

systemctl enable radiusd
systemctl start radiusd

#Log in to https://freeipa.anasys.local/ and create the user account chdu
#Log in to the web UI as chdu and change the password
radtest chdu myPassword freeipa.anasys.local 1812 myKey
#On success you will see
Sent Access-Request Id 197 from 0.0.0.0:46367 to 192.168.2.197:1812 length 74
        User-Name = "chdu"
        User-Password = "myPassword"
        NAS-IP-Address = 192.168.2.197
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "myPassword"
Received Access-Accept Id 197 from 192.168.2.197:1812 to 192.168.2.197:46367 length 20
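The radtest exchange above carries the password as a PAP User-Password attribute. The following added example (mine, not code from the page, FreeRADIUS or radtest) implements the RFC 2865 §5.2 User-Password hiding that protects that attribute on the wire, and shows why it is only as strong as the `secret` in clients.conf: from a single captured Access-Request, a dictionary run over candidate secrets recovers the password. The secret "myKey" and password "myPassword" are the page's placeholders; the Request Authenticator and the wordlist are constructed for the demonstration.

```python
"""RFC 2865 section 5.2 User-Password hiding, as used by the PAP Access-Request
that radtest sends.

Added example, not code from the page, FreeRADIUS or radtest. The shared secret,
password, Request Authenticator and wordlist are constructed for the demonstration.
"""
import hashlib
import os

BLOCK = 16  # the password is hidden in 16-byte blocks


def hide_password(password: str, secret: str, authenticator: bytes) -> bytes:
    """What the NAS does before putting User-Password into an Access-Request.

    block_1 = P_1 XOR MD5(secret + RequestAuthenticator)
    block_n = P_n XOR MD5(secret + block_(n-1))
    Nothing but the shared secret stands between a captured packet and the password.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = password.encode("utf-8")
    if not 1 <= len(plain) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password bytes")
    plain += b"\x00" * (-len(plain) % BLOCK)  # NUL-pad to a block boundary
    key = secret.encode("utf-8")
    out, prev = bytearray(), authenticator
    for i in range(0, len(plain), BLOCK):
        pad = hashlib.md5(key + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(plain[i:i + BLOCK], pad))
        out += chunk
        prev = chunk
    return bytes(out)


def reveal_password(hidden: bytes, secret: str, authenticator: bytes) -> bytes:
    """The inverse, run by the server (or by anyone who knows or guesses the secret)."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    key = secret.encode("utf-8")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), BLOCK):
        pad = hashlib.md5(key + prev).digest()
        chunk = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(chunk, pad))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def looks_like_password(candidate: bytes) -> bool:
    """A correct secret yields printable ASCII with no embedded NULs; a wrong one yields noise."""
    return bool(candidate) and all(0x20 <= c < 0x7F for c in candidate)


def guess_secret(hidden: bytes, authenticator: bytes, wordlist):
    """Offline dictionary attack on the shared secret using one captured Access-Request.

    Returns (secret, password) for the first candidate that decrypts to something
    plausible, or None. With a secret like "myKey" this finishes instantly.
    """
    for cand in wordlist:
        plain = reveal_password(hidden, cand, authenticator)
        if looks_like_password(plain):
            return cand, plain
    return None


if __name__ == "__main__":
    auth = os.urandom(BLOCK)  # a NAS picks a fresh random Request Authenticator per request
    hidden = hide_password("myPassword", "myKey", auth)
    print("User-Password on the wire:", hidden.hex())
    print("Server recovers:", reveal_password(hidden, "myKey", auth))
    # "testing123" is the FreeRADIUS default client secret; the rest of the list is constructed
    print("Attacker with a wordlist recovers:",
          guess_secret(hidden, auth, ["radius", "testing123", "myKey"]))
```

The only thing that changes from request to request is the Request Authenticator, and it travels in the packet, so the password's confidentiality reduces entirely to the entropy of the shared secret; this is the reason the clients.conf comment asks for a long random value and why the afterword is right that PAP does not improve on MSCHAPv2.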


#### Adding MSCHAPv2 authentication to FreeRadius
https://fy.blackhats.net.au/blog/2015-07-06-freeipa-giving-permissions-to-service-accounts/
#MSCHAPv2 is a challenge-response computed over the user's NT hash, so FreeRADIUS must read it from FreeIPA.
#FreeIPA stores that hash (attribute ipaNTHash) only after the AD-trust components are installed,
#and only for passwords set or changed after that point.
#On Rocky Linux/RHEL the package is ipa-server-trust-ad (freeipa-server-trust-ad is the Fedora name).
dnf install ipa-server-trust-ad -y
ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-adtrust-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password: myPassword

WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing samba configuration.


Do you wish to continue? [no]: yes
Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/24]: validate server hostname
  [2/24]: stopping smbd
  [3/24]: adding RID bases
RID bases already set, nothing to do
  [4/24]: creating samba domain object
Samba domain object already exists
  [5/24]: retrieve local idmap range
  [6/24]: writing samba config file
  [7/24]: creating samba config registry
  [8/24]: adding cifs Kerberos principal
  [9/24]: adding cifs and host Kerberos principals to the adtrust agents group
  [10/24]: check for cifs services defined on other replicas
  [11/24]: adding cifs principal to S4U2Proxy targets
  [12/24]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [13/24]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [14/24]: activating CLDAP plugin
  [15/24]: activating sidgen task
Sidgen task plugin already configured, nothing to do
  [16/24]: map BUILTIN\Guests to nobody group
  [17/24]: configuring smbd to start on boot
  [18/24]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [19/24]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [20/24]: adding fallback group
Fallback group already set, nothing to do
  [21/24]: adding Default Trust View
  [22/24]: setting SELinux booleans
  [23/24]: starting CIFS services
  [24/24]: restarting smbd
Done configuring CIFS.

=============================================================================
Setup complete

You must make sure these network ports are open:
        TCP Ports:
          * 135: epmap
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 445: microsoft-ds
          * 1024..1300: epmap listener range
          * 3268: msft-gc
        UDP Ports:
          * 138: netbios-dgm
          * 139: netbios-ssn
          * 389: (C)LDAP
          * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================

#Check which identity the current Kerberos ticket binds as
ldapwhoami -Y GSSAPI
#Expected output
SASL/GSSAPI authentication started
SASL username: admin@ANASYS.LOCAL
SASL SSF: 256
SASL data security layer installed.
dn: uid=admin,cn=users,cn=accounts,dc=anasys,dc=local

#Confirm chdu now has an ipaNTHash; ldapsearch prints it base64-encoded ("ipaNTHash:: ..."). If the
#attribute is missing, have the user change the password again now that ipa-adtrust-install has run.
ldapsearch -H ldap://freeipa.anasys.local -x -D 'cn=Directory Manager' -W -LLL -Z '(uid=chdu)' ipaNTHash

Set up the permission, privilege and role that allow the radius service to read ipaNTHash. Read access to ipaNTHash is equivalent to holding every user's password for MSCHAPv2 purposes, so grant it to this one service only.
ipa permission-add 'ipaNTHash service read' --attrs=ipaNTHash --type=user  --right=read
ipa privilege-add 'Radius services' --desc='Privileges needed to allow radiusd servers to operate'
ipa privilege-add-permission 'Radius services' --permissions='ipaNTHash service read'
ipa role-add 'Radius server' --desc="Radius server role"
ipa role-add-privilege --privileges="Radius services" 'Radius server'

#Add the service account
ipa service-add 'radius/freeipa.anasys.local'

ipa-getkeytab -p 'radius/freeipa.anasys.local' -s freeipa.anasys.local -k /root/radiusd.keytab
kinit -t /root/radiusd.keytab -k radius/freeipa.anasys.local   # the current Kerberos identity becomes radius/freeipa.anasys.local
ldapwhoami -Y GSSAPI

#Give the service account an LDAP password, so the FreeRADIUS ldap module can do a simple bind with identity/password
vi /root/radius_service.txt
dn: krbprincipalname=radius/freeipa.anasys.local@anasys.local,cn=services,cn=accounts,dc=anasys,dc=local
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
add: userPassword
userPassword: myPassword

ldapmodify -f /root/radius_service.txt -D 'cn=Directory Manager' -W -H ldap://freeipa.anasys.local -Z
#Test the simple bind with the new password
ldapwhoami -Z -D 'krbprincipalname=radius/freeipa.anasys.local@anasys.local,cn=services,cn=accounts,dc=anasys,dc=local' -W

#Add the radius service to the role
#Log in to https://freeipa.anasys.local/ and, under Identity / Services, add radius/freeipa.anasys.local@ANASYS.LOCAL to the role "Radius server"

#Verify the simple bind still works after the role assignment
ldapwhoami -Z -D 'krbprincipalname=radius/freeipa.anasys.local@anasys.local,cn=services,cn=accounts,dc=anasys,dc=local' -W


https://fy.blackhats.net.au/blog/2016-01-13-freeradius-using-mschapv2-with-freeipa/
cd /etc/raddb/mods-available
cp ldap ldap.bk
vi /etc/raddb/mods-enabled/ldap
identity = 'krbprincipalname=radius/freeipa.anasys.local@anasys.local,cn=services,cn=accounts,dc=anasys,dc=local'
password = 'myPassword'
# this file now holds a bind password that can read every user's NT hash; keep it readable
# only by root and the radiusd group, and do not copy it elsewhere

update {
      ....snip......
      control:NT-Password        := 'ipaNTHash'
}
# mapping ipaNTHash onto control:NT-Password lets the mschap module answer the MSCHAPv2
# challenge without ever seeing the cleartext password

user {
       #base_dn = "${..base_dn}"
       base_dn = "cn=users,cn=accounts,dc=anasys,dc=local"
        ....snip....
}

vi /etc/raddb/mods-enabled/eap
eap {
      ....snip......
        #default_eap_type = md5   (change both places where it appears)
        default_eap_type = mschapv2
}

systemctl restart radiusd
radtest -t mschap chdu myPassword freeipa.anasys.local 1812 myKey

#Debugging: run radiusd in the foreground with full logging
systemctl stop radiusd
radiusd -X

Afterword:
With FreeIPA + FreeRadius, a client that authenticates with MSCHAPv2 cannot be combined with an OTP token: MSCHAPv2 is a challenge-response computed over the NT hash of the static password (the ipaNTHash read above), and a password with a one-time code appended hashes to a different value every time.
To combine FreeIPA + OTP + FreeRadius you are limited to PAP, where the password is only obscured with the RADIUS shared secret rather than encrypted, so overall security is not actually any better.
