coreos / fedora-coreos-docs

Documentation for Fedora CoreOS
https://docs.fedoraproject.org/en-US/fedora-coreos/

[Request] Document using SSSD LDAP auth against FreeIPA #77

Open dcode opened 4 years ago

dcode commented 4 years ago

I've been trying to use FreeIPA Container to manage some new infrastructure using FCOS as the primary platform. I found this comment on the fedora-coreos-tracker issues that provided some of the info, and I added some bits that seem to be required from other reading I've done.

The result is the fcct snippet that is attached.

fcct-sssd_freeipa-snippet.yml.txt

This configuration results in a somewhat working sssd. If I'm logged in as the core user, I can successfully get some information, but not everything.

[core@example-0 ~]$ id dcode
uid=1024800001(dcode) gid=1024800001(dcode) groups=1024800001(dcode)
[core@example-0 ~]$ getent passwd dcode
dcode:*:1024800001:1024800001:Derek Ditch:/home/dcode:/bin/sh
[core@example-0 ~]$ getent group dcode
dcode:*:1024800001:
[core@example-0 ~]$ getent group admins
admins:*:1024800000:
[core@example-0 ~]$ sss_ssh_authorizedkeys dcode
Error looking up public keys

Since sssd is clearly in the platform for this explicit purpose, can we get a working example against FreeIPA? And maybe some people might be interested in AD or something.

Thanks!

dcode commented 4 years ago

Oh, just realized there's a mistake in the snippet. You can't download the IPA cert over HTTPS because the server doesn't have a trusted certificate. I actually moved it over to an HTTP server, which FreeIPA apparently doesn't do itself anymore...at least not in the container.
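
An added example, not taken from dcode's attached snippet or from the Fedora CoreOS docs: when the IPA CA certificate has to be fetched over plain HTTP as described above, the FCCT file entry can pin the certificate's SHA-512 digest so that Ignition rejects a download that was altered in transit. The URL and the hash are placeholders, and `/etc/ipa/ca.crt` is an assumed destination (the usual FreeIPA client location).

```yaml
variant: fcos
version: 1.0.0
storage:
  files:
    # IPA CA certificate, fetched over plain HTTP because the IPA server's
    # HTTPS certificate is not trusted yet at first boot.
    - path: /etc/ipa/ca.crt        # assumed destination path
      mode: 0644
      contents:
        # Placeholder URL: replace with the HTTP server hosting the certificate.
        source: http://files.example.test/ipa/ca.crt
        verification:
          # Placeholder digest: replace with the output of `sha512sum ca.crt`
          # taken from a copy obtained over a trusted channel.
          # Ignition compares the download against this value and fails
          # provisioning on a mismatch, so an on-path attacker cannot swap
          # in a different CA over the unauthenticated HTTP fetch.
          hash: sha512-<SHA512_HEX_DIGEST_OF_CA_CRT>
```

Because everything SSSD later trusts for LDAP over TLS chains back to this file, the pinned digest is what replaces the integrity check that HTTPS would otherwise have provided.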