Using the ipa CLI from an unenrolled workstation

FreeIPA is a useful tool for managing hosts. I find myself wanting to do work on remote systems from my desktop using the ipa CLI. Here’s how I set it up.

I have installed the IPA server on a RedHat cloud image, so the default user for remote access is cloud-user. For Fedora it would be ‘fedora’ and for Centos it would be ‘centos’, but the rest is the same.

My remote host has a FQDN of ipa.ayoung.os1.test, a non-routable IPv4 address and an entry in my /etc/hosts file that references it. ipa.ayoung.os1.test

I can ssh to the host via:
ssh cloud-user@ipa.ayoung.os1.test

I’ll make a local directory to stash files:

mkdir /tmp/ayoung.os1
scp  cloud-user@openstack.ayoung.os1.test:/etc/krb5.conf /tmp/ayoung.os1
scp  cloud-user@openstack.ayoung.os1.test:/etc/ipa/default.conf /tmp/ayoung.os1/ipa.conf
curl -o /tmp/ayoung.os1/ca.crt http://ipa.ayoung.os1.test/ipa/config/ca.crt

I can get a Kerberos TGT once I’ve set the appropriate Environment variables.

export KRB5CCNAME=/tmp/ayoung.os1/ccache
export KRB5_CONFIG=/tmp/ayoung.os1/krb5.conf
kinit admin@AYOUNG.OS1.TEST
Password for admin@AYOUNG.OS1.TEST: 
[ayoung@ayoung541 ayoung.os1]$ klist
Ticket cache: FILE:/tmp/ayoung.os1/ccache
Default principal: admin@AYOUNG.OS1.TEST

Valid starting       Expires              Service principal
09/18/2015 13:37:23  09/19/2015 13:37:20  krbtgt/AYOUNG.OS1.TEST@AYOUNG.OS1.TEST

IPA uses NSS as the cryptography libary,and assumes the certificates are stored in /etc/ipa/nssdb/.
Older versions had it in /etc/pki/nssdb. Since my laptop is not enrolled as an IPA client, I need to make this directory and populate the NSS certificate store.

sudo mkdir  /etc/ipa/nssdb
sudo chown 666 /etc/ipa/nssdb
sudo certutil -N -d /etc/ipa/nssdb
sudo certutil -d /etc/ipa/nssdb -A -n 'IPA CA' -t CT,, -a -i /tmp/ayoung.os1/ca.crt 
sudo chmod 644 /etc/ipa/nssdb/*

Test that the NSS Database works

certutil -d /etc/ipa/nssdb -L

Certificate Nickname                                         Trust Attributes

IPA CA                                                       CT,, 

Run the ipa client like this:

$ ipa -c /tmp/ayoung.os1/ipa.conf user-find
2 users matched
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 733200000
  GID: 733200000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: ayoung
  First name: Adam
  Last name: Young
  Home directory: /home/ayoung
  Login shell: /bin/sh
  Email address: ayoung@ayoung.os1.test
  UID: 733200001
  GID: 733200001
  Account disabled: False
  Password: True
  Kerberos keys available: True
Number of entries returned 2

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.