(Updated May 23, 2025)
Table of Contents
-
Overview
Network
sysctl.conf
Chrony and BIND
Firewall
IdM Setup
Clients
NFS and Automount
Final Thoughts
Overview
These documents provide a fundamental design for supporting Identity Management (IdM) in a mixed RHEL and Ubuntu environment. This was initially designed on VMware Fusion. The choice of both Ubuntu (non-GUI server) and RHEL (GUI server) was made to maintain chops in both environments, to leverage the specific strengths of each platform, and to coordinate a heterogeneous model of desktop support.
Here are the basic servers.
172.16.35.11 time1 (Ubuntu 24.04 - chrony and bind)
172.16.35.12 time2 (Ubuntu 24.04 - chrony and bind)
172.16.35.13 idm1 (RHEL 9.x - IdM)
172.16.35.14 idm2 (RHEL 9.x - IdM)
172.16.35.15 store (Ubuntu 24.04 - NFS)
172.16.35.21 desk1 (Ubuntu 24.04 Desktop, ipa client)
172.16.35.22 desk2 (RHEL 9.x Desktop, ipa client)
Network
Now we get into the basic network configs for the two types of systems.
Ubuntu
Basic network config for Ubuntu in /etc/netplan/50-cloud-init.yaml (the example below uses time1's address; change the address for each host):
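# /etc/netplan/50-cloud-init.yaml — static IPv4 for an Ubuntu host.
# The address shown is time1's (172.16.35.11); set the host's own address here.
network:
  version: 2
  ethernets:
    ens160:
      dhcp4: false
      addresses:
        - 172.16.35.11/24
      routes:
        - to: default
          via: 172.16.35.2
      nameservers:
        # The two time/BIND servers (time1 and time2) provide DNS for the lab.
        addresses: [172.16.35.11,172.16.35.12]
        search: [csskid.net]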
RHEL
Use the nmtui command to set values equivalent to those in the Ubuntu example.
sysctl.conf
The following is a sysctl.conf file that’s been tuned over the years.
###
### SYSTEM SECURITY ###
###
# Enable full address space randomization (ASLR): 2 randomizes stack, VDSO,
# mmap base and the brk heap.
kernel.randomize_va_space = 2
# Do not core-dump setuid or otherwise non-dumpable processes; their memory
# may hold credentials.
fs.suid_dumpable = 0
# Hide kernel pointers (%pK) from unprivileged readers of /proc and /sys.
kernel.kptr_restrict = 1
# Only privileged users (CAP_SYSLOG) may read the kernel ring buffer (dmesg).
kernel.dmesg_restrict = 1
# Restrict ptrace scope: only descendants (or explicitly allowed tracers)
# may be traced, which limits credential scraping from other processes.
kernel.yama.ptrace_scope = 1
# Mitigate hard/symlink TOCTOU attacks in world-writable sticky directories.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###
# Raise the system-wide limit on open file handles (this key does not size
# the inode cache).
fs.file-max = 209708
# Do less swapping; start background writeback at 5% dirty pages and block
# writers at 30%.
vm.swappiness = 30
vm.dirty_ratio = 30
vm.dirty_background_ratio = 5
# Lowest virtual address a process may mmap; blocks mapping the NULL page.
# NOTE(review): 4096 is lower than the 65536 most x86-64 distributions ship
# with, so this relaxes rather than tightens the protection — confirm intent.
vm.mmap_min_addr = 4096
# overcommit_ratio is only consulted when overcommit_memory = 2 (strict
# accounting); with overcommit_memory = 0 the kernel heuristic is used and
# the ratio below has no effect.
vm.overcommit_ratio = 50
vm.overcommit_memory = 0
# Limit a single shm segment to 256MB. shmmax is in bytes; shmall is in
# pages, so the same number means a much larger total than 256MB.
kernel.shmmax = 268435456
kernel.shmall = 268435456
# Keep at least ~64MB of free RAM available for atomic allocations.
vm.min_free_kbytes = 65535
###
### Deprecated/Not-in-use keys for security
###
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
# kernel.maps_protect = 1
# Enable ExecShield (RHEL-only key, removed from modern kernels)
# kernel.exec-shield = 1
###
### NETWORK SECURITY ###
###
# Do not allow unprivileged users to load BPF programs into the kernel.
# Setting 1 is a one-way latch until reboot.
kernel.unprivileged_bpf_disabled = 1
# Enable the BPF JIT compiler. The JIT by itself is not a Spectre mitigation
# (kernels built with BPF_JIT_ALWAYS_ON already force this to 1); the
# hardening below is what blinds constants against JIT spraying.
net.core.bpf_jit_enable = 1
# Harden the BPF JIT for unprivileged programs (1); 2 hardens all programs.
net.core.bpf_jit_harden = 1
# SYN flood protection: SYN cookies kick in once max_syn_backlog is reached.
# tcp_syn_retries governs this host's outgoing connects, not flood defense.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
# Disable packet forwarding (these hosts are not routers).
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Enable IP spoofing protection: strict reverse-path source verification
# (use 2, loose mode, on hosts with asymmetric routing).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not accept ICMP redirects (prevents route-table tampering from the LAN).
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Do not send ICMP redirects.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Drop source-routed packets.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0
# Disable proxy ARP; answer ARP only for addresses on the receiving
# interface (arp_ignore=1) and announce with the best local source address
# (arp_announce=2).
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
# Mitigate time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1
# Disable logging of martian packets to avoid log flooding (a DoS vector).
# NOTE(review): martian logging is also a useful detection signal; consider
# enabling it with rate-limited logging if that visibility is wanted.
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.log_martians = 0
# Ignore bogus ICMP error responses (keeps them out of the logs).
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP echo requests sent to broadcast addresses (smurf mitigation).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# IPv6 DISABLE
# NOTE: on the RHEL IdM servers net.ipv6.conf.lo.disable_ipv6 must be 0;
# the IdM installer needs IPv6 on the lo device (see the note below).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Ensure that subsequent connections use the new values
# PUT TO THE END
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
For the RHEL IdM servers, the following line must be changed from the above:
net.ipv6.conf.lo.disable_ipv6 = 0
The installer scripts need IPv6 on the lo device, or the installation will simply fail.
Chrony and BIND
Chrony
The two time servers will provide NTP and BIND (DNS) for our environment, so that time and name services stay available even during IdM maintenance windows.
apt install chrony bind9
You can check basic Chrony operations with:
chronyc tracking
chronyc sources
Make sure client access is allowed (adjust for your subnet; this restricts NTP service to the listed network):
echo "allow 172.16.35.0/24" > /etc/chrony/conf.d/allow.conf
systemctl restart chrony
ss -panu
For the last command, make sure you see 0.0.0.0:123 in the Local Address column.
BIND
Setting up BIND is a bit more involved. These directions are loosely based on DigitalOcean’s BIND instructions.
Firewall
Ubuntu
In the file /etc/default/ufw, turn off IPv6 (unless you need it) with:
IPV6=no
ufw allow from any to any port 22
ufw allow from any to any port 123
ufw allow from any to any port 53
ufw enable
RHEL
Use firewall-cmd or the GUI firewall-config to open the following services, which must be in place prior to installing IdM.
[root@idm1 ~]# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
IdM Setup
PRIMARY
The following command should be run on the PRIMARY. This command assumes DNS will be provided externally.
[root@idm1 ~]# ipa-server-install
We will use all of the integrated services except for DNS. Be sure to record the Directory Manager and admin passwords. You will also be asked for the NTP (chrony) servers during setup.
If anything goes wrong on the install, pay close attention to the output and the log details.
You may receive a warning that chrony is not reachable. This is only a warning, but you should confirm the firewall settings and confirm that the server can synchronize with the time servers.
When the installation is complete, you'll receive a notification that the DNS entries are in /tmp/ipa.system.records.SOMENAME.db.
REPLICA
To install the replica, it's easiest to create the host entry on the primary first. On the PRIMARY server run the following:
ipa host-add idm2.csskid.net --random
ipa hostgroup-add-member ipaservers --hosts idm2.csskid.net
Be sure to capture the randomly generated one-time password, which will be used for the next step on the REPLICA. Passing it with -p leaves it in the shell history; it is single-use, so if it is exposed or mistyped, generate a new one with ipa host-mod --random.
[root@idm2 ~]# ipa-replica-install --setup-ca -p '8Wi{O%eBttw^tAU+q(Qpv~'
If you run into errors, be sure to check the log. The most common errors are:
- The /etc/hosts file has not been updated to show the FQDN and short name for the server's IP.
- Firewalls are incorrectly configured. BOTH the primary and replica should be checked. Rules must be configured PRIOR to installation.
- Reverse DNS does not resolve correctly. The replica will fail if reverse DNS is not functioning or does not resolve the components needed for services.
- The password is not correct for the replica to join the domain. Check the password or generate a new one with ipa host-mod --random.
Generate the additional DNS entries needed for the new replica to be found.
ipa dns-update-system-records --dry-run --out /tmp/dnsrecords.nsupdate
You can copy/paste the screen output of the IPA DNS records directly into your forward zone, replacing the entries added when you set up the primary. You can also use the nsupdate command if you prefer.
Clients
Ensure that clients are already configured with the proper hostnames and are using the DNS servers that carry your IPA service records.
You can pre-enroll the clients like you did the replica, but it’s not a requirement. Pre-enrolling is helpful if you intend to script the installs.
Ubuntu
Start by installing the freeipa-client package.
apt install freeipa-client
Now run
ipa-client-install
After providing the time servers, you can enroll the client in the realm with the admin credentials.
RHEL
This is similar to the Ubuntu install.
dnf install ipa-client
Now run
ipa-client-install
NFS and Automount
The NFS server will be running Ubuntu 24.04 as an IdM client. Install the NFS server and set up a general home space.
apt install nfs-kernel-server autofs
mkdir -p /srv/nfs/nfs_share
chown nobody:nogroup /srv/nfs/nfs_share
chmod 751 /srv/nfs/nfs_share
Now, set up the server as a member of the IdM.
apt install freeipa-client
ipa-client-install
Create the basic export by adding it to /etc/exports. (Note that the directory created above is /srv/nfs/nfs_share, while the automount examples below export /srv/nfs/homes; use one path consistently.)
FIX ME
Now, set up the IdM to be aware of the automount export.
root@store:/srv/nfs/homes# ipa service-add nfs/store.csskid.net
-----------------------------------------------
Added service "nfs/store.csskid.net@CSSKID.NET"
-----------------------------------------------
  Principal name: nfs/store.csskid.net@CSSKID.NET
  Principal alias: nfs/store.csskid.net@CSSKID.NET
  Managed by: store.csskid.net
Set up the keytab.
root@store:/srv/nfs/homes# ipa-getkeytab -s idm1.csskid.net -p nfs/store.csskid.net -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab
Configure the automount.
root@store:/srv/nfs/homes# ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/default/nfs-common
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs
Set up the automount location.
root@store:~# ipa automountlocation-add store
--------------------------------
Added automount location "store"
--------------------------------
  Location: store
Set up the map.
root@store:~# ipa automountmap-add store auto.homes
--------------------------------
Added automount map "auto.homes"
--------------------------------
  Map: auto.homes
Add the wildcard key to the map (sec=krb5i gives Kerberos authentication plus integrity protection for the mount).
root@store:~# ipa automountkey-add store auto.homes --key='*' --info='sec=krb5i,vers=4 store.csskid.net:/srv/nfs/homes'
-----------------------
Added automount key "*"
-----------------------
  Key: *
  Mount information: sec=krb5i,vers=4 store.csskid.net:/srv/nfs/homes
NFS Client
On Ubuntu, you'll install nfs-common to mount NFS shares.
apt install nfs-common autofs sssd-tools
Configure automount, pointing the client at the "store" location created above:
root@desk1:~# ipa-client-automount --location store -U
Searching for IPA server...
IPA server: DNS discovery
Location: store
Configured /etc/default/nfs-common
Configured /etc/idmapd.conf
Restarting sssd, waiting for it to become available.
Started autofs
Final Thoughts
Random Commands
kinit admin
ipa config-show
ipa host-mod --random
ipa server-del idm2.csskid.net --force
ipa host-add idm2.csskid.net --random
ipa hostgroup-add-member ipaservers --hosts idm2.csskid.net
ipa-client-install
ipa-client-install --uninstall