Setting Up FreeIPA With Ansible

Table of Contents

I set up IdM to manage credentials. It’s currently a barebones system, but I’ll flesh it out as time goes on.

Install FreeIPA

The FreeIPA project makes this incredibly easy as a matter of fact, by providing the ansible-freeipa project. One caveat is that despite saying they support CentOS 7.4+, the replica script requires FreeIPA 4.6, which is not officially available.

I looked into the possibility of using a Fedora, but after considering pros and cons, I decided to stick with CentOS, and work around this limitation.

Preparation

Since the FreeIPA server setup will be creating an existing DNS zone on my network, I had the option of either explicitly allowing overlap, or of disabling local zones on my nameserver and statically assigning hosts. I chose the latter, despite it being a bit more work, since it seemed cleaner and less error-prone.

I also updated the DHCP server so the primary DNS is the IPA server.

I deployed a static hosts list with the following task:

  - name: "Build hosts file"
    lineinfile:
      dest: /etc/hosts
      regexp: '.*{{ item }}$'
      line: "{{ hostvars[item].ansible_host }} {{ item }} {{ hostvars[item].inventory_hostname_short }}"
      state: present
    with_items: "{{ groups['all'] }}"

ipaserver-install

First, I spun up two CentOS 7 VMs, ipa1 and ipa2. I used groupvars to allocate a little more RAM, swap, and disk space:

# ipaservers
---
virtio: '{"virtio0":"gluster:15,cache=none,discard=on,format=qcow2"}'
swap: 2048
memory: 4096

Since a lot of the variables for the ansible-freeipa script are common to the primary server, the replicas, and the clients, I put the following in group_vars/all

---
searchdomain: 'lan.nathancurry.com'

ipaserver_domain: 'lan.nathancurry.com'
ipaserver_realm: 'LAN.NATHANCURRY.COM'
ipaserver_forwarders:
  - 10.3.3.2
  - 10.3.3.3
ipaserver_no_reverse: false
ipaserver_setup_dns: yes

ipaclient_domain: 'lan.nathancurry.com'
ipaclient_no_ntp: 'yes'

I of course set passwords in the vault.

Documentation doesn’t line up precisely with the reality of deploying the scripts, so while the variables for ipaserver_domain and ipaserver_realm were billed as pre-existing configurations to join, I got errors until I added them.

Once everything was set, I had a working FreeIPA deployment within about 15 minutes. Which is a notable improvement over last time.

ipaclient-install

This was as easy as the server install. I had to add the IPA server to /etc/resolv.conf on the clients:

- name: resolv
  lineinfile:
    path: /etc/resolv.conf
    state: present
    line: nameserver 10.3.3.11
    insertbefore: 'BOF'

I’m not particularly proud of that one, but it worked.

---
ipaclient_domain: lan.nathancurry.com
ipaclient_realm: LAN.NATHANCURRY.COM
ipaclient_no_ntp: true
ipaclient_allow_repair: true
ipaclient_force_join: true

ipaservers:
  - ipa1.lan.nathancurry.com

ipacelient_servers:
  - ipa1.lan.nathancurry.com

I ran the role on all the other hosts except my hypervisors, since they’re on Debian Stretch, which has no FreeIPA build.

Adding Hypervisors

I ran this one-off playbook to add the hosts:

---
- name: Add hosts
  hosts: ipa1.lan.nathancurry.com
  vars_files:
    - ~/0/vault/secrets.yml

  tasks:
  - name: add host
    ipa_host:
      fqdn: "{{ item }}"
      ip_address: "{{ host_vars[item].ansible_host }}"
      ipa_host: "{{ freeipa_server }}"
      ipa_pass: "{{ ipaadmin_password }}"
    with_items: "{{ groups['hypervisors'] }}"


  - name: get keytab
    command: 'ipa-getkeytab -s {{ freeipa_server}} -p hots/{{ item }} -k /tmp/{{ hostvars[item].inventory_hostname_short }}.keytab'

And then manually installed the keytabs on their respective hosts at /etc/krb5.keytab

Then on the hosts:

# apt-get install sssd libnss-sss libpam-sss krb5-user

I can now run kinit admin and authenticate.

Conclusion

I still need to configure FreeIPA for authentication and service sharing, but this is a good start.