Unit 3: User management and Kerberos authentication

This unit introduces the ipa CLI program and the web interface. We will perform some simple administrative tasks: adding groups and users and managing group membership.

Web UI

Visit https://server.ipademo.local/. You'll get an untrusted-issuer TLS warning, which you can dismiss by adding a temporary exception. Log in as admin.

Welcome to the FreeIPA Web UI. Most management activities can be performed here, or via the ipa CLI program. Use the Web UI to perform the following actions:

  1. Add a User with the username alice.

  2. Add a User Group for system administrators named sysadmin.

  3. Add alice to the sysadmin group.

CLI

Make sure you have a Kerberos ticket for admin (reminder: kinit admin).

Most FreeIPA administrative actions can be carried out using the ipa CLI program. Let's see what commands are available:

[server]% ipa help commands
automember-add                    Add an automember rule.
automember-add-condition          Add conditions to an automember rule.
automember-default-group-remove   Remove default (fallback) group for all unmatched entries.
automember-default-group-set      Set default (fallback) group for all unmatched entries.
automember-default-group-show     Display information about the default (fallback) automember groups.
...

Whoa! There are nearly 400 commands! We'll be using only a handful of these today. Note that command completion is enabled in the shell, so you can type a partial command and press <TAB> a couple of times to see what commands are available, e.g. all the commands starting with cert-:

[server]$ ipa cert-<TAB>
cert-find         cert-request      cert-show
cert-remove-hold  cert-revoke       cert-status

You'll notice that commands are grouped by topic, or the kind of object they act upon. Run ipa help topics to list all topics. You can read a general overview of a topic by running ipa help <topic>, and specific information on a particular command by running ipa help <command>.

Add a user named bob from the CLI. Use the CLI help to find the right command (hint: the user plugin provides the command).

User authentication

We have seen how to authenticate as admin. The process is the same for regular users - just kinit <username>!

Try to authenticate as bob:

[server]$ kinit bob
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

If you did not encounter this error, congratulations - you must be a disciplined reader of documentation! To set an initial password when creating a user via the ipa user-add command you must supply the --password flag (the command will prompt for the password).

Use the ipa passwd command to (re)set a user's password:

[server]$ ipa passwd bob
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "bob@IPADEMO.LOCAL"
----------------------------------------

Whenever a user has their password reset (including the first time it is set), the next kinit will prompt them to enter a new password:

[server]$ kinit bob
Password for bob@IPADEMO.LOCAL:
Password expired.  You must change it now.
Enter new password:
Enter it again:

Now bob has a TGT (run klist to confirm), which he can use to authenticate himself to other hosts and services. Try logging into client.ipademo.local:

[server]$ ssh bob@client.ipademo.local
Creating home directory for bob.
[bob@client]$

You are now logged into the client as bob. Type ^D or exit to log out and return to the server shell. If you run klist again, you will see not only the TGT but a service ticket that was automatically acquired to log in to client.ipademo.local without prompting for a password. Kerberos is a true single sign-on protocol!

[server]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: bob@IPADEMO.LOCAL

Valid starting       Expires              Service principal
06/04/2018 21:45:50  06/05/2018 21:38:24  host/client.ipademo.local@IPADEMO.LOCAL
06/04/2018 21:38:41  06/05/2018 21:38:24  krbtgt/IPADEMO.LOCAL@IPADEMO.LOCAL
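
As an added example (not part of the workshop), here is a small POSIX shell parser for a klist listing like the one above: it confirms that a TGT for the realm is present, lists the service tickets acquired through single sign-on, and checks whether a ticket is still valid at a given time. It assumes klist's default MM/DD/YYYY timestamp format and the IPADEMO.LOCAL realm used in this unit; the KLIST_OUTPUT sample is constructed from the listing above.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA workshop: parse a klist listing to
# confirm a TGT is present, list SSO service tickets, and check expiry.
# KLIST_OUTPUT is constructed from the listing shown in this unit.

KLIST_OUTPUT='Ticket cache: KEYRING:persistent:1000:1000
Default principal: bob@IPADEMO.LOCAL

Valid starting       Expires              Service principal
06/04/2018 21:45:50  06/05/2018 21:38:24  host/client.ipademo.local@IPADEMO.LOCAL
06/04/2018 21:38:41  06/05/2018 21:38:24  krbtgt/IPADEMO.LOCAL@IPADEMO.LOCAL'

# Ticket lines have five fields: start date, start time, expiry date,
# expiry time, service principal. Print "<expiry date> <expiry time> <principal>".
ticket_lines() {
    printf '%s\n' "$1" | awk 'NF == 5 && $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9]$/ { print $3, $4, $5 }'
}

# Succeed if the cache holds a TGT (krbtgt/REALM@REALM) for the given realm.
has_tgt() {
    ticket_lines "$1" | awk -v realm="$2" '$3 == "krbtgt/" realm "@" realm { found = 1 } END { exit !found }'
}

# Print the service (non-krbtgt) principals, e.g. the host/ ticket obtained by SSH.
service_tickets() {
    ticket_lines "$1" | awk '$3 !~ /^krbtgt\// { print $3 }'
}

# Convert "MM/DD/YYYY HH:MM:SS" (klist's default format) to YYYYMMDDHHMMSS so
# that two timestamps can be compared as integers without relying on date(1).
to_sortable() {
    printf '%s\n' "$1" | sed 's#^\([0-9][0-9]\)/\([0-9][0-9]\)/\([0-9]\{4\}\) \([0-9][0-9]\):\([0-9][0-9]\):\([0-9][0-9]\)$#\3\1\2\4\5\6#'
}

# Usage: ticket_valid_at "$klist_output" "<principal>" "MM/DD/YYYY HH:MM:SS"
# Succeed if the named principal's ticket is present and has not expired by then.
ticket_valid_at() {
    expiry=$(ticket_lines "$1" | awk -v p="$2" '$3 == p { print $1, $2; exit }')
    [ -n "$expiry" ] || return 1
    [ "$(to_sortable "$expiry")" -gt "$(to_sortable "$3")" ]
}

# Stand-alone run: report on the sample listing.
has_tgt "$KLIST_OUTPUT" IPADEMO.LOCAL && echo "TGT for IPADEMO.LOCAL present"
echo "Service tickets:"; service_tickets "$KLIST_OUTPUT"
```

On a live system, replace the constructed sample with `KLIST_OUTPUT=$(klist)` to check the current ticket cache.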

Now that you have created some users, it's time to define some access policies. Proceed to Unit 4: Host-based access control (HBAC).

Alternatively, if you are interested in SSH public key management for users and hosts, jump ahead to Unit 10: SSH user and host key management.