[[linux_wiki:freeipa_client_enroll]]

FreeIPA Client Enroll

General Information

Enrolling a new client with FreeIPA servers.

Checklist


The Script

ipa-enroll-client.sh
#!/bin/bash
# Name: ipa-enroll-client.sh
# Description: Sets up a system with sssd and configures to point to IPA servers
# Last Updated: 12/28/2016
# Recent Changes:-Copied from ldap migrate script for a base. Minor formatting.
###################################################################################
 
##### Customize These Variables #####
 
# Domain Name
domain_name="example.com"
 
# IPA Servers
ipa_server1="ipaserver01.${domain_name}"
ipa_server2="ipaserver02.${domain_name}"
 
# User with permissions to enroll/admin hosts into realm
# For security purposes, this account should not be able to login to any systems
enroll_user="enrolladmin"
 
# Password of Enroll User
enroll_pw="enroll-secret-here"
 
##### End of Customize Variables #####
 
#### Functions Here: Main Starts After ####
function check_os_type
{
  if [ -f /etc/system-release-cpe ];then
    distro=$(awk -F: '{printf "%s", $3}' /etc/system-release-cpe)
    major_version=$(awk -F: '{printf "%d", $5}' /etc/system-release-cpe)
  elif [ -f /etc/redhat-release ];then
    distro=$(awk '{printf "%s", $1}' /etc/redhat-release)
    major_version=$(awk -F. '{print $1}' /etc/redhat-release | awk '{printf "%d", $3}')
  fi
}
 
function show_usage
{
  echo -e "\n==== IPA: Enroll a Client with the IPA Domain ===="
  echo -e "\nDescripton: Sets up a system with sssd and configures to point to IPA servers."
  echo -e "\n--Usage--"
  echo -e "-h                    => Display usage."
  echo -e "-i                    => Interactive Mode (Unattended is default)."
  echo -e "\n--Other Requirements--"
  echo -e "-> FreeIPA admin access for interactive mode."
  echo -e
}
 
#### End of Functions ####
 
#=======================
# Get Script Arguments
#=======================
# Reset POSIX variable in case it has been used previously in this shell
OPTIND=1
 
#Default Settings
interactive="no"
 
while getopts "hi" opt; do
  case "${opt}" in
    h) # -h (help) argument
      show_usage
      exit 0
    ;;
    i) # -i (interactive) argument
      interactive="yes"
    ;;
    *) # invalid argument
      show_usage
      exit 0
    ;;
  esac
done
 
#==================
# Main Starts Here
#==================
 
# Pre-checks
check_os_type
 
#==============================================================
# Confirm running the script
#==============================================================
echo -e "=============================================="
echo -e "####======== IPA: Enroll Client  =========####"
echo -e "=============================================="
echo
echo -e "Warning: This script will disable nscd/nslcd, install sssd, and set LDAP authentication to IPA servers."
echo -e "Detected Distro: ${distro} ${major_version}"
if [[ ${interactive} == "no" ]]; then
  echo -e "Mode: Unattended"
else
  echo -e "Mode: Interactive"
fi
echo -e "\n=>Continue?[y/n]:\c"
read run_script
 
if [[ ${run_script} != "y" ]]; then
  echo -e "\n>>Will not run the IPA Enroll Client script. Exiting..."
  exit 1
fi
 
echo -e "\n>>Installing the ipa-client..."
yum -y install ipa-client
 
echo -e "\n>>Configuring IPA authentication..."
case ${major_version} in
  "7")
    if [[ ${interactive} == "no" ]]; then
      ## Unattended ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join
    else
      ## Interactive ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join
    fi
  ;;
  "6")
    if [[ ${interactive} == "no" ]]; then
      ## Unattended ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server2} --server=${ipa_server1} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join
    else
      ## Interactive ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server2} --server=${ipa_server1} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join
    fi
  ;;
  "5")
    if [[ ${interactive} == "no" ]]; then
      ## Unattended ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join
    else
      ## Interactive ##
      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join
    fi
  ;;
esac
 
echo -e "\n>>Redeploying sshd config (ipa-client-install changed it)..."
rhncfg-client get /etc/ssh/sshd_config
 
echo -e "\n>>Restarting sshd..."
case ${major_version} in
  "7")
    systemctl restart sshd
  ;;
"6"|"5")
    service sshd restart
  ;;
esac
 
echo -e "\n>>Disabling nscd/nslcd..."
case ${major_version} in
  "7")
    systemctl stop nslcd
    systemctl stop nscd
    systemctl disable nslcd
    systemctl disable nscd
  ;;
  "6")
    service nslcd stop
    service nscd stop
    chkconfig nslcd off
    chkconfig nscd off
  ;;
  "5")
    service nscd stop
    chkconfig nscd off
  ;;
esac
 
echo -e "\n>>Disabling ldap identification, ldap auth, and force legacy (sssd used instead)..."
case ${major_version} in
  "7"|"6")
    authconfig --disableldap --disableldapauth --disableforcelegacy --update
  ;;
  "5")
    authconfig --disableldap --disableldapauth --update
  ;;
esac
 
echo -e "\n>>Restarting sssd..."
case ${major_version} in
  "7")
    systemctl restart sssd
  ;;
  "6"|"5")
    service sssd restart
  ;;
esac
 
echo -e "\n>>Starting and enabling oddjobd..."
case ${major_version} in
  "7")
    systemctl start oddjobd
    systemctl enable oddjobd
  ;;
  "6")
    service messagebus start
    service oddjobd start
    chkconfig messagebus on
    chkconfig oddjobd on
  ;;
  "5")
    service messagebus start
    service oddjobd start
    chkconfig messagebus on
    chkconfig oddjobd on
  ;;
esac
 
if [[ ${major_version} == "6" ]]; then
 
  echo -e "\n>>Checking for sssd.conf client idle timeout. (fix for EL6 cron bug)..."
 
  if [[ $(grep client_idle_timeout /etc/sssd/sssd.conf) ]]; then
    echo -e "->Client idle timeout found in sssd.conf, will not append"
  else
    echo -e "\n->Adding client idle timeout to sssd.conf (fix for EL6 cron bug)..."
    sed -i '/services = nss, sudo, pam, ssh/ a\client_idle_timeout=75' /etc/sssd/sssd.conf
    service sssd restart
    service crond restart
  fi
 
fi
 
echo -e "\n============================================="
echo -e "####==== IPA: Enroll Client Complete ====####"
echo -e "============================================="

  • linux_wiki/freeipa_client_enroll.txt
  • Last modified: 2019/05/26 03:50
  • (external edit)