# FreeIPA is an open-source alternative to Microsoft Windows Active Directory, primarily used as an integrated identity and host-management solution for Unix/Linux environments. Like Active Directory, FreeIPA implements a full LDAP directory infrastructure and a Kerberos KDC, so all together it provides a Unix host-management system complete with LDAP and Kerberos, which also allows for multi-factor authentication.
Information
Files
# Kerberos client configuration written at enrolment (default realm, location of the KDCs, ...)
/etc/krb5.conf
# Default configuration file (set system-wide defaults)
/etc/ipa/default.conf
# Host keytab, present on every enrolled host; holds the host principal's long-term key used in the authentication process, so it is readable by root only (0600) by default
/etc/krb5.keytab
Environment variables
# Location of the CCACHE
KRB5CCNAME
# Location of the keytab
KRB5_KTNAME
# Location of Kerberos configuration file
KRB5_CONFIG
# Location of Kerberos configuration file with additional information (KDC)
KRB5_KDC_PROFILE
# Default type of replay cache
KRB5RCACHETYPE
# Directory for replay caches
KRB5RCACHEDIR
# File that Kerberos library trace/debug output is written to
KRB5_TRACE
# Default client keytab filename
KRB5_CLIENT_KTNAME
# Default port for kprop
KPROP_PORT
Binaries
# Standard for managing domain
ipa
# Destroy any current Kerberos tickets in the users session
kdestroy
# Establish, or renew Kerberos tickets
kinit
# Lists any current Kerberos tickets in use
klist
# Change a Kerberos principal's password
kpasswd
# Alternative for the su binary
ksu
# Switch the current credential cache in use
kswitch
# Acquires a service ticket for the specified Kerberos principals and # Prints out the key version numbers of each
kvno
Authentication
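# CCache
# File used to store tickets, usually under /tmp (e.g. /tmp/krb5cc_<uid>).
# Cache files are created mode 0600 and owned by the ticket's user, so reading
# another user's cache (root's krb5cc_0 below) needs that user's privileges or root.
# Point the Kerberos libraries at the cache, then parse it with klist
export KRB5CCNAME=/tmp/krb5cc_0
klist /tmp/krb5cc_0

# Unix Keyring
# Admins can configure tickets to live in the kernel keyring instead of a file
# (e.g. default_ccache_name = KEYRING:persistent:%{uid} in krb5.conf);
# klist shows which cache type is in use.
# Tickey (https://github.com/TarlogicSecurity/tickey) dumps Kerberos tickets
# from the keyring into files; it generally needs root to reach other users' sessions.
kinit admin
klist
./tickey
export KRB5CCNAME=/tmp/<ticket_outfile>
klist

# Keytab
# Pairs of Kerberos principals and their long-term keys: for users the key is
# derived from the Kerberos password, for host/service principals it is usually
# random. The keys are stored unencrypted, so a readable keytab is equivalent
# to the principal's credentials; /etc/krb5.keytab is root-only by default.
# KeytabParser (https://github.com/its-a-feature/KeytabParser) extracts the keys,
# and kinit -kt uses the keytab directly to obtain a TGT.
python KeytabParser.py /etc/krb5.keytab
# Realm names are case-sensitive; FreeIPA realms are upper-case by convention
kinit -kt /etc/krb5.keytab host/name.domain.local@DOMAIN.LOCAL
klist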
Enumeration
# Hosts, Users and Groups. Hosts and users can be sorted into containers called "Host Groups" and "User Groups" respectively, similar to Organizational Units (OUs) in Active Directory. Host-Based Access Control Rules (HBAC rules), privileges, roles and sudo rules can be applied to any of the objects above. You can enumerate them either with LDAP queries or with the built-in FreeIPA tools.
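# LDAP Queries
# Anonymous (simple, unauthenticated) bind: returns whatever the directory
# exposes without credentials. On an enrolled client the URI and base DN
# normally come from /etc/openldap/ldap.conf; otherwise pass -H and -b explicitly.
ldapsearch -x
# After authentication (GSSAPI/Kerberos), get all users.
# kinit -kt with no principal uses the host principal from the keytab;
# reading /etc/krb5.keytab requires root.
kinit -kt /etc/krb5.keytab
# Native user container (authoritative data):
ldapsearch -Y gssapi -b "cn=users,cn=accounts,dc=westeros,dc=local"
# Compat tree (schema-compat plugin view, may be disabled on some deployments):
ldapsearch -Y gssapi -b "cn=users,cn=compat,dc=westeros,dc=local"
# Get all hosts
ldapsearch -Y gssapi -b "cn=computers,cn=accounts,dc=westeros,dc=local"
# Host groups
ldapsearch -Y gssapi -b "cn=hostgroups,cn=accounts,dc=westeros,dc=local"
# User groups
ldapsearch -Y gssapi -b "cn=groups,cn=accounts,dc=westeros,dc=local"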
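# Built-in tools
# Installed by default when enrolling, but they need a valid Kerberos ticket
# (check with klist; point KRB5CCNAME at the cache you want to use).
# If you lack a domain user credential: each enrolled host is deployed with a
# keytab for the host itself (/etc/krb5.keytab, root-readable), which can be
# used to obtain a valid credential cache (CCACHE) TGT for the host principal:
#   kinit -kt /etc/krb5.keytab
# Note the real command names: user groups are "group-*", host groups are
# "hostgroup-*", and single objects are queried with "*-show".
ipa user-find
ipa group-find
ipa host-find
ipa hostgroup-find
# Details of a single object
ipa user-show <username> --all
ipa group-show <user group> --all
ipa host-show <host> --all
ipa hostgroup-show <host group> --all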
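# HBAC-Rules
# Host-Based Access Control: at a high level, defines which users/groups may
# access which hosts/host groups through which services.
# Get all HBAC-Rules via LDAP
ldapsearch -Y gssapi -b "cn=hbac,dc=westeros,dc=local"
# Built-in
ipa hbacrule-find
ipa hbacrule-show <hbacrule> --all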
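# Sudo-Rules
# Equivalent to HBAC-Rules, but additional sudoers information can be set
# (allowed commands, sudoers options, run-as user/group, ...).
# Rules that allow all commands or run-as root are the ones to look at.
# Get all Sudo-Rules via LDAP
ldapsearch -Y gssapi -b "cn=sudorules,cn=sudo,dc=westeros,dc=local"
# Built-in
ipa sudorule-find
ipa sudorule-show <sudorule> --all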
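# Role-Based Access Control
# RBAC is a hierarchical way of organising access to the data managed by
# FreeIPA: roles are made of privileges, and privileges are made of permissions.
# Get all roles via LDAP
ldapsearch -Y gssapi -b "cn=roles,cn=accounts,dc=westeros,dc=local"
# Built-in
ipa role-find
ipa role-show <role> --all
ipa privilege-find
ipa privilege-show <privilege> --all
ipa permission-find
ipa permission-show <permission> --all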