3.2 KiB
Developing the realmd component
This adds functionality to Cockpit to join an AD or IPA domain.
Some features of Cockpit require a domain to test. Cockpit should work with either Active Directory or IPA.
Running a test domain
To contribute to this component, run a test domain which ends
up being rather easy. Install the stuff in test/README
near the
top. And then do the following:
$ bots/vm-run --network services
That runs an IPA domain. Now in another terminal do the following:
$ sudo /bin/sh -c "echo -e 'domain cockpit.lan\nsearch cockpit.lan\nnameserver 10.111.112.100\n' > /etc/resolv.conf"
Make sure this works:
$ realm discover cockpit.lan
And now you're ready to use the feature. There's an account called "admin" with the password "foobarfoo".
To test your DNS, the following should succeed without any error messages on your server with cockpit:
$ host cockpit.lan
Now verify that you can authenticate against the IPA server. See password above.
$ kinit admin@COCKPIT.LAN
Password for admin@COCKPIT.LAN:
Setting up Single Sign on
Cockpit can perform single sign on authentication via Kerberos. To test and work on this feature, you must have a domain on your network. See section above if you do not.
Use the following guide to configure things, with more troubleshooting advice below:
https://cockpit-project.org/guide/latest/sso.html
BUG: The host name of the computer Cockpit is running on should end with the domain name. If it does not, then rename the computer Cockpit is running on: realmd bug
$ sudo hostnamectl set-hostname my-server.domain.com
BUG: If your domain is an IPA domain, then you need to explictly add a service before Cockpit can be used with Single Sign on. The following must be done on the computer running Cockpit. realmd bug
$ sudo -s
# kinit admin@COCKPIT.LAN
# ipa service-add --ok-as-delegate=true --force HTTP/my-server.cockpit.lan@COCKPIT.LAN
# ipa-getkeytab -q -s services.cockpit.lan -p HTTP/my-server.cockpit.lan -k /etc/krb5.keytab
Now when you go to your cockpit instance you should be able to log in without authenticating. Make sure to use the full hostname that you set above, the one that includes the domain name.
If you want to use Cockpit to connect to a second server make sure that second server is joined to a domain, and that you can ssh into it using GSSAPI authentication with the domain user:
$ ssh -o PreferredAuthentications=gssapi-with-mic admin@my-server2.domain.com
If you thought that was nasty and tiresome, it's because it is at present :S
Using delegated credentials
Cockpit can delegate forwardable credentials. Make sure to specify you want them during kinit:
$ kinit -f admin@COCKPIT.LAN
$ klist -f
Default principal: admin@COCKPIT.LAN
...
Flags: FIA
Use the IPA GUI to setup "Trusted for delegation" for the host and service that Cockpit is running on. Make sure to tell the browser to delegate credentials as seen in the guide:
https://cockpit-project.org/guide/latest/sso.html
Ze goggles, zey do nothing!