In this guide we will learn how to manage FreeIPA users and groups.
After installing the FreeIPA server and obtaining a Kerberos ticket, the next step is identity management, which starts with creating groups and users.
Prerequisites
For this guide, you will need a functioning FreeIPA server. Check out these guides on how to set one up:
- How to Install and Configure FreeIPA on Rocky Linux/Centos 8
- How to configure FreeIPA Replication on Rocky Linux/Alma Linux/Centos 8
To proceed, you also need a valid Kerberos ticket. Obtain a ticket for a principal with:
kinit [principal]
This is for my admin user:
$ kinit admin
Password for admin@IPA.CITIZIX.COM:
Confirm that the ticket is valid by listing the cached Kerberos tickets:
$ klist
Ticket cache: KCM:1000
Default principal: admin@IPA.CITIZIX.COM
Valid starting Expires Service principal
12/02/2021 21:38:40 12/03/2021 20:58:27 krbtgt/IPA.CITIZIX.COM@IPA.CITIZIX.COM
The default lifetime of the ticket is 24 hours.
Managing Groups in FreeIPA
In FreeIPA, a user group is a set of users with common password policies, privileges, and other characteristics. A user group can include:
- FreeIPA users
- Other user groups
- External users, i.e. users that exist outside of the FreeIPA domain
Supported group types are:
- POSIX groups – This is the default type and supports Linux POSIX attributes for group members. Groups that interact with Active Directory cannot use POSIX attributes (e.g. uidNumber and gidNumber).
- Non-POSIX groups – These do not support POSIX attributes. For example, they do not have a GID.
- External groups – Used to add group members that exist in an identity store outside of the FreeIPA domain, such as a local system, an Active Directory domain or a directory service. These groups do not support POSIX attributes.
The following groups are created by default when the FreeIPA server is installed and configured:
- admins – Consists of all users with administrative privileges, including the default admin user
- ipausers – Consists of all FreeIPA users
- trust admins – Users with privileges to manage Active Directory trusts
When a user is added to a user group, the user gains the privileges and policies associated with that group.
Add User Group in FreeIPA
Use this command to add a group called qa in FreeIPA:
ipa group-add --desc='QA Engineers' qa
This is the output on my server:
$ ipa group-add --desc='QA Engineers' qa
----------------
Added group "qa"
----------------
Group name: qa
Description: QA Engineers
GID: 1063800004
By default, the command above adds a POSIX user group. To specify a different group type, add the corresponding option to the command:
# Create an external group
$ ipa group-add --external groupname
# Create a non-POSIX group
$ ipa group-add --nonposix groupname
Using Custom Group ID
To specify a custom Group ID (GID), use the --gid=custom_GID option:
$ ipa group-add --gid=custom_GID groupname
You have to be careful to avoid ID conflicts: FreeIPA will not stop you from picking a GID that is already in use by another group or by a local group on a client host.
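The conflict check a practitioner would want before passing a hand-picked GID, as an added example that is not part of the original post. It parses the text format of ipa group-find shown on this page; the live wrapper assumes the --gid=INT filter of ipa group-find and a valid Kerberos ticket, and the sample outputs at the bottom are constructed for the offline check. A GID that is free in FreeIPA can still collide with a local group on a client host, so pair this with getent group on the hosts that matter.

```shell
#!/bin/sh
# Added example (not the original post's code): refuse to create a POSIX
# group with a hand-picked GID when FreeIPA already holds that GID.

# Print the group names found in `ipa group-find` output
# (the "  Group name: ..." lines of the format shown on this page).
groups_in_find_output() {
    sed -n 's/^[[:space:]]*Group name: //p'
}

# Return 0 (true) if the given group-find output lists at least one group.
gid_taken_in_output() {
    [ -n "$(printf '%s\n' "$1" | groups_in_find_output)" ]
}

# Create the group only if nothing on the server already uses the GID.
# Assumes `ipa group-find --gid=INT` (real option) and a Kerberos ticket.
safe_group_add() {
    gid="$1"; name="$2"; desc="$3"
    case "$gid" in
        ''|*[!0-9]*) echo "GID must be numeric" >&2; return 2 ;;
    esac
    found="$(ipa group-find --gid="$gid" 2>/dev/null)"
    if gid_taken_in_output "$found"; then
        echo "GID $gid is already used by: $(printf '%s\n' "$found" | groups_in_find_output)" >&2
        return 1
    fi
    ipa group-add --desc="$desc" --gid="$gid" "$name"
}

# Constructed samples of group-find output (a hit and a miss) for offline checks.
SAMPLE_TAKEN='----------------
1 group matched
----------------
  Group name: qa
  Description: QA Engineers
  GID: 1063800004
----------------------------
Number of entries returned 1
----------------------------'

SAMPLE_FREE='----------------
0 groups matched
----------------
----------------------------
Number of entries returned 0
----------------------------'
```

Usage on a live server is `safe_group_add 1063800050 devops 'DevOps team'`; the function exits non-zero and names the clashing group instead of creating a second entry with the same GID.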
Searching for user groups
Display all user groups:
$ ipa group-find
----------------
5 groups matched
----------------
Group name: admins
Description: Account administrators group
GID: 1063800000
Group name: editors
Description: Limited admins who can edit other users
GID: 1063800002
Group name: ipausers
Description: Default group for all users
Group name: qa
Description: QA Engineers
GID: 1063800004
Group name: trust admins
Description: Trusts administrators group
----------------------------
Number of entries returned 5
----------------------------
Display all non-POSIX groups:
$ ipa group-find --nonposix
----------------
2 groups matched
----------------
Group name: ipausers
Description: Default group for all users
Group name: trust admins
Description: Trusts administrators group
----------------------------
Number of entries returned 2
----------------------------
Display all POSIX groups:
$ ipa group-find --posix
----------------
3 groups matched
----------------
Group name: admins
Description: Account administrators group
GID: 1063800000
Group name: editors
Description: Limited admins who can edit other users
GID: 1063800002
Group name: qa
Description: QA Engineers
GID: 1063800004
----------------------------
Number of entries returned 3
----------------------------
Display all external groups:
$ ipa group-find --external
----------------
0 groups matched
----------------
----------------------------
Number of entries returned 0
----------------------------
Search for a FreeIPA group by name:
$ ipa group-find development
You can also limit the search results to groups that contain a particular user:
$ ipa group-find --user=user_name
The inverse is true when searching for groups that do not contain a particular user:
$ ipa group-find --no-user=user_name
Add members to a FreeIPA group:
$ ipa group-add-member --users=jdoe qa
Add a FreeIPA group as a nested member of another group:
$ ipa group-add-member --groups=development engineering
Delete a FreeIPA group:
$ ipa group-del qa
Managing Users in FreeIPA
Add a FreeIPA User Account
The command syntax is:
$ ipa user-add
These are the commonly used ipa user-add command options:
- --first=STR – User's first name
- --last=STR – User's last name
- --cn=STR – User account full name
- --homedir=STR – Home directory
- --shell=STR – Login shell
- --email=STR – Email address
- --password – Prompt to set the user password
- --mobile=STR – Mobile telephone number
Run without options, the command prompts interactively for the basic data needed to create a user account:
$ ipa user-add
First name: John
Last name: Doe
User login [jdoe]: jdoe
-----------------
Added user "jdoe"
-----------------
User login: jdoe
First name: John
Last name: Doe
Full name: John Doe
Display name: John Doe
Initials: JD
Home directory: /home/jdoe
GECOS: John Doe
Login shell: /bin/bash
Principal name: jdoe@IPA.CITIZIX.COM
Principal alias: jdoe@IPA.CITIZIX.COM
Email address: jdoe@ipa.citizix.com
UID: 1063800005
GID: 1063800005
Password: False
Member of groups: ipausers
Kerberos keys available: False
A user password is not set while the user account is being created this way, so the account cannot log in yet (note "Password: False" and "Kerberos keys available: False" above).
To create the user with a password in one step, add the --password option. First delete the user created above:
$ ipa user-del jdoe
-------------------
Deleted user "jdoe"
-------------------
Then create the user again, specifying a password:
$ ipa user-add --first=John --last=Doe --password jdoe
Password:
Enter Password again to verify:
-----------------
Added user "jdoe"
-----------------
User login: jdoe
First name: John
Last name: Doe
Full name: John Doe
Display name: John Doe
Initials: JD
Home directory: /home/jdoe
GECOS: John Doe
Login shell: /bin/bash
Principal name: jdoe@IPA.CITIZIX.COM
Principal alias: jdoe@IPA.CITIZIX.COM
User password expiration: 20211202190348Z
Email address: jdoe@ipa.citizix.com
UID: 1063800006
GID: 1063800006
Password: True
Member of groups: ipausers
Kerberos keys available: True
To change the password of a FreeIPA user account:
$ ipa passwd jdoe
New Password:
Enter New Password again to verify:
-------------------------------------------
Changed password for "jdoe@IPA.CITIZIX.COM"
-------------------------------------------
Lock (disable) a user account:
$ ipa user-disable jdoe
----------------------------
Disabled user account "jdoe"
----------------------------
Unlock (enable) a user account:
$ ipa user-enable jdoe
---------------------------
Enabled user account "jdoe"
---------------------------
Search FreeIPA user accounts:
$ ipa user-find jdoe
--------------
1 user matched
--------------
User login: jdoe
First name: John
Last name: Doe
Home directory: /home/jdoe
Login shell: /bin/bash
Principal name: jdoe@IPA.CITIZIX.COM
Principal alias: jdoe@IPA.CITIZIX.COM
Email address: jdoe@ipa.citizix.com
UID: 1063800006
GID: 1063800006
Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
Show the raw LDAP attributes of a user (nsaccountlock is the attribute behind "Account disabled"):
$ ipa user-show --raw jdoe
uid: jdoe
givenname: John
sn: Doe
homedirectory: /home/jdoe
loginshell: /bin/bash
krbcanonicalname: jdoe@IPA.CITIZIX.COM
krbprincipalname: jdoe@IPA.CITIZIX.COM
mail: jdoe@ipa.citizix.com
uidnumber: 1063800006
gidnumber: 1063800006
nsaccountlock: FALSE
has_password: TRUE
has_keytab: TRUE
To modify an existing user, the command syntax is:
$ ipa [global-options] user-mod LOGIN
For example, to set a new password:
$ ipa user-mod --password jdoe
Password:
Enter Password again to verify:
--------------------
Modified user "jdoe"
--------------------
User login: jdoe
First name: John
Last name: Doe
Home directory: /home/jdoe
Login shell: /bin/bash
Principal name: jdoe@IPA.CITIZIX.COM
Principal alias: jdoe@IPA.CITIZIX.COM
Email address: jdoe@ipa.citizix.com
UID: 1063800006
GID: 1063800006
Account disabled: False
Password: True
Member of groups: ipausers
Kerberos keys available: True
Delete a FreeIPA user account:
$ ipa user-del jdoe
Add a member to a user group by using the command syntax:
ipa [global-options] group-add-member GROUP-NAME [options]
Common options:
- --users=STR – Users to add to the group
- --groups=STR – Groups to add to the named group
- --services=STR – Services to add to the group
- --external=STR – Members of a trusted domain in DOM\name or name@domain form
The examples below add a user or a group to a group.
Add the user jdoe as a member of qa:
$ ipa group-add-member qa --users=jdoe
Group name: qa
Description: QA Engineers
GID: 1063800004
Member users: jdoe
-------------------------
Number of members added 1
-------------------------
Add a user as a member manager of a user group (a member manager can add and remove members without needing admin rights):
$ ipa group-add-member-manager developers --users=jdoe
Group name: developers
GID: 106380005
Membership managed by users: jdoe
-------------------------
Number of members added 1
-------------------------
User jdoe can now manage members of developers.
Or add the group qa as a member manager of developers:
$ ipa group-add-member-manager developers --groups=qa
Group name: developers
GID: 320800004
Membership managed by groups: qa
Membership managed by users: jdoe
-------------------------
Number of members added 1
-------------------------
$ ipa group-show developers
Group name: developers
GID: 320800004
Membership managed by groups: qa
Membership managed by users: jdoe
Group qa will then be able to manage members of developers.
Add a group as a member of another group
Add group_b as a member of group_a:
$ ipa group-add-member group_a --groups=group_b
Removing a member from a user group
First confirm that the group includes the member you want to remove:
$ ipa group-show group_name
Remove a member from a user group with the ipa group-remove-member command, specifying the members to remove with these options:
- --users – removes a FreeIPA user
- --external – removes a user that exists outside the FreeIPA domain, in the format DOMAIN\user_name or user_name@domain
- --groups – removes a user group
For example, to remove jdoe from the group qa:
$ ipa group-remove-member qa --users=jdoe
Group name: qa
GID: 320800003
---------------------------
Number of members removed 1
---------------------------
Remove user1, user2, and group1 from a group called group_name:
ipa group-remove-member group_name --users=user1 --users=user2 --groups=group1
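The "confirm first, then remove" step above turned into a small script, as an added example that is not part of the original post. It parses the Member users / Member groups lines of ipa group-show in the format this page shows; the live wrappers assume a valid Kerberos ticket and the group-remove-member options listed above, and the sample output at the bottom is constructed for the offline check. Removing a name that is not a direct member is reported as a no-op instead of being sent to the server.

```shell
#!/bin/sh
# Added example (not the original post's code): only remove members that
# `ipa group-show` actually lists, and say so when a name is not present.

# Print, one per line, the comma-separated values of the "<label>:" line
# in group-show output. $1 = label (e.g. "Member users"), stdin = output.
field_from_show_output() {
    sed -n "s/^[[:space:]]*$1: //p" | tr -d ' ' | tr ',' '\n'
}

# Return 0 (true) if $2 appears under label $1 in the group-show output $3.
listed_in_output() {
    label="$1"; name="$2"; output="$3"
    printf '%s\n' "$output" | field_from_show_output "$label" | grep -qx -- "$name"
}

# Live wrappers: assume a Kerberos ticket and the ipa CLI on PATH.
# Remove user $2 from group $1 only if it is a direct member.
remove_user_if_member() {
    group="$1"; user="$2"
    out="$(ipa group-show "$group")" || return 1
    if listed_in_output "Member users" "$user" "$out"; then
        ipa group-remove-member "$group" --users="$user"
    else
        echo "$user is not a direct member of $group; nothing to remove" >&2
        return 3
    fi
}

# Same check for a nested group $2 inside group $1.
remove_group_if_member() {
    group="$1"; nested="$2"
    out="$(ipa group-show "$group")" || return 1
    if listed_in_output "Member groups" "$nested" "$out"; then
        ipa group-remove-member "$group" --groups="$nested"
    else
        echo "$nested is not a direct member group of $group; nothing to remove" >&2
        return 3
    fi
}

# Constructed sample of group-show output (format as shown on this page).
SAMPLE_SHOW='  Group name: qa
  Description: QA Engineers
  GID: 1063800004
  Member users: jdoe, asmith
  Member groups: contractors
  Membership managed by users: jdoe'
```

The label is anchored at the start of the line, so "Member users" does not accidentally match the "Membership managed by users" line, and the whole-line grep (-x) keeps jdoe from matching jdoe2.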
Removing users or groups as member managers from a user group
Command syntax:
ipa group-remove-member-manager GROUP-NAME [options]
Options:
- --users=STR – users to remove
- --groups=STR – groups to remove
For example, to remove the user user1 as a member manager of group1:
$ ipa group-remove-member-manager group1 --users=user1
Remove the group qa as a member manager of developers:
$ ipa group-remove-member-manager developers --groups=qa
Group name: developers
GID: 320800004
Membership managed by users: jdoe
---------------------------
Number of members removed 1
---------------------------
After removal, neither the group nor its members can manage the members of developers.
Add Existing Local Users to the FreeIPA Directory
The script below creates each local user with the username as the initial password. Because the password was set by an administrator, FreeIPA marks it as expired and the user is required to change it at first login.
#!/bin/bash
# Extract local users with a 4-digit UID (1000-9999) and add them to FreeIPA.
# This is an example: adapt the UID range to your own site.
while IFS=: read -r user _ uid _ gecos _; do
    # keep only regular local accounts in the 1000-9999 range
    case "$uid" in [1-9][0-9][0-9][0-9]) ;; *) continue ;; esac
    # GECOS usually holds "First Last"; drop any trailing ",,," fields
    name=${gecos%%,*}
    first=${name%% *}
    last=${name#* }
    # fall back to the login name when GECOS is empty or has a single word
    [ -z "$first" ] && first=$user
    { [ -z "$last" ] || [ "$last" = "$name" ]; } && last=$user
    # with stdin not a terminal, ipa reads the password as one line
    # instead of prompting; the login name is used as the initial password
    printf '%s\n' "$user" |
        ipa user-add "$user" --first="$first" --last="$last" --password
done < /etc/passwd