FreeIPA Client Configuration in Linux

Learn how to perform a FreeIPA client configuration on Linux for centralized authentication and identity management. Step-by-step guidance included. #centlinux #linux #freeipa

What is FreeIPA Client?

A FreeIPA Client is a system that is configured to interact with a FreeIPA server for centralized identity management and authentication services. Here are the key aspects and functionalities of a FreeIPA Client:

1. Authentication: The Client authenticates users against the FreeIPA server using technologies like Kerberos and LDAP.
2. SSO (Single Sign-On): Once authenticated, users can access various services and resources without needing to re-enter their credentials, enhancing user convenience and security.
3. Identity Management: The Client can manage user accounts, groups, and policies locally, with updates synchronized with the FreeIPA server.
4. Automated Configuration: Client configuration typically involves automated setup of system services (such as Kerberos, LDAP client, and DNS settings) to integrate seamlessly with the FreeIPA domain.
5. Secure Communication: All communications between the FreeIPA Server and Client are encrypted, ensuring the confidentiality and integrity of data transmissions.
6. Policy Enforcement: FreeIPA Clients can enforce access control policies defined centrally on the FreeIPA server, ensuring consistent security across the network.
7. Integration with Linux Systems: FreeIPA Clients are primarily designed for integration with Linux and Unix-like operating systems, providing a cohesive identity and access management solution within these environments.

Overall, FreeIPA Clients extend the capabilities of the FreeIPA server by allowing systems to leverage centralized authentication and identity management services, thereby simplifying administration and enhancing security in enterprise environments.

Environment Specification

We have successfully configured a Identity Management (IdM) Server using FreeIPA in my previous post install FreeIPA Server on CentOS 7. Now it’s time to configure a Linux Machine as FreeIPA client.

FreeIPA Server

• IP Address – 192.168.116.200/24
• Hostname – ipaserver.example.com

FreeIPA Client

• IP Address – 192.168.116.201/24
• Hostname – client1.example.com

Recommended Training: Complete Linux Training Course to Get Your Dream IT Job 2025 from Imran Afzal

FreeIPA Server-Side Configuration

Connect to ipaserver.example.com and add ‘A’ record of client1.example.com to DNS Server.

kinit admin
ipa dnsrecord-add example.com client1 --ttl=3600 --a-ip-

Output:

address=192.168.116.201
  Record name: client1
  Time to live: 3600
  A record: 192.168.116.201

TP-Link Dual-Band AX3000 Wi-Fi 6 Router Archer AX55 | Wireless Gigabit Internet Router for Home | EasyMesh Compatible | VPN Clients & Server | HomeShield, OFDMA, MU-MIMO | USB 3.0 | Secure by Design

(4459948)

$71.99 (as of June 21, 2025 19:12 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

FreeIPA Client Configuration in Linux

Connect to client1.example.com now and set DNS Server settings.

nmcli connection modify eno16777728 ipv4.dns 192.168.116.200
nmcli connection down eno16777728 ; nmcli connection up eno16777728

Install required packages. Our client already configured to use a local yum repository.

yum install -y ipa-client

To keep it brief, I trimmed the output of the command above. Let’s configure FreeIPA Client now.

ipa-client-install --force-ntpd

Output:

Discovery was successful!
Hostname: client1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipaserver.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Fri Jul 27 17:03:24 2018 UTC
    Valid Until: Tue Jul 27 17:03:24 2038 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipaserver.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipaserver.example.com/ipa/xml'
Forwarding 'env' to server 'https://ipaserver.example.com/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server 'https://ipaserver.example.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

I used –force-ntpd option to force use of ntpd because, myclient is using the chronyd service and it is conflicting with ntpd.

To let the system, create Users’ home directories on first login, use the following command.

authconfig --update --enablemkhomedir

client1.example.com has been successfully configured as FreeIPA Client.

Login to client1.example.com with a central user. I am login with user ahmer that I have created during configuration of FreeIPA Server.

su - ahmer

Check user information.

id

Output:

uid=1692200001(ahmer) gid=1692200001(ahmer) groups=1692200001(ahmer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c102I use id command to confirm the UID of the user and that the user ahmer is a central user.

Linux QuickStudy Laminated Reference Guide (QuickStudy Computer)

(4751134)

$6.95 (as of June 21, 2025 19:51 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

Conclusion – FreeIPA Client Configuration in Linux

Configuring a FreeIPA client on Linux enhances your system’s integration with a centralized identity management solution. By joining your system to a FreeIPA server, you enable streamlined authentication, improved security, and easier management of user access. With these configurations in place, your environment benefits from simplified administration and a more robust security posture.

Struggling with Linux server management? I offer professional support to ensure your servers are secure, optimized, and always available. Visit my Fiverr profile to learn more!