Learn how to install FreeIPA on Rocky Linux 9 with our comprehensive step-by-step guide. Set up this powerful identity management and authentication system to enhance your network security and management. #centlinux #linux #freeipa
What is FreeIPA?
FreeIPA is a free and open source identity management system. FreeIPA is the upstream open-source project for Red Hat Identity Management. FreeIPA aims to provide a centrally managed Identity, Policy, and Audit (IPA) system. It uses a combination of Fedora Linux, 389 Directory Server, MIT Kerberos, NTP, DNS, the DogTag certificate system, SSSD and other free/open-source components. (FreeIPA Official website)
FreeIPA includes extensible management interfaces (CLI, Web UI, XMLRPC and JSONRPC API) and Python SDK for the integrated CA, and BIND with a custom plugin for the integrated DNS server. Each of the major components of FreeIPA operates as a preexisting free/open-source project. The bundling of these components into a single manageable suite with a comprehensive management interface is GPLv3, but that does not change the licenses of the components.
Since version 3.0.0, FreeIPA uses Samba to integrate with Microsoft’s Active Directory by way of Cross Forest Trusts. FreeIPA provides support for Linux, Unix-based, Windows and Mac OS X computers.

Environment Specification
We are using a minimal Rocky Linux 9 virtual machine with the following specifications.
- CPU – 3.4 GHz (2 cores)
- Memory – 2 GB
- Storage – 20 GB
- Operating System – Rocky Linux release 9.0 (Blue Onyx)
- Hostname – ipa-server-01.centlinux.com
- IP Address – 192.168.116.5/24
For a versatile and efficient Home Lab setup to experiment with FreeIPA and other Linux server projects on Rocky Linux 9, consider using either a compact Mini PC or a reliable VPS like Bluehost. Mini PCs provide dedicated local hardware, perfect for hands-on learning, uninterrupted testing, and complete control over your environment.
[Grab a Mini PC for your Home Lab – Shop with Us!]
Alternatively, a Bluehost VPS offers scalable remote infrastructure with easy access, ideal for experimenting with server deployments and cloud-based configurations without hardware constraints.
[Try Bluehost VPS Now – Perfect for Linux & DevOps Enthusiasts!]
Both options allow you to tailor your environment and gain valuable practical experience in managing identity services.
Disclaimer: This post may contain affiliate links. If you make a purchase through these links, I may earn a small commission at no extra cost to you, which supports the ongoing creation of Linux and DevOps tutorials.
Update your Rocky Linux 9 Server
Connect to ipa-server-01.centlinux.com as the root user using an SSH client.
Refresh the dnf cache by executing the following command.
dnf makecache
Execute the following dnf command to update your Rocky Linux server.
dnf update -y
If the above command updates your Linux kernel, reboot the operating system before moving forward.
reboot
After the reboot, check your Linux kernel and operating system versions.
cat /etc/rocky-release
uname -r
Output:
Rocky Linux release 9.0 (Blue Onyx)
5.14.0-70.22.1.el9_0.x86_64
Configure Server Time Zone
The FreeIPA server provides NTP service to network devices, so set the time zone before performing the IPA server configuration.
timedatectl set-timezone America/Chicago
Verify that the time zone has been set successfully.
timedatectl
Output:
Local time: Sun 2022-09-11 11:16:55 CDT
Universal time: Sun 2022-09-11 16:16:55 UTC
RTC time: Sun 2022-09-11 16:16:56
Time zone: America/Chicago (CDT, -0500)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
Set Static IP Address and Hostname
Using the hostnamectl command, set an FQDN for your Linux server.
hostnamectl set-hostname ipa-server-01.centlinux.com
Set a static IP address, default gateway and DNS server for your network connection by executing the nmcli command.
nmcli connection modify ens33 \
ipv4.method manual \
ipv4.address 192.168.116.5/24 \
ipv4.gateway 192.168.116.2 \
ipv4.dns 192.168.116.2
Restart the network connection to apply the changes.
nmcli connection down ens33 ; nmcli c up ens33
Output:
Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
Execute the following command to add a local /etc/hosts entry so that the server's FQDN resolves even without an external DNS server.
echo "192.168.116.5 ipa-server-01.centlinux.com ipa-server-01" >> /etc/hosts
Perform a ping test to verify the above server configuration.
ping ipa-server-01.centlinux.com
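Before running ipa-server-install it is worth confirming what the installer will derive from the hostname and address configured above, since the Kerberos realm, the LDAP base DN and the reverse zone all come from them. The following POSIX shell script is an added example, not part of the original post: it derives those values, checks that the hostname is fully qualified and that an /etc/hosts-style file (passed as an argument) carries the entry added above; the hosts file it creates for its own run is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): pre-install sanity checks for a FreeIPA
# server. Derives the values ipa-server-install will report from the post's inputs and
# checks that an /etc/hosts-style file maps the FQDN to the static address.
# Only POSIX sh, awk and tr are used, so it runs before any IPA package is installed.

# The Kerberos realm is the DNS domain in upper case (centlinux.com -> CENTLINUX.COM).
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The LDAP base DN has one dc= component per domain label (centlinux.com -> dc=centlinux,dc=com).
basedn_from_domain() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Reverse zone for a classful /8, /16 or /24 network, which is what --setup-dns
# --auto-reverse creates for the /24 in the post (192.168.116.5/24 ->
# 116.168.192.in-addr.arpa.). For other prefix lengths the function declines (returns 1)
# rather than guess; read the installer's "Reverse zone ... will be created" line instead.
reverse_zone_from_cidr() {
    ip=${1%/*}
    prefix=${1#*/}
    case "$prefix" in
        8)  octets=1 ;;
        16) octets=2 ;;
        24) octets=3 ;;
        *)  return 1 ;;
    esac
    printf '%s' "$ip" | awk -F. -v n="$octets" '{
        out = ""
        for (i = n; i >= 1; i--) out = out $i "."
        print out "in-addr.arpa."
    }'
}

# ipa-server-install needs a fully qualified name: a host label plus a domain of at
# least two labels (single-label domains are rejected), and not a localhost-style name.
is_fqdn() {
    case "$1" in
        localhost|localhost.*|*.localdomain) return 1 ;;
        *.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# hosts_file_maps FILE IP FQDN: succeed only when FILE has a non-comment line whose
# address is IP and whose names include FQDN, i.e. the line the post appends to /etc/hosts.
hosts_file_maps() {
    awk -v ip="$2" -v fqdn="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Stand-alone run with the values from the post and a constructed sample hosts file.
HOSTNAME_FQDN=ipa-server-01.centlinux.com
DOMAIN=${HOSTNAME_FQDN#*.}
CIDR=192.168.116.5/24
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
192.168.116.5 ipa-server-01.centlinux.com ipa-server-01
EOF

echo "Realm:        $(realm_from_domain "$DOMAIN")"
echo "Base DN:      $(basedn_from_domain "$DOMAIN")"
echo "Reverse zone: $(reverse_zone_from_cidr "$CIDR" || echo '(classless, create by hand)')"
is_fqdn "$HOSTNAME_FQDN" && echo "Hostname OK:  $HOSTNAME_FQDN" || echo "Hostname is not an FQDN"
if hosts_file_maps "$SAMPLE_HOSTS" "${CIDR%/*}" "$HOSTNAME_FQDN"; then
    echo "/etc/hosts:   maps ${CIDR%/*} to $HOSTNAME_FQDN"
else
    echo "/etc/hosts:   missing entry for $HOSTNAME_FQDN"
fi
rm -f "$SAMPLE_HOSTS"
```

Point hosts_file_maps at the real /etc/hosts on the server to check the entry before starting the installer.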
Install FreeIPA on Rocky Linux 9
All packages required to install FreeIPA on Rocky Linux 9 are available in the standard repositories, so you can install them with the dnf command.
dnf install -y freeipa-server freeipa-server-dns freeipa-client
To set up your IPA server, execute the ipa-server-install command.
You can run ipa-server-install in either interactive or unattended mode.
The following variation of the ipa-server-install command installs and configures your IPA server in unattended mode.
ipa-server-install \
--unattended \
--realm CENTLINUX.COM \
--ds-password Ahmer@1234 \
--admin-password Ahmer@1234 \
--setup-dns \
--auto-reverse \
--forwarder 192.168.116.2
Output:
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.8
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure SID generation
* Configure the KDC to enable PKINIT
Warning: skipping DNS resolution of host ipa-server-01.centlinux1.com
The domain name has been determined based on the host name.
Checking DNS domain centlinux.com., please wait ...
Checking DNS forwarders, please wait ...
Checking DNS domain 116.168.192.in-addr.arpa., please wait ...
Reverse zone 116.168.192.in-addr.arpa. will be created
Using reverse zone(s) 116.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
The IPA Master Server will be configured with:
Hostname: ipa-server-01.centlinux.com
IP address(es): 192.168.116.5
Domain name: centlinux1.com
Realm name: CENTLINUX1.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=CENTLINUX.COM
Subject base: O=CENTLINUX.COM
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.116.2
Forward policy: only
Reverse zone(s): 116.168.192.in-addr.arpa.
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=centlinux,dc=com ...
Perform post-installation tasks ...
[2/41]: tune ldbm plugin
[3/41]: adding default schema
[4/41]: enabling memberof plugin
[5/41]: enabling winsync plugin
[6/41]: configure password logging
[7/41]: configuring replication version plugin
[8/41]: enabling IPA enrollment plugin
[9/41]: configuring uniqueness plugin
[10/41]: configuring uuid plugin
[11/41]: configuring modrdn plugin
[12/41]: configuring DNS plugin
[13/41]: enabling entryUSN plugin
[14/41]: configuring lockout plugin
[15/41]: configuring topology plugin
[16/41]: creating indices
[17/41]: enabling referential integrity plugin
[18/41]: configuring certmap.conf
[19/41]: configure new location for managed entries
[20/41]: configure dirsrv ccache and keytab
[21/41]: enabling SASL mapping fallback
[22/41]: restarting directory server
[23/41]: adding sasl mappings to the directory
[24/41]: adding default layout
[25/41]: adding delegation layout
[26/41]: creating container for managed entries
[27/41]: configuring user private groups
[28/41]: configuring netgroups from hostgroups
[29/41]: creating default Sudo bind user
[30/41]: creating default Auto Member layout
[31/41]: adding range check plugin
[32/41]: creating default HBAC rule allow_all
[33/41]: adding entries for topology management
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: configuring certificate server instance
[2/29]: stopping certificate server instance to update CS.cfg
[3/29]: backing up CS.cfg
[4/29]: Add ipa-pki-wait-running
[5/29]: secure AJP connector
[6/29]: reindex attributes
[7/29]: exporting Dogtag certificate store pin
[8/29]: disabling nonces
[9/29]: set up CRL publishing
[10/29]: enable PKIX certificate path discovery and validation
[11/29]: authorizing RA to modify profiles
[12/29]: authorizing RA to manage lightweight CAs
[13/29]: Ensure lightweight CAs container exists
[14/29]: Ensuring backward compatibility
[15/29]: starting certificate server instance
[16/29]: configure certmonger for renewals
[17/29]: requesting RA certificate from CA
[18/29]: publishing the CA certificate
[19/29]: adding RA agent as a trusted user
[20/29]: configure certificate renewals
[21/29]: Configure HTTP to proxy connections
[22/29]: updating IPA configuration
[23/29]: enabling CA instance
[24/29]: importing IPA certificate profiles
[25/29]: migrating certificate profiles to LDAP
[26/29]: adding default CA ACL
[27/29]: adding 'ipa' CA entry
[28/29]: configuring certmonger renewal for lightweight CAs
[29/29]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: backing up ssl.conf
[3/22]: disabling nss.conf
[4/22]: configuring mod_ssl certificate paths
[5/22]: setting mod_ssl protocol list
[6/22]: configuring mod_ssl log directory
[7/22]: disabling mod_ssl OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: publish CA cert
[15/22]: clean up any existing httpd ccaches
[16/22]: enable ccache sweep
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
[1/8]: creating samba domain object
[2/8]: adding admin(group) SIDs
[3/8]: adding RID bases
[4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/8]: activating sidgen task
[6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/8]: adding fallback group
[8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.9.8
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa-server-01.centlinux.com
Realm: CENTLINUX1.COM
DNS Domain: centlinux1.com
IPA Server: ipa-server-01.centlinux.com
BaseDN: dc=centlinux1,dc=com
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring centlinux1.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
After successful configuration, check the version of your IPA server.
ipa --version
Output:
VERSION: 4.9.8, API_VERSION: 2.246
Configure Linux Firewall
Rocky Linux 9 ships a predefined firewalld service definition for FreeIPA. Allowing this service opens all the relevant ports at once.
firewall-cmd --permanent --add-service=freeipa-4
firewall-cmd --reload
Configure IPA Server
Verify the status of the IPA services.
ipactl status
Output:
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Before administering the FreeIPA server, you need to acquire a Kerberos ticket.
kinit admin
Check the list of available Kerberos tickets.
klist
Output:
Ticket cache: KCM:0
Default principal: admin@CENTLINUX.COM
Valid starting Expires Service principal
09/11/2022 13:40:21 09/12/2022 12:43:44 krbtgt/CENTLINUX.COM@CENTLINUX.COM
You have acquired a Kerberos ticket valid for 23 hours.
Check the FreeIPA server configuration.
ipa config-show
Output:
Maximum username length: 32
Maximum hostname length: 64
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: centlinux.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=CENTLINUX.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: ipa-server-01.centlinux.com
IPA master capable of PKINIT: ipa-server-01.centlinux.com
IPA CA servers: ipa-server-01.centlinux.com
IPA CA renewal master: ipa-server-01.centlinux.com
IPA DNS servers: ipa-server-01.centlinux.com
Configure DNS Server
Allow zone transfers from the local network.
ipa dnszone-mod --allow-transfer=192.168.116.0/24 centlinux.com
Output:
Zone name: centlinux.com.
Active zone: TRUE
Authoritative nameserver: ipa-server-01.centlinux.com.
Administrator e-mail address: hostmaster.centlinux.com.
SOA serial: 1662920566
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant CENTLINUX.COM krb5-self * A; grant CENTLINUX.COM
krb5-self * AAAA; grant CENTLINUX1.COM krb5-self * SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: 192.168.116.0/24;
Add an MX (Mail Exchange) record to your private DNS server.
ipa dnsrecord-add centlinux.com @ --mx-rec="0 mail-server.centlinux.com"
Output:
Record name: @
MX record: 0 mail-server.centlinux.com
NS record: ipa-server-01.centlinux.com.
Configure User Home Directories
You need the nfs-utils package to configure an NFS server; FreeIPA has already installed it as a dependency.
Enable and start the nfs-server and rpcbind services.
systemctl enable --now nfs-server rpcbind
Allow the NFS-related services through the Linux firewall.
firewall-cmd --permanent --add-service={nfs,mountd,rpc-bind}
firewall-cmd --reload
Create a directory to store the FreeIPA users’ home directories.
mkdir /home/guests
Export the users’ home directories.
echo '/home/guests 192.168.116.0/24(rw,sync,no_subtree_check,root_squash)' >> /etc/exports
exportfs -rav
Output:
exporting 192.168.116.0/24:/home/guests
Add the NFS service to the FreeIPA server.
ipa service-add nfs/ipa-server-01.centlinux.com
Output:
---------------------------------------------------------------
Added service "nfs/ipa-server-01.centlinux.com@CENTLINUX.COM"
---------------------------------------------------------------
Principal name: nfs/ipa-server-01.centlinux.com@CENTLINUX.COM
Principal alias: nfs/ipa-server-01.centlinux.com@CENTLINUX.COM
Managed by: ipa-server-01.centlinux.com
To add an entry to the keytab, connect to the kadmin shell.
kadmin.local
Output:
Authenticating as principal admin/admin@CENTLINUX.COM with password.
Now execute the following command to add the required entry.
ktadd nfs/ipa-server-01.centlinux.com
Output:
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes128-cts-hmac-sha256-128 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Exit from the kadmin shell.
exit
Configure the default home directory and shell for new FreeIPA users.
ipa config-mod --homedirectory=/home/guests --defaultshell=/bin/bash
Output:
Maximum username length: 32
Maximum hostname length: 64
Home directory base: /home/guests
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: centlinux.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=CENTLINUX.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: ipa-server-01.centlinux.com
IPA master capable of PKINIT: ipa-server-01.centlinux.com
IPA CA servers: ipa-server-01.centlinux.com
IPA CA renewal master: ipa-server-01.centlinux.com
IPA DNS servers: ipa-server-01.centlinux.com
Create a FreeIPA user
Create a new FreeIPA user with the following command.
ipa user-add ipauser1 --first=ahmer --last=m --password
Output:
Password:
Enter Password again to verify:
---------------------
Added user "ipauser1"
---------------------
User login: ipauser1
First name: ahmer
Last name: m
Full name: ahmer m
Display name: ahmer m
Initials: am
Home directory: /home/guests/ipauser1
GECOS: ahmer m
Login shell: /bin/bash
Principal name: ipauser1@CENTLINUX.COM
Principal alias: ipauser1@CENTLINUX.COM
User password expiration: 20220911184641Z
Email address: ipauser1@centlinux.com
UID: 930600003
GID: 930600003
Password: True
Member of groups: ipausers
Kerberos keys available: True
Create the home directory for the FreeIPA user.
mkdir -m0750 -p /home/guests/ipauser1
chown 930600003:930600003 /home/guests/ipauser1
Your FreeIPA server has been configured successfully. Besides the Linux CLI, you can also administer your server through Identity Management, the web-based user interface that ships with FreeIPA.
Open URL https://ipa-server-01.centlinux.com/ipa/ui in a web browser.

Log in as the admin user.

Add a Linux Client in IPA Server
Add a new Linux machine to the FreeIPA server.
ipa host-add --ip-address 192.168.116.11 ipa-client1.centlinux.com
Output:
---------------------------------------
Added host "ipa-client1.centlinux.com"
---------------------------------------
Host name: ipa-client1.centlinux.com
Principal name: host/ipa-client1.centlinux.com@CENTLINUX.COM
Principal alias: host/ipa-client1.centlinux.com@CENTLINUX.COM
Password: False
Keytab: False
Managed by: ipa-client1.centlinux.com
Add our Linux machine to the DNS server.
ipa dnsrecord-add centlinux.com ipaclient1 --ttl=3600 --a-ip-address=192.168.116.11
Output:
Record name: ipaclient1
Time to live: 3600
A record: 192.168.116.11
Install IPA Client on Linux
To configure a Linux machine as a FreeIPA client, install the following package on it.
dnf install -y freeipa-client
Configure autofs to automatically mount the FreeIPA users’ home directories on the client machine after a successful login.
echo '* -rw 192.168.116.5:/home/guests/&' >> /etc/auto.guests
echo '/home/guests /etc/auto.guests' >> /etc/auto.master
Enable and start the autofs service.
systemctl enable --now autofs.service
Add the DNS server to the network configuration of the Linux client.
nmcli c m ens33 ipv4.dns 192.168.116.5
nmcli c down ens33 ; nmcli c up ens33
Test DNS resolution using the dig command.
dig ipa-server-01.centlinux.com
Output:
; <<>> DiG 9.16.23-RH <<>> ipa-server-01.centlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50501
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cf3d2ea5d1b3b69e01000000631f525df897f1176b2d53e6 (good)
;; QUESTION SECTION:
;ipa-server-01.centlinux1.com. IN A
;; ANSWER SECTION:
ipa-server-01.centlinux1.com. 1200 IN A 192.168.116.5
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 12 10:38:05 CDT 2022
;; MSG SIZE rcvd: 101
Configure the Linux client using the ipa-client-install command.
ipa-client-install \
--enable-dns-updates \
--mkhomedir \
--ntp-server=192.168.116.5:323
Output:
This program will set up IPA client.
Version 4.8.0
Discovery was successful!
Client hostname: ipa-client1.centlinux.com
Realm: CENTLINUX.COM
DNS Domain: centlinux.com
IPA Server: ipa-server-01.centlinux.com
BaseDN: dc=centlinux,dc=com
NTP server: 192.168.116.5:323
Continue to configure the system with these values? [no]: yes
Synchronizing time
Augeas failed to configure file /etc/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@CENTLINUX.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CENTLINUX.COM
Issuer: CN=Certificate Authority,O=CENTLINUX.COM
Valid From: 2020-02-06 18:32:37
Valid Until: 2040-02-06 18:32:37
Enrolled in IPA realm CENTLINUX1.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm CENTLINUX1.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring centlinux1.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Edit the SSH server configuration to use your FreeIPA service.
vi /etc/ssh/sshd_config
Find and set the following directives in this file.
KerberosAuthentication no
UsePAM yes
Restart sshd.service to apply the changes.
systemctl restart sshd.service
Now log in as ipauser1.
su - ipauser1
Check the status of the ipauser1 home directory.
mount | grep /ipauser1
Output:
192.168.116.5:/home/guests/ipauser1 on /home/guests/ipauser1 type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.116.11,local_lock=none,addr=192.168.116.5)
You can see that the home directory for user ipauser1 has been mounted by the autofs service.
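The sshd_config edit above deserves one check on Rocky Linux 9: the stock file begins with Include /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it reads for a keyword, so a drop-in (ipa-client-install writes one, 04-ipa.conf, as the server output earlier shows) can override a directive changed further down in the main file. The script below is an added example, not part of the original post: set_sshd_directive edits a directive idempotently in whatever file you name, and effective_sshd_value reports which value sshd would actually apply across files given in read order; the files it builds for its own run are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): edit an sshd directive without leaving
# duplicates behind, then report the value sshd will actually use when Include'd
# drop-ins are read first. sshd keeps the FIRST value it sees for a keyword, and the
# stock Rocky Linux 9 sshd_config opens with "Include /etc/ssh/sshd_config.d/*.conf",
# so a drop-in can silently override an edit made later in the main file.

# set_sshd_directive FILE KEYWORD VALUE
# Replace every active or commented-out "KEYWORD ..." line in FILE with a single
# "KEYWORD VALUE" line, or append one when the keyword is absent. Matching is
# case-insensitive and accepts the "Keyword=value" form, as sshd does. The file is
# rewritten in place through cat so its mode, owner and SELinux label are preserved.
set_sshd_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indent and a leading "#"
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lkey) {
                if (!done) { print key " " value; done = 1 }   # emit once, skip repeats
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# effective_sshd_value KEYWORD FILE...
# Print the value sshd would apply for KEYWORD given FILEs in the order sshd reads
# them (drop-ins first when the Include sits at the top of sshd_config). Comments and
# blank lines are skipped; the first active occurrence wins. Returns 1 when unset.
effective_sshd_value() {
    lkey=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    awk -v lkey="$lkey" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) next
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lkey) { print f[2]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$@"
}

# Stand-alone run on constructed files (not a real host's configuration).
WORK=$(mktemp -d)
mkdir "$WORK/sshd_config.d"
cat > "$WORK/sshd_config" <<EOF
Include $WORK/sshd_config.d/*.conf
#KerberosAuthentication no
UsePAM no
EOF
# A constructed local hardening drop-in that happens to set UsePAM too.
printf 'GSSAPIAuthentication yes\nUsePAM no\n' > "$WORK/sshd_config.d/50-site.conf"

set_sshd_directive "$WORK/sshd_config" KerberosAuthentication no
set_sshd_directive "$WORK/sshd_config" UsePAM yes
echo "--- main file after the edit:"
cat "$WORK/sshd_config"
for kw in KerberosAuthentication UsePAM; do
    printf 'effective %s: %s\n' "$kw" \
        "$(effective_sshd_value "$kw" "$WORK"/sshd_config.d/*.conf "$WORK/sshd_config")"
done
# On a real host, confirm with: sshd -T | grep -iE '^(kerberosauthentication|usepam)'
rm -rf "$WORK"
```

The run shows UsePAM resolving to no despite the edit, because the drop-in is read first; set the directive in the drop-in as well, or remove the conflicting line there.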
Final Thoughts
Congratulations on successfully learning how to install FreeIPA on Rocky Linux 9! With FreeIPA set up, you now have a robust identity management and authentication system that enhances your network security and management. Utilize its powerful features to streamline user management, improve access controls, and ensure secure authentication across your network.
Need a dependable Linux system administrator? I specialize in managing, optimizing, and securing Linux servers to keep your operations running flawlessly. Check out my services!
FAQs
1. Can FreeIPA be installed alongside other identity services like LDAP?
Yes, but it requires careful configuration to avoid conflicts, as FreeIPA uses its own integrated LDAP server.
2. Is a GUI available for managing FreeIPA on Rocky Linux 9?
FreeIPA offers a web UI for management, but initial setup and advanced tasks typically use the command line.
3. What are the minimal hardware requirements for FreeIPA on a small server?
At least 2 CPU cores, 4GB RAM, and 20GB disk space are recommended for basic FreeIPA operation.
4. Can FreeIPA be used to manage Windows clients in a Rocky Linux environment?
Yes, FreeIPA supports integration with Windows clients via Kerberos and LDAP protocols.
5. How do I back up FreeIPA data safely before making changes?
Use the built-in ipa-backup command to create a consistent backup of configuration and data.
What’s Next
If you’re serious about building a career in IT, the Complete Linux Training Course to Get Your Dream IT Job 2025 by Imran Afzal is one of the best investments you can make in yourself. This highly rated course takes you from the basics of Linux to advanced system administration skills, preparing you for real-world IT roles and certifications.
Whether you’re a beginner or brushing up your skills, the structured lessons, hands-on labs, and career-oriented approach make it a perfect choice to boost your confidence and job readiness. Enroll now and start your Linux journey today!
Disclaimer: This post contains affiliate links. If you purchase through these links, I may earn a small commission at no additional cost to you. This helps support the site and allows me to continue creating valuable content.

