Learn how to install FreeIPA on Rocky Linux 9 with our comprehensive step-by-step guide. Set up this powerful identity management and authentication system to enhance your network security and management. #centlinux #linux #freeipa
Table of Contents
What is FreeIPA? :
FreeIPA is a free and open source identity management system. FreeIPA is the upstream open-source project for Red Hat Identity Management. FreeIPA aims to provide a centrally managed Identity, Policy, and Audit (IPA) system. It uses a combination of Fedora Linux, 389 Directory Server, MIT Kerberos, NTP, DNS, the DogTag certificate system, SSSD and other free/open-source components.
FreeIPA includes extensible management interfaces (CLI, Web UI, XMLRPC and JSONRPC API) and Python SDK for the integrated CA, and BIND with a custom plugin for the integrated DNS server. Each of the major components of FreeIPA operates as a preexisting free/open-source project. The bundling of these components into a single manageable suite with a comprehensive management interface is GPLv3, but that does not change the licenses of the components.
Since version 3.0.0, FreeIPA uses Samba to integrate with Microsoft’s Active Directory by way of Cross Forest Trusts. FreeIPA provides support for Linux, Unix-based, Windows and Mac OS X computers.
Environment Specification
We are using a minimal Rocky Linux 9 virtual machine with following specifications.
- CPU – 3.4 Ghz (2 cores)
- Memory – 2 GB
- Storage – 20 GB
- Operating System – Rocky Linux release 9.0 (Blue Onyx)
- Hostname – ipa-server-01.centlinux.com
- IP Address – 192.168.116.5/24
Update your Rocky Linux 9 Server
Connect with ipa-server-01.centlinux.com as root user by using a ssh client.
Refresh the yum cache by executing following command.
# dnf makecache Rocky Linux 9 - BaseOS 1.5 kB/s | 3.6 kB 00:02 Rocky Linux 9 - AppStream 1.3 kB/s | 3.6 kB 00:02 Rocky Linux 9 - Extras 1.5 kB/s | 2.9 kB 00:01 Metadata cache created.
Execute following dnf command to update your Rocky Linux server.
# dnf update -y
If the above command updates your Linux Kernel, then you should reboot your operating system before moving forward.
# reboot
After reboot, check your Linux Kernel and operating system versions.
# cat /etc/rocky-release Rocky Linux release 9.0 (Blue Onyx) # uname -r 5.14.0-70.22.1.el9_0.x86_64
Configure Server Time Zone
The FreeIPA server provides the NTP services to network devices, therefore it is recommended that you should set the time zone before performing IPA server configurations.
# timedatectl set-timezone America/Chicago
Verify that the time zone is set successfully.
# timedatectl
Local time: Sun 2022-09-11 11:16:55 CDT
Universal time: Sun 2022-09-11 16:16:55 UTC
RTC time: Sun 2022-09-11 16:16:56
Time zone: America/Chicago (CDT, -0500)
System clock synchronized: yes
NTP service: active
RTC in local TZ: noSet Static IP Address and Hostname:
By using hostnamectl command, set a FQDN for your Linux server.
# hostnamectl set-hostname ipa-server-01.centlinux.com
Set a Static IP Address, Default Gateway and DNS for your network connection by executing nmcli command.
# nmcli connection modify ens33 > ipv4.method manual > ipv4.address 192.168.116.5/24 > ipv4.gateway 192.168.116.2 > ipv4.dns 192.168.116.2
Restart network connection to apply changes.
# nmcli connection down ens33 ; nmcli c up ens33 Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2) Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
Execute following command to configure name resolution by means of Local DNS Resolver.
# echo "192.168.116.5 ipa-server-01.centlinux.com ipa-server-01" >> /etc/hosts
Perform a ping test to verify your above server configurations.
# ping ipa-server-01.centlinux1.com PING ipa-server-01.centlinux1.com (192.168.116.5) 56(84) bytes of data. 64 bytes from ipa-server-01.centlinux1.com (192.168.116.5): icmp_seq=1 ttl=64 time=0.066 ms 64 bytes from ipa-server-01.centlinux1.com (192.168.116.5): icmp_seq=2 ttl=64 time=0.100 ms ^C
Install FreeIPA on Rocky Linux 9
All packages that are required to install FreeIPA on Rocky Linux 9 are available in standard yum repositories. Therefore, you can easily install it by using dnf commmand.
# dnf install -y freeipa-server freeipa-server-dns freeipa-client
To setup your IPA server, you need to execute ipa-server-install command.
You can either execute ipa-server-install command in interactive mode or unattended mode.
Following variation of ipa-server-install command installs and configures your IPA server in unattended mode.
# ipa-server-install
> --unattended
> --realm CENTLINUX.COM
> --ds-password Ahmer@1234
> --admin-password Ahmer@1234
> --setup-dns
> --auto-reverse
> --forwarder 192.168.116.2
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.8
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure SID generation
* Configure the KDC to enable PKINIT
Warning: skipping DNS resolution of host ipa-server-01.centlinux1.com
The domain name has been determined based on the host name.
Checking DNS domain centlinux.com., please wait ...
Checking DNS forwarders, please wait ...
Checking DNS domain 116.168.192.in-addr.arpa., please wait ...
Reverse zone 116.168.192.in-addr.arpa. will be created
Using reverse zone(s) 116.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
The IPA Master Server will be configured with:
Hostname: ipa-server-01.centlinux.com
IP address(es): 192.168.116.5
Domain name: centlinux1.com
Realm name: CENTLINUX1.COM
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=CENTLINUX.COM
Subject base: O=CENTLINUX.COM
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.116.2
Forward policy: only
Reverse zone(s): 116.168.192.in-addr.arpa.
Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=centlinux,dc=com ...
Perform post-installation tasks ...
[2/41]: tune ldbm plugin
[3/41]: adding default schema
[4/41]: enabling memberof plugin
[5/41]: enabling winsync plugin
[6/41]: configure password logging
[7/41]: configuring replication version plugin
[8/41]: enabling IPA enrollment plugin
[9/41]: configuring uniqueness plugin
[10/41]: configuring uuid plugin
[11/41]: configuring modrdn plugin
[12/41]: configuring DNS plugin
[13/41]: enabling entryUSN plugin
[14/41]: configuring lockout plugin
[15/41]: configuring topology plugin
[16/41]: creating indices
[17/41]: enabling referential integrity plugin
[18/41]: configuring certmap.conf
[19/41]: configure new location for managed entries
[20/41]: configure dirsrv ccache and keytab
[21/41]: enabling SASL mapping fallback
[22/41]: restarting directory server
[23/41]: adding sasl mappings to the directory
[24/41]: adding default layout
[25/41]: adding delegation layout
[26/41]: creating container for managed entries
[27/41]: configuring user private groups
[28/41]: configuring netgroups from hostgroups
[29/41]: creating default Sudo bind user
[30/41]: creating default Auto Member layout
[31/41]: adding range check plugin
[32/41]: creating default HBAC rule allow_all
[33/41]: adding entries for topology management
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: configuring certificate server instance
[2/29]: stopping certificate server instance to update CS.cfg
[3/29]: backing up CS.cfg
[4/29]: Add ipa-pki-wait-running
[5/29]: secure AJP connector
[6/29]: reindex attributes
[7/29]: exporting Dogtag certificate store pin
[8/29]: disabling nonces
[9/29]: set up CRL publishing
[10/29]: enable PKIX certificate path discovery and validation
[11/29]: authorizing RA to modify profiles
[12/29]: authorizing RA to manage lightweight CAs
[13/29]: Ensure lightweight CAs container exists
[14/29]: Ensuring backward compatibility
[15/29]: starting certificate server instance
[16/29]: configure certmonger for renewals
[17/29]: requesting RA certificate from CA
[18/29]: publishing the CA certificate
[19/29]: adding RA agent as a trusted user
[20/29]: configure certificate renewals
[21/29]: Configure HTTP to proxy connections
[22/29]: updating IPA configuration
[23/29]: enabling CA instance
[24/29]: importing IPA certificate profiles
[25/29]: migrating certificate profiles to LDAP
[26/29]: adding default CA ACL
[27/29]: adding 'ipa' CA entry
[28/29]: configuring certmonger renewal for lightweight CAs
[29/29]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: backing up ssl.conf
[3/22]: disabling nss.conf
[4/22]: configuring mod_ssl certificate paths
[5/22]: setting mod_ssl protocol list
[6/22]: configuring mod_ssl log directory
[7/22]: disabling mod_ssl OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: publish CA cert
[15/22]: clean up any existing httpd ccaches
[16/22]: enable ccache sweep
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
[1/8]: creating samba domain object
[2/8]: adding admin(group) SIDs
[3/8]: adding RID bases
[4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/8]: activating sidgen task
[6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/8]: adding fallback group
[8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.9.8
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa-server-01.centlinux.com
Realm: CENTLINUX1.COM
DNS Domain: centlinux1.com
IPA Server: ipa-server-01.centlinux.com
BaseDN: dc=centlinux1,dc=com
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring centlinux1.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
After successful configuration, check the version of your IPA server.
# ipa --version VERSION: 4.9.8, API_VERSION: 2.246
Configure Linux Firewall:
Rocky Linux 9 has a predefined Firewall service for FreeIPA. You can allow this service to open all the relevant service ports at once.
# firewall-cmd --permanent --add-service=freeipa-4 success # firewall-cmd --reload success
Configure IPA Server:
Verify the status of IPA services.
# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful
Before starting administration of FreeIPA server, you need to acquire a Kerberos ticket.
# kinit admin
Password for admin@CENTLINUX.COM:
Check list of available kerberos tickets.
# klist
Ticket cache: KCM:0
Default principal: admin@CENTLINUX.COM
Valid starting Expires Service principal
09/11/2022 13:40:21 09/12/2022 12:43:44 krbtgt/CENTLINUX.COM@CENTLINUX.COM
You have acquired a kerberos ticket for 23 hours.
Check FreeIPA server configurations.
# ipa config-show
Maximum username length: 32
Maximum hostname length: 64
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: centlinux.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=CENTLINUX.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: ipa-server-01.centlinux.com
IPA master capable of PKINIT: ipa-server-01.centlinux.com
IPA CA servers: ipa-server-01.centlinux.com
IPA CA renewal master: ipa-server-01.centlinux.com
IPA DNS servers: ipa-server-01.centlinux.com
Configure DNS Server
Allow zone transfer from local network.
# ipa dnszone-mod --allow-transfer=192.168.116.0/24 centlinux.com
Zone name: centlinux.com.
Active zone: TRUE
Authoritative nameserver: ipa-server-01.centlinux.com.
Administrator e-mail address: hostmaster.centlinux.com.
SOA serial: 1662920566
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant CENTLINUX.COM krb5-self * A; grant CENTLINUX.COM
krb5-self * AAAA; grant CENTLINUX1.COM krb5-self * SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: 192.168.116.0/24;
Add MX (Mail Exchange) record in your Private DNS server.
# ipa dnsrecord-add centlinux.com @ --mx-rec="0 mail-server.centlinux.com"
Record name: @
MX record: 0 mail-server.centlinux.com
NS record: ipa-server-01.centlinux.com.
Configure User Home Directories
You need to install nfs-utils package to configure a NFS server. FreeIPA has already installed nfs-utils package as a dependency.
Enable and start nfs-server and rpcbind services.
# systemctl enable --now nfs-server rpcbind Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.
Allow NFS server related ports in Linux firewall.
# firewall-cmd --permanent --add-service={nfs,mountd,rpc-bind}
success
# firewall-cmd --reload
successCreate a directory to store FreeIPA users’ home directories.
# mkdir /home/guests
Export users’ home directories.
# echo '/home/guests 192.168.116.0/24(rw,sync,no_subtree_check,root_squash)' >> /etc/exports # exportfs -rav exporting 192.168.116.0/24:/home/guests
Add NFS service in FreeIPA server.
# ipa service-add nfs/ipa-server-01.centlinux.com
---------------------------------------------------------------
Added service "nfs/ipa-server-01.centlinux.com@CENTLINUX.COM"
---------------------------------------------------------------
Principal name: nfs/ipa-server-01.centlinux.com@CENTLINUX.COM
Principal alias: nfs/ipa-server-01.centlinux.com@CENTLINUX.COM
Managed by: ipa-server-01.centlinux.com
Add entry in keytab.
# kadmin.local
Authenticating as principal admin/admin@CENTLINUX.COM with password.
kadmin.local: ktadd nfs/ipa-server-01.centlinux.com
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes128-cts-hmac-sha256-128 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local: exit
Configure default home directory and shell for new FreeIPA users.
# ipa config-mod --homedirectory=/home/guests --defaultshell=/bin/bash
Maximum username length: 32
Maximum hostname length: 64
Home directory base: /home/guests
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: centlinux.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=CENTLINUX.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: ipa-server-01.centlinux.com
IPA master capable of PKINIT: ipa-server-01.centlinux.com
IPA CA servers: ipa-server-01.centlinux.com
IPA CA renewal master: ipa-server-01.centlinux.com
IPA DNS servers: ipa-server-01.centlinux.com
Create a FreeIPA user
Create a new FreeIPA user with the help of following command.
# ipa user-add ipauser1 --first=ahmer --last=m --password
Password:
Enter Password again to verify:
---------------------
Added user "ipauser1"
---------------------
User login: ipauser1
First name: ahmer
Last name: m
Full name: ahmer m
Display name: ahmer m
Initials: am
Home directory: /home/guests/ipauser1
GECOS: ahmer m
Login shell: /bin/bash
Principal name: ipauser1@CENTLINUX.COM
Principal alias: ipauser1@CENTLINUX.COM
User password expiration: 20220911184641Z
Email address: ipauser1@centlinux.com
UID: 930600003
GID: 930600003
Password: True
Member of groups: ipausers
Kerberos keys available: True
Create home directory for FreeIPA user.
# mkdir -m0750 -p /home/guests/ipauser1 # chown 930600003:930600003 /home/guests/ipauser1
Your FreeIPA server has been configured successfully. Besides Linux CLI, you can also perform administration of your Linux server by using the Rocky Identity Management, a web based user interface, provided herewith.
Open URL https://ipa-server-01.centlinux.com/ipa/ui in a web browser.
Login as admin user.
Add a Linux Client in IPA Server
Add a new Linux machine in FreeIPA server.
# ipa host-add --ip-address 192.168.116.11 ipa-client1.centlinux.com
---------------------------------------
Added host "ipa-client1.centlinux.com"
---------------------------------------
Host name: ipa-client1.centlinux.com
Principal name: host/ipa-client1.centlinux.com@CENTLINUX.COM
Principal alias: host/ipa-client1.centlinux.com@CENTLINUX.COM
Password: False
Keytab: False
Managed by: ipa-client1.centlinux.com
Add our Linux machine in DNS server.
# ipa dnsrecord-add centlinux.com ipaclient1 --ttl=3600 --a-ip-address=192.168.116.11
Record name: ipaclient1
Time to live: 3600
A record: 192.168.116.11
Install IPA Client on Linux
To configure a Linux machine as FreeIPA client, you need to install following packages on it.
# dnf install -y freeipa-client
Configure autofs to automatically mount the FreeIPA users’ home directory on ipaclient machine after successful login.
# echo '* -rw 192.168.116.5:/home/guests/&' >> /etc/auto.guests # echo '/home/guests /etc/auto.guests' >> /etc/auto.master
Enable and start autofs service.
# systemctl enable --now autofs.service Created symlink /etc/systemd/system/multi-user.target.wants/autofs.service → /usr/lib/systemd/system/autofs.service.
Add DNS server in network configurations of Linux client.
# nmcli c m ens33 ipv4.dns 192.168.116.5 # nmcli c down ens33 ; nmcli c up ens33 Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1) Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Test DNS resolution by using dig command.
# dig ipa-server-01.centlinux.com
; <<>> DiG 9.16.23-RH <<>> ipa-server-01.centlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50501
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cf3d2ea5d1b3b69e01000000631f525df897f1176b2d53e6 (good)
;; QUESTION SECTION:
;ipa-server-01.centlinux1.com. IN A
;; ANSWER SECTION:
ipa-server-01.centlinux1.com. 1200 IN A 192.168.116.5
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 12 10:38:05 CDT 2022
;; MSG SIZE rcvd: 101
Configure Linux client as follows.
# ipa-client-install
> --enable-dns-updates
> --mkhomedir
> --ntp-server=192.168.116.5:323
This program will set up IPA client.
Version 4.8.0
Discovery was successful!
Client hostname: ipa-client1.centlinux.com
Realm: CENTLINUX.COM
DNS Domain: centlinux.com
IPA Server: ipa-server-01.centlinux.com
BaseDN: dc=centlinux,dc=com
NTP server: 192.168.116.5:323
Continue to configure the system with these values? [no]: yes
Synchronizing time
Augeas failed to configure file /etc/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@CENTLINUX.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CENTLINUX.COM
Issuer: CN=Certificate Authority,O=CENTLINUX.COM
Valid From: 2020-02-06 18:32:37
Valid Until: 2040-02-06 18:32:37
Enrolled in IPA realm CENTLINUX1.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm CENTLINUX1.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring centlinux1.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Edit SSH server configurations to use your FreeIPA service.
# vi /etc/ssh/sshd_config
Find and set following directives in this file.
KerberosAuthentication no UsePAM yes
Restart sshd.service to apply changes.
# systemctl restart sshd.service
Now login as ipauser1.
# su - ipauser1 $ mount | grep /ipauser1 192.168.116.5:/home/guests/ipauser1 on /home/guests/ipauser1 type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.116.11,local_lock=none,addr=192.168.116.5)
You can see that the home directory for user ipauser1 has been mounted by autofs service.
To develop expertise in FreeIPA, we recommend that, you should attend online training: Identity Management on Linux FreeIPA IdM
Video: How to install FreeIPA on Rocky Linux 9
Final Thoughts
Congratulations on successfully learning how to install FreeIPA on Rocky Linux 9! With FreeIPA set up, you now have a robust identity management and authentication system that enhances your network security and management. Utilize its powerful features to streamline user management, improve access controls, and ensure secure authentication across your network. If you need further assistance or custom solutions, feel free to check out my services on Fiverr here.