Site icon CentLinux

How to install FreeIPA on Rocky Linux 9

Share on Social Media

Learn how to install FreeIPA on Rocky Linux 9 with our comprehensive step-by-step guide. Set up this powerful identity management and authentication system to enhance your network security and management. #centlinux #linux #freeipa

What is FreeIPA? :

FreeIPA is a free and open source identity management system. FreeIPA is the upstream open-source project for Red Hat Identity ManagementFreeIPA aims to provide a centrally managed Identity, Policy, and Audit (IPA) system. It uses a combination of Fedora Linux, 389 Directory Server, MIT Kerberos, NTP, DNS, the DogTag certificate system, SSSD and other free/open-source components. 

FreeIPA includes extensible management interfaces (CLI, Web UI, XMLRPC and JSONRPC API) and Python SDK for the integrated CA, and BIND with a custom plugin for the integrated DNS server. Each of the major components of FreeIPA operates as a preexisting free/open-source project. The bundling of these components into a single manageable suite with a comprehensive management interface is GPLv3, but that does not change the licenses of the components.

Since version 3.0.0, FreeIPA uses Samba to integrate with Microsoft’s Active Directory by way of Cross Forest Trusts. FreeIPA provides support for Linux, Unix-based, Windows and Mac OS X computers.

Environment Specification

We are using a minimal Rocky Linux 9 virtual machine with following specifications.

Update your Rocky Linux 9 Server

Connect with ipa-server-01.centlinux.com as root user by using a ssh client.

Refresh the yum cache by executing following command.

# dnf makecache
Rocky Linux 9 - BaseOS                          1.5 kB/s | 3.6 kB     00:02
Rocky Linux 9 - AppStream                       1.3 kB/s | 3.6 kB     00:02
Rocky Linux 9 - Extras                          1.5 kB/s | 2.9 kB     00:01
Metadata cache created.

Execute following dnf command to update your Rocky Linux server.

# dnf update -y

If the above command updates your Linux Kernel, then you should reboot your operating system before moving forward.

# reboot

After reboot, check your Linux Kernel and operating system versions.

# cat /etc/rocky-release
Rocky Linux release 9.0 (Blue Onyx)

# uname -r
5.14.0-70.22.1.el9_0.x86_64

Configure Server Time Zone

The FreeIPA server provides the NTP services to network devices, therefore it is recommended that you should set the time zone before performing IPA server configurations.

# timedatectl set-timezone America/Chicago

Verify that the time zone is set successfully.

# timedatectl
               Local time: Sun 2022-09-11 11:16:55 CDT
           Universal time: Sun 2022-09-11 16:16:55 UTC
                 RTC time: Sun 2022-09-11 16:16:56
                Time zone: America/Chicago (CDT, -0500)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Set Static IP Address and Hostname:

By using hostnamectl command, set a FQDN for your Linux server.

# hostnamectl set-hostname ipa-server-01.centlinux.com

Set a Static IP Address, Default Gateway and DNS for your network connection by executing nmcli command.

# nmcli connection modify ens33 
> ipv4.method manual 
> ipv4.address 192.168.116.5/24 
> ipv4.gateway 192.168.116.2 
> ipv4.dns 192.168.116.2

Restart network connection to apply changes.

# nmcli connection down ens33 ; nmcli c up ens33
Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

Execute following command to configure name resolution by means of Local DNS Resolver.

# echo "192.168.116.5 ipa-server-01.centlinux.com ipa-server-01" >> /etc/hosts

Perform a ping test to verify your above server configurations.

# ping ipa-server-01.centlinux1.com
PING ipa-server-01.centlinux1.com (192.168.116.5) 56(84) bytes of data.
64 bytes from ipa-server-01.centlinux1.com (192.168.116.5): icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from ipa-server-01.centlinux1.com (192.168.116.5): icmp_seq=2 ttl=64 time=0.100 ms
^C

Install FreeIPA on Rocky Linux 9

All packages that are required to install FreeIPA on Rocky Linux 9 are available in standard yum repositories. Therefore, you can easily install it by using dnf commmand.

# dnf install -y freeipa-server freeipa-server-dns freeipa-client

To setup your IPA server, you need to execute ipa-server-install command.

You can either execute ipa-server-install command in interactive mode or unattended mode.

Following variation of ipa-server-install command installs and configures your IPA server in unattended mode.

# ipa-server-install 
> --unattended
> --realm CENTLINUX.COM
> --ds-password Ahmer@1234
> --admin-password Ahmer@1234
> --setup-dns
> --auto-reverse
> --forwarder 192.168.116.2

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.8

This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the NTP client (chronyd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure SID generation
* Configure the KDC to enable PKINIT

Warning: skipping DNS resolution of host ipa-server-01.centlinux1.com
The domain name has been determined based on the host name.

Checking DNS domain centlinux.com., please wait ...
Checking DNS forwarders, please wait ...
Checking DNS domain 116.168.192.in-addr.arpa., please wait ...
Reverse zone 116.168.192.in-addr.arpa. will be created
Using reverse zone(s) 116.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.

The IPA Master Server will be configured with:
Hostname: ipa-server-01.centlinux.com
IP address(es): 192.168.116.5
Domain name: centlinux1.com
Realm name: CENTLINUX1.COM

The CA will be configured with:
Subject DN: CN=Certificate Authority,O=CENTLINUX.COM
Subject base: O=CENTLINUX.COM
Chaining: self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders: 192.168.116.2
Forward policy: only
Reverse zone(s): 116.168.192.in-addr.arpa.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=centlinux,dc=com ...
Perform post-installation tasks ...
[2/41]: tune ldbm plugin
[3/41]: adding default schema
[4/41]: enabling memberof plugin
[5/41]: enabling winsync plugin
[6/41]: configure password logging
[7/41]: configuring replication version plugin
[8/41]: enabling IPA enrollment plugin
[9/41]: configuring uniqueness plugin
[10/41]: configuring uuid plugin
[11/41]: configuring modrdn plugin
[12/41]: configuring DNS plugin
[13/41]: enabling entryUSN plugin
[14/41]: configuring lockout plugin
[15/41]: configuring topology plugin
[16/41]: creating indices
[17/41]: enabling referential integrity plugin
[18/41]: configuring certmap.conf
[19/41]: configure new location for managed entries
[20/41]: configure dirsrv ccache and keytab
[21/41]: enabling SASL mapping fallback
[22/41]: restarting directory server
[23/41]: adding sasl mappings to the directory
[24/41]: adding default layout
[25/41]: adding delegation layout
[26/41]: creating container for managed entries
[27/41]: configuring user private groups
[28/41]: configuring netgroups from hostgroups
[29/41]: creating default Sudo bind user
[30/41]: creating default Auto Member layout
[31/41]: adding range check plugin
[32/41]: creating default HBAC rule allow_all
[33/41]: adding entries for topology management
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: configuring certificate server instance
[2/29]: stopping certificate server instance to update CS.cfg
[3/29]: backing up CS.cfg
[4/29]: Add ipa-pki-wait-running
[5/29]: secure AJP connector
[6/29]: reindex attributes
[7/29]: exporting Dogtag certificate store pin
[8/29]: disabling nonces
[9/29]: set up CRL publishing
[10/29]: enable PKIX certificate path discovery and validation
[11/29]: authorizing RA to modify profiles
[12/29]: authorizing RA to manage lightweight CAs
[13/29]: Ensure lightweight CAs container exists
[14/29]: Ensuring backward compatibility
[15/29]: starting certificate server instance
[16/29]: configure certmonger for renewals
[17/29]: requesting RA certificate from CA
[18/29]: publishing the CA certificate
[19/29]: adding RA agent as a trusted user
[20/29]: configure certificate renewals
[21/29]: Configure HTTP to proxy connections
[22/29]: updating IPA configuration
[23/29]: enabling CA instance
[24/29]: importing IPA certificate profiles
[25/29]: migrating certificate profiles to LDAP
[26/29]: adding default CA ACL
[27/29]: adding 'ipa' CA entry
[28/29]: configuring certmonger renewal for lightweight CAs
[29/29]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: backing up ssl.conf
[3/22]: disabling nss.conf
[4/22]: configuring mod_ssl certificate paths
[5/22]: setting mod_ssl protocol list
[6/22]: configuring mod_ssl log directory
[7/22]: disabling mod_ssl OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: publish CA cert
[15/22]: clean up any existing httpd ccaches
[16/22]: enable ccache sweep
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
[1/8]: creating samba domain object
[2/8]: adding admin(group) SIDs
[3/8]: adding RID bases
[4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/8]: activating sidgen task
[6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/8]: adding fallback group
[8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.9.8

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa-server-01.centlinux.com
Realm: CENTLINUX1.COM
DNS Domain: centlinux1.com
IPA Server: ipa-server-01.centlinux.com
BaseDN: dc=centlinux1,dc=com

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring centlinux1.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
* 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

After successful configuration, check the version of your IPA server.

# ipa --version
VERSION: 4.9.8, API_VERSION: 2.246

Configure Linux Firewall:

Rocky Linux 9 has a predefined Firewall service for FreeIPA. You can allow this service to open all the relevant service ports at once.

# firewall-cmd --permanent --add-service=freeipa-4
success
# firewall-cmd --reload
success

Configure IPA Server:

Verify the status of IPA services.

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Before starting administration of FreeIPA server, you need to acquire a Kerberos ticket.

# kinit admin
Password for admin@CENTLINUX.COM:

Check list of available kerberos tickets.

# klist
Ticket cache: KCM:0
Default principal: admin@CENTLINUX.COM

Valid starting Expires Service principal
09/11/2022 13:40:21 09/12/2022 12:43:44 krbtgt/CENTLINUX.COM@CENTLINUX.COM

You have acquired a kerberos ticket for 23 hours.

Check FreeIPA server configurations.

# ipa config-show
Maximum username length: 32
Maximum hostname length: 64
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: centlinux.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=CENTLINUX.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: ipa-server-01.centlinux.com
IPA master capable of PKINIT: ipa-server-01.centlinux.com
IPA CA servers: ipa-server-01.centlinux.com
IPA CA renewal master: ipa-server-01.centlinux.com
IPA DNS servers: ipa-server-01.centlinux.com

Configure DNS Server

Allow zone transfer from local network.

# ipa dnszone-mod --allow-transfer=192.168.116.0/24 centlinux.com
Zone name: centlinux.com.
Active zone: TRUE
Authoritative nameserver: ipa-server-01.centlinux.com.
Administrator e-mail address: hostmaster.centlinux.com.
SOA serial: 1662920566
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant CENTLINUX.COM krb5-self * A; grant CENTLINUX.COM
krb5-self * AAAA; grant CENTLINUX1.COM krb5-self * SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: 192.168.116.0/24;

Add MX (Mail Exchange) record in your Private DNS server.

# ipa dnsrecord-add centlinux.com @ --mx-rec="0 mail-server.centlinux.com"
Record name: @
MX record: 0 mail-server.centlinux.com
NS record: ipa-server-01.centlinux.com.

Configure User Home Directories

You need to install nfs-utils package to configure a NFS server. FreeIPA has already installed nfs-utils package as a dependency.

Enable and start nfs-server and rpcbind services.

# systemctl enable --now nfs-server rpcbind
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.

Allow NFS server related ports in Linux firewall.

# firewall-cmd --permanent --add-service={nfs,mountd,rpc-bind}
success
# firewall-cmd --reload
success

Create a directory to store FreeIPA users’ home directories.

# mkdir /home/guests

Export users’ home directories.

# echo '/home/guests 192.168.116.0/24(rw,sync,no_subtree_check,root_squash)' >> /etc/exports
# exportfs -rav
exporting 192.168.116.0/24:/home/guests

Add NFS service in FreeIPA server.

# ipa service-add nfs/ipa-server-01.centlinux.com
---------------------------------------------------------------
Added service "nfs/ipa-server-01.centlinux.com@CENTLINUX.COM"
---------------------------------------------------------------
Principal name: nfs/ipa-server-01.centlinux.com@CENTLINUX.COM
Principal alias: nfs/ipa-server-01.centlinux.com@CENTLINUX.COM
Managed by: ipa-server-01.centlinux.com

Add entry in keytab.

# kadmin.local
Authenticating as principal admin/admin@CENTLINUX.COM with password.
kadmin.local: ktadd nfs/ipa-server-01.centlinux.com
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes128-cts-hmac-sha256-128 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux.com with kvno 1, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local: exit

Configure default home directory and shell for new FreeIPA users.

# ipa config-mod --homedirectory=/home/guests --defaultshell=/bin/bash
Maximum username length: 32
Maximum hostname length: 64
Home directory base: /home/guests
Default shell: /bin/bash
Default users group: ipausers
Default e-mail domain: centlinux.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=CENTLINUX.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: ipa-server-01.centlinux.com
IPA master capable of PKINIT: ipa-server-01.centlinux.com
IPA CA servers: ipa-server-01.centlinux.com
IPA CA renewal master: ipa-server-01.centlinux.com
IPA DNS servers: ipa-server-01.centlinux.com

Create a FreeIPA user

Create a new FreeIPA user with the help of following command.

# ipa user-add ipauser1 --first=ahmer --last=m --password
Password:
Enter Password again to verify:
---------------------
Added user "ipauser1"
---------------------
User login: ipauser1
First name: ahmer
Last name: m
Full name: ahmer m
Display name: ahmer m
Initials: am
Home directory: /home/guests/ipauser1
GECOS: ahmer m
Login shell: /bin/bash
Principal name: ipauser1@CENTLINUX.COM
Principal alias: ipauser1@CENTLINUX.COM
User password expiration: 20220911184641Z
Email address: ipauser1@centlinux.com
UID: 930600003
GID: 930600003
Password: True
Member of groups: ipausers
Kerberos keys available: True

Create home directory for FreeIPA user.

# mkdir -m0750 -p /home/guests/ipauser1
# chown 930600003:930600003 /home/guests/ipauser1

Your FreeIPA server has been configured successfully. Besides Linux CLI, you can also perform administration of your Linux server by using the Rocky Identity Management, a web based user interface, provided herewith.

Open URL https://ipa-server-01.centlinux.com/ipa/ui in a web browser.

IPA Server Login

Login as admin user.

IPA Server Active Users

Add a Linux Client in IPA Server

Add a new Linux machine in FreeIPA server.

# ipa host-add --ip-address 192.168.116.11 ipa-client1.centlinux.com
---------------------------------------
Added host "ipa-client1.centlinux.com"
---------------------------------------
Host name: ipa-client1.centlinux.com
Principal name: host/ipa-client1.centlinux.com@CENTLINUX.COM
Principal alias: host/ipa-client1.centlinux.com@CENTLINUX.COM
Password: False
Keytab: False
Managed by: ipa-client1.centlinux.com

Add our Linux machine in DNS server.

# ipa dnsrecord-add centlinux.com ipaclient1 --ttl=3600 --a-ip-address=192.168.116.11
Record name: ipaclient1
Time to live: 3600
A record: 192.168.116.11

Install IPA Client on Linux

To configure a Linux machine as FreeIPA client, you need to install following packages on it.

# dnf install -y freeipa-client

Configure autofs to automatically mount the FreeIPA users’ home directory on ipaclient machine after successful login.

# echo '* -rw 192.168.116.5:/home/guests/&' >> /etc/auto.guests
# echo '/home/guests /etc/auto.guests' >> /etc/auto.master

Enable and start autofs service.

# systemctl enable --now autofs.service
Created symlink /etc/systemd/system/multi-user.target.wants/autofs.service → /usr/lib/systemd/system/autofs.service.

Add DNS server in network configurations of Linux client.

# nmcli c m ens33 ipv4.dns 192.168.116.5
# nmcli c down ens33 ; nmcli c up ens33
Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

Test DNS resolution by using dig command.

# dig ipa-server-01.centlinux.com

; <<>> DiG 9.16.23-RH <<>> ipa-server-01.centlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50501
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cf3d2ea5d1b3b69e01000000631f525df897f1176b2d53e6 (good)
;; QUESTION SECTION:
;ipa-server-01.centlinux1.com. IN A

;; ANSWER SECTION:
ipa-server-01.centlinux1.com. 1200 IN A 192.168.116.5

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 12 10:38:05 CDT 2022
;; MSG SIZE rcvd: 101

Configure Linux client as follows.

# ipa-client-install 
> --enable-dns-updates
> --mkhomedir
> --ntp-server=192.168.116.5:323
This program will set up IPA client.
Version 4.8.0

Discovery was successful!
Client hostname: ipa-client1.centlinux.com
Realm: CENTLINUX.COM
DNS Domain: centlinux.com
IPA Server: ipa-server-01.centlinux.com
BaseDN: dc=centlinux,dc=com
NTP server: 192.168.116.5:323

Continue to configure the system with these values? [no]: yes
Synchronizing time
Augeas failed to configure file /etc/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@CENTLINUX.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=CENTLINUX.COM
Issuer: CN=Certificate Authority,O=CENTLINUX.COM
Valid From: 2020-02-06 18:32:37
Valid Until: 2040-02-06 18:32:37

Enrolled in IPA realm CENTLINUX1.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm CENTLINUX1.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring centlinux1.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Edit SSH server configurations to use your FreeIPA service.

# vi /etc/ssh/sshd_config

Find and set following directives in this file.

KerberosAuthentication no
UsePAM yes

Restart sshd.service to apply changes.

# systemctl restart sshd.service

Now login as ipauser1.

# su - ipauser1
$ mount | grep /ipauser1
192.168.116.5:/home/guests/ipauser1 on /home/guests/ipauser1 type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.116.11,local_lock=none,addr=192.168.116.5)

You can see that the home directory for user ipauser1 has been mounted by autofs service.

To develop expertise in FreeIPA, we recommend that, you should attend online training: Identity Management on Linux FreeIPA IdM

Video Tutorial: Install FreeIPA on Rocky Linux 9

Final Thoughts

Congratulations on successfully learning how to install FreeIPA on Rocky Linux 9! With FreeIPA set up, you now have a robust identity management and authentication system that enhances your network security and management. Utilize its powerful features to streamline user management, improve access controls, and ensure secure authentication across your network. If you need further assistance or custom solutions, feel free to check out my services on Fiverr here.

Exit mobile version