![](https://substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe2e3caa0-12b9-4fa4-874e-6410b7e51e2c_4500x2532.jpeg)
24th July 2023
Updated 16th September 2023
The FreeIPA client enables LDAP authentication on your Linux client machines. It automatically configures domain and LDAP settings to work with the configured FreeIPA domain.
The FreeIPA client software can be (in relative terms) easily installed on Linux distributions that are Debian-based or Red Hat-based.
Assumptions
A DNS server is already configured. Otherwise you have to add the FreeIPA server's FQDN to the /etc/hosts file manually.
Prerequisites
Configuration needed on the IPA server
Chrony, the application handling NTP service on the FreeIPA server, needs to be configured to allow incoming connections:
sudo nano /etc/chrony.conf
…
# Allow NTP client access from local network.
allow 10.8.0.0/13
allow 2001:DB8:1234:8000::/49
…
# Select which information is logged.
#log measurements statistics tracking
server ntp1.bit.nl iburst
server ntp2.bit.nl iburst
Create a User
You can do this in the WebGUI, but for demonstration purposes, let's configure it in the CLI to speed things up:
Step 1: Establish or renew Kerberos ticket
To be able to administer FreeIPA services, you need a valid Kerberos ticket. It's the equivalent of logging in to the WebGUI.
On the FreeIPA Server:
kinit admin
[root@sauna-ipa /]# kinit admin
Password for admin@BASTUKLUBBEN.ONLINE:
[root@sauna-ipa /]#
To check the validity of the Kerberos ticket:
[root@sauna-ipa /]# klist
Ticket cache: KCM:0
Default principal: admin@BASTUKLUBBEN.ONLINE
Valid starting Expires Service principal
07/09/2023 21:49:21 07/10/2023 21:02:07 krbtgt/BASTUKLUBBEN.ONLINE@BASTUKLUBBEN.ONLINE
Step 2: Set the default shell to bash (Optional)
Not required but strongly recommended. The default shell for users is /bin/sh. You can change the default shell profile for all users with this command:
ipa config-mod --defaultshell=/bin/bash
Step 3: Create a user
ipa user-add sysadm --first=System --last=Admin --password
[root@sauna-ipa /]# ipa user-add sysadm --first=System --last=Admin --password
Password:
Enter Password again to verify:
-------------------
Added user "sysadm"
-------------------
User login: sysadm
First name: System
Last name: Admin
Full name: System Admin
Display name: System Admin
Initials: SA
Home directory: /home/sysadm
GECOS: System Admin
Login shell: /bin/bash
Principal name: sysadm@BASTUKLUBBEN.ONLINE
Principal alias: sysadm@BASTUKLUBBEN.ONLINE
User password expiration: 20230709195644Z
Email address: sysadm@bastuklubben.online
UID: 1902600005
GID: 1902600005
Password: True
Member of groups: ipausers
Kerberos keys available: True
Install FreeIPA Client on Ubuntu 22.04/CentOS/Fedora
The steps below are going to be the same for all distributions unless otherwise specified.
Step 1: Add FQDN to your hostname
sudo nano /etc/hostname
sauna-nms.bastuklubben.online
sudo halt --reboot
Step 2: Install Free IPA Client:
Ubuntu:
sudo apt install freeipa-client
CentOS:
sudo yum install ipa-client
Fedora:
sudo dnf install ipa-client
Just press Enter if this shows up:
Step 3: Configure FreeIPA Client:
If you are running IPv4 only, this command should be sufficient:
sudo ipa-client-install --mkhomedir
If for some reason automatic domain discovery fails, you can try entering the domain and server manually:
sudo ipa-client-install --mkhomedir --domain BASTUKLUBBEN.ONLINE --server sauna-ipa.bastuklubben.online
nms@sauna-nms:~$ sudo ipa-client-install --mkhomedir --domain BASTUKLUBBEN.ONLINE --server sauna-ipa.bastuklubben.online
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: sauna-nms.bastuklubben.online
Realm: BASTUKLUBBEN.ONLINE
DNS Domain: bastuklubben.online
IPA Server: sauna-ipa.bastuklubben.online
BaseDN: dc=bastuklubben,dc=online
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@BASTUKLUBBEN.ONLINE:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=BASTUKLUBBEN.ONLINE
Issuer: CN=Certificate Authority,O=BASTUKLUBBEN.ONLINE
Valid From: 2023-05-18 14:47:04
Valid Until: 2043-05-18 14:47:04
Enrolled in IPA realm BASTUKLUBBEN.ONLINE
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm BASTUKLUBBEN.ONLINE
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin@bastuklubben.online'!
Unable to reliably detect configuration. Check NSS setup manually.
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring bastuklubben.online as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
As you can see, there is a problem (the installer cannot look up the admin user through NSS), and it is IPv6 related. After the installation we need to add one SSSD parameter:
Step 4: Add IPv6 workaround (Only applicable on IPv6 networks):
sudo nano /etc/sssd/sssd.conf
[domain/bastuklubben.online]
id_provider = ipa
ipa_server = _srv_, sauna-ipa.bastuklubben.online
ipa_domain = bastuklubben.online
ipa_hostname = sauna-nms.bastuklubben.online
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
lookup_family_order = ipv6_only
[sssd]
services = nss, pam, ssh, sudo
domains = bastuklubben.online
[nss]
homedir_substring = /home
...
sudo service sssd restart
Note: The last 2 computers I added to the domain didn't actually need that workaround. Perhaps it is finally fixed by the time you read this.
Update 16th September 2023: I have enrolled a few more machines now and as far as I can tell, it sometimes works without the workaround, sometimes not.
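Because the workaround is sometimes needed and sometimes not, it helps to have a script that adds lookup_family_order = ipv6_only to the right [domain/...] section only when it is missing, so re-running it on every enrolled machine is safe. This is an added example, not a script from the original post; it assumes the sssd.conf path and the IPA domain name are passed as its two parameters, and the sample config it writes is constructed for demonstration.

```bash
#!/bin/sh
# Added example (not from the original post): idempotently add the
# "lookup_family_order = ipv6_only" workaround to the [domain/<domain>]
# section of an sssd.conf, leaving every other section untouched.
# Assumed parameters: $1 = path to sssd.conf, $2 = IPA domain name.
ensure_ipv6_lookup_order() {
    conf="$1"
    sec="[domain/$2]"
    # Already present in the domain section? Then do nothing.
    if awk -v sec="$sec" '
        /^\[/ { insec = ($0 == sec) }
        insec && /^[ \t]*lookup_family_order[ \t]*=/ { found = 1 }
        END { if (found) exit 0; exit 1 }' "$conf"; then
        return 0
    fi
    # Insert the directive directly after the matching section header.
    # "cat > $conf" rewrites in place so the 0600 root ownership sssd
    # requires on the file is preserved (a mv would replace the inode).
    tmp="$conf.tmp.$$"
    awk -v sec="$sec" '
        { print }
        $0 == sec { print "lookup_family_order = ipv6_only" }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Constructed sample of the relevant part of /etc/sssd/sssd.conf,
# as ipa-client-install writes it (no workaround present yet).
write_sample_conf() {
    cat > "$1" <<'EOF'
[domain/bastuklubben.online]
id_provider = ipa
ipa_server = _srv_, sauna-ipa.bastuklubben.online
ipa_domain = bastuklubben.online
cache_credentials = True

[sssd]
services = nss, pam, ssh, sudo
domains = bastuklubben.online
EOF
}

# Prints how many times the workaround occurs inside the domain section
# ($1 = sssd.conf path, $2 = domain); used to verify the edit.
count_directive() {
    awk -v sec="[domain/$2]" '
        /^\[/ { insec = ($0 == sec) }
        insec && /^[ \t]*lookup_family_order[ \t]*=[ \t]*ipv6_only/ { n++ }
        END { print n + 0 }' "$1"
}
```

Run it as root against /etc/sssd/sssd.conf and follow with `sudo service sssd restart`; a second run reports the directive already present and changes nothing.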
Step 5: Configure automatic creation of home directory
Edit this file to look like this (it is owned by root, so open it with sudo):
sudo nano /usr/share/pam-configs/mkhomedir
Name: Create home directory on login
Default: no
Priority: 900
Session-Type: Additional
Sessions-Interactive-Only: yes
Session:
required pam_mkhomedir.so umask=0077 skel=/etc/skel
sudo pam-auth-update --enable mkhomedir
Step 6: Test
Either log out and log back in as a user defined in the FreeIPA domain, or use SSH:
ssh sysadm@::1
Conclusion
Installation of the FreeIPA client is fairly easy. The only thing that consumed a lot of time was that IPv6 bug. As an IPv6 pioneer, these things happen from time to time.
There are a lot of similar guides out there and I have tried to combine the best of all of them. These have been my sources:
One good guide: https://www.linuxtechi.com/configure-freeipa-client-on-ubuntu/
One OK guide: https://computingforgeeks.com/how-to-configure-freeipa-client-on-ubuntu-centos/
I had to find a mkhomedir file that actually worked: https://github.com/debops/debops/issues/483
IPv6 workaround: https://pagure.io/freeipa/issue/8243