# Setup FreeIPA # Initial FreeIPA Setup and Install # FreeIPA ## Basics FreeIPA (a.k.a. Identity Management by RedHat) is a free, open source alternative to Active Directory type services for Linux / Unix. The Installation of the server side works best on RedHat, Fedora, and / or CentOS systems (all RedHat based systems). A client must be installed in order to join a Machine to the domain and use the IPA system for authenticaion. ## Requirements ## Server - Needs to have a fixed (sttic) IP Address. - Needs to have a FQDN (Fully Qualified Domain Name) - The Domain Name must be owned by you, or a local only type domain (best to end with .local). - You must update the server's hostname and /etc/hosts file entries. - The FQDN must be first after the IP in /etc/hosts, and then the shortname afterthat. - Example: FQDN = ipa.mydomain.local Shortname = ipa ### The Download Process 1. You must download the freeipa server software if it's not already in the distro you chose. 2. You then run the installation of the software and configure the server. ### DNS It is extremely important to have a system setup for DNS, and to ensure that your LAN can find machines by hostname, not just by IP address. - For this I use Pi-Hole. I make manual entries for the machines I'm adding to the domain. - I check this by using nslookup If you don't have a shared server for shared home directories, you should enable the ability to make home directories for each domain user sho may log into a system. You do this with the --enablemkhomedir option on the server. ### My Commands and Steps Install Fedora 32 Workstation Make sure it's updated completely - use sudo dnf update -y Make sure you have an IP on the LAN (using Virtual Box or VirtManager you need to ensure you've setup and enabled a bridged network connection. Edit the hostname and /etc/hosts files: sudo nano /etc/hostname make sure to enter an FQDN (can't be localhost at all). Now update the /etc/hosts file using sudo nano /etc/hosts and make sure it looks something like 192.168.7.226 ipa.mydomain.local ipa 127.0.0.1 localhost The next bits are easier to run as root, so just do sudo su and enter your sudo password when prompted. You also need to setup your firewall to have some open ports. Luckily on Fedora this is easily accomplished with two commands. firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent Now, we'll pull down the freeipa seerver software. yum install freeipa-server freeipa-server-dns nfs-utils Next, we reboot so nfs-utils will kick in. reboot Once back up, go back into root: sudo su Enter your sudo password when prompted. Once you have your pre-requisites installed and setup we'll run the ipa-server-install command and go through the steps to get our server setup. ipa-server-install --mkhomedir There will be some question during the process we need to answer... After a successful install, you'll want to run the command kinit admin As this generates the necessary admin keys to get the Web UI ready for login, as well as for running admin commands from the cli if desired. --- ## Client Install For the client install we'll use Ubuntu 20.04. Ubuntu is one of the most popular, if not the most popular desktop distributionsn for Linux, our there, thus I'm using it for this demo. First, we'll install ubuntu 20.04. Next, update the OS and make sure all updates are installed with sudo apt update && sudo apt upgrade -y Next, make sure you've setup the IP address as part of your LAN (particularly if you're using Virtualbox or VirtManager - you need to have a bridge network setup so the machine can see / reach other machines). ## Setup IP and FQDN ip addr show Will show you a list of ip addresses assigned to various network interfaces on the install. You want the one that matches your LAN IP pattern. In my case, i'll be using the one with "192.168.7.x" Next, just as with the server, we need to ensure that the IP is set as a static IP, and we need to make sure we give the machine a FQDN (Fully Qualified Domain Name - e.g. "ipa-client1.mydomain.local"). sudo nano /etc/hosts In this file ensure you have the following setup: 127.0.0.1 localhost 127.0.1.1 ipa-client1.mydomain.local ipa-client1 192.168.7.x ipa-client1.mydomain.local ipa-client1 192.168.7.150 ipasrv2.mydomain.local ipasrv2 Next, make sure the "/etc/hostname" file also has the correct hosname. sudo nano /etc/hostname it should have something like: ipa-client1.mydomain.local If not, make sure to change it to the proper hostname, then save. Finally, make sure to add a DNS reference in your local DNS (router, or whatever, but in my case a Pi-Hole) to the client machine FQDN and IP. ## Download the Software Now, we need to download the freeipa client. sudo apt install freeipa-client While this isn't that actual client install and configuration, it will actually prompt you for a couple of bits of information, so you need to know what that is and be ready. First screen in the terminal will be for "Configuring Kerberos Authentication", and will ask for the Kerberos version X realm. this is basically the domain, and may be filled in by default, so if it is, just tab to 'ok', and move on. If not, type in the domain in all caps: MYDOMAIN.LOCAL then tab to 'Ok' and move forward. Next, it will ask for the Kerberos server for your realm. This is just the FQDN of your server that we setup previously. ipasrv2.mydomain.local Next is the Administrative server for your Kerberos realm. It's the same server. ipasrv2.mydomain.local Once you've entered those items, the download / install will continue. ## Check your network settings one more time Now, before we move forward with the final configuration and install of the freeipa client, it's a good idea to make sure that our server and client resolve to the right name and IP. nslookup ipa-client1.mydomain.local You should get the proper IP back. nslookup ipasrv2.mydomain.local Again, you should get the proper IP back. ## Run the final Install and Configuration This is again, easier to run as root, so you can do: sudo su - in a terminal, and enter your sudo user password when prompted. Now, we'll run our final install command for our Free IPA client machine. ipa-client-install --mkhomedir PLEASE NOTE: The --mkhomedir part is VERY IMPORTANT. If you do this, without that bit, and you have not setup network storage for user home directories somewhere else (and I'm not covering that here), then the client install may succeed, but upon trying to login using an LDAP user afterward, you'll get frustrated when you aren't taken to the desktop. This happens becuase the system doesn't know where your home directory is, and won't create one for you without that flag. ### Interactive Install Prompts As with our server install, the client install has interactive prompts, and you will likely have to fill out a few bits of information as it goes through. When you are done you should see a message that says: `The ipa-client-install command was successful` Time for one last reboot. \# Logging in with LDAP / FreeIPA user Before you try to login wtih LDAP, you of cource need to create a user. For this we go back to the server web ui, and get started.