
Initial FreeIPA Setup and Install

FreeIPA

Basics

FreeIPA (a.k.a. Identity Management by RedHat) is a free, open source alternative to Active Directory type services for Linux / Unix.

The Installation of the server side works best on RedHat, Fedora, and / or CentOS systems (all RedHat based systems).

A client must be installed on each machine you want to join to the domain so it can use the IPA system for authentication.

Requirements

Server

  • Needs to have a fixed (static) IP address.
  • Needs to have a FQDN (Fully Qualified Domain Name)
    • The Domain Name must be owned by you, or a local only type domain (best to end with .local).
  • You must update the server's hostname and /etc/hosts file entries.
    • The FQDN must come first after the IP in /etc/hosts, followed by the short name.
      • Example:  FQDN = ipa.mydomain.local    Shortname = ipa

The Download Process

  1. You must download the freeipa server software if it's not already in the distro you chose.
  2. You then run the installation of the software and configure the server.

DNS

It is extremely important to have a system setup for DNS, and to ensure that your LAN can find machines by hostname, not just by IP address.

  • For this I use Pi-Hole.  I make manual entries for the machines I'm adding to the domain.
  • I check this by using nslookup.

If you don't have a shared server for home directories, you should enable automatic creation of a home directory for each domain user who may log into a system.

You do this with the --enablemkhomedir option on the server.

My Commands and Steps

Install Fedora 32 Workstation

Make sure it's completely updated: use sudo dnf update -y

Make sure you have an IP on the LAN (using VirtualBox or virt-manager you need to ensure you've set up and enabled a bridged network connection).

Edit the hostname and /etc/hosts files:

sudo nano /etc/hostname

Make sure to enter an FQDN (it can't be localhost at all).

Now update the /etc/hosts file using

sudo nano /etc/hosts

and make sure it looks something like

192.168.7.226   ipa.mydomain.local ipa

127.0.0.1 localhost

The next bits are easier to run as root, so just do

sudo su

and enter your sudo password when prompted.

You also need to set up your firewall to open some ports. Luckily on Fedora this is easily accomplished with two commands.

firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps

firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent

Now, we'll pull down the freeipa server software.

yum install freeipa-server freeipa-server-dns nfs-utils

Next, we reboot so nfs-utils will kick in.

reboot

Once back up, go back into root:

sudo su

Enter your sudo password when prompted.

Once you have your prerequisites installed and set up, we'll run the ipa-server-install command and go through the steps to get our server set up.

ipa-server-install --mkhomedir

There will be some questions during the process that we need to answer...

After a successful install, you'll want to run the command

kinit admin

This obtains the necessary admin credentials to get the Web UI ready for login, as well as for running admin commands from the CLI if desired.


Client Install

For the client install we'll use Ubuntu 20.04. Ubuntu is one of the most popular, if not the most popular, desktop distributions for Linux out there, so I'm using it for this demo.

First, we'll install ubuntu 20.04.

Next, update the OS and make sure all updates are installed with

sudo apt update && sudo apt upgrade -y

Next, make sure you've set up the IP address as part of your LAN (particularly if you're using VirtualBox or virt-manager, where you need a bridged network so the machine can see / reach other machines).

Setup IP and FQDN

ip addr show

will show you a list of IP addresses assigned to the various network interfaces on the install.

You want the one that matches your LAN IP pattern.
In my case, I'll be using the one with "192.168.7.x".

Next, just as with the server, we need to ensure that the IP is set as a static IP, and we need to give the machine an FQDN (Fully Qualified Domain Name, e.g. "ipa-client1.mydomain.local").

sudo nano /etc/hosts

In this file, ensure you have the following set up:

127.0.0.1 localhost

127.0.1.1 ipa-client1.mydomain.local ipa-client1

192.168.7.x ipa-client1.mydomain.local ipa-client1

192.168.7.150 ipasrv2.mydomain.local ipasrv2

Next, make sure the "/etc/hostname" file also has the correct hostname.

sudo nano /etc/hostname

It should have something like:

ipa-client1.mydomain.local

If not, make sure to change it to the proper hostname, then save.
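As an added example (not part of the original post), here is a small POSIX shell pre-flight check for the /etc/hostname and /etc/hosts layout required in the server Requirements above and in this client section: the hostname must be a real FQDN (not localhost), and the hosts file line for the machine's IP must list the FQDN first and the short name after it. The function names and the sample hosts-file text are my own and constructed for the demo.

```shell
#!/bin/sh
# Added example: verify the hostname / hosts-file layout FreeIPA expects.
# Hosts-file text is read from stdin so it can be checked offline.

# Return 0 if NAME is a usable FQDN: contains a dot and is not localhost.
check_fqdn() {
  name="$1"
  case "$name" in
    localhost*|"") return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the hosts-file text on stdin has a line for IP whose first
# name is FQDN and whose second name is the short name (FQDN before the
# first dot). A line with the names reversed, or with no short name, fails.
check_hosts_line() {
  ip="$1"; fqdn="$2"; short="${2%%.*}"
  awk -v ip="$ip" -v fqdn="$fqdn" -v short="$short" '
    $1 == ip { found = 1; if ($2 == fqdn && $3 == short) ok = 1 }
    END { exit (found && ok) ? 0 : 1 }'
}

# Combined check: hostname FQDN plus matching hosts line for IP.
preflight() {
  fqdn="$1"; ip="$2"
  check_fqdn "$fqdn" || { echo "hostname '$fqdn' is not an FQDN" >&2; return 1; }
  check_hosts_line "$ip" "$fqdn" \
    || { echo "no '$ip $fqdn ${fqdn%%.*}' line in hosts file" >&2; return 1; }
  return 0
}

# Constructed sample matching the layout shown in this post.
SAMPLE_HOSTS='192.168.7.226   ipa.mydomain.local ipa
127.0.0.1 localhost'

# On a live machine you would run instead:
#   preflight "$(cat /etc/hostname)" 192.168.7.226 < /etc/hosts
if printf '%s\n' "$SAMPLE_HOSTS" | preflight ipa.mydomain.local 192.168.7.226; then
  echo "sample hosts file OK"
fi
```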

Finally, make sure to add a DNS reference in your local DNS (router, or whatever, but in my case a Pi-Hole) to the client machine FQDN and IP.

Download the Software

Now, we need to download the freeipa client.

sudo apt install freeipa-client

While this isn't the actual client install and configuration, it will prompt you for a couple of pieces of information, so you need to know what they are and be ready.

The first screen in the terminal will be for "Configuring Kerberos Authentication", and will ask for the Kerberos version X realm.

This is basically the domain, and may be filled in by default; if it is, just tab to 'Ok' and move on. If not, type in the domain in all caps:

MYDOMAIN.LOCAL

then tab to 'Ok' and move forward.

Next, it will ask for the Kerberos server for your realm. This is just the FQDN of the server we set up previously.

ipasrv2.mydomain.local

Next is the Administrative server for your Kerberos realm. It's the same server.

ipasrv2.mydomain.local

Once you've entered those items, the download / install will continue.

Check your network settings one more time

Now, before we move forward with the final configuration and install of the freeipa client, it's a good idea to make sure that our server and client resolve to the right name and IP.

nslookup ipa-client1.mydomain.local

You should get the proper IP back.

nslookup ipasrv2.mydomain.local

Again, you should get the proper IP back.

Run the final Install and Configuration

This is again easier to run as root, so you can do:

sudo su -

in a terminal, and enter your sudo user password when prompted.

Now, we'll run our final install command for our Free IPA client machine.

ipa-client-install --mkhomedir

PLEASE NOTE: The --mkhomedir part is VERY IMPORTANT.

If you run this without that flag, and you have not set up network storage for user home directories somewhere else (which I'm not covering here), then the client install may succeed, but when you try to log in as an LDAP user afterward, you'll be frustrated to find you aren't taken to the desktop.

This happens because the system doesn't know where your home directory is, and won't create one for you without that flag.

Interactive Install Prompts

As with our server install, the client install has interactive prompts, and you will likely have to fill out a few bits of information as it goes through.

When you are done you should see a message that says:

`The ipa-client-install command was successful`

Time for one last reboot.

Logging in with LDAP / FreeIPA user

Before you try to log in with LDAP, you of course need to create a user. For this we go back to the server web UI and get started.