Initial FreeIPA Setup and Install
FreeIPA
Basics
FreeIPA (a.k.a. Identity Management by Red Hat) is a free, open source alternative to Active Directory-style services for Linux / Unix.
Installation of the server side works best on Red Hat, Fedora and / or CentOS systems (all Red Hat based systems).
A client must be installed in order to join a machine to the domain and use the IPA system for authentication.
Requirements
Server
- Needs to have a fixed (static) IP address.
- Needs to have a FQDN (Fully Qualified Domain Name)
- The Domain Name must be owned by you, or a local only type domain (best to end with .local).
- You must update the server's hostname and /etc/hosts file entries.
- The FQDN must come first after the IP in /etc/hosts, followed by the shortname.
- Example: FQDN = ipa.mydomain.local Shortname = ipa
The Download Process
- You must download the freeipa server software if it's not already in the distro you chose.
- You then run the installation of the software and configure the server.
DNS
It is extremely important to have a system set up for DNS, and to ensure that your LAN can find machines by hostname, not just by IP address.
- For this I use Pi-Hole. I make manual entries for the machines I'm adding to the domain.
- I check this by using nslookup
If you don't have a shared server for shared home directories, you should enable automatic creation of a home directory for each domain user who may log into a system.
You do this with the --mkhomedir option on the server install (and again on the client install).
My Commands and Steps
Install Fedora 32 Workstation
Make sure it's updated completely - use sudo dnf update -y
Make sure you have an IP on the LAN (using VirtualBox or virt-manager you need to ensure you've set up and enabled a bridged network connection).
Edit the hostname and /etc/hosts files:
sudo nano /etc/hostname
make sure to enter an FQDN (can't be localhost at all).
Now update the /etc/hosts file using
sudo nano /etc/hosts
and make sure it looks something like
192.168.7.226 ipa.mydomain.local ipa
127.0.0.1 localhost
The next bits are easier to run as root, so just do
sudo su
and enter your sudo password when prompted.
You also need to set up your firewall to open some ports. Luckily on Fedora this is easily accomplished with two commands.
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
Now, we'll pull down the freeipa server software.
yum install freeipa-server freeipa-server-dns nfs-utils
Next, we reboot so nfs-utils will kick in.
reboot
Once back up, go back into root:
sudo su
Enter your sudo password when prompted.
Once you have your prerequisites installed and set up, we'll run the ipa-server-install command and go through the steps to get our server set up.
ipa-server-install --mkhomedir
There will be some questions during the process we need to answer...
After a successful install, you'll want to run the command
kinit admin
This obtains the admin Kerberos credentials (a ticket) needed to log into the Web UI, as well as to run admin commands from the CLI if desired.
Client Install
For the client install we'll use Ubuntu 20.04. Ubuntu is one of the most popular, if not the most popular, desktop distributions for Linux out there, thus I'm using it for this demo.
First, we'll install Ubuntu 20.04.
Next, update the OS and make sure all updates are installed with
sudo apt update && sudo apt upgrade -y
Next, make sure you've set up the IP address as part of your LAN (particularly if you're using VirtualBox or virt-manager - you need to have a bridged network set up so the machine can see / reach other machines).
Setup IP and FQDN
ip addr show
Will show you a list of ip addresses assigned to various network interfaces on the install.
You want the one that matches your LAN IP pattern.
In my case, I'll be using the one with "192.168.7.x".
Next, just as with the server, we need to ensure that the IP is set as a static IP, and we need to make sure we give the machine a FQDN (Fully Qualified Domain Name - e.g. "ipa-client1.mydomain.local").
sudo nano /etc/hosts
In this file ensure you have the following setup:
127.0.0.1 localhost
127.0.1.1 ipa-client1.mydomain.local ipa-client1
192.168.7.x ipa-client1.mydomain.local ipa-client1
192.168.7.150 ipasrv2.mydomain.local ipasrv2
Next, make sure the "/etc/hostname" file also has the correct hostname.
sudo nano /etc/hostname
it should have something like:
ipa-client1.mydomain.local
If not, make sure to change it to the proper hostname, then save.
Finally, make sure to add a DNS reference in your local DNS (router, or whatever, but in my case a Pi-Hole) to the client machine FQDN and IP.
Download the Software
Now, we need to download the freeipa client.
sudo apt install freeipa-client
While this isn't the actual client install and configuration, it will prompt you for a couple of bits of information, so you need to know what that is and be ready.
The first screen in the terminal will be for "Configuring Kerberos Authentication", and will ask for the Kerberos version 5 realm.
This is basically the domain, and may be filled in by default; if it is, just tab to 'Ok' and move on. If not, type in the domain in all caps:
MYDOMAIN.LOCAL
then tab to 'Ok' and move forward.
Next, it will ask for the Kerberos server for your realm. This is just the FQDN of your server that we setup previously.
ipasrv2.mydomain.local
Next is the Administrative server for your Kerberos realm. It's the same server.
ipasrv2.mydomain.local
Once you've entered those items, the download / install will continue.
Check your network settings one more time
Now, before we move forward with the final configuration and install of the freeipa client, it's a good idea to make sure that our server and client resolve to the right name and IP.
nslookup ipa-client1.mydomain.local
You should get the proper IP back.
nslookup ipasrv2.mydomain.local
Again, you should get the proper IP back.
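The naming rules from the server and client sections (an FQDN in /etc/hostname, an "IP FQDN shortname" entry in /etc/hosts, and the name resolving to the LAN IP) can be checked before running the installer. This is an added example, not part of the original guide; the file paths are the standard ones, and the 192.168.7.x addresses and mydomain.local names are the guide's sample values.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the
# FreeIPA host-naming rules. The checks are functions over text input so
# they can be exercised on constructed data; run_checks applies them to
# the live system using /etc/hostname, /etc/hosts and nslookup.

# Hostname must be fully qualified: contains a dot and is not localhost.
is_fqdn() {
  case "$1" in
    ""|localhost|localhost.*|*.localdomain|*.|.*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# One hosts line must read "IP FQDN shortname" in exactly that order.
hosts_line_ok() {
  _ip=$2 _fqdn=$3 _short=$4
  set -- $1                       # split the line on whitespace
  [ "$1" = "$_ip" ] && [ "$2" = "$_fqdn" ] && [ "$3" = "$_short" ]
}

# Scan a whole hosts file (as text) for a conforming entry; comments ignored.
hosts_has_entry() {
  _text=$1; shift
  while IFS= read -r _line; do
    hosts_line_ok "${_line%%#*}" "$@" && return 0
  done <<EOF
$_text
EOF
  return 1
}

# nslookup prints the resolver (with "#53") first; keep the answer address.
answer_addr() { printf '%s\n' "$1" | awk '/^Address:/ && $2 !~ /#/ {a=$2} END {print a}'; }
resolves_to() { [ "$(answer_addr "$1")" = "$2" ]; }

# Apply the checks to this machine; pass the expected LAN IP as $1.
run_checks() {
  _host=$(cat /etc/hostname); _short=${_host%%.*}
  is_fqdn "$_host" || { echo "FAIL: /etc/hostname '$_host' is not an FQDN"; return 1; }
  hosts_has_entry "$(cat /etc/hosts)" "$1" "$_host" "$_short" ||
    { echo "FAIL: /etc/hosts lacks '$1 $_host $_short'"; return 1; }
  resolves_to "$(nslookup "$_host" 2>/dev/null)" "$1" ||
    { echo "FAIL: DNS does not return $1 for $_host"; return 1; }
  echo "OK: $_host -> $1 (shortname $_short)"
}
# Usage on a live host:  sh ipa-preflight.sh 192.168.7.226
[ $# -eq 1 ] && run_checks "$1"
```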
Run the final Install and Configuration
This is again, easier to run as root, so you can do:
sudo su -
in a terminal, and enter your sudo user password when prompted.
Now, we'll run our final install command for our Free IPA client machine.
ipa-client-install --mkhomedir
PLEASE NOTE: The --mkhomedir part is VERY IMPORTANT.
If you do this, without that bit, and you have not setup network storage for user home directories somewhere else (and I'm not covering that here), then the client install may succeed, but upon trying to login using an LDAP user afterward, you'll get frustrated when you aren't taken to the desktop.
This happens because the system doesn't know where your home directory is, and won't create one for you without that flag.
Interactive Install Prompts
As with our server install, the client install has interactive prompts, and you will likely have to fill out a few bits of information as it goes through.
When you are done you should see a message that says:
`The ipa-client-install command was successful`
Time for one last reboot.
Logging in with an LDAP / FreeIPA user
Before you try to log in with LDAP, you of course need to create a user. For this we go back to the server Web UI and get started.