How To Install and Configure FreeIPA On CentOS 7 Server

FreeIPA is an open source identity management tool that provides centralized authentication, authorization, and account management. The document discusses how to install and configure FreeIPA on a CentOS 7 server and Ubuntu 18.04 and CentOS 7 clients. The steps include installing FreeIPA packages on the server, running ipa-server-install to configure the server, adding DNS records for clients, installing FreeIPA client packages, configuring clients using ipa-client-install, and verifying login works using the centralized FreeIPA authentication.

Uploaded by

Eduardo Alfaia

How to Install and Configure FreeIPA on CentOS 7 Server
FreeIPA is a free and open source identity management tool and the upstream project for
Red Hat Identity Manager. With FreeIPA we can easily manage centralized authentication
along with account management, policy (host-based access control) and audit. FreeIPA
also provides services such as DNS and PKI.
FreeIPA is built on the following open source projects:

 389 Directory Server (LDAP)
 MIT Kerberos
 SSSD
 Dogtag (Certificate System)
 NTP & DNS

Step:1 Set static Hostname and apply updates


Set the static host name of your server using the hostnamectl command,

[root@localhost ~]# hostnamectl set-hostname "ipa.linuxtechi.lan"

[root@localhost ~]# exec bash

[root@ipa ~]#

Update the server using the yum update command and then reboot it

[root@ipa ~]# yum update -y;reboot

Step:2 Update the hosts file (/etc/hosts)


Run the below echo command to update the /etc/hosts file; replace the IP address and
hostname as per your setup.

[root@ipa ~]# echo -e "192.168.0.102\tipa.linuxtechi.lan\tipa" >> /etc/hosts

[root@ipa ~]#
Step:3 Install FreeIPA packages using yum command
FreeIPA packages and their dependencies are available in the default package repositories.
As we are planning to install the integrated DNS of FreeIPA, we will also install
"ipa-server-dns".
Run the below command to install FreeIPA and its dependencies

[root@ipa ~]# yum install ipa-server ipa-server-dns -y

Step:4 Start the FreeIPA Installation setup using "ipa-server-install"
Once the packages are installed successfully then use the below command to start the
FreeIPA installation setup.

It will prompt for a couple of things such as whether to configure integrated DNS, the host
name, the domain name and the realm name.

[root@ipa ~]# ipa-server-install

Output of above command would be something like below

After answering yes in the above prompt, it will take some time to configure your FreeIPA
server, and once it has been set up successfully we will get output something like below.
The above output confirms that it has been installed successfully.

Run the below command to allow the user's home directory to be created automatically after
authentication (or login)

[root@ipa ~]# authconfig --enablemkhomedir --update

[root@ipa ~]#

Note: In case you get the below errors while installing FreeIPA on CentOS 7 server,

.............

[error] CalledProcessError: Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1

ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1

ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

.................

This seems to be a known issue on CentOS 7. To resolve it, restart the dbus service
(service dbus restart), uninstall FreeIPA using the command "ipa-server-install
--uninstall" and then try the installation again.

Step:5 Allow FreeIPA ports in OS Firewall

In case the OS firewall is running on your CentOS 7 server then run the beneath firewall-cmd
commands to open the ports for FreeIPA,

[root@ipa ~]# firewall-cmd --add-service=freeipa-ldap

success

[root@ipa ~]# firewall-cmd --add-service=freeipa-ldap --permanent

success

[root@ipa ~]# firewall-cmd --reload

success

[root@ipa ~]#
Step:6 Verification & Access FreeIPA admin portal
Use the below command to check whether all the FreeIPA services are running or not

[root@ipa ~]# ipactl status

Directory Service: RUNNING

krb5kdc Service: RUNNING

kadmin Service: RUNNING

named Service: RUNNING

httpd Service: RUNNING

ipa-custodia Service: RUNNING

ntpd Service: RUNNING

pki-tomcatd Service: RUNNING

ipa-otpd Service: RUNNING

ipa-dnskeysyncd Service: RUNNING

ipa: INFO: The ipactl command was successful

[root@ipa ~]#

Let's verify whether the admin user gets a ticket via Kerberos using the kinit command; use
the same admin password that we supplied during the FreeIPA installation.

[root@ipa ~]# kinit admin

Password for admin@LINUXTECHI.LAN:

[root@ipa ~]# klist

Ticket cache: KEYRING:persistent:0:0

Default principal: admin@LINUXTECHI.LAN

Valid starting       Expires              Service principal

11/26/2018 07:39:00  11/27/2018 07:38:55  krbtgt/LINUXTECHI.LAN@LINUXTECHI.LAN

[root@ipa ~]#

Access the FreeIPA admin portal using the URL:

https://ipa.linuxtechi.lan/ipa/ui
Use the user name admin and the password that we specified during the installation.

Click on Login
This confirms that we have successfully set up FreeIPA on CentOS 7 Server. This also
concludes the article; please do share your feedback and comments.
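To check the server after Step 6 without eyeballing the output, here is an added bash example (not part of the article) that parses "ipactl status" and "firewall-cmd --list-services". It assumes the article's setup and that bash, awk and firewalld are present; the dns firewalld service is my addition, because the freeipa-ldap service opened in Step 5 does not include port 53 and the integrated DNS installed in Step 3 needs it.

```shell
#!/bin/bash
# Added example, not from the article: post-install checks for the FreeIPA server.
# Hostnames, services and IPs are taken from the article; adjust to your setup.

# Return 0 if every "<name> Service: <STATE>" line read on stdin says RUNNING.
# Feed it "ipactl status" directly or a saved copy of that output.
ipa_all_running() {
    local bad
    bad=$(awk -F': ' '/ Service: / && $2 != "RUNNING" { print $1 }')
    [ -z "$bad" ] && return 0
    printf 'not running: %s\n' "$bad" >&2
    return 1
}

# Return 0 if every firewalld service named as an argument appears in the
# single line read on stdin (output of "firewall-cmd --list-services").
# The freeipa-ldap service from Step 5 opens 80, 88, 389, 443 and 464; integrated
# DNS (ipa-server-dns, Step 3) also needs the dns service, which the article omits.
firewall_has() {
    local have missing=""
    read -r have || :
    for svc in "$@"; do
        case " $have " in
            *" $svc "*) ;;
            *) missing="$missing $svc" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf 'firewalld is missing:%s\n' "$missing" >&2
    return 1
}

# Constructed sample of the article's "ipactl status" output with one failure injected,
# so the checks can be exercised offline.
SAMPLE_STATUS='Directory Service: RUNNING
krb5kdc Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Live use on the server (uncomment):
# ipactl status | ipa_all_running \
#   && firewall-cmd --list-services | firewall_has freeipa-ldap freeipa-ldaps dns \
#   && klist -s  # exit status 0 only if a valid Kerberos ticket is cached
```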
How to Configure FreeIPA Client on Ubuntu 18.04 / CentOS 7 for Centralized
Authentication
by Pradeep Kumar · Published December 10, 2018 · Updated December 17, 2018
In our previous article we discussed FreeIPA and its installation steps on a CentOS 7
server; in this article we will discuss how Ubuntu 18.04 and CentOS 7 machines can be
integrated with a FreeIPA server for centralized authentication.
Read More: How to Install and Configure FreeIPA on CentOS 7 Server
I am assuming the "sysadm" user is already created on the FreeIPA server for the Linux
systems' centralized authentication; if not, execute the below commands from the FreeIPA
server to create the user,

[root@ipa ~]# kinit admin

Password for admin@LINUXTECHI.LAN:

[root@ipa ~]# ipa config-mod --defaultshell=/bin/bash

[root@ipa ~]# ipa user-add sysadm --first=System --last=Admin --password

Password:

Enter Password again to verify:

-------------------

Added user "sysadm"

-------------------

User login: sysadm

First name: System

Last name: Admin

Full name: System Admin

Display name: System Admin

Initials: SA

Home directory: /home/sysadm

GECOS: System Admin

Login shell: /bin/bash


Principal name: sysadm@LINUXTECHI.LAN

Principal alias: sysadm@LINUXTECHI.LAN

User password expiration: 20181118194031Z

Email address: sysadm@linuxtechi.lan

UID: 1285200003

GID: 1285200003

Password: True

Member of groups: ipausers

Kerberos keys available: True

[root@ipa ~]#

The first command gets Kerberos credentials, the second sets the default login shell for
all users to "/bin/bash", and the third creates the user named "sysadm".
Steps to configure FreeIPA Client on Ubuntu 18.04 system
Step:1) Add DNS record of Ubuntu 18.04 system on FreeIPA Server
Login to your FreeIPA Server (in my case it is installed on CentOS 7) and run the beneath
command to add a DNS record for the FreeIPA client (i.e. the Ubuntu 18.04 system)

[root@ipa ~]# ipa dnsrecord-add linuxtechi.lan app01.linuxtechi.lan --a-rec 192.168.1.106

Record name: app01.linuxtechi.lan

A record: 192.168.1.106

[root@ipa ~]#

In the above command app01.linuxtechi.lan is my Ubuntu 18.04 system with IP address
192.168.1.106.
Note: Make sure your FreeIPA Server and Clients are in the same timezone and get their
time from NTP servers.
Step:2) Install FreeIPA client Packages using apt-get command
Run the below command from your Ubuntu system to install freeipa-client along with its
dependencies,
pkumar@app01:~$ sudo apt-get install freeipa-client oddjob-mkhomedir -y

While installing freeipa-client we will see the screen below; hit Enter to skip.

Step:3) Update /etc/hosts file of FreeIPA client (Ubuntu 18.04)


Add below entries of your FreeIPA Server in /etc/hosts file

pkumar@app01:~$ echo "192.168.1.105 ipa.linuxtechi.lan ipa" | sudo tee -a /etc/hosts

Change IP address and hostname that suits to your setup.

Step:4) Configure FreeIPA client using command 'ipa-client-install'
Now run the "ipa-client-install" command to configure freeipa-client on your Ubuntu 18.04
system,

pkumar@app01:~$ sudo ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN

Change the FreeIPA Server address, domain name and realm to suit your setup.

Output of above command would be something like below:

Now allow the user's home directory to be created automatically when they authenticate
with the FreeIPA Server for the first time.

Append the following line in the file “/usr/share/pam-configs/mkhomedir”

required pam_mkhomedir.so umask=0022 skel=/etc/skel

pkumar@app01:~$ echo "required pam_mkhomedir.so umask=0022 skel=/etc/skel" | sudo tee -a /usr/share/pam-configs/mkhomedir

Apply the above changes using the following command,

pkumar@app01:~$ sudo pam-auth-update

Select OK and then hit enter,

Now try to login or ssh to your Ubuntu 18.04 system with the sysadm user.

Step:5) Try to Login to your Ubuntu 18.04 System with sysadm user
Now ssh to your Ubuntu 18.04 system using the sysadm user,

# ssh sysadm@192.168.1.106

sysadm@192.168.1.106's password:

X11 forwarding request failed on channel 0

Password expired. Change your password now.

Creating directory '/home/sysadm'.

Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com

* Management: https://landscape.canonical.com

* Support: https://ubuntu.com/advantage

* Canonical Livepatch is available for installation.

- Reduce system reboots and improve kernel security. Activate at:

https://ubuntu.com/livepatch
418 packages can be updated.

166 updates are security updates.

WARNING: Your password has expired.

You must change your password now and login again!

Current Password:

New password:

Retype new password:

passwd: password updated successfully

Connection to 192.168.1.106 closed.

As we can see, at the first authentication it prompts us to set a new password because the
password has expired, and then disconnects the session.

Now try to ssh to the Ubuntu system again; this time we should be able to connect,

# ssh sysadm@192.168.1.106

Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

Last login: Sat Dec 8 21:37:44 2018 from 192.168.1.101

/usr/bin/xauth: timeout in locking authority file /home/sysadm/.Xauthority

sysadm@app01:~$

sysadm@app01:~$ id

uid=1285200003(sysadm) gid=1285200003(sysadm) groups=1285200003(sysadm)

sysadm@app01:~$

This confirms that we have successfully configured the FreeIPA Client on the Ubuntu 18.04 system.

Steps to configure FreeIPA Client on CentOS 7 System


Step:1) Add DNS record of CentOS 7 on FreeIPA Server
Run the following command from FreeIPA server,

[root@ipa ~]# ipa dnsrecord-add linuxtechi.lan db01.linuxtechi.lan --a-rec 192.168.1.103


Record name: db01.linuxtechi.lan

A record: 192.168.1.103

[root@ipa ~]#

Step:2) Add the FreeIPA Server details in /etc/hosts


Login to your centos 7 system and add the following in /etc/hosts file

[root@db01 ~]# echo "192.168.1.105 ipa.linuxtechi.lan ipa" >> /etc/hosts

[root@db01 ~]# echo "192.168.0.103 db01.linuxtechi.lan" >> /etc/hosts

Step:3) Install and Configure FreeIPA Client


Use the below command to install FreeIPA client on CentOS 7 system,

[root@db01 ~]# yum install freeipa-client -y

Now configure the FreeIPA client using the "ipa-client-install" command,

[root@db01 ~]# ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN

Use the same details and credentials that we used for the same command on the
Ubuntu 18.04 system.

If the above command is executed successfully then we should see output something like
below,

………………………………………………

[try 1]: Forwarding 'host_mod' to json server 'https://ipa.linuxtechi.lan/ipa/session/json'

Could not update DNS SSHFP records.

SSSD enabled

Configured /etc/openldap/ldap.conf

Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config

Configuring linuxtechi.lan as NIS domain.

Client configuration complete.

The ipa-client-install command was successful

[root@db01 ~]#

Run the below command so that the user's home directory is created automatically at the first
login,

[root@db01 ~]# authconfig --enablemkhomedir --update

[root@db01 ~]#

Now you should be able to login to the CentOS 7 system with the sysadm user.
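Both client procedures above (Ubuntu 18.04 and CentOS 7) run ipa-client-install against a server that is reached through a hand-written /etc/hosts entry, so here is an added bash example, not the article's own code, with the pre-flight checks a practitioner would run first: a fully-qualified-hostname check, a clock-skew check against the server (the MIT KDC default tolerance of 300 seconds is assumed) and an idempotent /etc/hosts append. The IPs and hostnames are the article's; bash, curl and GNU date are assumed on the client.

```shell
#!/bin/bash
# Added example, not the article's own code: pre-flight checks to run on a client
# (Ubuntu 18.04 or CentOS 7) before ipa-client-install. Names and IPs are the article's.

IPA_SERVER=ipa.linuxtechi.lan
IPA_IP=192.168.1.105

# Kerberos rejects authenticators whose timestamp is off by more than the KDC's
# clock skew (300 seconds by default, assumed here), so compare clocks before enrolling.
# Args: client epoch seconds, server epoch seconds, allowed skew (default 300).
skew_ok() {
    local diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "${3:-300}" ]
}

# ipa-client-install derives the host principal from `hostname -f`, so the client
# needs a real fully qualified name, not a bare name or localhost.
is_fqdn() {
    case "$1" in
        localhost|localhost.localdomain|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append "<ip> <fqdn> [alias]" to a hosts file only if the fqdn is not already mapped;
# the article's "echo ... | sudo tee -a" adds a duplicate line each time it is re-run.
ensure_host_entry() {   # ensure_host_entry <file> <ip> <fqdn> [alias]
    local file=$1 ip=$2 fqdn=$3 alias=$4
    grep -qE "^[^#]*[[:space:]]$fqdn([[:space:]]|$)" "$file" 2>/dev/null && return 0
    printf '%s %s%s\n' "$ip" "$fqdn" "${alias:+ $alias}" >> "$file"
}

# Live use on the client (uncomment). The server's clock is read from the HTTP Date
# header of the IPA web UI; -k because the IPA CA is not trusted until enrolment.
# is_fqdn "$(hostname -f)" || { echo "set a fully qualified hostname first"; exit 1; }
# server_date=$(curl -sIk "https://$IPA_SERVER/ipa/ui" | sed -n 's/^[Dd]ate: //p' | tr -d '\r')
# skew_ok "$(date +%s)" "$(date -d "$server_date" +%s)" || { echo "fix NTP first"; exit 1; }
# ensure_host_entry /etc/hosts "$IPA_IP" "$IPA_SERVER" ipa
```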

Steps to uninstall FreeIPA Client from Ubuntu 18.04 / CentOS 7

[root@db01 ~]# ipa-client-install --uninstall

[root@db01 ~]# rm -rf /var/lib/sss/db/*

[root@db01 ~]# systemctl restart sssd.service

That’s all from this article, please do share your feedback and comments.
