Sunday, 29 July 2018

Configure a Linux Machine as FreeIPA Client


A FreeIPA client is a machine that uses the services of a FreeIPA server to authenticate users, hosts, certificates, etc. We successfully configured an Identity Management (IdM) server using FreeIPA in my previous post “Configure Identity Management (IdM) with FreeIPA Server”. Now it’s time to configure a Linux machine as a FreeIPA client.


This Article Provides:


    System Specification:

    FreeIPA Server

    • IP Address -
    • Hostname -
    FreeIPA Client
    • IP Address -
    • Hostname -


    FreeIPA Server-Side Configuration:

    Connect to and add an 'A' record for to the DNS server, so that the client's fully qualified hostname resolves before enrollment.

    [root@ipaserver ~]# kinit admin
    Password for admin@EXAMPLE.COM:
    [root@ipaserver ~]# ipa dnsrecord-add client1 --ttl=3600 --a-ip-address=
      Record name: client1
      Time to live: 3600
      A record:
    [root@ipaserver ~]#


    FreeIPA Client-Side Configuration:

    Connect to now and point it at the FreeIPA DNS server, since the client installer discovers the realm and server through DNS SRV records.

    [root@client1 ~]# nmcli connection modify eno16777728 ipv4.dns
    [root@client1 ~]# nmcli connection down eno16777728 ; nmcli connection up eno16777728
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

    Install the required packages. Our client is already configured to use a local yum repository.

    [root@client1 ~]# yum install -y ipa-client
    ...
    Installed:
      ipa-client.x86_64 0:3.3.3-28.el7

    Dependency Installed:
      autofs.x86_64 1:5.0.7-40.el7              autogen-libopts.x86_64 0:5.18-5.el7
      c-ares.x86_64 0:1.10.0-3.el7              certmonger.x86_64 0:0.70-2.el7
      cyrus-sasl-gssapi.x86_64 0:2.1.26-17.el7  hesiod.x86_64 0:3.2.1-3.el7
      ipa-python.x86_64 0:3.3.3-28.el7          keyutils.x86_64 0:1.5.8-3.el7
      krb5-workstation.x86_64 0:1.11.3-49.el7   libbasicobjects.x86_64 0:0.1.0-22.el7
      libcollection.x86_64 0:0.6.2-22.el7       libdhash.x86_64 0:0.4.3-22.el7
      libevent.x86_64 0:2.0.21-4.el7            libini_config.x86_64 0:
      libipa_hbac.x86_64 0:1.11.2-65.el7        libipa_hbac-python.x86_64 0:1.11.2-65.el7
      libldb.x86_64 0:1.1.16-4.el7              libnfsidmap.x86_64 0:0.25-9.el7
      libpath_utils.x86_64 0:0.2.1-22.el7       libref_array.x86_64 0:0.1.3-22.el7
      libsss_idmap.x86_64 0:1.11.2-65.el7       libtalloc.x86_64 0:2.0.8-4.el7
      libtdb.x86_64 0:1.2.12-3.el7              libtevent.x86_64 0:0.9.18-6.el7
      libtirpc.x86_64 0:0.2.4-0.3.el7           libwbclient.x86_64 0:4.1.1-31.el7
      nfs-utils.x86_64 1:1.3.0-0.el7            ntp.x86_64 0:4.2.6p5-18.el7
      oddjob.x86_64 0:0.31.5-3.el7              oddjob-mkhomedir.x86_64 0:0.31.5-3.el7
      pam_krb5.x86_64 0:2.4.8-4.el7             psmisc.x86_64 0:22.20-8.el7
      pytalloc.x86_64 0:2.0.8-4.el7             python-dns.noarch 0:1.10.0-5.el7
      python-kerberos.x86_64 0:1.1-13.el7       python-krbV.x86_64 0:1.0.90-8.el7
      python-ldap.x86_64 0:2.4.6-6.el7          python-netaddr.noarch 0:0.7.5-7.el7
      python-nss.x86_64 0:0.14.0-5.el7          python-sssdconfig.noarch 0:1.11.2-65.el7
      rpcbind.x86_64 0:0.2.0-23.el7             samba-libs.x86_64 0:4.1.1-31.el7
      sssd.x86_64 0:1.11.2-65.el7               sssd-ad.x86_64 0:1.11.2-65.el7
      sssd-common.x86_64 0:1.11.2-65.el7        sssd-common-pac.x86_64 0:1.11.2-65.el7
      sssd-ipa.x86_64 0:1.11.2-65.el7           sssd-krb5.x86_64 0:1.11.2-65.el7
      sssd-krb5-common.x86_64 0:1.11.2-65.el7   sssd-ldap.x86_64 0:1.11.2-65.el7
      sssd-proxy.x86_64 0:1.11.2-65.el7

    Complete!

    To keep it brief, I trimmed the output of the command above. Let’s configure the FreeIPA client now. The installer discovers the realm, DNS domain and server from DNS, retrieves the CA certificate from the server, joins the host to the realm and writes the Kerberos, SSSD, LDAP and SSH client configuration.

    [root@client1 ~]# ipa-client-install --force-ntpd
    Discovery was successful!
    Hostname:
    Realm: EXAMPLE.COM
    DNS Domain:
    IPA Server:
    BaseDN: dc=example,dc=com

    Continue to configure the system with these values? [no]: yes
    User authorized to enroll computers: admin
    Synchronizing time with KDC...
    Password for admin@EXAMPLE.COM:
    Successfully retrieved CA cert
        Subject:     CN=Certificate Authority,O=EXAMPLE.COM
        Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
        Valid From:  Fri Jul 27 17:03:24 2018 UTC
        Valid Until: Tue Jul 27 17:03:24 2038 UTC

    Enrolled in IPA realm EXAMPLE.COM
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
    trying
    Forwarding 'ping' to server ''
    Forwarding 'env' to server ''
    Adding SSH public key from /etc/ssh/
    Adding SSH public key from /etc/ssh/
    Forwarding 'host_mod' to server ''
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    NTP enabled
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Client configuration complete.

    I used the --force-ntpd option to force the use of ntpd because my client is using the chronyd service and it conflicts with ntpd.

    To let the system create users’ home directories on their first login, use the following command.

    [root@client1 /]# authconfig --update --enablemkhomedir

    has been successfully configured as a FreeIPA client.

    Log in to with a central user. I am logging in with the user ahmer that I created during the configuration of the FreeIPA server.

    [root@client1 /]# su - ahmer
    Creating home directory for ahmer.
    Last login: Sat Jul 28 12:55:12 PDT 2018 on pts/0
    [ahmer@client1 ~]$ id
    uid=1692200001(ahmer) gid=1692200001(ahmer) groups=1692200001(ahmer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [ahmer@client1 ~]$

    I use the id command to confirm the UID of the user and that the user ahmer is a central user.
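    The whole procedure above (publishing the client's 'A' record on the server, enrolling the client, enabling home-directory creation and verifying a central user) can be scripted so that it runs unattended and so that the results are actually checked rather than eyeballed. The script below is an added example and is not part of the original post or of the FreeIPA project; it assumes the realm EXAMPLE.COM, the DNS domain example.com and the server name ipaserver.example.com (the post elides the real names), and it assumes the CA certificate has been copied to /root/ipa-ca.crt out of band so that --ca-cert-file pins it instead of trusting whatever the network returns during "Successfully retrieved CA cert". The --mkhomedir option does what the separate authconfig --enablemkhomedir step does. The helper functions that check files and hostnames take their inputs as arguments, so they can be exercised on constructed sample files without an IPA server.

```shell
#!/bin/bash
# Added example (not from the original post): scripted FreeIPA client
# enrollment on RHEL 7 plus post-enrollment checks.
# Assumed values (the post elides the real ones): realm EXAMPLE.COM,
# domain example.com, server ipaserver.example.com, CA copy /root/ipa-ca.crt.
set -u

IPA_DOMAIN="${IPA_DOMAIN:-example.com}"
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"
IPA_SERVER="${IPA_SERVER:-ipaserver.example.com}"
IPA_CA_FILE="${IPA_CA_FILE:-/root/ipa-ca.crt}"   # assumed path of the out-of-band CA copy

# Run on the IPA server after 'kinit admin': publish the client's A record
# so the name the host principal is built from resolves. $1 = short name, $2 = IPv4.
server_add_a_record() {
  ipa dnsrecord-add "$IPA_DOMAIN" "$1" --ttl=3600 --a-ip-address="$2"
}

# The host principal is host/<fqdn>@REALM, so the client's hostname must be a
# fully qualified name inside the IPA DNS domain. Pure string check:
# $1 = hostname, $2 = domain.
fqdn_in_domain() {
  case "$1" in
    *.*) [ "${1#*.}" = "$2" ] ;;
    *)   return 1 ;;
  esac
}

# Discovery relies on the SRV records the IPA DNS server publishes; if they do
# not resolve, the DNS setting on the client (nmcli ipv4.dns) is wrong.
srv_records_resolve() {
  dig +short SRV "_kerberos._udp.$IPA_DOMAIN" | grep -q . &&
  dig +short SRV "_ldap._tcp.$IPA_DOMAIN"     | grep -q .
}

# Unattended enrollment. --ca-cert-file pins the CA to the out-of-band copy,
# --mkhomedir replaces the separate authconfig step, --force-ntpd as in the
# post (chronyd conflict). ADMIN_PW is read from the environment, not argv,
# so the admin password does not show up in 'ps' output.
enroll() {
  fqdn_in_domain "$(hostname -f)" "$IPA_DOMAIN" || { echo "hostname is not in $IPA_DOMAIN" >&2; return 1; }
  srv_records_resolve || { echo "IPA SRV records do not resolve; fix the DNS setting first" >&2; return 1; }
  ipa-client-install --unattended \
    --domain="$IPA_DOMAIN" --realm="$IPA_REALM" --server="$IPA_SERVER" \
    --ca-cert-file="$IPA_CA_FILE" \
    --principal=admin --password="${ADMIN_PW:?set ADMIN_PW in the environment}" \
    --mkhomedir --force-ntpd
}

# Enrollment writes the host keytab and sssd.conf; both hold or control
# credentials and must stay root-only (mode 0600). $1 = path.
mode_is_0600() {
  [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Print default_realm from a krb5.conf ($1) to confirm which realm was enrolled.
krb5_default_realm() {
  sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n1
}

# Confirm sssd.conf ($1) uses the IPA id provider rather than plain ldap/krb5.
sssd_uses_ipa() {
  grep -Eq '^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*ipa[[:space:]]*$' "$1"
}

# A "central" user resolves through NSS (i.e. via sssd) but has no
# /etc/passwd line; this is what the post's 'id ahmer' check establishes.
user_is_central() {
  getent passwd "$1" >/dev/null 2>&1 && ! grep -q "^$1:" /etc/passwd
}

# Post-enrollment verification against the live system. $1 = a central user to test.
post_checks() {
  local rc=0
  mode_is_0600 /etc/krb5.keytab    || { echo "FAIL: /etc/krb5.keytab mode";    rc=1; }
  mode_is_0600 /etc/sssd/sssd.conf || { echo "FAIL: /etc/sssd/sssd.conf mode"; rc=1; }
  [ "$(krb5_default_realm /etc/krb5.conf)" = "$IPA_REALM" ] || { echo "FAIL: default_realm"; rc=1; }
  sssd_uses_ipa /etc/sssd/sssd.conf || { echo "FAIL: sssd id_provider is not ipa"; rc=1; }
  user_is_central "$1" || { echo "FAIL: $1 is not a central user"; rc=1; }
  return "$rc"
}

case "${1:-}" in
  add-record) server_add_a_record "$2" "$3" ;;   # on the server
  enroll)     enroll ;;                          # on the client
  check)      post_checks "${2:-admin}" ;;       # on the client
esac
```

    Usage: on the server, `./ipa-client.sh add-record client1 <ip>`; on the client, `ADMIN_PW=... ./ipa-client.sh enroll` followed by `./ipa-client.sh check ahmer`, which exits non-zero if the keytab or sssd.conf is readable by other users, the wrong realm was configured, SSSD is not using the IPA provider, or the user is a local rather than a central account.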

    We have successfully configured our Red Hat Enterprise Linux (RHEL) 7 machine as a FreeIPA client. Here, we have used the ipa-client package for easy configuration. If you do not want to use ipa-client, then you have to configure the client side of each FreeIPA component yourself: Kerberos (/etc/krb5.conf), SSSD (/etc/sssd/sssd.conf), LDAP (/etc/openldap/ldap.conf) and SSH (/etc/ssh/ssh_config and /etc/ssh/sshd_config), all of which the installer wrote for us above.

