FreeIPA Client is the machine that uses the services from a FreeIPA Server to authenticate users, systems, certificates, etc. We have successfully configured a Identity Management (IdM) Server using FreeIPA in my previous post “Configure Identity Management (IdM) with FreeIPA Server”. Now it’s time to configure a Linux Machine as FreeIPA client.
System Specification:
FreeIPA Server
- IP Address - 192.168.116.200/24
- Hostname - ipaserver.example.com
FreeIPA Client
- IP Address - 192.168.116.201/24
- Hostname - client1.example.com
FreeIPA Server-Side Configuration:
Connect to ipaserver.example.com and add an 'A' record for client1.example.com to the DNS server.
[root@ipaserver ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@ipaserver ~]# ipa dnsrecord-add example.com client1 --ttl=3600 --a-ip-address=192.168.116.201
Record name: client1
Time to live: 3600
A record: 192.168.116.201
[root@ipaserver ~]#
FreeIPA Client-Side Configuration:
Now connect to client1.example.com and point its DNS settings at the FreeIPA server, which hosts the example.com zone.
[root@client1 ~]# nmcli connection modify eno16777728 ipv4.dns 192.168.116.200
[root@client1 ~]# nmcli connection down eno16777728 ; nmcli connection up eno16777728
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Install the required packages. Our client is already configured to use a local yum repository.
[root@client1 ~]# yum install -y ipa-client
...
Installed:
ipa-client.x86_64 0:3.3.3-28.el7
Dependency Installed:
autofs.x86_64 1:5.0.7-40.el7
autogen-libopts.x86_64 0:5.18-5.el7
c-ares.x86_64 0:1.10.0-3.el7
certmonger.x86_64 0:0.70-2.el7
cyrus-sasl-gssapi.x86_64 0:2.1.26-17.el7
hesiod.x86_64 0:3.2.1-3.el7
ipa-python.x86_64 0:3.3.3-28.el7
keyutils.x86_64 0:1.5.8-3.el7
krb5-workstation.x86_64 0:1.11.3-49.el7
libbasicobjects.x86_64 0:0.1.0-22.el7
libcollection.x86_64 0:0.6.2-22.el7
libdhash.x86_64 0:0.4.3-22.el7
libevent.x86_64 0:2.0.21-4.el7
libini_config.x86_64 0:1.0.0.1-22.el7
libipa_hbac.x86_64 0:1.11.2-65.el7
libipa_hbac-python.x86_64 0:1.11.2-65.el7
libldb.x86_64 0:1.1.16-4.el7
libnfsidmap.x86_64 0:0.25-9.el7
libpath_utils.x86_64 0:0.2.1-22.el7
libref_array.x86_64 0:0.1.3-22.el7
libsss_idmap.x86_64 0:1.11.2-65.el7
libtalloc.x86_64 0:2.0.8-4.el7
libtdb.x86_64 0:1.2.12-3.el7
libtevent.x86_64 0:0.9.18-6.el7
libtirpc.x86_64 0:0.2.4-0.3.el7
libwbclient.x86_64 0:4.1.1-31.el7
nfs-utils.x86_64 1:1.3.0-0.el7
ntp.x86_64 0:4.2.6p5-18.el7
oddjob.x86_64 0:0.31.5-3.el7
oddjob-mkhomedir.x86_64 0:0.31.5-3.el7
pam_krb5.x86_64 0:2.4.8-4.el7
psmisc.x86_64 0:22.20-8.el7
pytalloc.x86_64 0:2.0.8-4.el7
python-dns.noarch 0:1.10.0-5.el7
python-kerberos.x86_64 0:1.1-13.el7
python-krbV.x86_64 0:1.0.90-8.el7
python-ldap.x86_64 0:2.4.6-6.el7
python-netaddr.noarch 0:0.7.5-7.el7
python-nss.x86_64 0:0.14.0-5.el7
python-sssdconfig.noarch 0:1.11.2-65.el7
rpcbind.x86_64 0:0.2.0-23.el7
samba-libs.x86_64 0:4.1.1-31.el7
sssd.x86_64 0:1.11.2-65.el7
sssd-ad.x86_64 0:1.11.2-65.el7
sssd-common.x86_64 0:1.11.2-65.el7
sssd-common-pac.x86_64 0:1.11.2-65.el7
sssd-ipa.x86_64 0:1.11.2-65.el7
sssd-krb5.x86_64 0:1.11.2-65.el7
sssd-krb5-common.x86_64 0:1.11.2-65.el7
sssd-ldap.x86_64 0:1.11.2-65.el7
sssd-proxy.x86_64 0:1.11.2-65.el7
Complete!
To keep it brief, I trimmed the output of the command above. Let’s configure FreeIPA Client now.
[root@client1 ~]# ipa-client-install --force-ntpd
Discovery was successful!
Hostname: client1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipaserver.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: Fri Jul 27 17:03:24 2018 UTC
Valid Until: Tue Jul 27 17:03:24 2038 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipaserver.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipaserver.example.com/ipa/xml'
Forwarding 'env' to server 'https://ipaserver.example.com/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server 'https://ipaserver.example.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
I used the --force-ntpd option to force the use of ntpd because my client is using the chronyd service and it conflicts with ntpd.
To let the system create users' home directories on first login, use the following command.
[root@client1 /]# authconfig --update --enablemkhomedir
client1.example.com has been successfully configured as FreeIPA Client.
Log in to client1.example.com as a central user. I am logging in as user ahmer, whom I created during configuration of the FreeIPA Server.
[root@client1 /]# su - ahmer
Creating home directory for ahmer.
Last login: Sat Jul 28 12:55:12 PDT 2018 on pts/0
[ahmer@client1 ~]$ id
uid=1692200001(ahmer) gid=1692200001(ahmer) groups=1692200001(ahmer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[ahmer@client1 ~]$
I use the id command to confirm the UID of the user and that the user ahmer is a central user.
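Beyond eyeballing the id output, a few checks are worth scripting on a freshly enrolled client: that the user's UID comes from the IPA ID range rather than the local range, that sssd.conf really points at the IPA server and realm, and that no local /etc/passwd account shadows the central user. The script below is an added example, not part of the original post; its checks take their input as text, and the sample id output, sssd.conf and passwd lines in it are constructed.

```shell
#!/bin/sh
# Post-enrollment checks for a FreeIPA client. Each check takes its input as
# text, so it runs against the constructed samples below and, on a live client,
# against "$(id ahmer)", "$(cat /etc/sssd/sssd.conf)" and "$(cat /etc/passwd)".

# Extract the numeric UID from the output of `id <user>`.
uid_from_id_output() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*$/\1/p'
}

# IPA assigns UIDs from the server's ID range (1692200001 in the post), far above
# the local range RHEL 7 starts at UID 1000. A UID below the floor ($2, default
# 10000) means the name resolved to a local account rather than to the directory.
is_central_uid() {
    uid=$(uid_from_id_output "$1")
    [ -n "$uid" ] && [ "$uid" -ge "${2:-10000}" ]
}

# Verify that sssd.conf ($1) uses the IPA provider with the expected server ($2)
# and Kerberos realm ($3); anything else means ipa-client-install did not finish.
sssd_conf_ok() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*ipa[[:space:]]*$' &&
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*ipa_server[[:space:]]*=.*$2" &&
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*krb5_realm[[:space:]]*=[[:space:]]*$3[[:space:]]*$"
}

# nsswitch consults files before sss, so a local /etc/passwd entry ($1) with the
# central user's name ($2) silently takes over that login. Returns 0 if shadowed.
shadowed_by_local_account() {
    printf '%s\n' "$1" | grep -q "^$2:"
}

# Constructed samples (not captured from a real client) for an offline run.
SAMPLE_ID='uid=1692200001(ahmer) gid=1692200001(ahmer) groups=1692200001(ahmer)'
SAMPLE_SSSD='[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipaserver.example.com
krb5_realm = EXAMPLE.COM'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ahmer:x:1001:1001::/home/ahmer:/bin/bash'

is_central_uid "$SAMPLE_ID" && echo "ahmer resolves to an IPA-range UID"
sssd_conf_ok "$SAMPLE_SSSD" ipaserver.example.com EXAMPLE.COM && echo "sssd.conf is enrolled"
shadowed_by_local_account "$SAMPLE_PASSWD" ahmer && echo "WARNING: local ahmer shadows central user"
```

On a real client, replace the three SAMPLE_ variables with the live id, sssd.conf and /etc/passwd contents; the local-shadow warning fires for the constructed passwd sample on purpose.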
We have successfully configured our Red Hat Enterprise Linux (RHEL) 7 machine as a FreeIPA client. Here, we used the ipa-client package for easy configuration. However, if you do not want to use ipa-client, then you have to configure the client settings for each component of FreeIPA (SSSD, Kerberos, LDAP, SSH, NTP) yourself.