
In this server configuration guide, you will learn how to install FreeIPA on Rocky Linux 9.

What is FreeIPA?

FreeIPA is a free and open source identity management system and the upstream open-source project for Red Hat Identity Management. FreeIPA aims to provide a centrally managed Identity, Policy, and Audit (IPA) system. It uses a combination of Fedora Linux, 389 Directory Server, MIT Kerberos, NTP, DNS, the DogTag certificate system, SSSD and other free/open-source components.

FreeIPA includes extensible management interfaces (CLI, Web UI, XMLRPC and JSONRPC API) and a Python SDK for the integrated CA, and BIND with a custom plugin for the integrated DNS server. Each of the major components of FreeIPA operates as a preexisting free/open-source project. The bundling of these components into a single manageable suite with a comprehensive management interface is GPLv3, but that does not change the licenses of the components.

Since version 3.0.0, FreeIPA uses Samba to integrate with Microsoft’s Active Directory by way of Cross Forest Trusts. FreeIPA provides support for Linux, Unix-based, Windows and Mac OS X computers.

Environment Specification:

We are using a minimal Rocky Linux 9 virtual machine with the following specifications.

  • CPU – 3.4 GHz (2 cores)
  • Memory – 2 GB
  • Storage – 20 GB
  • Operating System – Rocky Linux release 9.0 (Blue Onyx)
  • Hostname – ipa-server-01.centlinux1.com
  • IP Address – 192.168.116.5/24

Update your Rocky Linux Server:

Connect to ipa-server-01.centlinux1.com as the root user by using an SSH client.

Refresh the yum cache by executing the following command.

# dnf makecache
Rocky Linux 9 - BaseOS                          1.5 kB/s | 3.6 kB     00:02
Rocky Linux 9 - AppStream                       1.3 kB/s | 3.6 kB     00:02
Rocky Linux 9 - Extras                          1.5 kB/s | 2.9 kB     00:01
Metadata cache created.

Execute the following dnf command to update your Rocky Linux server.

# dnf update -y

If the above command updates your Linux Kernel, then you should reboot your operating system before moving forward.

# reboot

After reboot, check your Linux Kernel and operating system versions.

# cat /etc/rocky-release
Rocky Linux release 9.0 (Blue Onyx)

# uname -r
5.14.0-70.22.1.el9_0.x86_64

Configure Server Time Zone:

The FreeIPA server provides NTP services to network devices, therefore it is recommended to set the time zone before performing the IPA server configuration.

# timedatectl set-timezone America/Chicago

Verify that the time zone is set successfully.

# timedatectl
               Local time: Sun 2022-09-11 11:16:55 CDT
           Universal time: Sun 2022-09-11 16:16:55 UTC
                 RTC time: Sun 2022-09-11 16:16:56
                Time zone: America/Chicago (CDT, -0500)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Set Static IP Address and Hostname:

Using the hostnamectl command, set an FQDN for your Linux server.

# hostnamectl set-hostname ipa-server-01.centlinux1.com

Set a static IP address, default gateway and DNS server for your network connection by executing the nmcli command.

# nmcli connection modify ens33 \
> ipv4.method manual \
> ipv4.address 192.168.116.5/24 \
> ipv4.gateway 192.168.116.2 \
> ipv4.dns 192.168.116.2

Restart the network connection to apply the changes.

# nmcli connection down ens33 ; nmcli c up ens33
Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

Execute the following command to configure local name resolution of the server's FQDN through /etc/hosts.

# echo "192.168.116.5 ipa-server-01.centlinux1.com ipa-server-01" >> /etc/hosts

Perform a ping test to verify your above server configurations.

# ping ipa-server-01.centlinux1.com
PING ipa-server-01.centlinux1.com (192.168.116.5) 56(84) bytes of data.
64 bytes from ipa-server-01.centlinux1.com (192.168.116.5): icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from ipa-server-01.centlinux1.com (192.168.116.5): icmp_seq=2 ttl=64 time=0.100 ms
^C
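
The installer relies on the hostname being a fully qualified name that resolves to the server's real address, not to a loopback entry. The following pre-flight check is an added example, not part of the original article: it parses a hosts file the same way the ping test above exercises it, using the article's hostname and IP and a constructed hosts file so it runs on any machine.

```bash
#!/bin/bash
# Added example, not part of the original article: pre-flight check of the
# hostname and /etc/hosts mapping that ipa-server-install depends on.
# The expected hostname and IP are the article's values; the hosts file
# content is constructed here so the script runs anywhere.

# is_fqdn NAME - true if NAME contains a dot and is not a localhost alias
is_fqdn() {
  case $1 in
    localhost|localhost.*|*.localdomain) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# hosts_lookup NAME HOSTSFILE - print the first address mapped to NAME
hosts_lookup() {
  local name=$1 file=$2 line ip n
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}            # drop comments
    set -- $line                # split into address + names
    [ $# -ge 2 ] || continue
    ip=$1; shift
    for n in "$@"; do
      [ "$n" = "$name" ] && { printf '%s\n' "$ip"; return 0; }
    done
  done < "$file"
  return 1
}

# check_host_mapping NAME IP HOSTSFILE - NAME must be an FQDN that maps to IP
# and not to a loopback address (the classic 127.0.1.1 mistake)
check_host_mapping() {
  local name=$1 want=$2 file=$3 got
  is_fqdn "$name" || { echo "FAIL: '$name' is not a fully qualified name"; return 1; }
  got=$(hosts_lookup "$name" "$file") || { echo "FAIL: '$name' not found in $file"; return 1; }
  case $got in
    127.*|::1) echo "FAIL: '$name' maps to loopback address $got"; return 1 ;;
  esac
  [ "$got" = "$want" ] || { echo "FAIL: '$name' maps to $got, expected $want"; return 1; }
  echo "OK: $name -> $got"
}

# Constructed /etc/hosts: the article's entry plus a deliberately wrong one.
HOSTS_SAMPLE=$(mktemp)
trap 'rm -f "$HOSTS_SAMPLE"' EXIT
cat > "$HOSTS_SAMPLE" <<'EOF'
127.0.0.1     localhost localhost.localdomain
::1           localhost localhost.localdomain
127.0.1.1     wrong-host.centlinux1.com      # constructed bad entry
192.168.116.5 ipa-server-01.centlinux1.com ipa-server-01
EOF

# On the real server you would run:
#   check_host_mapping "$(hostname)" 192.168.116.5 /etc/hosts
for name in ipa-server-01.centlinux1.com ipa-server-01 wrong-host.centlinux1.com; do
  check_host_mapping "$name" 192.168.116.5 "$HOSTS_SAMPLE" || :
done
```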

Install FreeIPA on Rocky Linux:

All packages that are required to install FreeIPA on Rocky Linux 9 are available in the standard yum repositories. Therefore, you can easily install it by using the dnf command.

# dnf install -y freeipa-server freeipa-server-dns freeipa-client

To set up your IPA server, you need to execute the ipa-server-install command.

You can execute ipa-server-install either in interactive mode or in unattended mode.

The following variation of the ipa-server-install command installs and configures your IPA server in unattended mode.

# ipa-server-install \
> --unattended \
> --realm CENTLINUX1.COM \
> --ds-password Ahmer@1234 \
> --admin-password Ahmer@1234 \
> --setup-dns \
> --auto-reverse \
> --forwarder 192.168.116.2

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.8

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

Warning: skipping DNS resolution of host ipa-server-01.centlinux1.com
The domain name has been determined based on the host name.

Checking DNS domain centlinux1.com., please wait ...
Checking DNS forwarders, please wait ...
Checking DNS domain 116.168.192.in-addr.arpa., please wait ...
Reverse zone 116.168.192.in-addr.arpa. will be created
Using reverse zone(s) 116.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.

The IPA Master Server will be configured with:
Hostname:       ipa-server-01.centlinux1.com
IP address(es): 192.168.116.5
Domain name:    centlinux1.com
Realm name:     CENTLINUX1.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=CENTLINUX1.COM
Subject base: O=CENTLINUX1.COM
Chaining:     self-signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.116.2
Forward policy:   only
Reverse zone(s):  116.168.192.in-addr.arpa.

Disabled p11-kit-proxy
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=centlinux1,dc=com ...
Perform post-installation tasks ...
  [2/41]: tune ldbm plugin
  [3/41]: adding default schema
  [4/41]: enabling memberof plugin
  [5/41]: enabling winsync plugin
  [6/41]: configure password logging
  [7/41]: configuring replication version plugin
  [8/41]: enabling IPA enrollment plugin
  [9/41]: configuring uniqueness plugin
  [10/41]: configuring uuid plugin
  [11/41]: configuring modrdn plugin
  [12/41]: configuring DNS plugin
  [13/41]: enabling entryUSN plugin
  [14/41]: configuring lockout plugin
  [15/41]: configuring topology plugin
  [16/41]: creating indices
  [17/41]: enabling referential integrity plugin
  [18/41]: configuring certmap.conf
  [19/41]: configure new location for managed entries
  [20/41]: configure dirsrv ccache and keytab
  [21/41]: enabling SASL mapping fallback
  [22/41]: restarting directory server
  [23/41]: adding sasl mappings to the directory
  [24/41]: adding default layout
  [25/41]: adding delegation layout
  [26/41]: creating container for managed entries
  [27/41]: configuring user private groups
  [28/41]: configuring netgroups from hostgroups
  [29/41]: creating default Sudo bind user
  [30/41]: creating default Auto Member layout
  [31/41]: adding range check plugin
  [32/41]: creating default HBAC rule allow_all
  [33/41]: adding entries for topology management
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: stopping certificate server instance to update CS.cfg
  [3/29]: backing up CS.cfg
  [4/29]: Add ipa-pki-wait-running
  [5/29]: secure AJP connector
  [6/29]: reindex attributes
  [7/29]: exporting Dogtag certificate store pin
  [8/29]: disabling nonces
  [9/29]: set up CRL publishing
  [10/29]: enable PKIX certificate path discovery and validation
  [11/29]: authorizing RA to modify profiles
  [12/29]: authorizing RA to manage lightweight CAs
  [13/29]: Ensure lightweight CAs container exists
  [14/29]: Ensuring backward compatibility
  [15/29]: starting certificate server instance
  [16/29]: configure certmonger for renewals
  [17/29]: requesting RA certificate from CA
  [18/29]: publishing the CA certificate
  [19/29]: adding RA agent as a trusted user
  [20/29]: configure certificate renewals
  [21/29]: Configure HTTP to proxy connections
  [22/29]: updating IPA configuration
  [23/29]: enabling CA instance
  [24/29]: importing IPA certificate profiles
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: adding default CA ACL
  [27/29]: adding 'ipa' CA entry
  [28/29]: configuring certmonger renewal for lightweight CAs
  [29/29]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: backing up ssl.conf
  [3/22]: disabling nss.conf
  [4/22]: configuring mod_ssl certificate paths
  [5/22]: setting mod_ssl protocol list
  [6/22]: configuring mod_ssl log directory
  [7/22]: disabling mod_ssl OCSP
  [8/22]: adding URL rewriting rules
  [9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/22]: setting up httpd keytab
  [11/22]: configuring Gssproxy
  [12/22]: setting up ssl
  [13/22]: configure certmonger for renewals
  [14/22]: publish CA cert
  [15/22]: clean up any existing httpd ccaches
  [16/22]: enable ccache sweep
  [17/22]: configuring SELinux for httpd
  [18/22]: create KDC proxy config
  [19/22]: enable KDC proxy
  [20/22]: starting httpd
  [21/22]: configuring httpd to start on boot
  [22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up kerberos principal
  [9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
  [10/12]: setting up server configuration
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
  [1/8]: creating samba domain object
  [2/8]: adding admin(group) SIDs
  [3/8]: adding RID bases
  [4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [5/8]: activating sidgen task
  [6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/8]: adding fallback group
  [8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.9.8

Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa-server-01.centlinux1.com
Realm: CENTLINUX1.COM
DNS Domain: centlinux1.com
IPA Server: ipa-server-01.centlinux1.com
BaseDN: dc=centlinux1,dc=com

Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring centlinux1.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful

After successful configuration, check the version of your IPA server.

# ipa --version
VERSION: 4.9.8, API_VERSION: 2.246

Configure Linux Firewall:

Rocky Linux 9 ships with a predefined firewalld service for FreeIPA. Allowing this service opens all the relevant ports at once.

# firewall-cmd --permanent --add-service=freeipa-4
success
# firewall-cmd --reload
success
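
The installer's "Next steps" list the TCP and UDP ports the server must answer on, and the firewalld service above only opens them; it does not tell you whether the daemons are actually listening. The following script is an added example, not part of the original article: it compares that port list against the output format of `ss -Hlntu`, using a constructed sample so it also runs on a machine without FreeIPA.

```bash
#!/bin/bash
# Added example, not part of the original article: compare the ports that
# ipa-server-install lists in its "Next steps" with what is actually
# listening, using the output format of `ss -Hlntu`. The sample output is
# constructed here so the script also runs on a machine without FreeIPA.

REQUIRED_TCP="53 80 88 389 443 464 636"
REQUIRED_UDP="53 88 123 464"

# listening_ports PROTO - reads `ss -Hlntu` output on stdin and prints the
# local ports of every PROTO (tcp|udp) socket, one per line, deduplicated
listening_ports() {
  local proto=$1 netid state rq sq laddr rest
  while read -r netid state rq sq laddr rest; do
    [ "$netid" = "$proto" ] || continue
    # local address looks like 0.0.0.0:88, [::]:88 or *:80; keep the port only
    printf '%s\n' "${laddr##*:}"
  done | sort -un
}

# missing_ports - reads `ss -Hlntu` output on stdin and prints the required
# ports that are not listening as "proto/port", space separated (empty = all good)
missing_ports() {
  local ss_out tcp udp p out=""
  ss_out=$(cat)
  tcp=$(printf '%s\n' "$ss_out" | listening_ports tcp)
  udp=$(printf '%s\n' "$ss_out" | listening_ports udp)
  for p in $REQUIRED_TCP; do
    printf '%s\n' "$tcp" | grep -qx "$p" || out="$out tcp/$p"
  done
  for p in $REQUIRED_UDP; do
    printf '%s\n' "$udp" | grep -qx "$p" || out="$out udp/$p"
  done
  printf '%s\n' "${out# }"
}

# Constructed `ss -Hlntu` output: every FreeIPA port except UDP 123 (chronyd
# does not bind the NTP server port unless it is configured to serve clients).
SAMPLE_SS='udp   UNCONN 0      0      0.0.0.0:53     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:88     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:464    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:53     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:88     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:389    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:464    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:636    0.0.0.0:*
tcp   LISTEN 0      511    *:80           *:*
tcp   LISTEN 0      511    *:443          *:*
tcp   LISTEN 0      128    [::]:389       [::]:*'

if [ "${1-}" = "--live" ]; then
  result=$(ss -Hlntu | missing_ports)      # check the real server
else
  result=$(printf '%s\n' "$SAMPLE_SS" | missing_ports)
fi
if [ -z "$result" ]; then
  echo "all FreeIPA ports are listening"
else
  echo "not listening: $result"
fi
```

Run it with `--live` on the IPA server itself to check the real socket table.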

Configure IPA Server:

Verify the status of IPA services.

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Before administering the FreeIPA server, you need to acquire a Kerberos ticket.

# kinit admin
Password for admin@CENTLINUX1.COM:

List the available Kerberos tickets.

# klist
Ticket cache: KCM:0
Default principal: admin@CENTLINUX1.COM

Valid starting       Expires              Service principal
09/11/2022 13:40:21  09/12/2022 12:43:44  krbtgt/CENTLINUX1.COM@CENTLINUX1.COM

You have acquired a Kerberos ticket that is valid for 23 hours.

Check FreeIPA server configurations.

# ipa config-show
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: centlinux1.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=CENTLINUX1.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: ipa-server-01.centlinux1.com
  IPA master capable of PKINIT: ipa-server-01.centlinux1.com
  IPA CA servers: ipa-server-01.centlinux1.com
  IPA CA renewal master: ipa-server-01.centlinux1.com
  IPA DNS servers: ipa-server-01.centlinux1.com

Configure DNS Server:

Allow zone transfers from the local network.

# ipa dnszone-mod --allow-transfer=192.168.116.0/24 centlinux1.com
  Zone name: centlinux1.com.
  Active zone: TRUE
  Authoritative nameserver: ipa-server-01.centlinux1.com.
  Administrator e-mail address: hostmaster.centlinux1.com.
  SOA serial: 1662920566
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant CENTLINUX1.COM krb5-self * A; grant CENTLINUX1.COM
                      krb5-self * AAAA; grant CENTLINUX1.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: 192.168.116.0/24;

Add an MX (Mail Exchange) record to your private DNS server.

# ipa dnsrecord-add centlinux1.com @ --mx-rec="0 mail-server.centlinux1.com"
  Record name: @
  MX record: 0 mail-server.centlinux1.com
  NS record: ipa-server-01.centlinux1.com.

Configure User Home Directories:

You need the nfs-utils package to configure an NFS server. FreeIPA has already installed nfs-utils as a dependency.

Enable and start nfs-server and rpcbind services.

# systemctl enable --now nfs-server rpcbind
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.

Allow the NFS-related services through the Linux firewall.

# firewall-cmd --permanent --add-service={nfs,mountd,rpc-bind}
success
# firewall-cmd --reload
success

Create a directory to store FreeIPA users’ home directories.

# mkdir /home/guests

Export users’ home directories.

# echo '/home/guests 192.168.116.0/24(rw,sync,no_subtree_check,root_squash)' >> /etc/exports
# exportfs -rav
exporting 192.168.116.0/24:/home/guests

Add the NFS service principal to the FreeIPA server.

# ipa service-add nfs/ipa-server-01.centlinux1.com
---------------------------------------------------------------
Added service "nfs/ipa-server-01.centlinux1.com@CENTLINUX1.COM"
---------------------------------------------------------------
  Principal name: nfs/ipa-server-01.centlinux1.com@CENTLINUX1.COM
  Principal alias: nfs/ipa-server-01.centlinux1.com@CENTLINUX1.COM
  Managed by: ipa-server-01.centlinux1.com

Add the keys of this principal to the host keytab.

# kadmin.local
Authenticating as principal admin/admin@CENTLINUX1.COM with password.
kadmin.local:  ktadd nfs/ipa-server-01.centlinux1.com
Entry for principal nfs/ipa-server-01.centlinux1.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux1.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux1.com with kvno 1, encryption type aes128-cts-hmac-sha256-128 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux1.com with kvno 1, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux1.com with kvno 1, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipa-server-01.centlinux1.com with kvno 1, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  exit

Configure default home directory and shell for new FreeIPA users.

# ipa config-mod --homedirectory=/home/guests --defaultshell=/bin/bash
  Maximum username length: 32
  Maximum hostname length: 64
  Home directory base: /home/guests
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: centlinux1.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=CENTLINUX1.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: ipa-server-01.centlinux1.com
  IPA master capable of PKINIT: ipa-server-01.centlinux1.com
  IPA CA servers: ipa-server-01.centlinux1.com
  IPA CA renewal master: ipa-server-01.centlinux1.com
  IPA DNS servers: ipa-server-01.centlinux1.com

Create a FreeIPA user:

Create a new FreeIPA user with the following command.

# ipa user-add ipauser1 --first=ahmer --last=m --password
Password:
Enter Password again to verify:
---------------------
Added user "ipauser1"
---------------------
  User login: ipauser1
  First name: ahmer
  Last name: m
  Full name: ahmer m
  Display name: ahmer m
  Initials: am
  Home directory: /home/guests/ipauser1
  GECOS: ahmer m
  Login shell: /bin/bash
  Principal name: ipauser1@CENTLINUX1.COM
  Principal alias: ipauser1@CENTLINUX1.COM
  User password expiration: 20220911184641Z
  Email address: ipauser1@centlinux1.com
  UID: 930600003
  GID: 930600003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Create the home directory for the FreeIPA user.

# mkdir -m0750 -p /home/guests/ipauser1
# chown 930600003:930600003 /home/guests/ipauser1

Your FreeIPA server has been configured successfully. Besides the Linux CLI, you can also administer it through Rocky Identity Management, the web-based user interface that ships with it.

Open URL https://ipa-server-01.centlinux1.com/ipa/ui in a web browser.

[Image: Rocky Identity Management login page]

Login as admin user.

[Image: Rocky Identity Management, Active users view]

Add a Linux Client in FreeIPA Server:

Add the new Linux machine as a host in the FreeIPA server.

# ipa host-add --ip-address 192.168.116.11 ipa-client1.centlinux1.com
---------------------------------------
Added host "ipa-client1.centlinux1.com"
---------------------------------------
  Host name: ipa-client1.centlinux1.com
  Principal name: host/ipa-client1.centlinux1.com@CENTLINUX1.COM
  Principal alias: host/ipa-client1.centlinux1.com@CENTLINUX1.COM
  Password: False
  Keytab: False
  Managed by: ipa-client1.centlinux1.com

Add the Linux machine to the DNS server.

# ipa dnsrecord-add centlinux1.com ipaclient1 --ttl=3600 --a-ip-address=192.168.116.11
  Record name: ipaclient1
  Time to live: 3600
  A record: 192.168.116.11

Configure Linux machine as FreeIPA Client:

To configure a Linux machine as a FreeIPA client, you need to install the following package on it.

# dnf install -y freeipa-client

Configure autofs to mount the FreeIPA users' home directories on the client machine automatically after a successful login.

# echo '* -rw 192.168.116.5:/home/guests/&' >> /etc/auto.guests
# echo '/home/guests /etc/auto.guests' >> /etc/auto.master

Enable and start autofs service.

# systemctl enable --now autofs.service
Created symlink /etc/systemd/system/multi-user.target.wants/autofs.service → /usr/lib/systemd/system/autofs.service.

Add the FreeIPA server as the DNS server in the network configuration of the Linux client.

# nmcli c m ens33 ipv4.dns 192.168.116.5
# nmcli c down ens33 ; nmcli c up ens33
Connection 'ens33' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

Test DNS resolution by using dig command.

# dig ipa-server-01.centlinux1.com

; <<>> DiG 9.16.23-RH <<>> ipa-server-01.centlinux1.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50501
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cf3d2ea5d1b3b69e01000000631f525df897f1176b2d53e6 (good)
;; QUESTION SECTION:
;ipa-server-01.centlinux1.com.  IN      A

;; ANSWER SECTION:
ipa-server-01.centlinux1.com. 1200 IN   A       192.168.116.5

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 12 10:38:05 CDT 2022
;; MSG SIZE  rcvd: 101

Configure the Linux client as follows.

# ipa-client-install \
> --enable-dns-updates \
> --mkhomedir \
> --ntp-server=192.168.116.5:323
This program will set up IPA client.
Version 4.8.0

Discovery was successful!
Client hostname: ipa-client1.centlinux1.com
Realm: CENTLINUX1.COM
DNS Domain: centlinux1.com
IPA Server: ipa-server-01.centlinux1.com
BaseDN: dc=centlinux,dc=com
NTP server: 192.168.116.5:323

Continue to configure the system with these values? [no]: yes
Synchronizing time
Augeas failed to configure file /etc/chrony.conf
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@CENTLINUX1.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=CENTLINUX1.COM
    Issuer:      CN=Certificate Authority,O=CENTLINUX1.COM
    Valid From:  2020-02-06 18:32:37
    Valid Until: 2040-02-06 18:32:37

Enrolled in IPA realm CENTLINUX1.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm CENTLINUX1.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring centlinux1.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Edit the SSH server configuration so that it uses your FreeIPA service.

# vi /etc/ssh/sshd_config

Find and set following directives in this file.

KerberosAuthentication no
UsePAM yes

Restart sshd.service to apply changes.

# systemctl restart sshd.service

Now login as ipauser1.

# su - ipauser1
$ mount | grep /ipauser1
192.168.116.5:/home/guests/ipauser1 on /home/guests/ipauser1 type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.116.11,local_lock=none,addr=192.168.116.5)

You can see that the home directory of user ipauser1 has been mounted by the autofs service. Note that the mount output shows sec=sys: the export is accessed with AUTH_SYS rather than Kerberos (sec=krb5*) security, so the nfs/ service principal created earlier is not used for this mount.

To develop expertise in FreeIPA, we recommend attending the FreeIPA – IdM, Identity Management online training.

Conclusion – Install FreeIPA on Rocky Linux 9:

You have learned how to install FreeIPA on Rocky Linux 9 and how to configure a client to use your domain services.
