(Last Updated On: December 12, 2018)

We recently covered the installation of FreeIPA Server on Ubuntu 18.04 and Ubuntu 16.04 server. In this guide, I’ll show you how you can install and configure FreeIPA Client on Ubuntu 18.04 and Ubuntu 16.04 System. It also covers how to Configure FreeIPA Client on CentOS 7.

FreeIPA is an open source Identity management system sponsored by Red Hat. It aims to provide an easily managed Identity, Policy, and Audit.

For Vanilla LDAP, use: How to configure LDAP Client on Ubuntu 18.04 & Ubuntu 16.04 LTS

Setup Prerequisite

  • Install FreeIPA Server
  • Installed and updated Ubuntu 18.04 / Ubuntu 16.04 server / CentOS 7
  • Root access

If you don’t have FreeIPA server ready, check:

How to Install FreeIPA Server on Ubuntu 18.04 and Ubuntu 16.04

How to install FreeIPA Server on CentOS 7

Once the installation of FreeIPA Server is complete, setup FreeIPA Client using steps covered here.

Step 1: Update system

We always start server configurations by doing an update of system packages:

$ sudo apt-get update
$ sudo apt-get upgrade

If you get kernel updates, consider rebooting the server for changes to take place.

Configure valid client hostname (FQDN) :

$ sudo hostnamectl set-hostname node-01.computingforgeeks.com

Step 2: Install FreeIPA Client

FreeIPA client is available on apt repositories for Ubuntu. Install it using the command:

$ sudo  apt-get install freeipa-client

When prompted to provide a Kerberos realm for the server, just skip by pressing <Enter> key.

For CentOS 7 use:

$ sudo yum install ipa-client

This will be configured in the next step:

Step 3: Configure FreeIPA Client on Ubuntu 18.04 / Ubuntu 16.04 / CentOS 7

Once the installation of client package is complete. Add hostname and IP address of your IPA Server to /etc/hosts file:

# echo "192.168.58.121 ipa.computingforgeeks.com ipa" >> /etc/hosts

Replace 192.168.58.121 IP address of your FreeIPA replica or master server, and ipa.computingforgeeks.com with its hostname:

Then configure IPA client on this server so that users can start authenticating against it:

[email protected]:~# ipa-client-install --hostname=`hostname -f` \
--mkhomedir \
--server=ipa.computingforgeeks.com \
--domain computingforgeeks.com \
--realm COMPUTINGFORGEEKS.COM

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node-01.computingforgeeks.com
Realm: COMPUTINGFORGEEKS.COM
DNS Domain: computingforgeeks.com
IPA Server: ipa.computingforgeeks.com
BaseDN: dc=computingforgeeks,dc=com

This will start configuring FreeIPA Client on your server:

Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for [email protected]: 
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=COMPUTINGFORGEEKS.COM
Issuer: CN=Certificate Authority,O=COMPUTINGFORGEEKS.COM
Valid From: 2018-06-30 08:27:06
Valid Until: 2038-06-30 08:27:06

Enrolled in IPA realm COMPUTINGFORGEEKS.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm COMPUTINGFORGEEKS.COM
trying https://ipa.computingforgeeks.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa.computingforgeeks.com/ipa/json'
trying https://ipa.computingforgeeks.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa.computingforgeeks.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa.computingforgeeks.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node-01.computingforgeeks.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node-01.computingforgeeks.com: 178.128.164.219, 10.16.0.5.
Incorrect reverse record(s):
10.16.0.5 is pointing to node-01. instead of node-01.computingforgeeks.com.
10.16.0.5 is pointing to node-01.local. instead of node-01.computingforgeeks.com.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.computingforgeeks.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring computingforgeeks.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

If everything went as expected, you should get a successful message like below:

The ipa-client-install command was successful

Step 4:  Enable mkhomedir ( For Ubuntu only)

By default, sssd service will not create a home directory for the user on the first login, we need to enable this feature by modifying PAM configuration file.

$ sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

Then run:

$ sudo pam-auth-update

Select <OK>

Ensure  “activate mkhomedir” is selected, it should have [*]

Then Select <Ok> to save changes.

Step 4:  Testing FreeIPA Client ( Ubuntu & CentOS 7)

Now that we have everything we need to be configured, let’ create test user account on FreeIPA Server and try ssh to the client with the added user account. You can add an account to FreeIPA server from UI or CLI

Add user account from CLI:

Login to FreeIPA server and get a Kerberos ticket for admin user:

$ sudo kinit admin
Password for [email protected]:

Enter admin password when prompted. Confirm that you have an active ticket using the command:

[[email protected] ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting Expires Service principal
06/30/2018 09:33:40 07/01/2018 09:33:37 krbtgt/[email protected]
Add user to FreeIPA:
  • Set default shell to /bin/bash for all accounts:
$ sudo ipa config-mod --defaultshell=/bin/bash
  • Create user
[[email protected] ~]# ipa user-add jmutai --first=Josphat \
--last=Mutai [email protected] --password
Password: 
Enter Password again to verify: 
-------------------
Added user "jmutai"
-------------------
User login: jmutai
First name: Josphat
Last name: Mutai
Full name: Josphat Mutai
Display name: Josphat Mutai
Initials: JM
Home directory: /home/jmutai
GECOS: Josphat Mutai
Login shell: /bin/bash
Principal name: [email protected]
Principal alias: [email protected]
Email address: [email protected]
UID: 32200001
GID: 32200001
Password: True
Member of groups: ipausers
Kerberos keys available: True

Login to enrolled client and check user existence:

[email protected]:~# id jmutai
uid=32200001(jmutai) gid=32200001(jmutai) groups=32200001(jmutai)
You can confirm the existence of a user with ID 32200001

[email protected]:~# ssh [email protected]
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:y4GzK0NLDHF+g8pKNstpPq0Z6Gui+4jq/0WjtqKf5CE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

Password: 
Password expired. Change your password now.
Current Password: 
New password: 
Retype new password: 
Creating directory '/home/jmutai'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-23-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Jun 30 10:04:49 UTC 2018

[email protected]:~$ id
uid=32200001(jmutai) gid=32200001(jmutai) groups=32200001(jmutai)

Add the user account to FreeIPA from UI:

To add an account on Web UI, login to FreeIPA web interface and navigate to:

Identity > Users > Active users > Add

Click Add button to add the user.

Enable Passwordless Authentication using Private Key

If you would like to authenticate to a server without a password, copy your Public key to FreeIPA Server:

Click the Add button under “SSH public keys“, paste your public key into the box and save.

If you need LDAP Authentication on your GitLab Server, read:

How to Configure GitLab FreeIPA Authentication