We recently covered the installation of FreeIPA Server on Ubuntu 18.04 and Ubuntu 16.04 server. In this guide, I’ll show you how to install and configure the FreeIPA client on an Ubuntu 18.04 or Ubuntu 16.04 system. It also covers how to configure the FreeIPA client on CentOS 7.
FreeIPA is an open-source identity management system sponsored by Red Hat. It aims to provide easily managed identity, policy, and audit services.
For Vanilla LDAP, use: How to configure LDAP Client on Ubuntu 18.04 & Ubuntu 16.04 LTS
- Install FreeIPA Server
- Installed and updated Ubuntu 18.04 / Ubuntu 16.04 server / CentOS 7
- Root access
If you don’t have FreeIPA server ready, check:
Once the installation of FreeIPA Server is complete, setup FreeIPA Client using steps covered here.
Step 1: Update system
We always start server configurations by doing an update of system packages:
$ sudo apt-get update
$ sudo apt-get upgrade
If you get kernel updates, consider rebooting the server for the changes to take effect.
Configure a valid client hostname (FQDN):
$ sudo hostnamectl set-hostname node-01.computingforgeeks.com
Step 2: Install FreeIPA Client
The FreeIPA client is available in the apt repositories for Ubuntu. Install it using the command:
$ sudo apt-get install freeipa-client
When prompted to provide a Kerberos realm for the server, just skip by pressing the <Enter> key.
For CentOS 7 use:
$ sudo yum install ipa-client
The client will be configured in the next step.
Step 3: Configure FreeIPA Client on Ubuntu 18.04 / Ubuntu 16.04 / CentOS 7
Once the installation of the client package is complete, add the hostname and IP address of your IPA server to the /etc/hosts file:
# echo "192.168.58.121 ipa.computingforgeeks.com ipa" >> /etc/hosts
Replace 192.168.58.121 with the IP address of your FreeIPA replica or master server, and ipa.computingforgeeks.com with its hostname.
Then configure the IPA client on this server so that users can start authenticating against the IPA server:
root@node-01:~# ipa-client-install --hostname=`hostname -f` \
  --mkhomedir \
  --server=ipa.computingforgeeks.com \
  --domain computingforgeeks.com \
  --realm COMPUTINGFORGEEKS.COM
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: node-01.computingforgeeks.com
Realm: COMPUTINGFORGEEKS.COM
DNS Domain: computingforgeeks.com
IPA Server: ipa.computingforgeeks.com
BaseDN: dc=computingforgeeks,dc=com
This will start configuring FreeIPA Client on your server:
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@COMPUTINGFORGEEKS.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=COMPUTINGFORGEEKS.COM
    Issuer:      CN=Certificate Authority,O=COMPUTINGFORGEEKS.COM
    Valid From:  2018-06-30 08:27:06
    Valid Until: 2038-06-30 08:27:06

Enrolled in IPA realm COMPUTINGFORGEEKS.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm COMPUTINGFORGEEKS.COM
trying https://ipa.computingforgeeks.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa.computingforgeeks.com/ipa/json'
trying https://ipa.computingforgeeks.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://ipa.computingforgeeks.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa.computingforgeeks.com/ipa/session/json'
Systemwide CA database updated.
Hostname (node-01.computingforgeeks.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host node-01.computingforgeeks.com: 18.104.22.168, 10.16.0.5.
Incorrect reverse record(s):
10.16.0.5 is pointing to node-01. instead of node-01.computingforgeeks.com.
10.16.0.5 is pointing to node-01.local. instead of node-01.computingforgeeks.com.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.computingforgeeks.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring computingforgeeks.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
If everything went as expected, you should get a successful message like below:
The ipa-client-install command was successful
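The output above shows ipa-client-install failing to register A/AAAA and SSHFP records because the client's reverse records pointed at node-01. and node-01.local. rather than its FQDN. The following shell script is an added example (not from the original post and not part of FreeIPA) that performs the same forward/reverse consistency check before enrollment, using getent so it also sees /etc/hosts entries; the function and variable names are my own.

```shell
#!/bin/sh
# Pre-enrollment DNS sanity check for a FreeIPA client (added example).
# Run it as: RUN_IPA_DNS_CHECK=1 sh ipa-dns-check.sh

# Canonical form of a DNS name: lower-case, trailing dot removed.
normalize_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# 0 if the name is a fully qualified hostname (contains a dot and is not
# an mDNS ".local" name, which is what the enrollment output flagged).
is_fqdn() {
    local n
    n=$(normalize_name "$1")
    case "$n" in
        *.local) return 1 ;;
        *.*)     return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if the PTR target ($2) resolves to the expected FQDN ($1).
ptr_matches() {
    [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# Live check: every address the FQDN resolves to must have a PTR record
# that points back at exactly that FQDN. Returns 1 on any mismatch.
check_host_dns() {
    local fqdn="$1" rc=0 ip ptr
    is_fqdn "$fqdn" || { echo "hostname '$fqdn' is not an FQDN"; rc=1; }
    for ip in $(getent ahosts "$fqdn" | awk '{print $1}' | sort -u); do
        ptr=$(getent hosts "$ip" | awk '{print $2}')
        if [ -z "$ptr" ]; then
            echo "no reverse record for $ip"; rc=1
        elif ! ptr_matches "$fqdn" "$ptr"; then
            echo "$ip is pointing to $ptr instead of $fqdn"; rc=1
        fi
    done
    return "$rc"
}

# Only touch the resolver when explicitly asked, so the functions can be
# sourced and unit-tested without network access.
if [ "${RUN_IPA_DNS_CHECK:-0}" = 1 ]; then
    check_host_dns "$(hostname -f)"
fi
```

Run the script on the client before ipa-client-install; a non-zero exit means DNS will also fail to register the host's A/AAAA and SSHFP records during enrollment.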
Step 4: Enable mkhomedir (Ubuntu only)
By default, the sssd service will not create a home directory for the user on first login, so we need to enable this feature by adding a PAM configuration profile.
$ sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
$ sudo pam-auth-update
Ensure “activate mkhomedir” is selected (it should show [*]).
Then select <Ok> to save the changes.
Step 5: Testing FreeIPA Client (Ubuntu & CentOS 7)
Now that everything is configured, let’s create a test user account on the FreeIPA server and try to ssh to the client with the new account. You can add an account to the FreeIPA server from the UI or the CLI.
Add user account from CLI:
Log in to the FreeIPA server and get a Kerberos ticket for the admin user:
$ sudo kinit admin
Password for admin@COMPUTINGFORGEEKS.COM:
Enter admin password when prompted. Confirm that you have an active ticket using the command:
[root@ipa ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@COMPUTINGFORGEEKS.COM

Valid starting       Expires              Service principal
06/30/2018 09:33:40  07/01/2018 09:33:37  krbtgt/COMPUTINGFORGEEKS.COM@COMPUTINGFORGEEKS.COM
Add the user to FreeIPA:
- Set default shell to /bin/bash for all accounts:
$ sudo ipa config-mod --defaultshell=/bin/bash
- Create the user:
[root@ipa ~]# ipa user-add jmutai --first=Josphat \
  --last=Mutai --email=jmutai@computingforgeeks.com --password
Password:
Enter Password again to verify:
-------------------
Added user "jmutai"
-------------------
  User login: jmutai
  First name: Josphat
  Last name: Mutai
  Full name: Josphat Mutai
  Display name: Josphat Mutai
  Initials: JM
  Home directory: /home/jmutai
  GECOS: Josphat Mutai
  Login shell: /bin/bash
  Principal name: jmutai@COMPUTINGFORGEEKS.COM
  Principal alias: jmutai@COMPUTINGFORGEEKS.COM
  Email address: jmutai@computingforgeeks.com
  UID: 32200001
  GID: 32200001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
Log in to the enrolled client and check that the user resolves:
root@node-01:~# id jmutai
uid=32200001(jmutai) gid=32200001(jmutai) groups=32200001(jmutai)
This confirms that the user with UID 32200001 is visible on the client. Now ssh to the client as the new user; on first login you are forced to change the initial password and the home directory is created:
root@node-01:~# ssh jmutai@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:y4GzK0NLDHF+g8pKNstpPq0Z6Gui+4jq/0WjtqKf5CE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password:
Password expired.  Change your password now.
Current Password:
New password:
Retype new password:
Creating directory '/home/jmutai'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-23-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jun 30 10:04:49 UTC 2018

jmutai@node-01:~$ id
uid=32200001(jmutai) gid=32200001(jmutai) groups=32200001(jmutai)
Add the user account to FreeIPA from the UI:
To add an account from the web UI, log in to the FreeIPA web interface and navigate to:
Identity > Users > Active users > Add
Click the Add button to add the user.
Enable Passwordless Authentication using Private Key
If you would like to authenticate to a server without a password, copy your public key to the FreeIPA server:
If you need LDAP Authentication on your GitLab Server, read: