Welcome to our guide on how to install FreeIPA Server on Ubuntu 20.04|18.04|16.04 Linux system. FreeIPA is a free and open source identity management system for centrally managing users and computers in your network. In this article, we’ll cover both the installation and configuration of FreeIPA Server on Ubuntu 20.04|18.04|16.04 Linux.

There are a few prerequisites for installing FreeIPA Server on an Ubuntu 20.04|18.04|16.04 Linux server.

Setup Pre-requisites

Before you can install FreeIPA server, ensure that the following minimum requirements are met:

  • A fully-qualified domain name – e.g. ipa.computingforgeeks.com.
  • The hostname must be resolvable. If you don’t have a DNS server, you can define your hostname in the hosts file.
  • 4GB of RAM
  • 10GB disk space
  • 2 vCPUs

Install FreeIPA Server on Ubuntu 20.04|18.04|16.04

Well, before we start the installation of FreeIPA Server on Ubuntu 20.04|18.04|16.04, let’s do a little bit of in-house preparation.

Step 1: Set Proper hostname and FQDN

Check the current hostname of your server:

$ hostname -f

If the output is not a fully qualified domain name, set one:

sudo hostnamectl set-hostname ipa.example.com

Confirm your new hostname.

$ hostname -f

Add your FQDN in the /etc/hosts file to make it resolvable from anywhere:

$ sudo vim /etc/hosts
<server IP address> ipa.example.com ipa
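
A preflight check for the hosts-file entry above, as an added example that is not part of the original guide: it confirms the name is fully qualified and that the hosts file maps it to a non-loopback address, since ipa-server-install refuses a host name that resolves to loopback (a 127.0.1.1 line for the hostname is a common leftover on Ubuntu). The function names, exit codes and the 192.0.2.10 address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the Step 1 hosts-file entry.
# check_hosts_entry FQDN HOSTS_FILE
#   prints the first non-loopback address mapped to FQDN and returns 0
#   returns 1: name is not fully qualified   2: only loopback entries
#           3: no entry for the name
check_hosts_entry() {
    fqdn=$1
    hosts=$2
    case $fqdn in
        *.*) ;;
        *) echo "not fully qualified: $fqdn" >&2; return 1 ;;
    esac
    awk -v want="$fqdn" '
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                if (tolower($i) != tolower(want)) continue
                if ($1 ~ /^127\./ || $1 == "::1") loopback = 1
                else { print $1; found = 1; exit }
            }
        }
        END { if (found) exit 0; exit (loopback ? 2 : 3) }
    ' "$hosts"
}

# Constructed sample: a distribution-style 127.0.1.1 line plus a routable entry.
make_sample_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
127.0.0.1   localhost
127.0.1.1   ipa-old.example.com ipa-old
192.0.2.10  ipa.example.com ipa   # constructed documentation address
EOF
    echo "$f"
}

sample=$(make_sample_hosts)
for name in ipa.example.com ipa-old.example.com ipa; do
    if addr=$(check_hosts_entry "$name" "$sample"); then
        echo "OK   $name -> $addr"
    else
        echo "FAIL $name (exit $?)"
    fi
done
rm -f "$sample"
```

On the server itself, call the function with the output of hostname -f and /etc/hosts as arguments before running the installer.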

Step 2: Update your Ubuntu server

Ensure your system is updated.

sudo apt -y update
sudo apt -y upgrade

It is always recommended to do a reboot after the server is upgraded.

sudo reboot

Step 3: Install rng-tools

FreeIPA server performs a lot of cryptographic operations while running, so your VM must have enough entropy to ensure these operations don’t stall. To keep entropy high, install and configure rng-tools.

sudo apt -y install rng-tools

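Once the installation is done, edit the file /etc/default/rng-tools and set the input source for random data to /dev/urandom by adding the line HRNGDEVICE=/dev/urandom. Note that /dev/urandom is itself drawn from the kernel pool, so this setting keeps the kernel's entropy estimate from running low rather than adding new randomness; a hardware source such as /dev/hwrng is preferable where the VM exposes one. The file should look as shown:

$ sudo vim /etc/default/rng-tools
# This is a POSIX shell fragment
# Set to the input source for random data, leave undefined
# for the initscript to attempt auto-detection.  Set to /dev/null
# for the viapadlock and tpm drivers.
HRNGDEVICE=/dev/urandom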

Enable and start the rng-tools:

sudo systemctl enable rng-tools
sudo systemctl start rng-tools

Now that our server meets the prerequisites, let us get to the actual installation of FreeIPA Server on Ubuntu 20.04/18.04 / Ubuntu 16.04 Linux.

Step 4: Install FreeIPA Server on Ubuntu 20.04/18.04 / Ubuntu 16.04

Run the following command to install FreeIPA packages on your Ubuntu server.

sudo apt -y install freeipa-server

During the installation, you will be prompted to enter the Kerberos realm, the hostnames of the Kerberos servers and the hostname of the administrative server for the Kerberos realm.

  • Kerberos realm: COMPUTINGFORGEEKS.COM
  • Kerberos Server hostname: ipa.computingforgeeks.com
  • Administrative server hostname: ipa.computingforgeeks.com

If you encounter errors relating to Kerberos and tomcat, you can safely ignore them.

After the installation is complete, run the FreeIPA installation command.

sudo ipa-server-install

This will prompt you for a number of configuration options and install FreeIPA. The first prompt is about FreeIPA’s integrated DNS; since we do not need this service in this setup, we won’t configure it.

To accept the default options shown in square brackets, just press the Enter key.

Do you want to configure integrated DNS (BIND)? [no]: Enter

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.

Server host name [ipa.computingforgeeks.com]: Enter
The domain name has been determined based on the host name.
Please confirm the domain name [computingforgeeks.com]: Enter
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
Please provide a realm name [COMPUTINGFORGEEKS.COM]: Enter
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long
Directory Manager password: <secure password>
Password (confirm): <secure password>
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password: <secure password>
Password (confirm): <secure password>

The IPA Master Server will be configured with:

Hostname:    ipa.computingforgeeks.com
IP address(es):
Domain name: computingforgeeks.com

The CA will be configured with:

Subject DN:   CN=Certificate Authority,O=COMPUTINGFORGEEKS.COM
Chaining:  self-signed

Continue to configure the system with these values? [no]: yes

...output cut…
Client configuration complete.

The ipa-client-install command was successful

Setup complete

Next steps:

    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Now that the FreeIPA server setup is complete, open the ports required for various FreeIPA server services through the firewall.

If ufw is not running, you can enable it and allow all incoming connections to the above ports.

Step 5: Configure Firewall

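Enable ufw if you have it installed. If you administer the server over SSH, make sure an allow rule for SSH exists first, because enabling ufw can disrupt existing SSH connections.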

sudo ufw enable

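Open all required TCP ports. The rules below accept connections from any source; on a server reachable from untrusted networks, replace the first any with the subnet your clients connect from.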

for i in 80 443 389 636 88 464; do sudo ufw allow proto tcp from any to any port $i; done

Do the same for UDP ports.

for i in 88 464 123; do sudo ufw allow proto udp from any to any port $i; done

Reload ufw after making the changes.

sudo ufw reload
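
A check for the result of the firewall steps above, as an added example that is not part of the original guide: it reads ufw status output and reports which of the ports listed by the installer have no ALLOW rule and which accept traffic from Anywhere. The function names, the finding labels and the sample status text (including the 192.0.2.0/24 network) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status` output against the FreeIPA port list.
IPA_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 88/udp 464/udp 123/udp"

# audit_ufw_status: reads `ufw status` text on stdin, prints one finding per line:
#   MISSING <port/proto>   required port has no ALLOW rule
#   ANY <port/proto>       an ALLOW rule accepts traffic from Anywhere
audit_ufw_status() {
    awk -v want="$IPA_PORTS" '
        $2 == "ALLOW" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            allowed[$1] = 1
            if ($3 == "Anywhere") any[$1] = 1
        }
        END {
            n = split(want, p, " ")
            for (i = 1; i <= n; i++) {
                if (!(p[i] in allowed)) print "MISSING " p[i]
                else if (p[i] in any)   print "ANY " p[i]
            }
        }'
}

# Constructed sample in the layout printed by `ufw status`.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
389/tcp                    ALLOW       192.0.2.0/24
88/tcp                     ALLOW       192.0.2.0/24
464/tcp                    ALLOW       192.0.2.0/24
88/udp                     ALLOW       192.0.2.0/24
123/udp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

sample_status | audit_ufw_status
```

On the server, pipe the output of sudo ufw status into audit_ufw_status; no output means every listed port is allowed and none is open to Anywhere.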

Now that the ports have been opened through the firewall, let us verify our FreeIPA server by obtaining a Kerberos ticket for the admin user.

For the normal administrative activity, an administrative account admin has been created. When prompted for the password, use the one you specified during the configuration step for the admin user.

# kinit admin
Password for admin@COMPUTINGFORGEEKS.COM:

Check Kerberos tickets:

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@COMPUTINGFORGEEKS.COM

Valid starting     Expires            Service principal
06/29/18 22:52:40  06/30/18 22:52:36  krbtgt/COMPUTINGFORGEEKS.COM@COMPUTINGFORGEEKS.COM

If that is successful, check whether the user admin exists on the FreeIPA server.

# ipa user-find admin

1 user matched

  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@COMPUTINGFORGEEKS.COM
  UID: 1506000000
  GID: 1506000000
  Account disabled: False
  Number of entries returned 1

Well, it seems all is well. You can now perform any IPA task from the web dashboard as well as from the command line. To log in to the web dashboard, use the address https://ipa.example.com

The web login username is admin and the password is the one supplied during the configuration step for the admin user.

[Screenshot: FreeIPA login page]

The next view will look similar to the one below.

[Screenshot: IPA server users view]

IPA Server information:

[Screenshot: FreeIPA web interface]

You have successfully installed FreeIPA Server on Ubuntu 20.04/18.04/16.04. The next step is to configure a FreeIPA client:

Configure FreeIPA Client on Ubuntu

Also read: How to Reset FreeIPA admin Password as root user


  1. This DOES NOT work for Ubuntu 20.04 – there are issues with DNS Bind in Ubuntu. FreeIPA states that they only support Fedora / RedHat Enterprise at this point. The freeipa-server package is not included in the repos for Ubuntu 20.04. Please update this article.

  2. These instructions don’t work for 20.04 because there is no freeipa-server package. It was excluded because of conflicting code. I’m attempting now to use 18.04 as the starting point.

  3. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/28]: configuring certificate server instance
    multi-wanipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: CalledProcessError(Command [‘/usr/sbin/pkispawn’, ‘-s’, ‘CA’, ‘-f’, ‘/tmp/tmpd5Dimh’] returned non-zero exit status 1: u”pkispawn : ERROR ……. subprocess.CalledProcessError: Command ‘[‘sysctl’, ‘crypto.fips_enabled’, ‘-bn’]’ returned non-zero exit status 255!\npkispawn : ERROR ……….. server did not start after 60s\npkispawn : ERROR ……. server failed to restart\n”)
    ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
    ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
    ipapython.admintool: ERROR CA configuration failed.
    ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

    kinit admin
    kinit: Generic preauthentication failure while getting initial credentials
    After reboot:
    kinit: Cannot contact any KDC for realm ‘CRUZIT.COM’ while getting initial credentials

