In this article, we will learn how to install and configure freeipa client on Ubuntu 20.04.
FreeIPA is an open source Identity management system sponsored by Red Hat. It aims to provide an easily managed Identity, Policy, and Audit.
This integrations allow a System Administrator to conveniently configure the server centrally, on the FreeIPA server. When a management command is executed on the Client machine, the FreeIPA client sends it to the server where it is executed.
Related Content
- How to manage users and groups in FreeIPA Server
- How To Install FreeIPA Client on Rocky Linux/Alma Linux/CentOS 8
- How to Install and Configure FreeIPA on Rocky Linux/Centos 8
- How To Install FreeIPA Client on Fedora 35
Prerequisites
To follow along, ensure you have the following
- An updated Ubuntu 20.04 server/Workstation
- A FreeIPA Server that the client will join
- Sudo access to the server or user with sudo access
- Internet access from the sever
Table of Content
- Update system
- Installing FreeIPA packages
- Setting up the Client
- Enable Creation of home directories on the first Login
- Test Client Addition
- Using FreeIPA ipa Command Line Management Tool
- Enable Passwordless Authentication using Private Key
- Removing FreeIPA Client
1. Update system
Ensure that the system packages are updated
sudo apt update
sudo apt upgrade
2. Installing FreeIPA packages
FreeIPA client is available on repositories for Ubuntu. Install it using the command:
sudo apt install -y freeipa-client
When prompted to provide a Kerberos realm for the server, just skip by pressing <**Enter> **key.
Confirm client addition using this command
$ apt-cache policy freeipa-client
freeipa-client:
Installed: 4.8.6-1ubuntu2
Candidate: 4.8.6-1ubuntu2
Version table:
*** 4.8.6-1ubuntu2 500
500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
100 /var/lib/dpkg/status
2. Seting up client
Once the installation of the FreeIPA Client packages is complete. Add hostname and IP address of your IPA Server to **/etc/hosts **file if you don’t have a working DNS resolution.
Open the hosts file with your client:
sudo vim <meta charset="utf-8">/etc/hosts
Then append this:
10.2.40.149 ipa.citizix.com 10.2.40.70 ubuntu-client.citizix.com
Set your system hostname.
sudo hostnamectl set-hostname ubuntu-client.citizix.com
Update the timezone to your timezone:
sudo timedatectl set-timezone Africa/Nairobi
We can then setup client with specifying FreeIPA server and domain name
sudo ipa-client-install --server=ipa.citizix.com --domain ipa.citizix.com
You can also add more arguments specifying the ipa client hostname, server, domain and realm like in this example.
sudo ipa-client-install --hostname=fedora-client.citizix.com \
--mkhomedir \
--server=ipa.citizix.com \
--domain ipa.citizix.com \
--realm IPA.CITIZIX.COM
This is my output. You should see something similar to this
$ sudo ipa-client-install --server=ipa.citizix.com --domain ipa.citizix.com
This program will set up FreeIPA client.
Version 4.8.6
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: ubuntu-client.citizix.com
Realm: IPA.CITIZIX.COM
DNS Domain: ipa.citizix.com
IPA Server: ipa.citizix.com
BaseDN: dc=ipa,dc=citizix,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@IPA.CITIZIX.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.CITIZIX.COM
Issuer: CN=Certificate Authority,O=IPA.CITIZIX.COM
Valid From: 2021-11-09 05:42:01
Valid Until: 2041-11-09 05:42:01
Enrolled in IPA realm IPA.CITIZIX.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.CITIZIX.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.citizix.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
3. Enable Creation of home directories on the first Login
By default, sssd service will not create a home directory for the user on the first login, we need to enable this feature by modifying PAM configuration file.
sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF Name: activate mkhomedir Default: yes Priority: 900 Session-Type: Additional Session: required pam_mkhomedir.so umask=0022 skel=/etc/skel EOF
Then run:
sudo pam-auth-update
Ensure “activate mkhomedir” is selected, it should have [*]. Select
4. Test Client addition
To test that the client was added successfully, let us login with a user in freeipa. If its the first time you are logging in, you should see a password change prompt else you will see this:
$ ssh etowett@10.2.40.70
(etowett@10.2.40.70) Password:
Last login: Sat Nov 13 08:29:12 2021 from 10.2.40.174
[etowett@ubuntu-client ~]$
5. Using FreeIPA ipa Command Line Management Tool
You can administer FreeIPA Server from the client machine using ipa command line tool.
First, obtain a Kerberos ticket.
$ kinit admin Password for admin@IPA.CITIZIX.COM:
Check ticket expiry information using klist.
$ klist Ticket cache: KEYRING:persistent:1000:1000 Default principal: admin@IPA.CITIZIX.COM Valid starting Expires Service principal 11/14/21 16:40:33 11/15/21 16:40:16 krbtgt/IPA.CITIZIX.COM@IPA.CITIZIX.COM
Test by adding a user account and listing accounts present:
$ sudo ipa user-add kip \
--first=Kipkoech \
--last=Towett \
--email=kip@citizix.com \
--password
Password:
Enter Password again to verify:
----------------
Added user "kip"
----------------
User login: kip
First name: Kipkoech
Last name: Towett
Full name: Kipkoech Towett
Display name: Kipkoech Towett
Initials: KT
Home directory: /home/kip
GECOS: Kipkoech Towett
Login shell: /bin/bash
Principal name: kip@IPA.CITIZIX.COM
Principal alias: kip@IPA.CITIZIX.COM
User password expiration: 20211112183007Z
Email address: kip@citizix.com
UID: 1063800003
GID: 1063800003
Password: True
Member of groups: ipausers
Kerberos keys available: True
Verify.
$ ipa user-find kip -------------- 1 user matched -------------- User login: kip First name: Kipkoech Last name: Towett Home directory: /home/kip Login shell: /bin/bash Principal name: kip@IPA.CITIZIX.COM Principal alias: kip@IPA.CITIZIX.COM Email address: kip@citizix.com UID: 1063800003 GID: 1063800003 Account disabled: False ---------------------------- Number of entries returned 1 ----------------------------
6. Enable Passwordless Authentication using Private Key
If you would like to authenticate to a server without a password, copy your Public key to FreeIPA Server. In the User profile, click the **Add **button under “SSH public keys“, paste your public key into the box and save.
7. Removing FreeIPA Client
Removal of FreeIPA client on Ubuntu can be done by running the command:
$ sudo ipa-client-install --uninstall
Conclusion
In this guide, we managed to install and set up FreeIPA client on a Ubuntu 20.04.