This guide shows how to install and configure a FreeIPA client on Ubuntu 20.04 so Linux hosts can authenticate users centrally with Kerberos, LDAP, and SSSD.
FreeIPA provides centralized identity, policy, and access management. After enrolling a client, user and group information comes from the FreeIPA server, and admins can manage access from one place.
Prerequisites
Before you begin, ensure you have:
- Ubuntu 20.04 server or workstation
- A reachable FreeIPA server
- A user with sudo privileges
- Working DNS resolution for the IPA server and client hostname (recommended)
- Time synchronization working on both client and IPA server (critical for Kerberos)
1. Update Ubuntu Packages
| |
2. Install FreeIPA Client Package
Install the client from Ubuntu repositories:
| |
If you are prompted for a Kerberos realm during package installation, you can skip the prompt and continue. The realm is configured later with ipa-client-install.
Verify installation:
| |
3. Prepare Hostname, DNS, and Time
Set hostname
Set a fully qualified domain name (FQDN) for the client:
| |
Ensure name resolution
DNS is preferred. If DNS is unavailable, add static entries in /etc/hosts:
| |
Example entries:
| |
Validate time sync
Kerberos depends on accurate time. Check NTP status:
| |
If needed, set timezone:
| |
4. Enroll Ubuntu Client into FreeIPA
Run interactive enrollment:
| |
Or run with explicit values and home directory creation:
| |
If enrollment succeeds, you should see output ending with:
SSSD enabled
Client configuration complete.
The ipa-client-install command was successful
5. Enable Home Directory Creation on First Login
If --mkhomedir was not used or you want to ensure it is enabled, configure PAM:
| |
Then apply PAM settings:
| |
Ensure the "activate mkhomedir" option is selected.
6. Test FreeIPA Login and Identity Resolution
Confirm identity lookup
| |
Test SSH login with an IPA user
| |
On first login, users may be prompted to change their password, depending on policy.
7. Use FreeIPA CLI from the Client
Obtain a Kerberos ticket:
| |
Check ticket details:
| |
Test IPA operations from the client, for example adding a user:
| |
Verify:
| |
8. Enable Passwordless SSH with FreeIPA User Keys
To allow SSH key authentication for IPA users:
- Copy your public key (for example ~/.ssh/id_rsa.pub or ~/.ssh/id_ed25519.pub).
- In FreeIPA Web UI, open the user profile.
- Under SSH public keys, add and save the key.
- Ensure the target host trusts IPA/SSSD-based SSH key lookup (configured by ipa-client-install).
9. Troubleshooting Common FreeIPA Client Issues
Cannot resolve IPA server
- Check DNS: dig ipa.citizix.com +short
- Verify /etc/hosts fallback entries if DNS is unavailable
Kerberos errors (clock skew)
- Verify time sync on client and server
- Check timedatectl status
SSSD not working
- Check service status:
| |
- Inspect logs:
| |
Enrollment fails
- Confirm hostname is FQDN
- Confirm realm/domain values are correct
- Check connectivity to IPA ports (LDAP/Kerberos/HTTPS)
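The hostname, name-resolution and time checks from this guide can be run together before enrollment. The script below is an added example, not part of the original guide; the function names and the example.test host names are assumptions, and requiring the FQDN to be the first name on its /etc/hosts line is this example's own stricter choice.

```shell
#!/bin/sh
# Added example: pre-enrollment checks for a FreeIPA client.
# Function names are hypothetical; example.test hosts are constructed placeholders.

# is_fqdn NAME: succeeds when NAME has at least two dot-separated labels of
# letters, digits and hyphens, with no label starting or ending in a hyphen.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# clock_synced: reads `timedatectl status` output on stdin and succeeds only
# when systemd reports the system clock as synchronized (Kerberos needs this).
clock_synced() {
    grep -Eq '^[[:space:]]*System clock synchronized:[[:space:]]*yes[[:space:]]*$'
}

# hosts_has_name FILE NAME: succeeds when a non-comment line in FILE lists
# NAME as the first (canonical) name after the address.
hosts_has_name() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 && tolower($2) == tolower(n) { found = 1 }
        END { exit !found }' "$1"
}

# preflight SERVER: run the checks on the live system, print one line per
# check, and return the number of failed checks.
preflight() {
    fails=0
    if is_fqdn "$(hostname -f 2>/dev/null)"; then echo "ok   client hostname is an FQDN"
    else echo "FAIL client hostname is not an FQDN"; fails=$((fails + 1)); fi
    if getent hosts "$1" >/dev/null; then echo "ok   $1 resolves"
    else echo "FAIL $1 does not resolve (DNS or /etc/hosts)"; fails=$((fails + 1)); fi
    if timedatectl status 2>/dev/null | clock_synced; then echo "ok   clock synchronized"
    else echo "FAIL clock not synchronized"; fails=$((fails + 1)); fi
    return "$fails"
}

# Runs only when a server name is passed, e.g.: sh preflight.sh ipa.example.test
if [ "$#" -ge 1 ]; then preflight "$1"; fi
```

A non-zero exit status equals the number of failed checks, so the script can gate an automated enrollment step.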
10. Remove FreeIPA Client from Ubuntu 20.04
To unenroll and clean local FreeIPA client configuration:
| |
You can also disable/remove residual packages if needed:
| |
Summary
You now have a fully configured FreeIPA client on Ubuntu 20.04 with centralized identity lookup, Kerberos authentication, optional automatic home directory creation, and IPA CLI administration from the client node.
For production, prioritize reliable DNS, NTP synchronization, and periodic validation of SSSD/Kerberos health across all enrolled hosts.