In this article, we will learn how to install and configure freeipa client on Fedora 35.
This integrations allow a System Administrator to conveniently configure the server centrally, on the FreeIPA server. When a management command is executed on the Client machine, the FreeIPA client sends it to the server where it is executed.
- How to manage users and groups in FreeIPA Server
- How To Install FreeIPA Client on Rocky Linux/Alma Linux/CentOS 8
- How to Install and Configure FreeIPA on Rocky Linux/Centos 8
- How To Install and Configure FreeIPA Client on Ubuntu 20.04
- How to configure FreeIPA Replication on Rocky Linux/Alma Linux/Centos 8
To follow along, ensure you have the following
- An updated Fedora 35 server/Workstation
- An IPA Server that the client will join
- Sudo access to the server or user with sudo access
- Internet access from the sever
Table of Content
- Installing FreeIPA packages
- Setting up the Client
- Enable Creation of home directories on the first Login
- Test Client Addition
- Using FreeIPA ipa Command Line Management Tool
- Enable Passwordless Authentication using Private Key
- Removing Rocky Linux/Alma Linux IPA Client
1. Installing FreeIPA packages
On Fedora 35 Server/Workstation, the FreeIPA client is available in the default repos as
freeipa-client. Search using this command:
sudo dnf search freeipa-client
Install FreeIPA Client packages using this command.
sudo dnf -y install freeipa-client
Confirm client addition using the
rpm -qi commannd
$ rpm -qi freeipa-client Name : freeipa-client Version : 4.9.7 Release : 2.fc35 Architecture: x86_64 Install Date: Sat 13 Nov 2021 08:22:50 AM UTC Group : Unspecified Size : 242563 License : GPLv3+ Signature : RSA/SHA256, Fri 15 Oct 2021 07:13:26 PM UTC, Key ID db4639719867c58f Source RPM : freeipa-4.9.7-2.fc35.src.rpm Build Date : Fri 15 Oct 2021 06:59:37 PM UTC Build Host : buildvm-x86-25.iad2.fedoraproject.org Packager : Fedora Project Vendor : Fedora Project URL : http://www.freeipa.org/ Bug URL : https://bugz.fedoraproject.org/freeipa Summary : IPA authentication for use on clients Description : IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If your network uses IPA for authentication, this package should be installed on every client machine. This package provides command-line tools for IPA administrators.
2. Seting up client
Once the installation of the FreeIPA Client packages is complete. Add hostname and IP address of your IPA Server to /etc/hosts file if you don’t have a working DNS resolution.
echo "10.2.40.149 ipa.citizix.com" | sudo tee /etc/hosts
Set your system hostname.
sudo hostnamectl set-hostname fedora-client.citizix.com
We can then setup client with specifying FreeIPA server and domain name
sudo ipa-client-install --server=ipa.citizix.com --domain ipa.citizix.com
You can also add more arguments specifying the ipa client hostname, server, domain and realm like in this example.
sudo ipa-client-install --hostname=fedora-client.citizix.com \ --mkhomedir \ --server=ipa.citizix.com \ --domain ipa.citizix.com \ --realm IPA.CITIZIX.COM
This is my output. You should see something similar to this
$ sudo ipa-client-install --server=ipa.citizix.com --domain ipa.citizix.com This program will set up IPA client. Version 4.9.7 Autodiscovery of servers for failover cannot work with this configuration. If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure. Proceed with fixed values and no DNS discovery? [no]: yes Do you want to configure chrony with NTP server or pool address? [no]: no Client hostname: fedora-client.citizix.com Realm: IPA.CITIZIX.COM DNS Domain: ipa.citizix.com IPA Server: ipa.citizix.com BaseDN: dc=ipa,dc=citizix,dc=com Continue to configure the system with these values? [no]: yes Synchronizing time No SRV records of NTP servers found and no NTP server or pool address was provided. Using default chrony configuration. Attempting to sync time with chronyc. Time synchronization was successful. User authorized to enroll computers: admin Password for [email protected]: Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.CITIZIX.COM Issuer: CN=Certificate Authority,O=IPA.CITIZIX.COM Valid From: 2021-11-09 05:42:01 Valid Until: 2041-11-09 05:42:01 Enrolled in IPA realm IPA.CITIZIX.COM Created /etc/ipa/default.conf Configured sudoers in /etc/authselect/user-nsswitch.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm IPA.CITIZIX.COM Systemwide CA database updated. Hostname (fedora-client.citizix.com) does not have A/AAAA record. Failed to update DNS records. Missing A/AAAA record(s) for host fedora-client.citizix.com: 10.2.40.174. Incorrect reverse record(s): 10.2.40.174 is pointing to ip-10-2-40-174.us-west-2.compute.internal. instead of fedora-client.citizix.com. Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub Could not update DNS SSHFP records. SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config.d/04-ipa.conf Configuring ipa.citizix.com as NIS domain. Client configuration complete. The ipa-client-install command was successful
3. Enable Creation of home directories on the first Login
If user’s home directory are not created automatically, enable this feature by running the command below. This will create home directory at initial login.
$ sudo authselect enable-feature with-mkhomedir Make sure that SSSD service is configured and enabled. See SSSD documentation for more information. - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present and oddjobd service is enabled and active - systemctl enable --now oddjobd.service $ sudo systemctl enable --now oddjobd Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
4. Test Client addition
To test that the client was added successfully, let us login with a user in freeipa. If its the first time you are logging in, you should see a password change prompt else you will see this:
$ ssh [email protected] ([email protected]) Password: Last login: Sat Nov 13 08:29:12 2021 from 10.2.40.174 [[email protected] ~]$
5. Using FreeIPA ipa Command Line Management Tool
You can administer FreeIPA Server from the client machine using ipa command line tool.
First, obtain a Kerberos ticket.
$ kinit admin Password for [email protected]:
Check ticket expiry information using klist.
$ klist Ticket cache: KCM:1000 Default principal: [email protected] Valid starting Expires Service principal 11/12/2021 21:27:59 11/13/2021 21:27:47 krbtgt/[email protected]
Test by adding a user account and listing accounts present:
$ sudo ipa user-add kip \ --first=Kipkoech \ --last=Towett \ [email protected] \ --password Password: Enter Password again to verify: ---------------- Added user "kip" ---------------- User login: kip First name: Kipkoech Last name: Towett Full name: Kipkoech Towett Display name: Kipkoech Towett Initials: KT Home directory: /home/kip GECOS: Kipkoech Towett Login shell: /bin/bash Principal name: [email protected] Principal alias: [email protected] User password expiration: 20211112183007Z Email address: [email protected] UID: 1063800003 GID: 1063800003 Password: True Member of groups: ipausers Kerberos keys available: True
$ ipa user-find kip -------------- 1 user matched -------------- User login: kip First name: Kipkoech Last name: Towett Home directory: /home/kip Login shell: /bin/bash Principal name: [email protected] Principal alias: [email protected] Email address: [email protected] UID: 1063800003 GID: 1063800003 Account disabled: False ---------------------------- Number of entries returned 1 ----------------------------
6. Enable Passwordless Authentication using Private Key
If you would like to authenticate to a server without a password, copy your Public key to FreeIPA Server. In the User profile, click the Add button under “SSH public keys“, paste your public key into the box and save.
7. Removing Fedora 35 IPA Client
Removal of FreeIPA client on Rocky Linux/Alma Linux 8 can be done by running the command:
$ sudo ipa-client-install --uninstall
In this guide, we managed to install and set up FreeIPA client on a Fedora 35.