How To Install FreeIPA Client on Rocky Linux/Alma Linux/CentOS 8

In this article, we will learn how to install freeipa client on Rocky Linux/Alma Linux/CentOS 8. This guide will also work on other RHEL 8 based systems.

This integrations allow a System Administrator to conveniently configure the server centrally, on the FreeIPA server. When a management command is executed on the Client machine, the FreeIPA client sends it to the server where it is executed.

Related Content:

Prerequisites

To follow along, ensure you have the following

  • A Rocky Linux/Centos 8 or Any Rhel 8 based server
  • An IPA Server that the client will join
  • Sudo access to the server or user with sudo access
  • Internet access from the sever

Installing FreeIPA packages

On Rocky Linux 8 server, the FreeIPA client is available as an AppStream module. List the module using this command:

1
2
3
4
5
6
7
8
9
$ sudo dnf module list idm

Last metadata expiration check: 0:01:12 ago on Sat 02 Sep 2023 08:12:53 AM UTC.
Rocky Linux 8 - AppStream
Name     Stream         Profiles                                     Summary
idm      DL1            adtrust, client, common [d], dns, server     The Red Hat Enterprise Linux Identity Management system module
idm      client [d]     common [d]                                   RHEL IdM long term support client module

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

From the output, you can see we have DL1 and client Streams. For more information about the FreeIPA client stream, run:

1
sudo dnf module info idm:DL1/client

Install FreeIPA Client packages using this command.

1
sudo dnf module -y install idm:DL1/client

Confirm client addition using the rpm -qi commannd:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ rpm -qi ipa-client

Name        : ipa-client
Version     : 4.9.2
Release     : 4.module+el8.4.0+664+1636a961
Architecture: x86_64
Install Date: Fri 12 Nov 2021 08:53:52 PM EAT
Group       : Unspecified
Size        : 266180
License     : GPLv3+
Signature   : RSA/SHA256, Tue 02 Nov 2021 07:33:39 PM EAT, Key ID 15af5dac6d745a60
Source RPM  : ipa-4.9.2-4.module+el8.4.0+664+1636a961.src.rpm
Build Date  : Tue 02 Nov 2021 07:21:45 PM EAT
Build Host  : ord1-prod-x86build001.svc.aws.rockylinux.org
Relocations : (not relocatable)
Packager    : infrastructure@rockylinux.org
Vendor      : Rocky
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients
Description :
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If your network uses IPA for authentication, this package should be
installed on every client machine.
This package provides command-line tools for IPA administrators.

Seting up client

Once the installation of the FreeIPA Client packages is complete. Add hostname and IP address of your IPA Server to /etc/hosts file if you don’t have a working DNS resolution.

1
echo "10.2.40.149 ipa.citizix.com" | sudo tee /etc/hosts

Set your system hostname.

1
sudo hostnamectl set-hostname ipa-client.citizix.com

We can then setup client with specifying FreeIPA server and domain name

1
sudo ipa-client-install --server=ipa.citizix.com --domain ipa.citizix.com

You can also add more arguments specifying the ipa client hostname, server, domain and realm like in this example.

1
2
3
4
5
sudo ipa-client-install --hostname=ipa-client.citizix.com \
 --mkhomedir \
 --server=ipa.citizix.com \
 --domain ipa.citizix.com \
 --realm IPA.CITIZIX.COM

This is my output. You should see something similar to this

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
# ipa-client-install --server=ipa.citizix.com --domain ipa.citizix.com

This program will set up IPA client.
Version 4.9.2

Sudo version 1.8.29
Configure options: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin --libdir=/usr/lib64 --docdir=/usr/share/doc/sudo --disable-root-mailer --with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux --with-passprompt=[sudo] password for %p:  --with-linux-audit --with-sssd
Sudoers policy plugin version 1.8.29
Sudoers file grammar version 46

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Always set $HOME to the target user's home directory
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/db/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /sbin:/bin:/usr/sbin:/usr/bin
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
	TZ
	TERM
	LINGUAS
	LC_*
	LANGUAGE
	LANG
	COLORTERM
Environment variables to remove:
	*=()*
	RUBYOPT
	RUBYLIB
	PYTHONUSERBASE
	PYTHONINSPECT
	PYTHONPATH
	PYTHONHOME
	TMPPREFIX
	ZDOTDIR
	READNULLCMD
	NULLCMD
	FPATH
	PERL5DB
	PERL5OPT
	PERL5LIB
	PERLLIB
	PERLIO_DEBUG
	JAVA_TOOL_OPTIONS
	SHELLOPTS
	BASHOPTS
	GLOBIGNORE
	PS4
	BASH_ENV
	ENV
	TERMCAP
	TERMPATH
	TERMINFO_DIRS
	TERMINFO
	_RLD*
	LD_*
	PATH_LOCALE
	NLSPATH
	HOSTALIASES
	RES_OPTIONS
	LOCALDOMAIN
	CDPATH
	IFS
Environment variables to preserve:
	XAUTHORITY
	_XKB_CHARSET
	LINGUAS
	LANGUAGE
	LC_ALL
	LC_TIME
	LC_TELEPHONE
	LC_PAPER
	LC_NUMERIC
	LC_NAME
	LC_MONETARY
	LC_MESSAGES
	LC_MEASUREMENT
	LC_IDENTIFICATION
	LC_COLLATE
	LC_CTYPE
	LC_ADDRESS
	LANG
	USERNAME
	QTDIR
	PS2
	PS1
	MAIL
	LS_COLORS
	KDEDIR
	HISTSIZE
	HOSTNAME
	DISPLAY
	COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo-i
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Maximum I/O log sequence number: 0
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Query the group plugin for unknown system groups
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Resolve groups in sudoers and match on the group ID, not the name
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Don't pre-resolve all group names

Local IP address and netmask pairs:
	10.2.40.72/255.255.255.0
	10.88.0.1/255.255.0.0
	fe80::863:3cff:fec2:9a33/ffff:ffff:ffff:ffff::
	fe80::c894:28ff:fe0e:4b89/ffff:ffff:ffff:ffff::
	fe80::5857:74ff:fe85:d86d/ffff:ffff:ffff:ffff::
	fe80::9896:7dff:fef6:b3be/ffff:ffff:ffff:ffff::
	fe80::1445:1aff:fe2e:d9dd/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.29
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: ipa-replica.citizix.com
Realm: IPA.CITIZIX.COM
DNS Domain: ipa.citizix.com
IPA Server: ipa.citizix.com
BaseDN: dc=ipa,dc=citizix,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@IPA.CITIZIX.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.CITIZIX.COM
    Issuer:      CN=Certificate Authority,O=IPA.CITIZIX.COM
    Valid From:  2021-11-09 05:42:01
    Valid Until: 2041-11-09 05:42:01

Enrolled in IPA realm IPA.CITIZIX.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.CITIZIX.COM
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.citizix.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Enable Creation of home directories on the first Login

If user’s home directory are not created automatically, enable this feature by running the command below. This will create home directory at initial login.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# authselect enable-feature with-mkhomedir

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

# systemctl enable --now oddjobd

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service /usr/lib/systemd/system/oddjobd.service.

Test Client addition

To test that the client was added successfully, let us login with a user in freeipa. If its the first time you are logging in, you should see a password change prompt else you will see this:

1
2
3
4
5
6
$ ssh etowett@10.2.40.72
(etowett@10.2.40.72) Password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Nov 12 21:03:32 2021 from 10.2.40.10
[etowett@ipa-client ~]$

Using FreeIPA ipa Command Line Management Tool

You can administer FreeIPA Server from the client machine using ipa command line tool.

First, obtain a Kerberos ticket.

1
2
$ kinit admin
Password for admin@IPA.CITIZIX.COM:

Check ticket expiry information using klist.

1
2
3
4
5
6
$ klist
Ticket cache: KCM:1000
Default principal: admin@IPA.CITIZIX.COM

Valid starting       Expires              Service principal
11/12/2021 21:27:59  11/13/2021 21:27:47  krbtgt/IPA.CITIZIX.COM@IPA.CITIZIX.COM

Test by adding a user account and listing accounts present:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
$ sudo ipa user-add kip \
     --first=Kipkoech \
     --last=Towett \
     --email=kip@citizix.com \
     --password

Password:
Enter Password again to verify:
----------------
Added user "kip"
----------------
  User login: kip
  First name: Kipkoech
  Last name: Towett
  Full name: Kipkoech Towett
  Display name: Kipkoech Towett
  Initials: KT
  Home directory: /home/kip
  GECOS: Kipkoech Towett
  Login shell: /bin/bash
  Principal name: kip@IPA.CITIZIX.COM
  Principal alias: kip@IPA.CITIZIX.COM
  User password expiration: 20211112183007Z
  Email address: kip@citizix.com
  UID: 1063800003
  GID: 1063800003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Verify.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
$ ipa user-find kip
--------------
1 user matched
--------------
  User login: kip
  First name: Kipkoech
  Last name: Towett
  Home directory: /home/kip
  Login shell: /bin/bash
  Principal name: kip@IPA.CITIZIX.COM
  Principal alias: kip@IPA.CITIZIX.COM
  Email address: kip@citizix.com
  UID: 1063800003
  GID: 1063800003
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

Enable Passwordless Authentication using Private Key

If you would like to authenticate to a server without a password, copy your Public key to FreeIPA Server. In the User profile, click the Add button under SSH public keys, paste your public key into the box and save.

Removing Rocky Linux/Alma Linux IPA Client

Removal of FreeIPA client on

Rocky Linux/Alma Linux 8 can be done by running the command:

1
$ sudo ipa-client-install  --uninstall

Conclusion

In this guide, we managed to install and set up FreeIPA client on a Rocky Linux/Almas Linux/Centos 8 server.

comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy