How to add Ubuntu System to FreeIPA Server

After you have installed the FreeIPA identity management system, you will need to enroll client machines on the FreeIPA server. This allows FreeIPA users to log in to any client machine that is enrolled on the FreeIPA server.

In this tutorial, we will show you how to add an Ubuntu client machine to the FreeIPA server. In the end, FreeIPA users will be able to log in to the Ubuntu client machine using the authentication provided by the FreeIPA server.

Prerequisites

  • A FreeIPA server is fully configured.
  • An Ubuntu Linux machine - server or desktop.
  • A non-root user with sudo administrator privileges.

Add User on FreeIPA Server

Before you start configuring the Ubuntu client machine, connect to your FreeIPA server using the ssh command below.

ssh user@SERVER-IP-FreeIPA

Now run the below command to authenticate against the Kerberos server.

kinit admin

This will prompt you for a password for the Kerberos admin. Input the correct password.

Next, verify the authentication by checking the available Kerberos ticket using the below command.

klist

If you are authenticated to the Kerberos server, the output lists your Kerberos ticket.

Now you will be setting up the FreeIPA server using the ipa command line.

Change the default shell for FreeIPA users to /bin/bash using the below command.

ipa config-mod --defaultshell=/bin/bash

You will see all default configurations for FreeIPA users in the output. As you can see, the default shell is changed to /bin/bash.

Now run the below command to create a new FreeIPA user named laura.

ipa user-add laura --first=Laura --last=Admin --password

You will be asked to input a strong password for the user laura, then the new user will be created.

Add DNS Record for Ubuntu Client on FreeIPA Server

After setting up a new user, you will now need to add the DNS configuration for the Ubuntu client machine. In this example, the Ubuntu client machine is running with IP address 192.168.10.50 with the hostname ubuntu-node.

Now add the DNS record for ubuntu-node using the command below. Replace the domain name howtoforge.local with the DNS zone of your FreeIPA server, and adjust the details of the client machine to match yours.

ipa dnsrecord-add howtoforge.local ubuntu-node.howtoforge.local --a-rec 192.168.10.50

Verify the DNS configuration using the below command.

ipa dnsrecord-find howtoforge.local ubuntu-node.howtoforge.local

The output shows that the FQDN ubuntu-node.howtoforge.local resolves to the client IP address 192.168.10.50.

Additionally, if you run the ping command from the FreeIPA server to the FQDN ubuntu-node.howtoforge.local, the domain will automatically be resolved to the correct IP address defined on the FreeIPA server.

ping ubuntu-node.howtoforge.local -c5

You have now created the FreeIPA user and configured the DNS record for the client machine.

Setting FQDN and /etc/hosts

Now move to the Ubuntu client machine and start configuring the FQDN and /etc/hosts file on the client machine.

Run the below command to set the FQDN to ubuntu-node.howtoforge.local.

sudo hostnamectl set-hostname ubuntu-node.howtoforge.local

Now edit the /etc/hosts file using the nano editor.

sudo nano /etc/hosts

Add the following lines to the file, changing the IP addresses and domain names to match your environment.

192.168.10.25 ipa.howtoforge.local
192.168.10.50 ubuntu-node.howtoforge.local

Save and close the file when you are done.

Next, run the dig command below to verify the FQDN and /etc/hosts file configuration.

dig +short ubuntu-node.howtoforge.local A
dig +short -x 192.168.10.50

The output shows that the FQDN ubuntu-node.howtoforge.local resolves to the IP address 192.168.10.50 and vice versa.
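
The dig commands above query DNS and do not read /etc/hosts, so the file can be checked on its own. The following is an added example, not part of the original tutorial: a hypothetical helper, check_hosts, that confirms the client's FQDN is the first name on the line for its IP and is not also bound to a loopback address. The 127.0.1.1 line in the sample is a constructed assumption.

```shell
#!/bin/sh
# Added example (not from the tutorial): check a hosts(5)-format file
# before enrolling the client.
# check_hosts FILE FQDN IP returns:
#   0  FQDN is the first (canonical) name on the line for IP
#   1  FQDN is not fully qualified (contains no dot)
#   2  FQDN is also listed on a loopback line (127.x.x.x or ::1)
#   3  no line lists FQDN as the first name for IP
check_hosts() {
    file=$1 fqdn=$2 ip=$3
    case $fqdn in
        *.*) ;;
        *) echo "FAIL: $fqdn is not fully qualified"; return 1 ;;
    esac
    awk -v fqdn="$fqdn" -v ip="$ip" '
        { sub(/#.*/, "") }          # drop comments
        NF < 2 { next }             # skip blank lines
        {
            for (i = 2; i <= NF; i++) {
                if (tolower($i) != tolower(fqdn)) continue
                if ($1 ~ /^127\./ || $1 == "::1") loopback = 1
                if ($1 == ip && i == 2) canonical = 1
            }
        }
        END {
            if (loopback)   { print "FAIL: " fqdn " is on a loopback line"; exit 2 }
            if (!canonical) { print "FAIL: " ip " does not list " fqdn " first"; exit 3 }
            print "OK: " ip " -> " fqdn
        }' "$file"
}

# Constructed sample: an installer-style 127.0.1.1 line (assumed) left
# in place next to the two entries from the tutorial.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 localhost
127.0.1.1 ubuntu-node.howtoforge.local ubuntu-node
192.168.10.25 ipa.howtoforge.local
192.168.10.50 ubuntu-node.howtoforge.local
EOF
check_hosts "$sample" ubuntu-node.howtoforge.local 192.168.10.50 || true
rm -f "$sample"
```

On a real client, pass /etc/hosts as the first argument; a non-zero return points at the line to fix before running ipa-client-install.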

Adding Ubuntu Client to FreeIPA

After configuring the FQDN and /etc/hosts file, you will now install the FreeIPA client package and add your Ubuntu client to the FreeIPA server.

Before installing any packages, update and refresh your Ubuntu repository using the below command.

sudo apt update

Now install the FreeIPA client package using the below command.

sudo apt install freeipa-client oddjob-mkhomedir

Input Y to confirm the installation and press ENTER to continue.

During the installation, you will be asked to set up the default REALM. Leave it as default, because it will automatically be detected based on your FQDN.

Now leave all the rest of the questions about the Kerberos configuration blank and select skip kerberos authentication.

The FreeIPA client package is now installed on your Ubuntu client machine.

Next, run the ipa-client-install command below to add the Ubuntu client machine to the FreeIPA server. Be sure to change the FreeIPA server address, domain name, and REALM.

sudo ipa-client-install --hostname="$(hostname -f)" \
--mkhomedir \
--server=ipa.howtoforge.local \
--domain howtoforge.local \
--realm HWDOMAIN.IO

During the installation, you will be asked for the following configurations:

  • Input yes when asked about the autodiscovery configuration.
  • Leave the NTP configuration as default no.
  • Check your detailed FreeIPA server configuration and input yes to confirm the installation.
  • Now input the user admin for the Kerberos authentication.
  • Input the password for the Kerberos admin user.

When all configuration is completed, you will see a message such as "Client configuration completed."

Next, run the below command to change the PAM authentication module configuration.

sudo pam-auth-update

Select the PAM profile "Create a home directory on login" to enable it, then select OK to confirm.

Now all configurations of the FreeIPA client machine are completed.

Logging in to Ubuntu Client with FreeIPA User

To verify your Ubuntu client machine configuration, move back to the FreeIPA server and connect to ubuntu-node.howtoforge.local as the FreeIPA user laura. Also, make sure that password authentication is enabled on your Ubuntu client machine.

Connect to the Ubuntu client machine using the FreeIPA user as below.

ssh laura@ubuntu-node.howtoforge.local

Input the password for the FreeIPA user. When the password is correct, you will be asked to input the password again and change the default password to a new one. So be sure to use a strong password for your user.

When you are connected, you will see that the FreeIPA user laura is logged in to the ubuntu-node machine using SSH authentication.

Conclusion

Congratulations! You have now learned how to add an Ubuntu client machine to the FreeIPA server. You have also learned the basic ipa commands for managing FreeIPA users and DNS configuration, as well as the basic configuration of the PAM module.
