How to add Ubuntu System to FreeIPA Server
After you have installed the FreeIPA identity management system, you will need to enroll and add client machines to the FreeIPA server. This will ensure FreeIPA users to log in to any client machines that are enrolled on the FreeIPA server.
In this tutorial, we will show you how to add an Ubuntu client machine to the FreeIPA server. In the end, the FreIPA users will be able to log in to the Ubuntu client machines using the authentication provides by the FreeIPA server.
- A FreeIPA server is fully configured.
- An Ubuntu Linux machine - server or desktop.
- A non-root user with sudo administrator privileges.
Add User on FreeIPA Server
Before you start configuring the Ubuntu client machine, connect to your FreeIPA server using the ssh command below.
Now run the below command to authenticate against the Kerberos server.
This will prompt you for a password for the Kerberos admin. Input the correct password.
Next, verify the authentication by checking the available Kerberos ticket using the below command.
You will see the following screenshot if you are authenticated to the Kerberos server.
Now you will be setting up the FreeIPA server using the ipa command line.
Change the default shell for FreeIPA users to /bin/bash using the below command.
ipa config-mod --defaultshell=/bin/bash
You will all default configurations for FreeIPA users below. As you can see, the default shell is changed to /bin/bash.
Now run the below command to create a new FreeIPA user named laura.
ipa user-add laura --first=Laura --last=Admin --password
You will be asked to input a strong password for the user laura, then the new user will be created.
Add DNS Record for Ubuntu Client on FreeIPA Server
After setting up a new user, you will now need to add the DNS configuration for the Ubuntu client machine. In this example, the Ubuntu client machine is running with IP address 192.168.10.50 with the hostname ubuntu-node.
Now add the DNS configuration for the ubuntu-node using the below command. You will also need to change the domain name hwdomain.io using your DNS zone of the FreeIPA server and all details of the client machine.
ipa dnsrecord-add hwdomain.io ubuntu-node.hwdomain.io --a-rec 192.168.10.50
Verify the DNS configuration using the below command.
ipa dnsrecord-find hwdomain.io ubuntu-node.hwdomain.io
Below you can see the FQDN ubuntu-node.hwdomain.io is resolved to the client IP address 192.168.10.50.
Additionally, if you run the ping command from the FreeIPA server to the FQDN ubuntu-node.hwdomain.io, the domain will automatically be resolved to the correct IP address defined on the FreeIPA server.
ping ubuntu-node.hwdomain.io -c5
You have now created the FreeIPA user and configured the DNS record for the client machine.
Setting FQDN and /etc/hosts
Now move to the Ubuntu client machine and start configuring the FQDN and /etc/hosts file on the client machine.
Run the below command to set up the FQDN to ubuntu-node-.hwdomain.io.
sudo hostnamectl set-hostname ubuntu-node.hwdomain.io
Now edit the configuration /etc/hosts using nano editor.
sudo nano /etc/hosts
Change the detailed IP addresses and domain names, then add the configuration to the file.
Save and close the file when you are done.
Next, run the dig command below to verify the FQDN and /etc/hosts file configuration.
dig +short ubuntu-node.hwdomain.io A
dig +short -X 192.168.10.50
You will see the following screenshot, the FQDN ubuntu-node.hwdomain.io is resolved to the IP address 126.96.36.199 and vice-versa.
Adding Ubuntu Client to FreeIPA
After configuring the FQDN and /etc/hosts file, you will now be installing the FreeIPA client package and start adding your Ubuntu client to the FreIPA server.
Before start installing any packages, update and refresh your Ubuntu repository using the below command.
sudo apt update
Now install the FreeIPA client package using the below command.
sudo apt install freeipa-client oddjob-mkhomedir
Input Y to confirm the installation and press ENTER to continue.
During the installation, you will be asked to set up the default REALM. Leave it as default, because it will automatically be detected based on your FQDN.
The FreeIPA client package is now installed on your Ubuntu client machine.
Next, run the ipa-client-install command below to add the Ubuntu client machine to the FreeIPA server. Be sure to change the FreeIPA server address, domain name, and REALM.
ipa-client-install --hostname=`hostname -f` \
--domain hwdomain.io \
During the installation, you will be asked for the following configurations:
- Input yes when asked about the autodiscovery configuration.
- Leave the NTP configuration as default no.
- Check your detailed FreeIPA server configuration and input yes to confirm the installation.
- Now input the user admin for the Kerberos authentication.
- Input the password for the Kerberos admin user.
When all configuration is completed, you will see a message such as "Client configuration completed.".
Next, run the below command to change the PAM authentication module configuration.
Select the PAM profile "Create a home directory on login" to enable it, then select OK to confirm.
Now all configurations of the FreeIPA client machine are completed.
Logging in to Ubuntu Client with FreeIPA User
To verify your Ubuntu client machine configuration, move back to the FreeIPA server and connect to the ubuntu-node.hwdomain.io using the FreeIPA user laura. Also, make sure the password authentication on your Ubuntu client machine is enabled.
Connect to the Ubuntu client machine using the FreeIPA user as below.
Input the password for the FreeIPA user. When the password is correct, you will be asked to input again the password and change the default password to the new one. So be sure to use a strong password for your user.
When you are connected, you will see the output like the following screenshot. The FreeIPA user laura is logged in to the ubuntu-node machine using the SSH authentication.
Congratulation! You have now learned how to add the Ubuntu client machine to the FreeIPA server, You have also learned the basic ipa command for managing FreeIPA users and DNS configuration, and also the basic configuration for the PAM module.