How to Install FreeIPA Client on Ubuntu Server 18.04
FreeIPA is free and open source Identity, Policy, and Audit (IPA) suite sponsored by RedHat. It's an IPA solution combination of Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS Bind, Dogtag, Apache web server, and Python.
In our previous guide, we've already shown you the FreeIPA installation and configuration on CentOS 7 server. However, this guide will show you the installation and configuration of the FreeIPA Client.
Currently, FreeIPA has client packages for CentOS 7, Fedora, and Ubuntu. And for this guide, we're going to install and configure the FreeIPA client on Ubuntu 18.04 Bionic Beaver server.
Prerequisites
- Server with FreeIPA Server installed.
- Ubuntu 18.04 Bionic Beaver
- Root privileges
What we will do?
- Add Client DNS Record
- Setup the Client DNS Resolver
- Setup FQDN
- Install FreeIPA Client on Ubuntu 18.04
- Enable Automatically Create Home Directory
- Verify FreeIPA Client Installation
- Testing
Step 1 - Add Client DNS Record
First of all, we need to add the DNS record of the client host to the FreeIPA server.
Login to the FreeIPA server and authenticate to the Kerberos admin using the following command.
kinit admin
TYPE YOUR PASSWORD
After that, add the DNS record of the client host to the FreeIPA server.
ipa dnsrecord-add hakase-labs.io client1 --a-rec 10.9.9.16
Step 2 - Setup DNS Resolver
In order to configure the client with the DNS autodiscovery setup, we need to edit the client DNS resolver to use the FreeIPA server IP address as the nameserver.
Edit the '/etc/resolv.conf' file.
vim /etc/resolv.conf
Replace the domain name and IP address with your own FreeIPA server and paste into it.
search hakase-labs.io
nameserver 10.9.9.15
Step 3 - Setup FQDN
After configuring the DNS resolver, we need to configure the FQDN (Fully Qualified Domain Name) of the client host. And then add the FreeIPA server IP address and domain name to the '/etc/hosts' file.
Change FQDN of the client by running the following command.
hostnamectl set-hostname client1.hakase-labs.io
Next, edit the '/etc/hosts' file using vim editor.
vim /etc/hosts
Make the following change in configuration and paste into it.
10.9.9.15 ipa.hakase-labs.io ipa
10.9.9.16 client1.hakase-labs.io client1
Save and close, then type 'exit' command to log out from the server.
Now log in again to the server and verify FQDN using the following command.
hostname -f
Step 4 - Install FreeIPA Client Packages
By default, Ubuntu provides FreeIPA client packages on its own repository. So we can install FreeIPA client packages just by running the following command below.
sudo apt-get install freeipa-client oddjob-mkhomedir -y
After that, run the FreeIPA client command installation below.
ipa-client-install --mkhomedir --no-ntp
Type 'yes' to apply system changes using profile values generated from the DNS autodiscovery. Once the installation is complete, you will get the result such as 'The ipa-client-install command was successful'.
Additionally:
- If you fail with the autodiscovery host, ensure the DNS of the FreeIPA server is in the top line on the '/etc/resolv.conf file, and ensure the DNS port '53' are open on the server.
- If you have an error during the join process to the FreeIPA server, you can use '--force-join' option.
Step 5 - Setup Automatically Create Home Directory
On Ubuntu server, the automatically created home directory for each user will not work at the beginning. Even the ipa client installation using the '--mkhomedir' option.
In order to make this thing work on the Ubuntu server, we need to install additional packages and add additional PAM (Pluggable Authentication Modules) configuration.
The additional packages have been installed on the top, so we just need to create a new PAM configuration.
Add new PAM configuration for automatically create the home directory by running the following command.
cat > /usr/share/pam-configs/mkhomedir <<EOF
Name: create home directory FreeIPA
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF
After that, apply the new PAM configuration.
sudo pam-auth-update
Now all users that log in to the client host using the FreeIPA user will automatically create the home directory.
Step 6 - Verify FreeIPA Client Installation
After the FreeIPA client installation and configuration, we want to verify by checking the client hosts from the FreeIPA server.
Run the following command on the FreeIPA server.
ipa host-show client1.hakase-labs.io
Change the name of the host with your own info, and you will be shown your host info.
In addition, we want to check again from the FreeIPA web-UI dashboard.
Log in to the FreeIPA dashboard, click on the 'Hosts' tab. And you will be shown your own host info.
Step 7 - Testing FreeIPA Client
For this example, we want to test the FreeIPA client installation by creating a new user on the FreeIPA server.
Run the following command to create a new user.
ipa user-add misaka --first=misaka --last=mikoto [email protected] --shell=/bin/bash --password
After that, try to log in to the client host through SSH from the FreeIPA server.
ssh [email protected]
And finally, you will be logged in to the client using the FreeIPA user recently created.